The Electronic Frontier Foundation is seeking to assist defendants in the Righthaven copyright troll lawsuits. Righthaven, founded in March of 2010, files hundreds of copyright infringement lawsuits on behalf of newspaper publishers against bloggers who make use of news content without permission. To that end, Righthaven searches the internet for stories and parts of stories from the newspapers that they represent. Once they find content that has been re-published, Righthaven purchases the copyright to the article and sues the owner of the blog.
Just like the US Copyright Group shakedowns, and the RIAA shakedowns of the recent past, Righthaven relies on the threat of enormous statutory damages associated with the Copyright Act to scare defendants, often individual bloggers operating non-commercial websites, into a quick settlement, reportedly ranging from two to five thousand dollars. The Righthaven lawsuits are of particular concern because they sometimes target the operators of political websites who re-publish newspaper stories, chilling political speech. Righthaven has also targeted the newspaper's source for the very articles allegedly infringed.
If you are the target for a Righthaven lawsuit in need of representation, please contact Rebecca Reagan at email@example.com. Please understand that we have a relatively small number of very hard-working attorneys, so we do not have the resources to defend everyone who asks, no matter how deserving. However, if we cannot represent you directly, we will make every effort to put you in touch with attorneys who can.
Good news in the fight against bad software patents: a jury in the Eastern District of Texas recently found the Firepond/Polaris patent (U.S. Patent No. 6,411,947) invalid. This patent was on EFF's "Most Wanted" list, targeted because it claimed nothing more than a system using natural language processing to respond to customers' online inquires by email.
EFF was not involved in this case, in which Bright Response, LLC — the technical owner of the patent — sued Google, Inc., Yahoo!, Inc. and eight other companies, alleging that Google's AdWords and Yahoo!'s Sponsored Search infringes the Firepond/Polaris patent. The jury found three of the patent's claims invalid based on the public use bar, obviousness, and for lacking written description. The jury also found that neither Google nor Yahoo! infringed those claims. Finally, the jury found the entire patent invalid due to improper inventorship.
In addition to the jury's findings, the Patent and Trademark Office is nearing completion of a reexamination of the patent, instituted by Google, that narrows the scope of that patent's claims.
"This is a great outcome and good news for people and developers who create new products related to customer service or email," said Patrick King, one of the attorneys assisting EFF on this matter.
Because the court has not yet entered a final judgment, Bright Response could still, in theory, attempt to prohibit others from using the basic natural language processing technology in its patent. EFF is on the lookout for this threatening behavior, so please make sure to let us know if you hear of any. EFF will continue to monitor this case — and the corresponding reexam — and will take action as necessary to fight any additional efforts to use the Firepond/Polaris patent to quash competition and hurt innovation.
"We are still waiting for the court case to finish up and to see if Bright Responses will appeal the decision. If any of the patent is still alive after that, we will do whatever we can to invalidate it, and allow competitors to use this simple technology, which was well known prior to the patent filing," said Gina M. Steele, another attorney assisting EFF with this matter.
The Firepond/Polaris patent was one of the ten original Top Ten Patents targeted by EFF’s Patent Busting Project, which combats the chilling effects of bad patents on the public and consumer interests. So far nine patents targeted by EFF have been busted, invalidated, narrowed, or had a reexamination granted by the Patent Office.
It looks like Apple, Inc., is exploring a new business opportunity: spyware and what we're calling "traitorware." While users were celebrating the new jailbreaking and unlocking exemptions, Apple was quietly preparing to apply for a patent on technology that, among other things, would allow Apple to identify and punish users who take advantage of those exemptions or otherwise tinker with their devices. This patent application does nothing short of providing a roadmap for how Apple can — and presumably will — spy on its customers and control the way its customers use Apple products. As Sony-BMG learned, spying on your customers is bad for business. And the kind of spying enabled here is especially creepy — it's not just spyware, it's "traitorware," since it is designed to allow Apple to retaliate against you if you do something Apple doesn't like.
Essentially, Apple's patent provides for a device to investigate a user's identity, ostensibly to determine if and when that user is "unauthorized," or, in other words, stolen. More specifically, the technology would allow Apple to record the voice of the device's user, take a photo of the device's user's current location or even detect and record the heartbeat of the device's user. Once an unauthorized user is identified, Apple could wipe the device and remotely store the user's "sensitive data." Apple's patent application suggests it may use the technology not just to limit "unauthorized" uses of its phones but also shut down the phone if and when it has been stolen.
However, Apple's new technology would do much more. This patented device enables Apple to secretly collect, store and potentially use sensitive biometric information about you. This is dangerous in two ways: First, it is far more than what is needed just to protect you against a lost or stolen phone. It's extremely privacy-invasive and it puts you at great risk if Apple's data on you are compromised. But it's not only the biometric data that are a concern. Second, Apple's technology includes various types of usage monitoring — also very privacy-invasive. This patented process could be used to retaliate against you if you jailbreak or tinker with your device in ways that Apple views as "unauthorized" even if it is perfectly legal under copyright law.
Here's a sample of the kinds of information Apple plans to collect:
The system can take a picture of the user's face, "without a flash, any noise, or any indication that a picture is being taken to prevent the current user from knowing he is being photographed";
The system can record the user's voice, whether or not a phone call is even being made;
The system can determine the user's unique individual heartbeat "signature";
To determine if the device has been hacked, the device can watch for "a sudden increase in memory usage of the electronic device";
The user's "Internet activity can be monitored or any communication packets that are served to the electronic device can be recorded"; and
The device can take a photograph of the surrounding location to determine where it is being used.
In other words, Apple will know who you are, where you are, and what you are doing and saying and even how fast your heart is beating. In some embodiments of Apple's "invention," this information "can be gathered every time the electronic device is turned on, unlocked, or used." When an "unauthorized use" is detected, Apple can contact a "responsible party." A "responsible party" may be the device's owner, it may also be "proper authorities or the police."
Apple does not explain what it will do with all of this collected information on its users, how long it will maintain this information, how it will use this information, or if it will share this information with other third parties. We know based on long experience that if Apple collects this information, law enforcement will come for it, and may even order Apple to turn it on for reasons other than simply returning a lost phone to its owner.
This patent is downright creepy and invasive — certainly far more than would be needed to respond to the possible loss of a phone. Spyware, and its new cousin traitorware, will hurt customers and companies alike — Apple should shelve this idea before it backfires on both it and its customers.
An Indian computer scientist was arrested this weekend when he refused to disclose an anonymous source who provided an electronic voting machine to a team of security researchers.
Hari Prasad is the managing director of Netindia Ltd., an Indian research and development firm. He and other researchers have long questioned the security of India's paperless electronic voting machines. Despite repeated reports of election irregularities and concerns about fraud, the Election Commission of India insists that the machines are tamper-proof.
In 2009, the commission publicly challenged Prasad to show that India's voting machines could be compromised, but refused to give him access to the machines to perform a review. Earlier this year, an anonymous source provided an Indian voting machine to a research team led by Prasad, Alex Halderman, and Rop Gonggrijp. The team exposed security flaws that could allow an attacker to change election results and compromise ballot secrecy. They published a paper detailing their findings, which you can read here.
According to Halderman, Prasad was questioned Saturday morning at his home in Hyderabad by authorities who wanted to know the identity of the source who gave the voting machine to the research team. Prasad was ultimately arrested and taken to Mumbai, though reportedly hadn't been charged with a crime.
This turn of events is deeply troubling. Prasad is a respected researcher who helped to discover a critical flaw in India's voting system. He and his fellow researchers would never have been able to document the weaknesses in India's voting machines without the help of their anonymous source. This is precisely why anonymity is important: it allows people to make important contributions to the public dialogue without fear of retribution.
The Election Commission of India should have given researchers access to the voting machines in the first place. Rather than attempting to persecute Prasad and the anonymous source, the government should be focusing its attention and resources on the real problem: electronic voting machines with no mechanism for accountability.
UPDATE: According to the Times of India and Reuters, Prasad has been charged in connection with the alleged theft of the voting machine studied by the research team. He has been remanded to police custody until Thursday, August 26.
A bill that could undermine a new and important form of online activism has quietly worked its way through the California legislature. If signed by the governor, the new law would make it a crime to impersonate someone online in order to “harm” that person. In other words, it could be illegal to create a Facebook or Twitter account with someone else’s name, and then use that account to embarrass that person (including a corporate person like British Petroleum or the U.S. Chamber of Commerce, or a public official).
Here’s the problem: temporarily "impersonating" corporations and public officials has become an important and powerful form of political activism, especially online. For example, the Yes Men, a group of artists and activists, pioneered “identity correction,” posing as business and government representatives and making statements on their behalf to raise popular awareness of the real effects of those entities’ activities, like the failure to Dow to adequately compensate victims of the Bhopal disaster and the U.S. government’s destruction of public housing units in New Orleans. These sorts of actions regularly receive widespread media coverage, sparking further public debate. Last year, the activists staged a thinly veiled hoax, presenting themselves at a press conference and on a website as the Chamber of Commerce and, in direct opposition to the Chamber’s actual position, promising to stop lobbying against strong climate change legislation. (Not amused, the Chamber promptly sued the Yes Men based on a trumped-up trademark complaint; EFF is defending the activists.)
Others have taken a similar approach, using spoof sites and identity correction to raise awareness about community issues,environmental threats, and, most recently, the historical roots of Haiti’s economic problems. Unfortunately, the targets of the criticism, like the Chamber, have responded with improper legal threats and lawsuits. It would be a shame if Senator Simitian’s bill added another tool to their anti-speech arsenal.
Proponents of the bill insist that there is no free speech problem because the new law would only apply to “credible” impersonations. That argument misses the point – identity correction depends on initial credibility, just as it also depends on prompt exposure.
What is worse, the bill is not needed. Sponsors of the bill say that victims of online harassment and defamation have little legal recourse. That’s simply not true. Laws against fraud and defamation are already on the books, and they apply online as well as offline. Moreover, judges and juries applying those laws have the benefit of an extensive body of jurisprudence aimed at limiting their impact on legitimate free speech.
We urge Governor Schwarzenegger not to sign this dangerous bill.
Yesterday, Facebook introduced Places, a new location feature that competes with popular services like Foursquare, Google Latitude, Loopt, and Gowalla. Places allows Facebook users to 'check in' to real world locations and to tag their friends as present (similar to how Facebook allows tagging in photos). Everyone who is checked in to the location can see who else is listed as "Here Now" for a few hours after they check in. Once you are checked in to a location, Places also creates a story in your friends' News Feeds and places a notice in the location's page's Recent Activity section. The product will roll out over the next few days.
Like all location products, the new application publishes potentially sensitive information, since a stream of information on location can provide a detailed picture of your life. Some locations might appear cool at one moment, and yet become something you'd rather forget the next. Your Facebook friends may include prolific bloggers, business competitors, and former lovers. For business and personal reasons, you might need to keep your location private from them. And, as pleaserobme.com effectively illustrated, revealing your location can also reveal sensitive information about where you are not.
To its credit, by default, only your Facebook friends can see when you are tagged in a location, unless you opted for the "Everyone" master setting on the privacy controls. (EFF recommends against using the "Everyone" master setting; see how to maximize your privacy on Facebook). To further protect your privacy, you can use friend lists to exercise a more fine-tuned control over who can see your check-ins. If you don't want a location to go down on your permanent record, you need to manually delete the check in.
If your friend attempts to check you in and you have not opted into Places, you will receive a notification that gives you two options: (1) “allow check-ins," which opts you in to the program or (2) "not now" which only disallows that particular check in. Once you are opted in, you will not receive further notices before being checked in by friends. If you want to have complete control over whether you are listed at a location, you have to permanently disallow check-ins by your friends by disabling "Friends can check me in to Places" on the customize privacy settings page. This is the most privacy protective option, since you will only be listed at a location if you affirmatively choose to check in.
"Here Now" broadcasts a list of those checked in to everyone else who is checked in, regardless of whether they are "friends." Sometimes you may not want every Places user in the same location to be able to see you, since the location might be large like a ballpark or an outdoor music festival. You can opt out of the Here Now feature by unchecking the "Include me in 'People Here Now' after I check in" privacy control. However, Facebook does not offer the ability to limit Here Now visibility to subsets of your friends.
Places is designed to limit your location options to places that are actually near you, as reported by the geolocation features of your mobile device. Sometimes, however, you may have personal or professional reasons to report a different location. For example, you might want to report your location as being at a cafe, when you are really at an HIV clinic or a domestic violence shelter. While you can have a friend check you in anywhere they are, or spoof your geolocation if you have sufficient technical chops, Facebook should allow arbitrary locations.
Note that location data can be a tempting target for law enforcement. We urge Facebook to follow the lead of other location service providers like Google and Loopt, and provide the strongest protection for its users by requiring a wiretap order before tracking a Places user's location for law enforcement. Update:In response to this post, Facebook tells us that "We consider our Places product to generate content of communications, and would require a search warrant for prior generated content or a wiretap to capture forward generated content."
If you start to use Places, Facebook apps can also use your location data, and your friends can authorize the disclosure of your location data. The ACLU's DotRights has provided a helpful guide to managing your location privacy settings, including how to prevent your friends' apps from seeing your location information. (Facebook responded to ACLU's criticisms in Techcrunch).
Places is Facebook's most significant product launch since the controversial introduction of Connections and Instant Personalization. We had a number of constructive conversations with Facebook leading up to this launch, and appreciated the opportunity to provide feedback. Not everything resulted in changes, but overall it was a positive process. While the product is not perfect and could use some important changes, as noted above, the privacy settings and defaults represent a substantial improvement over those earlier launches. However, the settings are only good if users understand them intuitively and use them effectively. As the product rolls out to millions of Facebook users, we will be looking closely at its implementation and effects on locational privacy.
An auction for a Ninja Boss Badge just closed (raising over $1,000 for EFF), but there is still one opportunity left: The unique Ninja Networks EFF Quest Badge, a master Badge which gives the Mark of the Defender, worth a 10% increase to other Ninja Badges' defensive skills.
Note: The DEFCON skateboard deck bat'leth functionality is not currently implemented. While it is designed to change color when placed in the presence of an unbreakable cryptosystem, we have been unable to confirm this through testing.