EFF in the News
Squirreled away in something called the Digital Millennium Copyright Act of 1998 is fine print that makes it risky to dig around under the hood of a new car and find out what makes it tick, explains Kit Walsh of the Electronic Frontier Foundation.
“The modern automobile is controlled by about 100 different computers running software created by the automakers or third parties that they contract with,” Walsh said. "And they typically will lock down that software so that you can’t even look at it, let alone modify it as a user."
That's troubling to Andrew Crocker, a staff attorney at the Electronic Frontier Foundation, who has researched the US government’s practice of buying information about software vulnerabilities. Using a Freedom of Information Act request, Mr. Crocker was able to get a copy of the government's Vulnerabilities Equities Process – the guidelines that the government and intelligence services use to acquire and deploy software vulnerabilities.
"It’s an open secret that the government uses vulnerabilities for both offensive and defensive purposes," said Crocker. "And this isn't just vulnerabilities they discover, but those they acquire from other sources."
Crocker said that the practice of buying vulnerabilities from vendors such as Zerodium presents many problems. The least of those is that buying the information has the potential to make governments complicit in allowing software vulnerabilities to fester. And, because nation-states or cybercriminals might discover the same holes, such activity may put the public at risk, he notes.
Hours after activist David Miranda revealed his proposal for the Snowden Treaty, Snowden himself addressed the Electronic Frontier Foundation's 2015 Pioneer Awards ceremony, where he was interviewed by journalist Kashmir Hill about his 2013 disclosures and the way they've changed the world.
"The fact that automakers can assert a DMCA claim against researchers is a deterrent to going in and actually looking at the code to understand what it's doing," said Kit Walsh, a staff attorney at the Electronic Frontier Foundation (EFF).
The EFF, a non-profit digital rights group, has opposed the protections for the auto industry under the DMCA, arguing that vehicle owners and others have the right to inspect the code that runs their vehicles and to allow a mechanic of their choice to do work on their cars and trucks.
Nadia Kayyali with the Electronic Frontier Foundation said “there are not a lot of spots left where there’s not some sort of private or public surveillance camera.”
"It sounds like a gold mine for ID thieves," said Jeremy Gillula, staff technologist for the Electronic Frontier Foundation, a civil liberties group focused on technology. "I'm kind of surprised that this information was never compromised."
“No amount of authentication can compensate for insecure hardware and software,” Electronic Frontier Foundation senior staff attorney Lee Tien said. “Plus, we just saw that OPM admitted something like 5.6 million fingerprints were compromised—isn’t biometric authentication wonderful?”
In the taxpayer security situation, “here, I guess the issue is face recognition—but if I can make my phone send a picture of you, is that enough?” he wondered.
“The NSA’s greatest win would be to convince people that privacy doesn’t exist,” says Danny O’Brien, international director of the US-based digital rights campaigners Electronic Frontier Foundation. “Privacy nihilism is the state of believing that: ‘If I’m doing nothing wrong, I have nothing to hide, so it doesn’t matter who’s watching me’.”
This has had an unintended effect of creating what O’Brien describes as “unintentional honeypots” of data that tempt those who want to snoop, be it malicious hackers, other corporations or states. In the past, corporations protected this data from hackers who might try to get credit card numbers (or similar) to carry out theft. However, these “honeypot” operators have realised that while they were always subject to the laws and courts of various countries, they are now also protecting their data from state security agencies. This largely came to light following the alleged hacking of Google’s Gmail by China. Edward Snowden’s revelations about the United States’ NSA and the UK’s GCHQ further proved the extent to which states were carrying out not just targeted snooping, but also mass surveillance on their own and foreign citizens.
“What we've sometimes seen is that if a company fails, their patents may be sold off in order to get money for creditors,” Vera Ranieri, a patent law staff lawyer for the Electronic Frontier Foundation, wrote me in an email. “Oftentimes the patents are sold to non-practicing entities that intend to use the patents to sue for infringement.”
"The Open Internet Order wouldn't reach this conduct because neither Cisco nor Apple are providing mass market broadband service in this scenario," said Electronic Frontier Foundation attorney Kit Walsh in an email.