EFF Press Release Archives

Press Releases: February 2012

February 28, 2012

Firefox Browser Extension Detects and Notifies Users of Encryption Weaknesses

San Francisco - The Electronic Frontier Foundation (EFF) launched the 2.0 version of HTTPS Everywhere for the Firefox browser today, including an important new update that warns users about web security holes.

The "Decentralized SSL Observatory" is an optional feature that detects encryption weaknesses and notifies users when they are visiting a website with a security vulnerability – flagging potential risk for sites that are vulnerable to eavesdropping or "man in the middle" attacks.

"In recent weeks, an unexpected weakness in the encryption used by many routers, firewalls and VPN devices made big news," said EFF Technology Projects Director Peter Eckersley. "The new version of HTTPS Everywhere for Firefox will let users know when they connect to a website or device that has a security problem – including weak key problems like the ones that were disclosed two weeks ago – giving people the information they need to protect themselves."

The HTTPS Everywhere browser extension has already been installed more than a million times since it was first launched in 2010 in collaboration with the Tor Project. HTTPS Everywhere helps secure web use by encrypting connections to more than 1,400 websites, using carefully crafted rules to switch sites from HTTP to HTTPS whenever possible, increasing your security and privacy. Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking.

"EFF and the Tor Project created HTTPS Everywhere to make it easier for people to keep their usernames, passwords, and browser histories secure and private. Now, the 2.0 release also gives Internet users more information about deeper security problems they couldn't spot on their own," said Eckersley. "This is an extra level of protection that we encourage Firefox users to download, install, and use."

The user interface for HTTPS Everywhere for Firefox has now been translated into 12 languages, as browser security is critical in countries around the world.

Also available today is a beta version of HTTPS Everywhere for the Chrome browser. The Chrome release includes the increased encryption features available in the Firefox version, but it does not yet notify users of weak key vulnerabilities and other certificate problems.

To download or update HTTPS Everywhere:
https://www.eff.org/https-everywhere

Contact:

Peter Eckersley
   Technology Projects Director
   Electronic Frontier Foundation
   pde@eff.org

February 24, 2012

Privilege Against Self-Incrimination Applies to Act of Decrypting Data

San Francisco - A federal appeals court has found a Florida man's constitutional rights were violated when he was imprisoned for refusing to decrypt data on several devices. This is the first time an appellate court has ruled the 5th Amendment protects against forced decryption – a major victory for constitutional rights in the digital age.

In this case, titled United States v. Doe, FBI agents seized two laptops and five external hard drives from a man they were investigating but were unable to access encrypted data they believed was stored on the devices via an encryption program called TrueCrypt. When a grand jury ordered the man to produce the unencrypted contents of the drives, he invoked his Fifth Amendment privilege against self-incrimination and refused to do so. The court held him in contempt and sent him to jail.

The Electronic Frontier Foundation (EFF) filed an amicus brief under seal, arguing that the man had a valid Fifth Amendment privilege against self-incrimination, and that the government's attempt to force him to decrypt the data was unconstitutional. The 11th U.S. Circuit Court of Appeals agreed, ruling that the act of decrypting data is testimonial and therefore protected by the Fifth Amendment. Furthermore, the government's limited offer of immunity in this case was insufficient to protect his constitutional right, because it did not extend to the government's use of the decrypted data as evidence against him in a prosecution.

"The government's attempt to force this man to decrypt his data put him in the Catch-22 the 5th Amendment was designed to prevent – having to choose between self-incrimination or risking contempt of court," said EFF Senior Staff Attorney Marcia Hofmann. "We're pleased the appeals court recognized the important constitutional issues at stake here, and we hope this ruling will discourage the government from using abusive grand jury subpoenas to try to expose data people choose to protect with encryption."

A similar court battle is ongoing in Colorado, where a woman named Ramona Fricosu has been ordered by the court to decrypt the contents of a laptop seized in an investigation into fraudulent real estate transactions. EFF also filed a friend of the court brief in that case, arguing that Fricosu was being forced to become a witness against herself. An appeals court recently rejected her appeal, and she has been ordered to decrypt the information this month.

"As we move into an increasingly digital world, we're seeing more and more questions about how our constitutional rights play out with regards to the technology we use every day," said EFF Staff Attorney Hanni Fakhoury. "This is a case where the appeals court got it right – protecting the 5th Amendment privilege against self-incrimination."

John Doe was represented by Chet Kaufman of the Federal Public Defender's Office in Tallahassee.

For the full court ruling:
https://www.eff.org/document/opinion

Contacts:

Marcia Hofmann
   Senior Staff Attorney
   Electronic Frontier Foundation
   marcia@eff.org

Hanni Fakhoury
   Staff Attorney
   Electronic Frontier Foundation
   hanni@eff.org

February 24, 2012

Federal Law and First Amendment Protect Criticism of Attorneys and Law Firms

San Francisco - The Electronic Frontier Foundation (EFF) has filed suit in federal court to block threats aimed at LawyerRatingz.com, a website that allows Internet users to write comments and rate attorneys.

A Florida law firm – the Law Offices of Adrian Philip Thomas, P.A. – claims to have lost business based upon negative ratings and reviews posted on LawyerRatingz.com, which included complaints about Mr. Thomas, his billing rates, and his proposed contingency fees. The firm repeatedly threatened legal action against LawyerRatingz.com unless all comments – positive or negative – were removed from the site. LawyerRatingz.com, represented by EFF, filed suit Wednesday against Thomas and his firm, asking for a judicial ruling that LawyerRatingz.com is not legally responsible for material posted by third parties as well as an end to the baseless legal threats.

"Mr. Thomas's claims are meritless and run afoul of bedrock legal principles protecting website operators," said EFF Senior Staff Attorney Matt Zimmerman. "Section 230 of the Communications Decency Act categorically protects providers of 'interactive computer services' from suits such as this one seeking to make them responsible for the speech of their users. Without such protections, valuable sites like LawyerRatingz.com – or Facebook or Yelp or individual blogs that rely upon user comments – simply could not exist."

This is the latest example of legal threats issued to website operators that imply heightened reputational rights on behalf of professionals, such as doctors and lawyers, and demanding that critical reviews be removed. In a 2011 case, a California dentist sued review site Yelp, seeking to hold it responsible for critical reviews posted by a former patient. The case was ultimately dismissed and the dentist was forced to pay the reviewer's and Yelp's attorneys' fees. A website developed by Santa Clara and Berkeley law schools, DoctoredReviews.com, documents efforts by doctors to prohibit critical reviews of their care. In the declaratory relief suit filed Wednesday, LawyerRatingz.com argues that complaints about third party posts have to be taken up with reviewers themselves.

"CDA 230 plainly provides legal protection against these kinds of threats, but small website operators are nonetheless coerced by meritless demands that would ordinarily be too expensive to litigate," Zimmerman said. "Given the critical role played by intermediaries such as LawyerRatingz.com in providing platforms for Internet users to express their views, it is important to give force to those protections and encourage website operators to fight against baseless claims like these."

For the full complaint:
https://www.eff.org/document/complaint-6

Contact:

Matt Zimmerman
   Senior Staff Attorney
   Electronic Frontier Foundation
   mattz@eff.org

February 22, 2012

Copyright Lawsuit Threatened Essential Tool for Engineers Around the World

San Francisco - The Electronic Frontier Foundation (EFF) is pleased to announce that a copyright lawsuit threatening an important database of time zone information has been dismissed. The astrology software company that filed the lawsuit, Astrolabe, has also apologized and agreed to a 'covenant not to sue' going forward, which will help protect the database from future baseless legal actions and disruptions.

Software engineers around the world depend on the time zone database to make sure that time-stamps for email and other files work correctly no matter where you are. However, last September, Astrolabe filed a lawsuit against Arthur David Olson and Paul Eggert – the researchers who coordinated the database's development for decades – because the database includes information from an atlas in which Astrolabe claimed to own copyright. But facts – like what time the sun rises – are not copyrightable. EFF, along with co-counsel Adam Kessel and Olivia Nguyen at the Boston office of Fish & Richardson P.C., promptly signed on to defend Olson and Eggert and protect this essential tool. In January, EFF advised Astrolabe that Olson and Eggert would move for sanctions if Astrolabe did not withdraw its complaint. Today's dismissal followed.

In a statement, Astrolabe said, "Astrolabe's lawsuit against Mr. Olson and Mr. Eggert was based on a flawed understanding of the law. We now recognize that historical facts are no one's property and, accordingly, are withdrawing our Complaint. We deeply regret the disruption that our lawsuit caused for the volunteers who maintain the TZ database, and for Internet users."

"It's a fundamental principle of copyright law that facts are not copyrightable, and Astrolabe should have known that," said EFF Intellectual Property Director Corynne McSherry. "While the lawsuit should never have been filed, we're pleased that the legal threat to an important resource has been eliminated."

"We are grateful that EFF and its co-counsel at Fish & Richardson were able to step in and assist us, so that we could help ensure the TZ database would continue to be available," said Eggert and Olson.

For more on this case:
https://www.eff.org/cases/astrolabe-v-olson

Contacts:

Corynne McSherry
   Intellectual Property Director
   Electronic Frontier Foundation
   corynne@eff.org

Mitch Stoltz
   Staff Attorney
   Electronic Frontier Foundation
   mitch@eff.org

February 10, 2012

Users Beware: Many Sites Have Serious Security Holes

San Francisco - Millions of people use Internet dating sites to search for love and connection every day, but it could come at a big cost for their privacy and security. The Electronic Frontier Foundation (EFF) has found that many services are taking shortcuts in safeguarding users' profiles and other sensitive data.

In "Six Heartbreaking Truths About Online Dating Privacy," EFF identifies serious security holes and counter-intuitive privacy settings that could expose daters' private information. For example, your dating profile – including your photo – can hang around long after you think you've taken yourself off the market. Some sites are also sucking up the vast quantity of data their users share and selling it to online marketers. If you aren't careful, your profile can also be indexed by Google, perhaps popping up in search results if you have an unusual nickname or other unique ways of describing yourself.

"Whether you signed up on a lark or maintained an active profile for years, you may be exposing more information about yourself than you know," said EFF Activism Director Rainey Reitman. "There are a number of ways your online dating profile can be connected to your real identity, exposing things like religious and political beliefs, drug and alcohol use, and sexual preferences. That's why we created this list of the biggest risks, and included some simple tips for online daters who want to protect themselves."

As part of its campaign to raise awareness about the privacy and security risks on popular online dating sites, EFF analyzed the security practices of eight major sites. Many of the most popular sites, like eHarmony and Match.com, don't offer secure access through HTTPS by default, and OkCupid doesn't provide HTTPS access at all. That means every OkCupid username, email, chat session, search, and page viewed are all transmitted in plaintext instead of in encrypted form.

"OkCupid says it can limit who sees your profile – for example, users who identify as gay or bisexual may opt out of being seen by straight people," said EFF Senior Staff Technologist Seth Schoen. "But without HTTPS, the fact that you identify as gay and don't want to be seen by some groups is sent in plaintext, making it easy for someone with the right skills to uncover it. Major sites like Twitter and Facebook have implemented HTTPS recently to protect their users. But dating sites like OkCupid are sadly lagging behind."

Six Heartbreaking Truths About Online Dating Privacy:
https://www.eff.org/deeplinks/2012/02/six-heartbreaking-truths-about-online-dating-privacy

Comparing Privacy and Security Practices on Online Dating Sites:
https://www.eff.org/deeplinks/2012/02/comparing-privacy-and-security-online-dating-sites

Tell OkCupid to Protect Users' Privacy:
https://www.eff.org/deeplinks/2012/02/hey-okcupid-how-about-some-ssl-love

Contacts:

Rainey Reitman
   Activist
   Electronic Frontier Foundation
   rainey@eff.org

Seth Schoen
   Senior Staff Technologist
   Electronic Frontier Foundation
   seth@eff.org

February 10, 2012

Staggering Financial Penalty for Sharing 24 Songs Is Unreasonable, Unpredictable, and Hurts Innovation

San Francisco - The Electronic Frontier Foundation (EFF) and a coalition of libraries and public interest groups have asked an appeals court to affirm the downsized copyright damage award in Capitol v. Thomas-Rasset – the first individual file-sharing case to go to trial.

Juries in this long-running case have come up with different damage awards against Jammie Thomas-Rasset for sharing 24 songs: one for $220,000 and then, when the case was retried, another for a staggering $1.5 million. Last year, a federal judge reduced the award to $54,000, calling the jury's verdict "so severe and oppressive as to be wholly disproportioned to the offense and obviously unreasonable." However, Capitol Records did not agree and appealed the judge's ruling to the 8th U.S. Circuit Court of Appeals.

In an amicus brief in support of Thomas-Rasset filed today, EFF explains that statutory damage awards must pass constitutional due process review. Without that review, damages are incredibly unpredictable and can discourage reasonable uses of copyrighted material that involve any legal risk.

"Copyright law should encourage innovation, creativity and the dissemination of information," said EFF Intellectual Property Director Corynne McSherry. "But fear of crushing liability if you guess wrong about whether a court will decide you are protected by fair use can chill experimentation and the creation of new consumer products and services. We don't know what will be the next YouTube, Spotify, or Pandora – and we'll never know if creators of technology are scared away from developing new ideas."

EFF also asked the court to affirm the district court's rejection of Capitol's "making available" theory, which claims that a person legally "distributes" a work if she simply makes it available to the public.

"The Copyright Act is very clear: a work isn't 'distributed' unless someone actually downloads it," said EFF Fellow Michael Barclay. "In essence, the labels want the courts to give them a pass on proving a crucial part of their case."

EFF's brief was joined by the Internet Archive, the Association of Research Libraries, the Association of College and Research Libraries, the American Library Association, and Public Knowledge.

For the full amicus brief in Capitol v. Thomas-Rasset:
https://www.eff.org/document/amicus-brief-8th-circuit-court-appeals

Contacts:

Corynne McSherry
   Intellectual Property Director
   Electronic Frontier Foundation
   corynne@eff.org

Michael Barclay
   Fellow
   Electronic Frontier Foundation
   michael@eff.org

February 2, 2012

EFF Formally Requests Retention of Materials Stored on Megaupload’s Services

San Francisco - The Electronic Frontier Foundation (EFF) today formally requested the preservation of the data seized when the U.S. government shut down Megaupload.com and related sites, notifying the court and attorneys involved in the case that Megaupload's innocent users deserve a fair process to control and retrieve their lawful material.

"The government knows that Megaupload had many customers who followed the law. Yet it gave those users no notice that their data was at risk and no information about how they might be able to eventually get that data back," said EFF Staff Attorney Julie Samuels. "Our client, and the many other innocent Megaupload users, are entitled to a clear process for obtaining access to their own property, and the first step is to make sure that property is not deleted or damaged until the court can sort this out."

Instead of assisting the innocents caught up in the seizure, the U.S. government summarily announced this week that it had finished its examination of Megaupload's servers and announced that the companies that owned those servers – Carpathia and Cogent – were free to delete the contents. The government even stated that deletions could start as soon as February 2, leaving innocent users with very little time to protect themselves. Thankfully, both hosting services have agreed not to destroy users' data for the time being, and it appears that Megaupload is trying in good faith to help users get access. But there is still no clear path for customers to get their content back.

"Megaupload's innocent users are entitled to access their property," said EFF Legal Director Cindy Cohn. "We hope that everyone involved can work together to comply with the law and ensure basic fairness to the millions of people who have done nothing wrong."

This week, Carpathia Hosting and EFF announced that Carpathia created a website at www.megaretrieval.com so that Megaupload’s lawful customers could contact EFF and provide information about the scope of the issue and the material made unavailable by the seizure. If you are one of these users, are based in the United States, and are looking for legal help retrieving your data, please email your contact information to megauploadmissing@eff.org.

For the full letter sent to the court:
https://www.eff.org/document/letter-court

For more on this case:
https://www.eff.org/cases/megaupload-data-seizure

Contacts:

Julie Samuels
   Staff Attorney
   Electronic Frontier Foundation
   julie@eff.org

Cindy Cohn
   Legal Director
   Electronic Frontier Foundation
   cindy@eff.org
