Efforts to protect net neutrality that involve government regulation have always faced one fundamental obstacle: the substantial danger that the regulators will cause more harm than good for the Internet. The worst case scenario would be that, in allowing the FCC to regulate the Internet, we open the door for big business, Hollywood and the indecency police to exert even more influence on the Net than they do now.
On Monday, Google and Verizon proposed a new legislative framework for net neutrality. Reaction to the proposal has been swift and, for the most part, highly critical. While we agree with many aspects of that criticism, we are interested in the framework's attempt to grapple with the Trojan Horse problem. The proposed solution: a narrow grant of power to the FCC to enforce neutrality within carefully specified parameters. While this solution is not without its own substantial dangers, we think it deserves to be considered further if Congress decides to legislate.
Unfortunately, the same document that proposed this intriguing idea also included some really terrible ideas. It carves out exemptions from neutrality requirements for so-called "unlawful" content, for wireless services, and for very vaguely-defined "additional online services." The definition of "reasonable network management" is also problematically vague. As many, many, many have already pointed out, these exemptions threaten to completely undermine the stated goal of neutrality.
Here's a more detailed breakdown of our initial thoughts:
Limited FCC Jurisdiction — Good:
Those who have followed EFF’s position on net neutrality will know that, while we strongly support neutrality in practice, we are opposed to open-ended grants of regulatory authority to the FCC. On that score, the Google/Verizon proposal takes a promising new approach. It would limit the FCC to case-by-case enforcement of consumer protection and nondiscrimination requirements and prohibit broad rulemaking. In essence, it tries to limit the FCC to the type of authority that the FTC has — the authority to investigate claims as they are made.
This limitation, if enforced, could help avoid many of the problems we’ve been concerned about, such as the possibility that a future FCC might decide to take on the role of “Internet indecency” police or, as a result of regulatory capture, might become an innovation gatekeeper, blocking new ideas by small innovators in order to protect the interests of big dinosaurs.
The proposal also rightly exempts software applications, content and services from FCC jurisdiction. Suggestions that the content layer should be directly regulated by the FCC were among the most wrong-headed in past debates about this issue.
The provision does suggests the use of “private non-governmental dispute resolution processes,” which is somewhat troubling — we’ve seen how such processes can be gamed by repeat players.
Standard-Setting Bodies — Interesting:
The proposal also has an interesting suggestion for handling concerns about politicization of the FCC processes and the need for a deep technological understanding to make good decisions in this area: standard-setting bodies. It suggests that “reasonable network management” should be “consistent with the technical requirements, standards or best practices adopted by an independent, widely recognized Internet community governance initiative or standard-setting organization.”
This idea is intriguing, but there are some reasons to be wary. Standard-setting bodies can sometimes do a better job of recognizing and resisting bad technological arguments than political or agency bodies. And technical bodies successfully developed many of the standards that make the Internet great. But as we well know at EFF, standards bodies are not immune to bad ideas. We spent years fighting anti-consumer efforts in various standard-setting fora around DRM and trying to correct some bad standards that had been set in the area of evoting. In those instances, we found that allegedly "independent" standards bodies were often closed to the voices of consumers and small innovators, wrapped in secrecy, and lacking basic mechanisms needed to ensure accountability. If standards bodies are to be introduced as part of a network neutrality oversight scheme, that language needs to guarantee that the processes are completely transparent and representative of the interests of user and independent developer communities.
The definition of “reasonable network management” needs to be clarified and refined. While we think the way that standard-setting organizations are included in the definition is interesting and potentially constructive, the language on what makes some network management ”reasonable” is extremely unclear. For EFF, the first test for a network neutrality proposal is this: would it have clearly prevented Comcast from interfering with BitTorrent? In the Google/Verizon proposal, because of ambiguous exceptions like the one that allows an ISP “otherwise to manage the daily operation of its network“, we can't be sure that that's true.
The cutout for “additional online services” is also very disturbing. Many have pointed out that it could be the exception that swallows the nondiscrimination rule. After all, much of the innovation we expect to occur in the future will involve services “distinguishable in scope and purpose from broadband Internet access service, but could make use of or access Internet content, applications or services." If discrimination is allowed for all such things, then there could easily be little left on the “neutral” part of the Internet in a few years. There may be some services that need traffic prioritization, such as urgent medical services, but the approach in the proposal creates no real limits on what could be allowed as an “additional online service.” It would be much better if space for these services was addressed through waivers or other processes that put the burden on the company suggesting such services to prove that they are needed. And such processes must be fully transparent — not just consumers but the FCC must be in a position to know how these services work and what impact they are having. They must also be open to real debate and opposition.
“Lawful” Content and Wireless Exclusions — Fail:
The proposal essentially ignores some of the key problems that EFF and others have had with previous network neutrality proposals. These loopholes could undermine the goals of neutrality, or lead to unanticipated and regrettable outcomes.
It still limits nondiscrimination to “lawful” content without defining the term or giving any indication of who decides what is “lawful,” opening the door to entertainment industry and law enforcement efforts that could hinder free speech and innovation Last year, the big media companies took advantage of similar language to push for a “copyright loophole” to net neutrality that would have allowed them to pressure ISPs to block, interfere with, or otherwise discriminate against perfectly legal activities in the course of implementing online copyright enforcement measures and a similar loophole existed for law enforcement. So long as your ISP claimed that it was trying to prevent copyright infringement or helping law enforcement, it could be exempted from the net neutrality principles. This was the focus of EFF's comments to the FCC in January, 2010 and our Real Net Neutrality campaign.
As many others have noted, the exclusion of wireless from all but the transparency requirements is a dreadful idea. Neutrality should be the rule for all services, and a distinction between wired and wireless not only defies reason, it also abandons the portion of the Internet that is currently most lacking in openness and neutrality. Users are increasingly demanding the ability to do many, if not all, of the same things in a wireless environment as they do in a wired one. Regardless of what regulation may look like or whether there is any regulation at all, there shouldn’t be a distinction between the neutrality available on wired services and that available on wireless services.
We share these initial thoughts in order to surface some details that may be lost in the controversy sparked by this proposal. Others are weighing in with valuable comments as well, and we are paying close attention to their views. We urge policymakers to do the same.
Recent news has made it abundantly clear that the government uses the Internet and social networking sites as tools for investigation. But what’s not clear, and what the government has been reluctant to reveal, is how this information has been collected and utilized. To get answers, EFF, with help from Berkeley Law’s Samuelson Clinic, made a series of Freedom of Information Act (FOIA) requests asking various law enforcement agencies to disclose documents detailing their use of social networking sites in their investigations. When the government refused to comply with these requests, we went to court to compel them to respond. The latest disclosures from this litigation reveal just some of the ways the government is obtaining and using information from the Internet.
In addition to using this information for law enforcement investigations, the government has been considering using it for all background checks in security clearances. The ODNI has released this study [PDF] from 2008 on the potential of Internet searches in government security clearances. With just a name, address, date of birth, and social security number, government-hired Internet investigators were able to find “noteworthy” search results for as many as 53% of the 349 study participants. “Noteworthy” information included the proclivity to put personal information online, but also included so-called “questionable” material such as disclosure of “underage drinking, profanity, extreme religious and/or political views on public forums.”
Social networking sites like MySpace were also included in the background investigations. And while investigators limited themselves to searching only “public” information on these sites, they still found even more damaging (termed “adverse”) results. These “adverse” results included overly descriptive posting of personal or work information as well as references to or pictures depicting illegal drug use. The study found that approximately 48% of those investigated had at least two or more pieces of “adverse” or “noteworthy” information accessible online and that the highest percentages of those having adverse information on the Internet were in the 18 to 24 year old age group.
The disclosures also show the government’s increasing interest in documenting or “mapping” social networks. The ODNI study explicitly mentions the value of obtaining further information about individuals from interviews of “friends” and business associates, and a presentation [PDF] released by DEA presents one example where a “fugitive on the run” was located by finding a video after examining social networking websites for the profile of either the fugitive or his associates. The DEA presentation also notes the use of online tools such as MySpace Visualizer and YouTube Visualizer, which can visually chart the associations between users of these services.
Security exploits were not the only covert practice endorsed in the government’s disclosures. For example, the DEA presentation cryptically mentions the ability to potentially “recover ‘private’ content only shared among those chosen by the page owner.” Another document, the FBI Intelligence Information Report Handbook [PDF], mentions using “covert accounts” to access protected information. And a document describing Secret Service procedures [PDF] for monitoring electronic communications includes recommendations on how to avoid leaving “electronic footprints” by utilizing “stand-alone” computers with “anonymous accounts from an ISP” during surveillance.
As the FOIA litigation progresses, more documents will become available here. Stay tuned.
On behalf of the Electronic Frontier Foundation, we would like to thank all of you who contributed and supported our work at the Black Hat and DEF CON conferences in Las Vegas last week. In particular we would like to acknowledge Jeff Moss and the Black Hat and DEF CON organizers for their ongoing support of EFF each year.
The EFF members - first time donors and long time members alike - continue to impress us with their generosity. Thanks to all of you who attended our talks, gave kind words of support, joined EFF at our membership table, donated "just because," or used your own ingenuity to fundraise in our honor. This of course includes all of the Defcon 18 Getaway Contest participants (who raised nearly $10,000 together!), our contest sponsors: Tenable Network Security, iSEC Partners, and IOActive, as well as our prize donors: DEF CON, Vegas 2.0, iSEC Partners, and Ninja Networks.
The community support was stronger than ever this year. Cheers to the Vegas 2.0 crew for hosting an amazing sixth annual Summit party as an EFF fundraiser. Headlined by Dual Core and the MiniBosses, the Summit rocked the Top of the Riv and raised a record-high total of donations at the door and from the on-stage auctions. Thank you to BSidesLasVegas for collecting for EFF and congratulation on another great event! Our gratitude to stealth for bringing back Hackers and Guns and for his years of support (going back to the Dunk Tank!). Big ups to everyone who got a Mohawk-Con buzz to benefit EFF, including our own Kellie Brownell! We are grateful to these groups and the many others who found creative ways to help EFF. We are happy to report that together we raised far more money this year for EFF in Las Vegas than we ever have before!
And the computer security community's much appreciated support keeps coming! We will soon auction the waffle iron used and signed by the DEF CON Comedy Jam III Security Fail panel, as well as a Ninja Networks "Pirate #1" boss badge from this year's party. We will also be auctioning a limited edition DEF CON skateboard deck signed by security luminaries including the Dark Tangent, Dan Kaminsky, Dead Addict, Moxie Marlinspike, Kevin Mitnick, Joe "Kingpin" Grand, Miss Jackalope, Dual Core, and many, many more! Details to come. Check out the deck here (kittehs not inkludid):
EFF is a small non-profit that has developed an exceptionally strong voice over its 20 year history. Most funding comes from you, EFF's loyal individual members, giving what you can every year (and sometimes more often!) to ensure that we can fund our activism and our work in the courts and in rulemaking. Regardless of whether you gave $5 or $5,000, it's the grassroots support from you and events like The Next HOPE, Shmoo Con, Black Hat, Security B-Sides, and DEF CON that allows EFF to stay strong and continue defending digital rights. Thank you.
Every year, people astonish and amaze us with the inventive ways in which they raise funds for EFF. EFF supporters have given away free games, shaved people's hair into mohawks, and drawn cartoons to show their support for digital civil liberties. For the second year in a row, Michael Wigren of WKID "Froggy" Radio in Vevay, Indiana, has chosen the potentially dangerous pastime of grape-stomping as the medium through which he demonstrates his devotion to EFF.
Wigren is participating in the 2nd Annual Media Celebrity Grape Stomp for Charity in Vevay, Indiana, where newscasters, radio personalities, and other local celebrities will go toe-to-toe in grape barrels to out-stomp the competition. Each of the top three celebrities will walk away with a check for their favorite charity organization. The event will take place on August 28th at noon, during the Swiss Wine Festival on the Paul Ogle Riverfront Park in Vevay, Indiana at the official grape stomping stage. If you are in the area, stop by to show your support for Wigren, WKID, and the Electronic Frontier Foundation!
Recent news reports have presented somewhat contradictory analysis of government plans in the United Arab Emirates (UAE), Saudi Arabia, and other countries to block the use of BlackBerry smart phones as a form of pressure on Research in Motion, BlackBerry's Canadian manufacturer. All the reports agree that these governments feel RIM has made at least some BlackBerry messages too private and secure, but reports disagree about how private they actually are and exactly what RIM is being asked to do.
Many observers have noted that we're likely to stay in the dark about some of these details. As Jonathan Zittrain put it, "we're only seeing a small slice of a government-to-company negotiation — the public threat part — so exactly what's being asked hasn’t been disclosed, and neither the government nor RIM have much incentive to say more." We particularly appreciate the analyses of the situation from Prof. Zittrain and our former colleague Danny O'Brien at the Committee to Protect Journalists. Both emphasize that only a portion of BlackBerry communications are really strongly encrypted: those sent through BlackBerry's business-oriented BlackBerry Enterprise Service, but not those sent through the ordinary BlackBerry Internet Service. (Of course, all BlackBerry users — and other smartphone users — can optionally use other encryption tools to protect themselves. The subtle distinction between BES and BIS is just one reminder that users need to be skeptical about exactly what kind of protection they're getting. It also raises concerns that Blackberry's recent statements that fail to differentiate between the products may be misleading a large number of their customers — we believe Blackberry should immediately clarify this).
In any case, the UAE government's rhetoric that it must have a backdoor into all communications is very alarming. It reminds us of the situation here in the United States during the 1990s, when the Federal government repeatedly sought to keep strong cryptography out of the general public's hands and to put U.S. government backdoors into communications products. We often call that time the "crypto wars." During them, the civil liberties and business communities fought to make sure Americans would be allowed to use the best available privacy tools to protect their communications. EFF was heavily involved in the crypto wars, litigating the Bernstein case to protect programmers' rights to publish encryption software. Ultimately the government dropped plans like the Clipper Chip that would have been a backdoor into Americans' communications and dramatically reduced the government regulations that stood in the way of Americans getting strong cryptography in their tools.
But the UAE government position seems like 1995 all over again, with government officials insisting that some privacy tools are just too secure to let the public use them.
Press reports also suggest that UAE officials have compared their announced restrictions to "lawful intercept" laws (like the U.S. Communications Assistance for Law Enforcement Act) that force communications carriers to provide wiretapping assistance to government officials. But those laws have never forbidden users from using their choice of encryption software or forced carriers to block any communications, domestic or foreign, because of how they were encrypted or who had the keys. So millions of people in every country routinely use strong cryptography to protect their communications at home or when they travel.
The UAE's and Saudi Arabia's announced restrictions are particularly scary because it seems that the same rationale will lead to government blocks on all sorts of other communications — from web mail to virtual private networks — that those governments deem too private and secure. They also show that the right to use encryption technology to protect privacy needs to be defended all around the world. Quite possibly, the crypto wars never ended.
"The tracking files represent the leading edge of a lightly regulated, emerging industry of data-gatherers who are in effect establishing a new business model for the Internet: one based on intensive surveillance of people to sell data about, and predictions of, their interests and activities, in real time."
What the industry knows about you may surprise you. The articles examine the world of tracking cookies, and other less well-known tracking technologies like flash cookies and beacons. They found that "the nation's 50 top websites on average installed 64 pieces of tracking technology onto the computers of visitors, usually with no warning."
Using information gathered this way, the advertising industry is able to accurately guess substantial information about you — often including your gender, age, income, marital status, credit-rating, and whether you have children or own a home. The findings are used not only to determine what advertisements you see, but sometimes to decide what kind of discounts or credit card offers you're allowed access to.
The series also reveals the stunning story of how a 2008 power struggle at Microsoft Corp. undermined Web privacy standards. When the product design team behind Microsoft Internet Explorer 8.0 proposed adding stronger privacy safeguards, Microsoft's advertising department objected. The software features would have granted Web users substantially better privacy and protection from tracking than exists today. But Microsoft, seeking to maintain alliances with the online advertising industry, ultimately rejected the features. The story shows that the advertising industry has considerably more influence over web-browser design than one might expect.
The "What They Know" project is already the largest and highest-profile investigation by the mainstream media into consumer Web privacy to date. No doubt more articles are on the way, and the project's Twitter account is providing many smaller updates. It's already affecting the conversation in Washington DC, where important efforts by both Congress and the FTC are underway to rein in this dangerous and unregulated industry.
So, kudos to the team at the Wall Street Journal. Hopefully their efforts will encourage more serious approaches to privacy from regulators, law-makers, software companies, advertising companies and ordinary consumers.
Next time you fly Virgin America, you just might see one of EFF's new PSAs as part of your onboard entertainment. Earlier this year, EFF worked with Bucknell University Professor Eric Faden (of A Fair(y) Use Tale fame) to create these two video PSAs about important, cutting-edge digital rights issues!
Hopefully, viewers are reminded of the very important idea that many of the rights and protections we have in the physical world should apply to the digital world as well.
Many thanks to Bucknell University Professor Eric Faden, cinematographer Steve Gibson, and the spring 2010 film production class (Claire Bonti, Kristen Bucaria, Diego Chiri, Dana Farley, Meredith Field, William McCormick, Leanne Miller, Parker Phillips, Caroline Pogust, Hannah Roman, and Casey Sims) for their fantastic work in turning our ideas into these short PSAs!
Now that the dust has settled on the long-awaited announcement of new DMCA circumvention exemptions, it’s time for an explanation of what these exemptions will (and will not) do for consumers and creators. We’ll start with a tremendously important exemption that we fear was somewhat overlooked in the excitement about jailbreaking and unlocking: breaking DVD encryption in order to take short clips for purposes of criticism and commentary for noncommercial use, educational use and documentary films.
This exemption represents many months of hard work by an array of public interest groups. EFF led the charge on behalf of vidders (with invaluable support from the Organization for Transformative Works, among others). The documentary films issue was pushed by the International Documentary Association, Kartemquin Films (a Chicago-based nonprofit) and the USC Gould School of Law Intellectual Property & Technology Law Clinic. The educational uses were championed by a group of educators from American University, the University of Pennsylvania, Temple University, and the University of Maryland, working with the Library Copyright Alliance.
In public comments and at numerous hearings, these groups called on the Librarian of Congress to bring copyright in line with its true purpose – promoting creativity and education – by removing the DMCA as a powerful legal impediment to fair use. Hollywood responded by suggesting that fair users should use “alternatives” to circumvention, such as pointing a camcorder at your television screen to “capture” a poor quality copy of a movie that is playing. In other words, fair users should pretend they are living and working in 1994. Happily, the rulemakers decided to let us live in the present, describing this suggestion as “specious.”
What this means.
Before this exemption was issued, the only people allowed to circumvent DVD encryption for fair use purposes were film and media studies professors. Now, that category has expanded to include all college and university professors and film and media studies students (as long as they are circumventing for educational purposes), documentary filmmakers, and noncommercial vidders. The user may take only a “short portion” of the original work for purposes of criticism and commentary, and she must reasonably believe she needs to break the DRM to accomplish that purpose.
What it doesn’t.
This exemption does not affect toolmakers – i.e., those that develop and provide the tools that make circumventing CSS possible. Nor can it stop Hollywood from attempting to impose other technical limits on the ability to copy, even for fair use purposes. Also, K-12 educators and students who aren’t in film and media studies classes have to keep using 20th century technology. Finally, even though the Register of copyrights has declared that using short portions of a movie for purposes of criticism or comment in a noncommercial video is a fair use (no surprise), Hollywood can still use tools like YouTube’s Content I.D. system to take down such videos with the flip of a switch.
This exemption is long overdue, and therein lies a question: why now? After all, as the Register of Copyrights notes in the report that led to the rulemaking, it was clear back in 2000 that CSS could interfere with fair use in ways Congress didn’t anticipate when it passed the DMCA. The Register’s answer is that the factual record has changed: First, proponents submitted enough substantial evidence of hardship to support their cases. (Which points to a fundamental problem in the process – where it’s clear as a matter of pure logic that a given form of DRM is impeding fair use, it’s irrational to force fair users to suffer for years under legal threat until enough evidence of the harm is accrued.) Second, the market for DVDs has (supposedly) changed:
In past rulemakings, the MPAA has offered evidence that CSS protection was a critical factor in the decision to release motion pictures in digital format . . . [but] CSS-protected DVDs have continued to be the dominant form even though circumventions tools have long been widely available online. At this point in time, the suggestion that an exemption for certain noninfringing uses will cause the end of the digital distribution of motion pictures is without foundation.
We think the MPAA’s bluster that it would stop distributing DVD movies if an exception was granted for fair use circumvention should have never been credited by the Register, but it’s gratifying that the Register refuses to do so any longer.
Some Other Highlights
In the report that led to the rulemaking, the Register of Copyrights made a series of telling observations about encryption and fair use. For example, she implicitly acknowledged what we’ve been saying for years -- that DVD encryption is primarily designed not to restrict access, but to serve as a legal "hook" that forces technology companies to enter into license agreements before they build products that can play movies. As the Report puts it:
By design, the CSS encryption system serves as a link in a chain of legal and technological requirements that ultimately inhibit the possessor of a CSS-protected DVD from copying the work or works embodied in it.”
Of course, those license agreements do more than inhibit copying -- they define what the devices can and can't do, thereby protecting Hollywood business models from disruptive innovation.
Also notable is the Register’s fair use analysis, and particularly her conclusion that there was no evidence that taking short clips cause any harm to any actual market for the original works. Opponent of the exemption had argued, among other things, that they were experimenting with ways to get short clips to educators – in other words, a market might emerge. Not good enough, said the Register: “there was no evidence in the record that a viable or efficient mechanism for permissions or licensing exists or is likely to exist” for the next three years.
This exemption could go further -- for example, there's no sensible reason why literature students, or math students for that matter, should have been excluded. Nonetheless, it represents a big step in the right direction. Hopefully the next rulemaking will go further down the path.