Are you an attorney licensed to practice law in the United States? If you are, EFF needs your help to fight spam-igation.
The U.S. Copyright Group has quietly targeted 50,000 BitTorrent users for legal action in federal court in Washington DC. The defendants, all Does, are accused of having downloaded independent films such as "Far Cry," "Steam Experiment," and "Uncross the Stars" without authorization. U.S. Copyright Group has recently announced that it will also be targeting unauthorized downloaders of the film "Hurt Locker." News reports suggest that the attorneys bringing these suits are not affiliated with any major entertainment companies, but are instead intent on building a lucrative business model from collecting settlements from the largest possible set of individual defendants.
The lawsuits proceed similarly to the RIAA lawsuits against unauthorized music downloaders: US Copyright Group files a copyright infringement suit in federal court in Washington DC, against thousands of Does, identified by IP address. Then it presents ISPs with the list of IPs and dates and subpoenas the billing address of the user who had that IP at that date. The ISPs then contact their customers, inform them of the subpoena, and give them an opportunity to file a motion to quash.
In the event that no motion to quash is filed, the ISP gives up the identity of the user. US Copyright Group's attorneys then contact the user and offer a settlement, usually starting at $2500.
EFF is seeking as many attorneys as possible to advise the targets of these lawsuits and, where appropriate, file motions to quash. Respondents' contact information would be added to a website that will act as a resource for the targets of these lawsuits.
If interested, please contact Rebecca Reagan at firstname.lastname@example.org with your contact information or the contact information for your firm, and the states in which you are licensed to practice law.
Social network service providers today are in a unique position. They are intermediaries and hosts to our communications, conversations and connections with loved ones, family, friends and colleagues. They have access to extremely sensitive information, including data gathered over time and from many different individuals.
Here at EFF, we've been thinking a lot recently about what specific rights a responsible social network service should provide to its users. Social network services must ensure that users have ongoing privacy and control over personal information stored with the service. Users are not just a commodity, and their rights must be respected. Innovation in social network services is important, but it must remain consistent with, rather than undermine, user privacy and control. Based on what we see today, therefore, we suggest three basic privacy-protective principles that social network users should demand:
#1: The Right to Informed Decision-Making
Users should have the right to a clear user interface that allows them to make informed choices about who sees their data and how it is used.
Users should be able to see readily who is entitled to access any particular piece of information about them, including other people, government officials, websites, applications, advertisers and advertising networks and services.
Whenever possible, a social network service should give users notice when the government or a private party uses legal or administrative processes to seek information about them, so that users have a meaningful opportunity to respond.
#2: The Right to Control
Social network services must ensure that users retain control over the use and disclosure of their data. A social network service should take only a limited license to use data for the purpose for which it was originally given to the provider. When the service wants to make a secondary use of the data, it must obtain explicit opt-in permission from the user. The right to control includes users' right to decide whether their friends may authorize the service to disclose their personal information to third-party websites and applications.
Social network services must ask their users' permission before making any change that could share new data about users, share users' data with new categories of people, or use that data in a new way. Changes like this should be "opt-in" by default, not "opt-out," meaning that users' data is not shared unless a user makes an informed decision to share it. If a social network service is adding some functionality that its users really want, then it should not have to resort to unclear or misleading interfaces to get people to use it.
#3: The Right to Leave
Users giveth, and users should have the right to taketh away.
One of the most basic ways that users can protect their privacy is by leaving a social network service that does not sufficiently protect it. Therefore, a user should have the right to delete data or her entire account from a social network service. And we mean really delete. It is not enough for a service to disable access to data while continuing to store or use it. It should be permanently eliminated from the service's servers.
Furthermore, if users decide to leave a social network service, they should be able to easily, efficiently and freely take their uploaded information away from that service and move it to a different one in a usable format. This concept, known as "data portability" or "data liberation," is fundamental to promote competition and ensure that users truly maintain control over their information, even if they sever their relationship with a particular service.
The Electronic Frontier Foundation (EFF) has added thousands of never-before-seen records to its online collection of documents obtained through the Freedom of Information Act (FOIA). The treasure trove of government records, now up to date and posted on our website in its entirety, is the result of almost 200 FOIA requests and over a dozen lawsuits.
The document collection now includes for the first time:
The results show that the overwhelming majority of Internet users could be uniquely fingerprinted and tracked using only the configuration and version information that their browsers make available to websites. These types of system information should be regarded as identifying, in much the same way that cookies, IP addresses, and supercookies are.
In our analysis of anonymized data from around half a million distinct browsers, 84% had unique configurations. Among browsers that had Flash or Java installed, 94% were unique, and only 1% had fingerprints that were seen more than twice. However, our experiment only studied a limited number of variables, and the companies that offer specialized fingerprinting services are likely to use a wider and therefore more powerful range of measurements.
While almost all browsers are uniquely fingerprintable, there were four special categories that were comparatively resistant to fingerprinting:
Those that use TorButton, which successfully anticipated and defended against many fingerprinting measurements.
Mobile devices like Androids and iPhones (unfortunately, these devices tend not to have good interfaces for controlling cookies, and so may be trackable by that method)
Corporate desktop machines that are precise clones of one another (Such systems appeared to constitute around 3-4% of the visitors to Panopticlick; unfortunately, there are some fingerprinting techniques like CPU clock skew measurement which would work against these systems. Commercial fingerprinting services employ those techniques).
Ultimately, browser developers will need to take the lead in defending their users against this particularly troublesome form of tracking. That won't be easy, but our article includes a number of recommendations about how to start.
Today, San Mateo County Superior Court Judge Clifford Cretan ordered the release of the previously-sealed warrant affidavit that led to the search of Gizmodo editor Jason Chen’s house. As expected, the affidavit confirmed that there was no legal basis for the search.
The search warrant affidavit does indeed allege that Jason Chen committed three crimes: receipt of stolen property (California Penal Code section 496(a)), theft (California Penal Code section 499c(b)(3)), and “maliciously damaging the property of another” (California Penal Code section 594(b)(1)). Whether Chen will even be charged with such crimes, let alone convicted, remains to be seen. But as we have repeatedly pointed out, the warranted search and seizure of Chen’s property was still illegal.
In his recent article titled "iPhone, Gizmodo, and Moral Clarity About Crime," Rutgers law professor Stuart Green argued that the decision to seek a warrant was justified and that critics who question this decision must be confused, misguided, or "legally mistaken." Professor Green flatly misstated the law. Contrary to his assertion, there is no “specific exemption” to what Green refers to as the California reporter’s shield law “when the police are looking for evidence that the journalists … themselves committed crimes.” Moreover, the shield law itself, which is a testimonial privilege that protects journalists who refuse to testify about sources and unpublished information, is not directly relevant to the Chen raid at all.
Instead, the applicable statute is California Penal Code section 1524(g), which categorically prohibits the issuance of warrants for “unpublished information obtained or prepared in gathering, receiving or processing of information for communication to the public.” This is a limitation on the warrant process itself and does not affect the potential legal liability of a journalist-suspect. Contrary to the assertions of Professor Green, George Washington University Law School Professor Jonathan Turley, and others, it contains no exemption, specific or otherwise, that limits its reach.
The California Supreme Court has said that the reporter’s testimonial privilege might give way in very limited circumstances, such as when another constitutional right (like a defendant’s right to a fair trial) comes into play. No such right is implicated here. And in any event, the California Supreme Court has never second-guessed the California legislature’s judgment in passing the Penal Code section at issue here. Nor is it likely to, since the protection provided by 1524(g) was specifically enacted to limit the ability of law enforcement to search journalists pursuant to a search warrant, a protection that the U.S. Supreme Court held was not found in the U.S. Constitution.
The protections afforded to Chen by the California Penal Code will likely not affect the potential prosecution of any crime here. The police already know the identity of the person who purportedly found the phone and passed it on to Gizmodo. The allegedly stolen phone was returned to Apple before the raid. Moreover, the police also have Gizmodo’s detailed video analysis of the iPhone prototype, which would likely come in handy as evidence at any eventual trial. What the police will lose, if Chen’s attorneys choose to press the issue, is the information that they illegally seized. The police could then try to subpoena a small subset of this information from Chen directly. (Recall that all of Chen's computers and all of the data on them were seized in the raid.) The issuance of a subpoena would allow Chen and Gizmodo to challenge the validity of the district attorney’s legal position, a far different posture than the one Chen found himself in after armed police officers bashed in his door.
San Mateo prosecutors are predictably circling the wagons to defend the raid. The D.A. agreed to halt any search of Chen’s computers while he evaluates the implication of California legal protections for journalists, conceding that such a post-raid analysis is “unusual.” This concession speaks volumes about how much thought went into this raid before it took place. It should also give pause to commentators who have ignored the extent of the legal ramifications triggered by the search and instead rushed to the defense of the police, confusing a desire to force the police to comply with the law with an attack on the enforceability of trade secret or copyright law.
Opposition to the police raid of Jason Chen’s home has nothing to do with misplaced support for a scrappy underdog or an affinity for schoolyard conceptions of right and wrong. Objections to overreaching police power are rooted in both a dedication to free speech and freedom of the press and in a fealty to the rule of law. The relevant legal question in the Chen matter is whether the police obtained a warrant for “unpublished information obtained or prepared in gathering, receiving or processing of information for communication to the public.” Obviously, they did. If critics believe that police should be able to execute warrants to seize unpublished notes and other data held by journalists – and I would urge them to think through the ramifications of such a decision – then the proper course is to lobby the legislature for such a change to the very clear statute that is now in place, not to pretend that the law already supports their position.
About a year ago, Facebook suffered a tremendous consumer backlash over its changes to the Terms of Service. To quell the uproar, Facebook introduced a set of Principles. Through a "Facebook site governance" vote, users voted on whether these Principles should serve as the "foundation for governing the site." At the time, the company trumpeted the success of the vote, by which about 75% of voters selected the new Facebook Principles: "We strongly believe that our proposed documents satisfied the concerns raised in February." As Facebook explains, the Principles are "the foundation of the rights and responsibilities of those within the Facebook Service." A year later, the foundation is cracking.
Now Facebook flatly contradicts its own stated Principles. The contradictions are clearly shown in Facebook's widely panned response to New York Times readers' questions on the social network's brave new privacy practices. A reader asked Elliot Schrage, Facebook's vice president for public policy, the key question: "Why can’t I control my own information anymore?"
The answer should have been easy. Facebook's Principles declare:
People should have the freedom to decide with whom they will share their information, and to set privacy controls to protect those choices.
Instead of saying "Sorry, we'll fix it," Facebook's response was dismissive. The company said that "Joining Facebook is a conscious choice" and more bluntly, "If you’re not comfortable sharing, don’t." It's Facebook's way or the highway. Schrage lists the information that Facebook requires to be public information, focusing on how people choose to submit this information and make connections instead of Facebook's choice to remove privacy controls.
Another reader asked "Why not simply set everything up for opt-in rather than opt-out?" Facebook's answer was a strange exercise in Newspeak - "Everything is opt-in on Facebook. Participating in the service is a choice." In Facebook's view, simply by signing up for the Facebook service, one has opted in to whatever sharing it later desires — even if you are one of the over 300 million users who joined before the switch to "public information" without privacy controls. Facebook is going to share the information it deems public, and you're supposed to Like it.
This is not the freedom of choice that Facebook's previously vaunted Principles declare. The "foundation for governing" Facebook does not speak of control as the choice whether to share information, but with whom. Facebook's promises speak of protecting users with privacy controls, not withholding the information.
Facebook's Principles also declare that "Every Person should be able to use the Facebook Service regardless of his or her level of participation or contribution." Now Facebook suggests that the users who aren't willing to play ball must leave.
Of course, as Facebook explains in response to another question, if you decide to leave by deactivating your account, information is saved in case you decide to reactivate later. Even if you delete your Facebook account, you have to wait 14 days and even then Messages and Wall posts remain. The Facebook Principles are much clearer: Users have the right to "take [their data] with them anywhere they want, including removing it from the Facebook Service." Again Facebook is not living up to its promises.
These promises are important. These are the reassurances that helped people decide whether to trust Facebook with their information. They should not be discarded lightly, with glib quips like "Please don’t share if you’re not comfortable." If Facebook truly believes that its users "should have the freedom to share whatever information they want," it must enable that sharing by making people comfortable.
Facebook wrote these Principles and designed them to not only reassure its users, but to give itself wiggle room for the future. It is a carefully drafted document, and Facebook has no excuse not to live up to the minimum standards it set out for itself. If Facebook wants to regain the trust of its users, following its own principles would be a good place to start.
At any hour of the day or night, millions of people around the globe are engrossed in multiplayer online games, questing and battling to win virtual "gold," jewels, and precious artifacts. Meanwhile, others seek to exploit this vast shadow economy, running electronic sweatshops in the world's poorest countries, where countless "gold farmers," bound to their work by abusive contracts and physical threats, harvest virtual treasure for their employers to sell to First World gamers who are willing to spend real money to skip straight to higher-level gameplay.
Mala is a brilliant 15-year-old from rural India whose leadership skills in virtual combat have earned her the title of "General Robotwalla." In Shenzhen, heart of China's industrial boom, Matthew is defying his former bosses to build his own successful gold-farming team. Leonard, who calls himself Wei-Dong, lives in Southern California, but spends his nights fighting virtual battles alongside his buddies in Asia, a world away. All of these young people, and more, will become entangled with the mysterious young woman called Big Sister Nor, who will use her experience, her knowledge of history, and her connections with real-world organizers to build them into a movement that can challenge the status quo.
If you're in San Francisco, come support EFF and hear a great contemporary science fiction author read from his latest work!
Should US and European law enforcement agencies be given unrestricted access to commercial and travel transactions from individuals around the world without judicial oversight? That was the question on the table in a heated debate in the European Parliament this week.
In the early years of the so-called “War On Terror”, the US government created a number of secret programs that granted it and its agents sweeping new global surveillance powers. In particular, the US Treasury Department has sought and been given access to financial information held by the SWIFT network to find and track down individuals suspected of terrorism as part of its Terrorism Finance Tracking Program. Another agreement requires all airlines flying to the US to provide the Department of Homeland Security with full electronic access to detailed personal information on all passengers, in the form of Passenger Name Records (PNRs).
Europeans have long been arguing that handing over this information to US law enforcement agencies violates privacy rights protected by European legislation. But when the Lisbon Treaty and the European Charter of Fundamental Rights entered into force at the end of 2009, personal data protection was greatly strengthened in Europe. In addition, the European Parliament now has a crucial right to give or withhold consent to these international data-sharing agreements. This year, the European Parliament has used its new powers to demand that the European Commission and European Council address serious data protection, privacy and due process concerns.
Read on to hear more about the debate in European Parliament.
No Financial Data Sharing Agreement
On the financial data transfer agreements, yesterday the Parliament adopted a resolution stating that indiscriminate bulk data transfers bypass EU legislation. Members of Parliament also demanded that any possible future agreement guarantee European citizens the same rights as US citizens in the event of an abuse of the data; currently only US citizens and permanent residents can claim rights under the US Privacy Act - EU citizens have no redress. The Parliament has also demanded access to any documents that demonstrate the actual need for these agreements.
SWIFT is a banking network, headquartered in Brussels, that routes financial data between 8,300 financial institutions in over 208 countries. There have been several previous SWIFT interim agreements, all of which have ignored existing legal safeguards against government abuse of citizens' data. This was the primary reason why the European Parliament rejected the latest interim-agreement last February. These accords allow US law enforcement agencies to access citizens' financial data held by the SWIFT network with complete immunity, bypassing court-approved warrants or subpoenas required to examine specific transactions. As Dutch MEP Jeanine Hennis-Plasschaert said, "with the proposed [rejected] interim-agreement we, instead, rely on broad administrative subpoenas for millions of records of European citizens".
No Travelers' Passenger Records Agreement
On the Passenger Name Records (PNR) accord, the European Parliament yesterday decided to postpone its vote to approve or reject the agreement until a standard Passenger Name Record file model is devised that meets Parliament's demands regarding data protection. The Parliament Resolution calls for any future PNR agreement to be created as a binding international treaty. The Resolution further demanded appropriate mechanisms for independent review, judicial oversight and democratic control. The interim PNR agreement requires all airlines flying to the US to provide the Department of Homeland Security with full electronic access to detailed personal information on all passengers.
Between 2004 and 2007, three consecutive agreements between the US Department of Homeland Security and the Council of the European Union were negotiated, over the objections of the European Parliament. In 2004, the European Court of Justice annulled the 2004 agreement on the basis of a complaint made by the European Parliament. The 2007 PNR agreement required 19 categories of data to be collected, stored and disclosed to US law enforcement authorities. As European lawmakers said, "PNR data, which was originally collected for commercial purposes, is increasingly being used to combat crime."
While the European Parliament is now playing an important role in calling for information on the need for these agreements, and plans to scrutinize the agreements to see whether they’re limited to law enforcement purposes (and not for instance, for copyright enforcement), by comparison, the US Congress currently plays no role in oversight of their negotiation.
So where does all of this leave citizens who are concerned about this massive government effort to collect, use, and disclose their personal data, without judicial oversight? There is growing recognition that legally enforceable data protection standards and legal safeguards against intrusive warrantless electronic surveillance of private information are needed.
These privacy protection concepts are embodied in Article 17 of the International Covenant on Civil and Political Rights, the most important international treaty that protects the right to privacy. In analyzing Article 17, the UN Special Rapporteur has highlighted the erosion of the right to privacy in the fight against terrorism. In his 2009 annual report, he emphasized "the need for a comprehensive data protection and privacy law that creates limits on the use, storage, and disclosure of the information, and that they have a right to access and redress, regardless of nationality and jurisdiction."