The Supreme Court handed down a landmark opinion in Carpenter v. United States last week, ruling 5-4 that the Fourth Amendment protects cell phone location information. In an opinion by Chief Justice Roberts, the court recognized that location information—collected by cell providers like Sprint, AT&T, and Verizon—creates a “detailed chronicle of a person’s physical presence compiled every day, every moment over years.” As a result, police must now get a warrant before obtaining this data.
Perhaps the most significant part of the ruling is its explicit recognition that individuals can maintain an expectation of privacy in information that they provide to third parties. The court termed that a “rare” case, but it’s clear that other invasive surveillance technologies, particularly those that can track individuals through physical space, are now ripe for challenge in light of Carpenter. Expect to see much more litigation on this subject from EFF and our friends.
We’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.
Thanks to previous EFF efforts like Let's Encrypt and Certbot, as well as help from the major web browsers, we've seen significant wins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.
STARTTLS is an addition to SMTP, which allows one email server to say to the other, “I want to deliver this email to you over an encrypted communications channel.” The recipient email server can then say “Sure! Let’s negotiate an encrypted communications channel.” The two servers then set up the channel and the email is delivered securely, so that anybody listening in on their traffic only sees encrypted data. In other words, network observers gobbling up worldwide information from Internet backbone access points (like the NSA or other governments) won't be able to see the contents of messages while they’re in transit, and will need to use more targeted, low-volume methods.
STARTTLS Everywhere provides software that a sysadmin can run on an email server to automatically get a valid certificate from Let’s Encrypt. This software can also configure their email server software so that it uses STARTTLS, and presents the valid certificate to other email servers. Finally, STARTTLS Everywhere includes a “preload list” of email servers that have promised to support STARTTLS, which can help detect downgrade attacks. The net result: more secure email, and less mass surveillance.
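How a sending server can use such a list to tell "this server never offered STARTTLS" apart from "the offer was removed in transit", as an added example that is not EFF's code. The `PRELOAD` structure, the domain names and the EHLO replies are constructed for illustration and do not reproduce the project's actual list format.

```python
# Constructed stand-in for a preload list: recipient domain -> acceptable MX names.
# A leading dot means "any host under this suffix". Hypothetical format.
PRELOAD = {"example.org": {"mxs": [".mail.example.org"]}}

# Constructed EHLO replies. In STRIPPED the STARTTLS keyword was overwritten
# on the wire, so the sender never sees the offer.
NORMAL = "250-mx1.mail.example.org\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
STRIPPED = "250-mx1.mail.example.org\r\n250-SIZE 35882577\r\n250-XXXXXXXX\r\n250 8BITMIME\r\n"


def ehlo_extensions(reply):
    """Return the extension keywords advertised in a multi-line 250 EHLO reply."""
    exts = set()
    for line in reply.strip().splitlines()[1:]:  # line 1 is the greeting
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if rest.strip():
            exts.add(rest.split()[0].upper())
    return exts


def mx_allowed(mx_host, patterns):
    """Match an MX hostname against exact names or '.suffix' patterns."""
    host = mx_host.lower().rstrip(".")
    for pattern in (p.lower() for p in patterns):
        if pattern.startswith(".") and host.endswith(pattern):
            return True
        if host == pattern:
            return True
    return False


def delivery_decision(domain, mx_host, ehlo_reply, preload=PRELOAD):
    """Decide how to deliver, treating a missing STARTTLS offer from a
    listed domain as a suspected downgrade rather than falling back."""
    offers_tls = "STARTTLS" in ehlo_extensions(ehlo_reply)
    policy = preload.get(domain.lower())
    if policy is None:
        # Unlisted domain: opportunistic behaviour, no way to detect stripping.
        return "starttls" if offers_tls else "plaintext"
    if not mx_allowed(mx_host, policy["mxs"]):
        return "refuse: unexpected MX"
    if not offers_tls:
        return "refuse: possible downgrade"
    return "starttls-required"
```

The decision only covers the offer; after the handshake a sender still has to validate the certificate the server presents before treating the channel as authenticated.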
It all started when Stephanie Lenz posted a YouTube video of her then-toddler-aged son dancing while Prince’s song “Let's Go Crazy” played in the background, and Universal used copyright claims to get the link disabled. We brought the case hoping to get some clarity from the courts on a simple but important issue: can a rightsholder use the Digital Millennium Copyright Act to take down an obvious fair use, without consequence?
The U.S. Court of Appeals for the Ninth Circuit held that the DMCA requires a rightsholder to consider whether the uses she targets in a DMCA notice are actually lawful under the fair use doctrine. However, the court also held that a rightsholder’s determination on that question passes muster as long as she subjectively believes it to be true. This leads to a virtually incoherent result: a rightsholder must consider fair use, but has no incentive to actually learn what such a consideration should entail. After all, if she doesn’t know what the fair use factors are, she can’t be held liable for not applying them thoughtfully.
Thanks to the Lenz decision, courts will be more likely to think of fair use, correctly, as a crucial vehicle for achieving the real purpose of copyright law: to promote the public interest in creativity and innovation. And rightsholders are on notice: they must at least consider fair use before sending a takedown notice. After the Supreme Court denied petitions to consider the Ninth Circuit's ruling, the case returned to the district court for trial on the question of whether Universal’s takedown was a misrepresentation under the Ninth Circuit’s subjective standard. Rather than go to trial, the parties have agreed to a settlement.
Using word searches to find infringement is a bad way to go about things. It is likely why Volkswagen filed three takedown requests on art of beetles. Not Beetles with four wheels and headlights. Beetles with six legs and hard, shiny carapaces. For the record, Volkswagen holds no rights to literal bugs.
This year marks the fourth anniversary of the Supreme Court’s decision in Alice v. CLS Bank. In Alice, the court ruled that an abstract idea does not become eligible for a patent simply by being implemented on a generic computer. Now that four years have passed, we know the case’s impact: bad patents went down, and software innovation went up.
Lower courts have applied Alice to throw out a rogues’ gallery of abstract software patents. Counting both federal courts and the Patent Trial and Appeal Board, there are more than 400 decisions finding patent claims invalid under Alice. These include rulings invalidating patents on playing bingo on a computer, computerized meal plans, updating games, and many more. Some of these patents had been asserted by patent trolls dozens or even hundreds of times. A single ruling threw out 168 cases where a troll claimed that companies infringed a patent on the idea of storing and labeling information.
Browser fingerprinting is on a collision course with privacy regulations. Compared to more well-known tracking “cookies,” browser fingerprinting is trickier for users and browser extensions to combat: websites can do it without detection, and it’s very difficult to modify browsers so that they are less vulnerable to it. As cookies have become more visible and easier to block, companies have been increasingly tempted to turn to sneakier fingerprinting techniques.
But companies also have to obey the law. And for residents of the European Union, the General Data Protection Regulation (GDPR), which entered into force on May 25th, is intended to cover exactly this kind of covert data collection. The EU has also begun the process of updating its ePrivacy Directive, best known for its mandate that websites must warn you about any cookies they are using. If you’ve ever seen a message asking you to approve a site’s cookie use, that’s likely based on this earlier Europe-wide law.
This leads to a key question: Will the GDPR require companies to make fingerprinting as visible to users as the original ePrivacy Directive required them to make cookies?
The answer, in short, is yes. Where the purpose of fingerprinting is tracking people, it will constitute “personal data processing” and will be covered by the GDPR.
The Border Security and Immigration Reform Act (H.R. 6136), introduced before Congress last week, would offer immigrants a new path to citizenship in exchange for increased high tech government surveillance of citizens and immigrants alike. The bill calls for increased DNA and other biometric screening, updated automatic license plate readers, and expanded social media snooping. It also asks for 24 hours-a-day, five-days-a-week drone surveillance along the southern U.S. border.
This bill would give the U.S. Department of Homeland Security broad authority to spy on millions of individuals who live and work as far as 100 miles away from a U.S. border. It would enforce invasive biometric scans on innocent travelers, regardless of their citizenship or immigration status.
As Congress weighs different factors in the ongoing immigration debate, we urge them to look closely at the expanded high-tech surveillance provisions in this proposed package. This bill would undermine the privacy of countless law-abiding Americans and visitors, regardless of citizenship.
EFF’s efforts to fix holes in oversight of the California Law Enforcement Telecommunications System (CLETS) are paying off.
New data and records released by California Department of Justice (CADOJ) show a steep increase in the number of agencies disclosing cases of abuse of the state's network of law enforcement databases—a major victory for transparency and law enforcement accountability.
EFF has been selected as one of the exclusive non-profit partners of hack.summit() which made history for running the largest virtual developer conference of all time. As a non-profit partner, we will be receiving funds generated by ticket sales & sponsorships from the event. This year’s event, hack.summit(“blockchain”), focuses on spreading and democratizing knowledge about blockchain and cryptocurrencies to attendees around the world.
HOPE (Hackers on Planet Earth) returns to the Hotel Pennsylvania for its twelfth iteration this year, hosted by our friends at 2600. The biennial conference is one of the foremost hacker events, chock full of projects, talks, workshops, and more. We'll have a table in the vendor area, where you can stop by and become a member at a discount, and pick up our latest swag. We are gearing up to announce a New York area meetup and EFF talks as the event gets closer. More information is available here. We'll see you there!
Join representatives from EFF, Mozilla, Twitter, and more on July 17th in San Francisco for a townhall on the future of free speech, now that tech giants police communications on the Internet.
Learn more about the people defending your digital rights and why we're inspired to fight to protect them.
EFF is seeking an organized, empathetic, and analytical person with excellent communication skills to join EFF as its Intake Coordinator. The Intake Coordinator is the first point of access for legal assistance and general information about EFF for the public. You will be performing a variety of tasks from giving information about our work to referring people to both EFF staff attorneys and outside attorneys for legal assistance.
The legislative activist will focus on EFF’s work advocating for state laws that protect people’s right to privacy, free expression, and innovation, as well as advocating against laws that would undercut those rights. EFF intervenes in state legislation nationwide with a particular emphasis on the California legislature. This person will also work in other areas as needed including national campaigns and non-legislative work.
EFF is seeking a full-time Staff Technologist to work with our Browser Extensions team as the lead developer for HTTPS Everywhere.
EFF is looking to hire an experienced litigator with an unshakeable sense of justice and Fourth Amendment expertise to join our civil liberties team.
Concerned about the privacy policies of services that claim to streamline airport screening? “The biometric data concern is one tip of a very big iceberg,” said EFF’s Shahid Buttar. (KUOW)
“Painted into a corner by an unjust law,” that was never intended to be applied to whistleblowers, Reality Winner has pleaded guilty to charges under the Espionage Act. (The Intercept)
The EU's proposed Article 11 is a copyright rule that would take away Europeans’ right to freely link to their own news sites—unless they use a giant, probably American, service to do so. (Motherboard)
The EU's proposed Article 13 wouldn't just mean upload filters for websites. Your favorite game could be next. (Kotaku)
You should use encrypted messaging apps, says Lily Hay Newman. You should also be careful about how you use them. (Wired)