EFF: Updates

Subscribe to EFF: Updates feed
EFF's Deeplinks Blog: Noteworthy news from around the internet
Updated: 1 hour 52 min ago

Local Communities Can Inject Desperately Needed Competition in the ISP Market

Thu, 01/25/2018 - 2:18pm

Last year we witnessed the elimination of critical privacy and network neutrality protections in the broadband market. But these moves would be less dangerous if we were able to vote with our wallets, and choose a provider that respected our privacy and didn’t engage in unfair data discrimination. Unfortunately, most of us have only one choice for high-speed Internet; if Comcast behaves badly we can complain but we can’t hit them where it really hurts by switching to someone else.

The good news: communities across the country are trying to fix that by developing their own community broadband networks. And some members of Congress trying to help. Led by Congresswoman Eshoo, Congress recently introduced HR 4814, the Community Broadband Act of 2018, to empower local citizens to explore community broadband as a means to induce competition and lower prices. In particular, the bill tackles barriers raised by laws in more than 20 states that prevent local communities from building their own networks.

If the bill passes, it could clear the way for an explosion of new experimentation. While not all community broadband effort have flourished several markets that have embraced community broadband options have succeeded in offering faster and cheaper broadband access. For example, Chattanooga, Tennessee long ago deployed a community broadband network from their local utility after the found they were being left behind in the digital age. Today, the people of that city pay $70 a month for symmetrical gigabit service, which is comparable to many Google Fiber markets. And while it may not make sense in every community, denying people the opportunity to explore the option in its entirety effectively green lights the local monopoly to engage in anti-consumer conduct.

In EFF’s own backyard of San Francisco, the local government is actively exploring building out its own fiber optic platform for all comers to sell broadband access to its citizens, and has proactively committed to supporting network neutrality and user privacy. The city’s feasibility and economic analysis estimates it can make high speed broadband available to all of its residents and affordable for all income levels. If successful, it could be a model for many other major cities.

Community broadband might not be a household term yet, but then neither was “net neutrality” just a few years ago. We’re thrilled to see lawmakers, city officials and ordinary citizens taking up the cause. Community broadband isn’t a complete solution to the FCC decision to abandon its role in protecting net neutrality, or Congress’ outrageous decision to gut consumer privacy, but it’s a good start.

Could Platform Safe Harbors Save the NAFTA Talks?

Tue, 01/23/2018 - 6:18pm

As the sixth round of talks over a modernized North American Free Trade Agreement (NAFTA) kicks off in Montreal, Canada, this week, EFF has joined with 15 other organizations and 39 academic experts to send the negotiators an open letter [PDF] about the importance of platform safe harbor rules, a topic that has been proposed for the deal's Digital Trade chapter. The proposed rules, which are based on S47 U.S.C. section 230, a provision of the Communications Decency Act ("CDA 230"), would require that Internet intermediaries—whether giants like Facebook, or just your neighbour with an open Wi-Fi hotspot—can't be held liable for most speech of their users.

Usually our arguments for such strong platform safe harbor protections  (which the letter refers to as intermediary immunity) center around how these support users' freedom of expression, by preventing would-be censors and critics from shutting down the platforms that host user speech. But as trade negotiators are not particularly receptive to human rights arguments, instead our joint letter focuses on the economic arguments for platform safe harbors, which are also compelling:

First, intermediary immunity facilitates the development of effective reputation systems that strengthen markets. Reputation systems improve buyer trust and encourage vendors to compete on quality as well as price. Online, consumer review services and other wisdom-of-the-crowds feedback mechanisms have emerged that have no offline equivalent. However, online reputation systems require liability immunity to function properly. Otherwise, vendors can easily suppress truthful negative information via litigation threats. Immunity keeps that information online so that it can benefit consumers.

Second, intermediary immunity lowers the barriers to launch new online services predicated on third party content, making those markets more competitive. Without immunity, new entrants face business-ending liability exposure from day one; and they must make expensive upfront investments to mitigate that risk. Immunity lowers entrants’ capital requirements and the riskiness of their investments, leading to more new entrants seeking to disrupt incumbents. This helps prevent the market from ossifying at a small number of incumbent giants.

The difficulty with the inclusion of Section 230 style safe harbors in NAFTA is that it would either require Canada and Mexico to change their law, or it would require the provision to be watered down in order to become compatible with their existing law—which would make its inclusion pointless. Therefore, the first option is the better one. For Canada, in particular, strengthening legal protection for Internet platforms could help roll back the precedent set in the Google v. Equustek case, in which the Canadian Supreme Court required Google to globally de-index a website that purportedly infringed Canadian trade secret rights.

Although changing Canadian law to strengthen platform safe harbors would be a significant step, there are certainly even tougher issues pending in the NAFTA negotiations, such as dispute resolution, government procurement, and America's demand for a five-year sunset clause. Moreover, Canada is asking a lot of the United States, too; having this month filed a broad-ranging World Trade Organization (WTO) complaint [PDF] against the United States alleging that the latter is flouting WTO rules in the way that it imposes tariffs and duties on other countries. In that context, reaching an agreement on platform safe harbors could become an olive branch to bring the countries closer to an overall deal.

Exporting Section 230 to Mexico and Canada isn't the only reason to advocate for its inclusion in a modernized NAFTA. This negotiation comes at a time when Section 230 stands under threat in the United States, currently from the SESTA and FOSTA proposals, which could escalate into demands that platforms also assume greater responsibility for other types of content. As uncomfortable as we are with the lack of openness of trade negotiations, baking Section 230 into NAFTA may be the best opportunity we have to protect it domestically.

Officially, this is the second-last round of NAFTA talks that has been scheduled, although it seems next to impossible that the talks could be resolved in the next round. The two more likely scenarios are either that President Trump will notify the other parties that the U.S. is withdrawing from the existing NAFTA, or that additional rounds of negotiation will be scheduled after the Mexican general elections in July. Extending the negotiation would also leave more time for negotiators to begin to engage meaningfully with the public about platform safe harbors and other digital policy issues, which they have failed to do to date.

Frankly, we don't think that trade agreements are the right place to be negotiating rules for the Internet, and we'd rather that a Digital Trade chapter wasn't being negotiated at all, without significant reforms to the transparency and openness of the negotiations. But if a Digital Trade chapter in NAFTA is inevitable, which seems to be the case, the better outcome for users is for broad platform safe harbor rules to be a part of that deal—both to protect users and innovators in the United States, and to ensure that the same level of protection applies North and South of the border.

Support Community Control of Spy Tech in Berkeley

Tue, 01/23/2018 - 11:00am

Not long ago we wrote about our support for the City of Berkeley’s proposed Surveillance Technology Use and Community Safety Ordinance. In the time since, conversations like those already underway in the Police Review Commission, Peace and Justice Commission, and Disaster and Fire Safety Commission have continued with city agencies and residents.

Having been sculpted through these conversations and the recommendations of members of the Berkeley community, this ordinance represents the civil rights and civil liberties values of the people of the City of Berkeley.

To inform the City Council as they consider this ordinance, Berkeley residents may submit written comments on its adoption through an online forum. In addition, community members are encouraged to email the City Council directly.

Take Action


As we stated in our letter of support submitted to the Berkeley City Council by EFF and more than a dozen local groups and national civil rights organizations:

The ordinance is straightforward: it requires essential community control, transparency, and accountability for all surveillance technology proposals, and it ensures the public has the opportunity to learn about the civil rights and civil liberties impact of surveillance technologies before city agencies acquire them.

With the adoption of this bill, the power to decide whether these invasive spying technologies are acquired, and how they are utilized, will be protected from unilateral decisions by agency executives, and instead placed in the hands of elected City Council members. More importantly, all residents will be provided an opportunity to comment on proposed surveillance technologies before representatives decide whether to adopt them.

EFF Asks California Supreme Court to Defuse a Time Bomb That Could Harm Anonymous Speech

Mon, 01/22/2018 - 7:40pm

In recent months, we’ve seen worrying decisions in state and federal courts that weaken the First Amendment protection for anonymous speech. Last week, EFF called on the California Supreme Court to limit the impact of one these decisions, Yelp v. Superior Court.

The Yelp case involves a defamation lawsuit brought by an accountant who claims that an anonymous Yelp reviewer defamed him and his business. Last year, a California court of appeal found that Yelp had to turn over information identifying the anonymous user because the plaintiff had a plausible case of defamation. As we wrote then, the court applied a test that failed to give full weight to the First Amendment. We predicted that the Yelp decision was a time bomb that “could invite a fresh wave of lawsuits against anonymous speakers that are designed to harass or intimidate anonymous speakers rather than vindicate actual legal grievances.” 

Our prediction may be coming true: Yelp told the California Supreme Court that it is already involved in another case where a defamation plaintiff is trying to reveal an anonymous reviewer without any evidence at all. 

To limit the damage from the 2017 decision, Yelp is asking the California Supreme Court to “depublish” the part of the opinion that invites baseless defamation lawsuits against anonymous speakers. Depublication means that the decision cannot be relied on by future courts.

EFF filed our own letter supporting the depublication request and calling attention other attempts to harass anonymous speakers. We hope the California Supreme Court agrees.


Google’s Advanced Protection Program Offers Security Options For High-Risk Users

Mon, 01/22/2018 - 11:25am

Security is not a one-size-fits-all proposition, and features that are prohibitively inconvenient for some could be critical for others. For most users, standard account security settings options are sufficient protection against common threats. But for the small minority of users who might be targeted individually—like journalists, policy makers, campaign staff, activists, people with abusive exes, or victims of stalking—standard security options won’t cut it.

For those users, Google recently added the option to add stronger protections to personal Google accounts with the Advanced Protection Program. Advanced Protection is a big step in the right direction to provide different levels of protection for different people, and other companies and platforms should follow suit.

An account with Advanced Protection turned on will change in three main ways. First, when you sign in, you’ll need to use a physical security key in addition to your password. Advanced Protection also requires you to have a second back-up key on hand. Second, you’ll only be able to use Gmail and other Google services on the Chrome browser, and third-party apps won’t be able to access your Gmail or Google Drive. And third, if you ever get locked out of your account, regaining access will take more time and require more types of identity verification. Respectively, these measures protect against phishing, malicious apps that try to trick you into granting them excessive permissions, and attackers who try to use the account recovery process to take over your account.

This adds up to the best option available to individuals who want to give their personal Google accounts the highest level of security without needing technical expertise or deep pockets.

Of course, Advanced Protection comes with significant trade-offs and limitations. Starting to use Advanced Protection requires two security keys and some set-up time. For people not used to carrying around and keeping track of security keys, that can pose an inconvenience when signing in. And once signed in, users who rely on non-Google apps or clients to use their Gmail or Google Calendar will lose some of that functionality. This is especially the case for Mac and iPhone users: since native Apple applications do not currently support two-factor authentication with security keys, iOS users will have to take arduous extra steps to make sure their apps and contacts are set up. Finally, if you ever lose your security keys or forget your password, the lengthy account recovery process will lock you out of your account for days. Expect the specifics to change, however, as Google updates the program’s protections and functionality going forward.

By definition, Advanced Protection won’t be for everyone. Using it means accepting more inconvenience in exchange for higher security. But if an account breach could threaten your reputation, career, or even your life, it is an option worth considering. If you turn on Advanced Protection on and it turns out to not be the right fit, it can be turned off at any time.

EFF Asks Ninth Circuit Appeals Court To Strengthen Privacy Protections Of Smart Phones At The Border

Fri, 01/19/2018 - 6:20pm
Warrantless Border Searches of Phones, Laptops, Are Unconstitutional

San Diego, California—The Electronic Frontier Foundation (EFF) urged the U.S. Ninth Circuit Court of Appeals to require federal agents to obtain a warrant before conducting highly intrusive searches of electronic devices at the border by requiring federal agents to obtain a warrant if they want to access the contents of travelers’ phones.

“The Ninth Circuit four years ago issued an important ruling requiring officials to show they have reasonable suspicion of criminal activity to forensically search digital devices. While that was an improvement over the government’s prior practice of conducting suspicionless searches, the court didn’t go far enough,” said EFF Staff Attorney Sophia Cope. “We are now asking the Ninth Circuit to bar warrantless device searches at the border.”

“Our electronic devices contain texts, emails, photos, contact lists, work documents, and other communications that reveal intimate details of our private lives. Our privacy interests in this material is tremendous. Requiring a warrant is a critical step in making sure our Fourth Amendment protections survive into the digital age,” said Cope.

The Ninth Circuit is being asked to throw out evidence obtained through a warrantless forensic search of the defendant’s cell phone at the U.S.-Mexico border in southern California. The case, U.S. v. Cano, is a drug prosecution and the first before the Ninth Circuit since the U.S. Supreme Court ruled that because devices hold “the privacies of life,” police need a warrant to search the phones of people who are arrested.

In an amicus brief filed today in U.S. v. Cano, EFF urged the court to recognize that people traveling through our international borders deserve the same privacy protections that the Supreme Court has extended to arrestees. The Ninth Circuit’s rulings apply to states in the west and southwest, several of whom share borders with Mexico and Canada,

Warrantless border searches of luggage have been allowed under an exception to the Fourth Amendment for routine immigration and customs enforcement. But since digital devices provide so much more highly personal, private information than what is traditionally carried in a suitcase, agents should be required to show a judge that they have probable cause to believe that the device contains evidence of a violation of the immigration or customs laws, EFF said in the brief.

Digital device searches at the border have more than tripled since the inauguration of President Trump. This increase, along with the increasing number of people who carry these devices while traveling, has highlighted the need for stronger privacy rights while crossing the U.S. border. Last year, EFF and ACLU filed a lawsuit in Boston against the federal government on behalf of 11 travelers whose smartphones and other electronic devices were searched without a warrant at the U.S. border.

“Digital devices differ wildly from luggage and other physical items a person carries across the border,” said EFF Senior Staff Attorney Adam Schwartz. “Now is the time to apply the full force of constitutional privacy protections to digital devices.”

For the brief:

For more on privacy at the border:

Contact:  SophiaCopeStaff Attorneysophia@eff.org AdamSchwartzSenior Staff Attorneyadam@eff.org

Dark Caracal: Good News and Bad News

Fri, 01/19/2018 - 2:14pm

Yesterday, EFF and Lookout announced a new report, Dark Caracal, that uncovers a new, global malware espionage campaign. One aspect of that campaign was the use of malicious, fake apps to impersonate legitimate popular apps like Signal and WhatsApp. Some readers had questions about what this means for them. This blog post is here to answer those questions and dive further into the Dark Caracal report.

First, the good news: Dark Caracal does not mean that Signal or WhatsApp themselves are compromised in any way. It only means that attackers found new, insidious ways to create and distribute fake Android versions of them. (iOS is not affected.) If you downloaded your apps from Google’s official app store, Google Play, then you are almost certainly in the clear. The threat uncovered in the Dark Caracal report referred to “trojanized” apps, which are fake apps that pretend to look like real, trusted ones. These malicious spoofs often ask for excessive permissions and carry malware. Such spoofed versions of Signal and WhatsApp were involved in the Dark Caracal campaign.

The malicious actors behind Dark Caracal got these fake, malicious apps onto people’s phones by spearphishing. Several types of phishing emails directed people—including military personnel, activists, journalists, and lawyers—to go to a fake app store-like page, where fake Android apps waited. There is even evidence that, in some cases, Dark Caracal used physical access to people’s phones to install the fake apps. Again, if you downloaded your apps from the official app store, you can rest easy that this has likely not affected you.

And now the bad news: Dark Caracal has wide-reaching implications for how state-sponsored surveillance and malware works. Most people do not have to worry about this very specific threat. But for the small minority of users who may be directly targeted by nation-states or other skilled, motivated adversaries—and for the malware researchers who try to track those adversaries down—the Dark Caracal report uncovers a new infrastructure that makes it even harder to attribute attacks and malware campaigns to a particular nation or actor. More details are available in the report.

Dark Caracal is also a reminder that most modern hacking requires the unwitting participation of the user. The most dangerous thing in the online environment is not necessarily complex, headline-grabbing vulnerabilities, but well-crafted phishing messages and fake apps that trick users into handing over log-in credentials and granting excessive permissions. Keep an eye out for links, attachments, and apps pretending to be something they’re not, and make sure your friends, neighbors, and others in your community are informed too.

An Open Letter to Our Community On Congress’s Vote to Extend NSA Spying From EFF Executive Director Cindy Cohn

Thu, 01/18/2018 - 10:51pm

Dear friends,

Today, the United States Congress struck a significant blow against the basic human right to read, write, learn, and associate free of government’s prying eyes. 

Goaded by those who let fear override democratic principles, some members of Congress shuttered public debate in order to pass a bill that extends the National Security Agency’s unconstitutional Internet surveillance for six years. 

This means six more years of warrantless surveillance under Section 702 of the FISA Amendments Act. This is a long-abused law marketed as targeting foreigners abroad but which—intentionally and by design—subjects a tremendous amount of our Internet activities to government review, as they pass through key Internet checkpoints, and as they are stored by providers like Google and Facebook. Ultimately, the NSA uses Section 702 to sweep in and retain the communications of countless non-suspect Americans. 

Today’s action also means six more years of FBI access to giant databases of these NSA-collected communications, for purposes of routine domestic law enforcement that stray far from the original justification of national security. 

It didn’t have to be this way. Forward-thinking U.S. legislators from both sides of the aisle negotiated compromise bills that, while far from ideal, would have reined in some of the worst abuses of NSA surveillance powers while ensuring our intelligence agents could still do their jobs. But leadership from both Houses prevented the full Congress from considering these measures. For example, Senators were denied the opportunity to consider the USA Rights Act, and Representatives never had an opportunity to vote on the Poe-Lofgren Amendment during Thursday's floor vote. Both legislative vehicles offered sensible reforms that would have advanced the privacy of innocent American technology users. This procedural maneuvering also meant that your opportunity to make your voices heard was greatly truncated.   

While this debate took place in the halls of Washington, the ramifications are global. Millions of people around the world suffer under the NSA’s dragnet data collection. EFF fights for the rights of technology users everywhere, and our mission will not be complete until innocent users worldwide can communicate with dignity and privacy. Today Congress demonstrated its lack of regard for the human rights to privacy and association. And it shirked its duty to protect Americans’ rights under the Constitution.

We offer this response to the National Security Agency and its allies in Congress: enjoy it while you can because it won’t last. 

Today’s Congressional failure redoubles our commitment to seek justice through the courts and through the development and spread of technology that protects our privacy and security.

First, in the courts. We’ve actively litigated against NSA spying since 2005. Our flagship lawsuit against mass surveillance Jewel v. NSA is currently in discovery in the District Court, having survived multiple challenges by the government. The government even sought in October to indefinitely delay responding to demands from the court to turn over documentation of surveillance, but the court refused. Instead, they are facing a looming deadline to produce documents to the court: February 16, 2018. We’re also confronting NSA mass spying through use of the Freedom of Information Act, supporting the other cases against mass spying, and participating in the few criminal court cases where the government has admitted using evidence collected under Section 702.  

We also continue to search for new cases and arguments to challenge NSA mass spying in court—stepping up to the legal challenge of finding people who have admissible evidence that they have been surveilled and can pass the hurdle of standing that has blocked so many before. 

We aim to bring mass surveillance to the Supreme Court. By showcasing the unconstitutionality of the NSA’s collect-it-all approach to tapping the Internet, we’ll seek to end the dragnet surveillance of millions of innocent people. We know that the wheels of justice turn slowly, especially when it comes to impact litigation against the NSA, but we’re in this for the long run. 

Second, we’ll continue to harden digital platforms to make them resistant to surveillance and increase the ability of everyone to be digitally secure. We will promote widespread encryption through EFF tools like Certbot and HTTPS Everywhere, and we’ll promote the adoption of security tools through education and outreach. We’ll stand up to ongoing FBI efforts to block or deter our access to strong encryption. Together, we can make it more difficult and more costly for the NSA’s spying eyes to ensnare innocent people. And we will help technology users increase their digital security against bad actors.

Finally, we will continue to work with our allies in Congress to expose and restrain NSA surveillance. There is much to do on Capitol Hill, long before the next reauthorization debate in 2023.

Our vision is for a secure digital world, free from government surveillance and censorship. You deserve to have a private conversation online, just as you can have one offline. You deserve the right to associate and organize with others, as well as to read and research, free of government snooping. While Congress failed the American people today, EFF will not. With the support of our more than 40,000 members, we are stronger and more ready than ever to keep up this fight.

Cindy Cohn   
Executive Director
Electronic Frontier Foundation
January 16, 2018

Public domain image from Trevor Paglen

EFF to Court: Requiring Universities to Ban Anonymous Online Speech Platforms on Campus is Counterproductive and Unconstitutional

Thu, 01/18/2018 - 7:48pm

Requiring public universities to ban access to anonymous online speech platforms would undermine activism occurring on those campuses and violate the First Amendment, EFF argued in a brief filed on Thursday.

Plaintiffs in the case, Feminist Majority Foundation et al. v. University of Mary Washington, claim that university officials violated federal anti-discrimination law by not taking appropriate steps to address threats and harassment directed at students, including messages posted on the now-defunct online platform Yik Yak.

One way university officials could have prevented the harassment, according to plaintiffs, is by blocking access to Yik Yak. After a federal trial court dismissed their claims last year, the plaintiffs appealed to the U.S. Court of Appeals for the Fourth Circuit.

The lawsuit followed a request by one of the plaintiffs in the case for federal rules that would have required universities to ban access to anonymous online platforms to comply with federal law, which EFF also opposed [.pdf].

EFF agrees with the plaintiffs that online threats and harassment are a serious issue and that universities can and should do more to protect students on campus. We filed the brief in the case, however, because solutions to stopping harassment and threats at universities should not include unconstitutional bans on anonymous speech or the online platforms that permit people to speak anonymously.

In the brief [.pdf], EFF argues that plaintiffs’ “well-intentioned efforts to protect college students from harassment and threats will jeopardize their ability to advocate for equality on campuses by prohibiting them and others from using anonymous online speech platforms as a tool for broader social change.”

The brief provides several examples of the benefits anonymity provides to students and others who are advocating for social change, such as allowing students to report racism and sexual violence without fear of reprisal or to avoid surveillance.

“When advocating for equality on the basis of gender, race, and other protected statuses, both on campus and throughout the world, many university students choose to speak anonymously,” the brief argues. “This is especially true when these student activists perceive that their views are controversial with fellow students, university officials, or even local police.”

The brief also shows how beneficial anonymous online speech platforms can be to social movements because they “enrich our public discourse by disseminating important voices that might not otherwise be heard if individuals had to attach their names to them.”

Finally, the brief argues that requiring public universities to restrict anonymous speech or access to anonymous online platforms would violate the First Amendment. “The University thus could not, consistent with the First Amendment, have blocked students from communicating anonymously, whether through Yik Yak or otherwise, in order to fulfill their Title IX requirements,” the brief argues.

EFF to Supreme Court: Protect the Privacy of Cross-Border Data

Thu, 01/18/2018 - 6:50pm

The Electronic Frontier Foundation urged the Supreme Court today to hold that Microsoft cannot be forced by the U.S. government to disclose the contents of users’ emails stored on the company’s computers in Dublin, Ireland.

The stakes for user privacy in the court’s decision are extremely high. Governments around the world may feel empowered to snoop on the countless emails, chats, and other online communications that cross international boundaries if the court sides with the government.

At the center of the case, the U.S. government is attempting to overturn a Second Circuit decision holding that police cannot use U.S. warrants to compel U.S. Internet companies to disclose users’ email and digital content stored outside the United States. The appellate court reasoned that this extraterritorial application of a U.S. warrant would exceed the process Congress created — the Electronic Communications Privacy Act (ECPA) — to protect people’s privacy while allowing law enforcement access to emails. The case is titled United States v. Microsoft, and is often called “the Microsoft Ireland case.” EFF joined the ACLU, Brennan Center, Restore the Fourth, and R Street Institute to file the amicus brief with the Supreme Court.

The U.S. government’s unilateral approach to obtaining Microsoft users’ emails would bypass the international procedures that it has previously agreed to. Specifically, the U.S. has signed treaties with 65 individual countries and the European Union, called Mutual Legal Assistance Treaties (MLATs), that enable the U.S. to apply to foreign governments where evidence of a crime is located, and ask that country to assist in collecting the evidence under its own privacy laws. The countries the United States has partnered with can similarly request that the U.S. Department of Justice help them collect evidence stored in the United States. Under MLATs, foreign countries must follow the privacy rules established by U.S. law, including the requirement under the Fourth Amendment that law enforcement obtain a warrant to search and seize content. These MLATs recognize the importance of other countries’ privacy and human rights laws. Ireland has advised the U.S. Supreme Court that it believes the MLAT process is the most appropriate means for the U.S. government to obtain the emails that Microsoft stores in Ireland.

To evade using MLATs, and get around the fact that U.S. warrants typically do not have international reach, the U.S. government is arguing that a Fourth Amendment search and seizure only occurs when Microsoft, within the United States, delivers emails to officers of the U.S. government. That is simply not the case. Rather, if Microsoft copies or moves data from Ireland to the United States on demand from the U.S. government, that is a search and seizure, and it occurs abroad. As our amicus brief states:

Furthermore, the Government’s argument that such collection and copying does not “expand[ ] [Microsoft’s] authority over those emails” (id.) ignores that it does expand the government’s authority over them. A government-directed exercise of dominion over an individual’s private communications, by itself, is a Fourth Amendment seizure.

EFF has long worked to ensure the greatest privacy protection for cross-border data. In the Microsoft Ireland case, we filed amicus briefs before the district court and the appellate court. We are also fighting for privacy protections at the international level in the Council of Europe, where a  new treaty  could allow direct foreign law enforcement access to data stored in other countries’ territories.  And EFF is advocating against overbroad DOJ legislative proposals to access online content stored abroad.

We urge the Supreme Court to hold the government accountable for following the rules set by Congress, and by international treaty, when law enforcement agencies seek access to our private conversations stored outside the United States. The court is expected to decide this case during the spring 2018 term.

We thank our counsel Brett J. Williamson, Nathaniel Asher, David K. Lukmire, and Cara Gagliano of O’Melveny & Myers.

Related Cases: In re Warrant for Microsoft Email Stored in Dublin, Ireland

Happy Together Once More: The California Supreme Court and Congress Take Up The Question of Copyright in Old Music Recordings

Thu, 01/18/2018 - 3:29pm

Federal copyright law doesn’t give artists and labels the right to control most ways music recordings are played in public. That’s how FM and AM radio stations work. That’s how stores playing soothing “don’t you want to buy something?” music work. And that’s how restaurants playing music at an uncomfortably loud decibel so you can’t talk to your friends work. But because older recordings aren’t covered by these laws, some copyright holders keep trying to use them to gain more control over how their recordings are played - something they’ve never been able to do.

EFF just weighed in on one of these cases, in the California Supreme Court. In Flo & Eddie v. Pandora Media, we argued that state law, which governs sound recordings made before 1972, doesn’t include a right to control public performances of sound recordings, including radio play. If this sounds familiar, that’s because this fight has played out across the country over the past three years. The high courts of New York and Florida have already ruled that their own state laws don’t let pre-1972 copyright holders control public performances of their sound recordings.

These cases stem from a broader debate about copyright in sound recordings. Although federal copyrights in sound recordings cover reproduction and distribution, they don’t include a general right to control public performances, except for “digital audio transmissions” like Internet and satellite radio. That’s why AM and FM radio stations, and businesses like restaurants that play music, have never had to pay record labels or recording artists, nor ask their permission. (Songwriters and music publishers do get paid for public performances). But recordings made before February 15, 1972 aren’t covered by federal law at all. Instead, they fall under a patchwork of pre-digital state laws and court decisions. The labels have tried for many decades to win a performance right, but so far neither Congress nor state legislatures have created one.

The strange status of pre-1972 recordings created an opportunity for recording artists and labels to try getting from the courts what Congress has never given them: a right to control public performances. Flo & Eddie is a company owned by two members of the 1960s rock band the Turtles, famous for their hit “Happy Together.” Flo & Eddie sued Pandora and Sirius XM under state laws across the country, claiming they should not be allowed to play Turtles tracks and other pre-1972 recordings without permission and payment, even though that's what people had been doing for over 50 years.

EFF filed amicus briefs in each of these cases. We argued that copyright holders should only be given new rights when necessary to encourage new creativity. And we argued that creating those rights is a job for legislatures, not courts. We also pointed out that new rights under copyright (like the digital public performance right Congress created in 1996) are always coupled with limitations. A public performance right under state law, created by courts without the limitations and exceptions that exist in federal law, would create unpredictable legal risks for digital music services, broadcasters, and even restaurants.

Creating a patchwork of new rights through state court decisions would also make complying with copyright law complex and risky for businesses that use music. Pandora and Sirius XM, major digital music businesses with a nationwide reach, could actually win by losing this case. They have the resources and expertise to negotiate licenses with thousands of copyright holders in classic music recordings, while startups and smaller competitors may not. In fact, Sirius XM and Pandora are already making these kinds of licenses through class action settlements and private agreements. In our amicus brief, we pointed out to the California Supreme Court that uniform rules give competition a chance to thrive.

The California case is particularly worrisome, because the decision on appeal, which came from the federal courts to the state supreme court through a “certified question” process, was shockingly broad. The federal district court in Los Angeles ruled that the state “record piracy” statute covered not only public performances of sound recordings but every other right that those copyright owners could possibly have—with a single exception for artists making cover recordings. On its face, that decision seemed to eliminate the fair use defense, the first sale limitation, and other vital limits on copyright.

Since two other state high courts have already ruled that their laws don’t include a public performance right in sound recordings, we’re hopeful that California’s Supreme Court will follow suit.

A final loss for Flo & Eddie would not be the end of this story, because Congress has already taken up the pre-1972 recordings issue. A bill, the CLASSICS Act [PDF], would create a federal public performance right for those recordings, even though they are otherwise governed by state law until 2067. The new federal right would cover only “digital audio transmissions,” not traditional radio broadcasts, or playing music in restaurants and stores. And the bill explicitly applies fair use, the library and archive exceptions, and part of the Section 114 statutory license used by companies like Pandora and Sirius.

Copyright is supposed to provide an incentive for people to create new creative works. The CLASSICS Act doesn’t do that, because it doesn’t apply to new works. Rather, it takes away the public’s ability to perform decades-old, lawfully purchased recordings without permission, and gives control back to the copyright holders. Rather than benefiting the public, this bill is a subsidy to the record labels, and some artists and investors, who hold the rights in hit records from the 1960s and before.

On the other hand, this bill advances some of the goals that EFF has argued for in the Flo & Eddie lawsuits: making the law on performances of pre-1972 sound recordings uniform across the U.S., and making sure it includes robust exceptions and limitations. That will give new digital music businesses a chance to thrive, and help prevent lock-in of the current music giants.

If Congress needs to act at all, a better approach would be to put pre-1972 recordings fully under federal law, as the Copyright Office recommended in its 2011 report. Full federalization would make it easier for music businesses to operate across state lines, and reduce the risk of state-by-state legal opportunism by rightsholders like Flo & Eddie.

On the whole, the Flo & Eddie decisions and the CLASSICS Act are moving this obscure but important corner of copyright law in a positive direction. A win for Pandora in California, and amending the CLASSICS Act to add a complete federalization of copyright in sound recordings, would help even more.

Related Cases: Pre-1972 Sound Recordings State Law Copyright Litigation

California Police Chiefs Misrepresent License Plate Privacy Bill

Thu, 01/18/2018 - 3:18pm

EFF supports S.B. 712, a California bill that would allow drivers to cover their plates when they’re parked. This simple privacy measure would create an opportunity for drivers to protect sensitive information about their travel and whereabouts from mass collection by law enforcement and private data brokers.

The threat is all too real. Police agencies have surveilled Muslims by collecting plates in parking lots at mosques. Police officers have used license plates of vehicles parked at gay clubs to blackmail patrons. Anti-choice activists are trained to amass license plates of doctors and patients parked at reproductive health centers. Immigration & Customs Enforcement plans to use private license plate databases, effectively dodging state restrictions on data sharing, as it ramps up its deportation efforts. 

The California Police Chiefs Association opposes our bill. This week, its lobbyists issued a “floor alert” to state senators that misrepresents how the bill would work.

S.B. 712 Would Not Undermine Amber Alerts

Amber Alerts are designed to put the public and the police on the look-out for kidnappers and their victims based on their images and description, and in some cases their vehicles. 

In opposing S.B. 712, the police lobbyists erroneously claim: “Amber alerts don’t work if kidnappers can hide their license plate.” But the evidence does not support their claim that somehow Amber Alerts will no longer be effective.

Here are some examples of how Amber Alerts actually play out. 

November 4, 2017: A 2-month-old child in Los Angeles County was rescued after the “vehicle was seen Friday heading north on Interstate 5.”

Under S.B. 712, it would remain a crime to cover your plate while driving your vehicle. Vehicles in motion would still be visible to law enforcement. 

July 17, 2017: An 8-month-old child was rescued after “A good Samaritan pulled a car seat from the back of a car Monday after spotting a missing baby with a man who appeared to be under the influence of drugs.” 

S.B. 712 would not prevent good Samaritans from identifying a missing child. 

October 25, 2016: Solano County Sheriff patrols received an alert of a vehicle suspected of being involved in a kidnapping, but were unable to find the vehicle. Later, patrols spotted the vehicle, but the vehicle evaded them. Eventually a store clerk recognized the kidnapper and flagged down a California Highway Patrol vehicle.   

S.B. 712 would not prevent a clerk from recognizing a kidnapper based on an image.

September, 23, 2015: After an Amber Alert was issued for a 5-year-old, the alleged kidnapper—the father—called police directly and asked for assistance. 

S.B. 712 would not prevent family members suspected of kidnapping from turning themselves in.

Again, under S.B. 712, it would still be illegal to cover your plate in motion. So the bill would have zero effect on how law enforcement uses automated license plate readers to receive real-time alerts on the plates of vehicles in motion. 

S.B. 712 Would Not Help Criminals Hide Their Parked Cars 

The chiefs’ floor alert makes the dubious claim that criminal will use S.B. 712 “to park in plain sight, undetected by law enforcement.” This claim lacks merit for several reasons. 

This is illogical.

First, it’s already legal to use a tarp to cover an entire vehicle, including the plate. So anyone seeking to evade arrest while parking in plain sight already has the legal ability to cover their plate. It is actually easier for police to capture a criminal who covers just their plate, as opposed to their entire vehicle, because law enforcement would still be able to identify the make, model, and color of the vehicle. 

Second, S.B. 712 would require people who choose to cover just their plate to do so in a manner that allows law enforcement to lift the cover to inspect their plate. So if a parked vehicle matches the description of a wanted vehicle, officers can confirm their suspicions by lifting the cover. 

Third, criminals already have many illegal means of evading license plate detection. They can steal someone else’s plate, or acquire an expired plate on eBay. They can affix a reflective mask or shade over their plate. If a vehicle’s make, model, and color match an Amber Alert, a license plate cover could draw attention, while an inauthentic plate may not.

Finally, criminals already can easily and lawfully hide the plates of their parked cars from ALPR detection by parking their cars in their home garages. 

S.B. 712 Would Advance Officer Safety

The California legislature has long recognized that peace officers have an interest in protecting their privacy due to the threat of retaliation. As part of this, law enforcement personnel, and certain other state employees, are granted the ability to hide their address on DMV records

But ALPR data provides the means to undermine the confidentiality of peace officer home addresses. A private company, for example, could a run a license plate through an ALPR database to identify where that license plate parks overnight—revealing the driver’s home address. In the case of a data breach, criminal elements could also gain access to this sensitive data. 

Thus, by empowering peace officers to cover their plates when parked in front of their homes, S.B. 712 would advance officer safety. 

S.B. 712 Is Sound Law Enforcement Policy

 In sum, the police chiefs incorrectly claim that S.B. 712 would have a detrimental effect on law enforcement. 

The police chiefs also fail to recognize the evidence that ALPRs provide little or no law enforcement value. Data collected by EFF from across the state show that only .08% of vehicle plates captured by police ALPRs are connected to a crime. And of those, the overwhelming majority were for stolen vehicles and license plates. Notably, the entire San Diego Police Department had only one ALPR felony “hit” in all of 2016.  

And once again: the large portion of that data involves moving vehicles, not parked ones, and so would be unaffected by S.B. 712. For example, law enforcement would still collect information from cameras positioned along highways or on street lights. 

S.B. 712 is very simple. You’re allowed to cover your entire parked vehicle in California—including the license plate—so it stands to reason you should be able to cover just the license plate too. 

Take Action 

Tell your state senator to vote yes on S.B. 712

How License Plate Covers Would Protect Vulnerable Communities

Thu, 01/18/2018 - 1:21pm

EFF is a strong supporter of S.B. 712, a California bill that would allow vulnerable communities to cover their license plates when parked. This provides a way for individuals to protect their confidentiality when visiting sensitive locations, such as religious sites of worship, medical facilities, and social support centers.

Under current law, drivers can cover their entire vehicles, including the license plates, when parked. S.B. 712 simply says that you are allowed to cover just the plate when you are parked. This common-sense solution allows drivers to opt-out of unwanted data collection when they have reached their destinations, not unlike how installing an ad-blocker may prevent online advertisers from gathering your information. 

The threat to privacy is increasing as automated license plate readers (ALPRs) have made it easier for private companies to amass billions of records in commercial databases. This data can be used to track drivers in real time or to reveal their travel patterns and community networks. 

The danger is not hypothetical, as the examples below prove.  

Reproductive Health Services

License plate data gathered from and around reproductive health centers jeopardizes the privacy and safety of patients and health providers, and impedes access to these services. Already, anti-choice activists are trained to use license plate data to surveil patients and doctors, with one activist collecting more than 7,000 plates from facilities in Texas. As the Houston Chronicle reported:

One trainer bragged that her group not only tracked patient license plates, but also used plates to identify abortion doctors to see if they had admitting privileges at a nearby hospital, as required by law.

"We have a very sophisticated spreadsheet," said the trainer, Karen Garnett, executive director of the Catholic Pro-Life Committee, adding, "You have license plates, car model, make, description of the person."

Source: “Anti-abortion activists adopt a new tactic: tracking license plates.” Houston Chronicle, August 13, 2014

LGBTQ+ Communities 

As far back as the 1990s, license plates have been used to blackmail members of the LGBTQ community. As the Washington Post reported: 

It's quite simple as extortion goes: Trail a married man out of a gay sex club. Take his license plate number. And later threaten to expose him unless he pays hush money. 

The term "fairy shaking" needs no definition within certain circles of the D.C. police department: A few rogue cops have been doing it for years and getting away with it, several law enforcement sources said. 

Source: “Stowe’s Sudden Fall from Grace.” Washington Post, November 30, 1997  

Religious Minorities

License plate data can be used to identify visitors to religious centers, a practice that has already been deployed to spy on Muslim-Americans in New York City. As Associated Press reported:

The NYPD Intelligence Division snapped pictures and collected license plate numbers of congregants as they arrived to pray…

If the NYPD badly wanted to know who was attending the mosque, they could write down the license plates of cars in the mosque parking lots, documents show. In some instances, police in unmarked cars outfitted with electronic license plate readers would drive down the street and record the plates of everyone parked near the mosque.

Source: “With cameras, informants, NYPD eyed mosques.” Associated Press.  February 23, 2012

Immigrant Communities 

Immigration & Customs Enforcement subscribes to a commercial database containing billions of ALPR data points collected by a private company.  This system allows a user to create alerts for targeted vehicles, allowing for real-time tracking of drivers.

ICE law enforcement personnel will query the LPR database using known license plate numbers associated with the aliens who are immigration enforcement priorities, based on investigative leads, to determine where and when the vehicle has traveled within a specified period of time. The results of the queries can assist in identifying the location of aliens who are immigration enforcement priorities… 

Source: “Access to License Plate Reader Commercial Data Service.” FBO.gov. April 2, 2015

License Plate Covers as a Solution

S.B. 712 would help protect the privacy of a driver by allowing them to cover their plate when they are lawfully parked. 

S.B. 712 would not prevent all forms of ALPR collection. For example, S.B. 712 would not prevent ALPRs from collecting plate data while a vehicle is in motion. Furthermore, S.B. 712 would allow law enforcement to inspect a covered license plate by lifting the flap, just as the current law allows police to inspect the license plate of a vehicle covered entirely by a tarp. 

What S.B. 712 does achieve is an important privacy protection: allowing the driver to protect the confidentiality of their destinations, be it their doctor’s office, house of worship, or their home. 

EFF to Court: Linking Is Not Copyright Infringement

Thu, 01/18/2018 - 12:58pm
Playboy Lawsuit Against Boing Boing Should Be Dismissed

Los Angeles, California—Playboy Entertainment's lawsuit accusing acclaimed website Boing Boing of copyright infringement—for doing nothing more than reporting on a historical collection of Playboy centerfolds—is groundless and should be thrown out, the Electronic Frontier Foundation (EFF) told a federal court today.

As EFF and co-counsel Durie Tangri LLP explain in a request to dismiss the lawsuit filed on behalf of Boing Boing owner Happy Mutants LLC, Playboy’s copyright claim seeks to punish Boing Boing for commenting on and linking to an archive of Playboy “playmate” centerfold images that a third party posted. The blog contained links to an imgur.com page and YouTube video—neither of which were created by Boing Boing. But courts have long recognized that simply linking to content on the web isn’t unlawful.

“Boing Boing didn’t upload, publish, host, or store any images that Playboy owns, didn’t control the images, and didn’t contribute to the infringement of any Playboy copyrights,” said EFF Legal Director Corynne McSherry. “It’s frankly mystifying that an entertainment company that has often fought to defend free speech rights  is trying to punish Boing Boing for doing what has made it a leading online source of news and commentary: unique and groundbreaking reporting on art, science, and popular culture.”

“Boing Boing’s reporting and commenting on the Playboy photos is protected by copyright’s fair use doctrine,” said EFF Senior Staff Attorney Daniel Nazer. “We’re asking the court to dismiss this deeply flawed lawsuit. Journalists, scientists, researchers, and everyday people on the web have the right to link to material, even copyrighted material, without having to worry about getting sued.”

For the brief:

For more on fair use:

Contact:  CorynneMcSherryLegal Directorcorynne@eff.org DanielNazerSenior Staff Attorney and Mark Cuban Chair to Eliminate Stupid Patentsdaniel@eff.org

EFF and Lookout Uncover New Malware Espionage Campaign Infecting Thousands Around the World

Thu, 01/18/2018 - 11:15am
Mobile Devices Compromised by Fake Secure Messaging Clients – Hundreds of Gigabytes of Data Stolen

San Francisco – The Electronic Frontier Foundation (EFF) and mobile security company Lookout have uncovered a new malware espionage campaign infecting thousands of people in more than 20 countries. Hundreds of gigabytes of data has been stolen, primarily through mobile devices compromised by fake secure messaging clients.

The trojanized apps, including Signal and WhatsApp, function like the legitimate apps and send and receive messages normally. However, the fake apps also allow the attackers to take photos, retrieve location information, capture audio, and more.

The threat, called Dark Caracal by EFF and Lookout researchers, may be a nation-state actor and appears to employ shared infrastructure which has been linked to other nation-state actors. In a new report, EFF and Lookout trace Dark Caracal to a building belonging to the Lebanese General Security Directorate in Beirut.

“People in the U.S., Canada, Germany, Lebanon, and France have been hit by Dark Caracal. Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos,” said EFF Director of Cybersecurity Eva Galperin. “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”

“Dark Caracal is part of a trend we’ve seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform,” said Mike Murray, Vice President of Security Intelligence at Lookout. “The Android threat we identified, as used by Dark Caracal, is one of the first globally active mobile APTs we have spoken publicly about.”

Dark Caracal has been operating since at least 2012. However, one reason it has been hard to track is the diversity of seemingly unrelated espionage campaigns originating from the same domain names. The researchers believe that Dark Caracal is only one of a number of different global attackers using this infrastructure. Over the years, Dark Caracal’s work has been repeatedly misattributed to other cybercrime groups. In fact, EFF’s Operation Manul report from 2016 misidentified espionage from these servers as coming from the Indian security company Appin.

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF Staff Technologist Cooper Quintin. “This research shows it’s not difficult to create a strategy allowing people and governments spy to on targets around the world.”

For the full report:

For more on Dark Caracal:

For more on how to avoid downloading malware:

Contact:  EvaGalperinDirector of Cybersecurityeva@eff.org CooperQuintinStaff Technologistcooperq@eff.org

Copyright, The First Wave of Internet Censorship

Thu, 01/18/2018 - 10:12am

We're taking part in Copyright Week, a series of actions and discussions supporting key principles that should guide copyright policy. Every day this week, various groups are taking on different elements of copyright law and policy, and addressing what's at stake, and what we need to do to make sure that copyright promotes creativity and innovation.

When someone wants to remove speech from the Internet, the Digital Millennium Copyright Act’s (DMCA) notice and takedown process can provide the quickest path. This has made copyright law a tempting tool for unscrupulous censors. As content companies push for even more control over what gets posted online, it’s important to remember that any tool used to police copyright will quickly be abused, then adapted, to censor speech more widely.
We’ve seen abusive DMCA takedown notices from a would-be Senate candidate, small businesses, and Ecuador’s President. We’ve also seen robots-run-amok and sending takedowns for public domain material and white noise. One disturbing trend involves businesses targeting bad reviews. The business, or a shadowy reputation management company acting on its behalf, copies the bad review and “publishes” it elsewhere on the Internet. The business then sends a DMCA takedown notice alleging infringement of the copied, and falsely backdated, review.

Other DMCA takedowns have targeted speech for its political or otherwise offensive content. Although we did not agree with the video’s message, EFF criticized a takedown directed at a video that briefly featured FCC chairman Ajit Pai doing the Harlem Shake. We had similar concerns about a game company that used the DMCA to take down a game stream after a certain YouTube “personality” uttered a racial slur. It is not copyright’s job to police speech.

Copyright as a censorship tool is not limited to the DMCA. For example, when Zillow first threatened architecture blog McMansion Hell, it claimed that the blog’s use of real estate photographs wasn’t fair use under copyright law. But the blog’s use of the photos – annotating them with humorous and critical commentary about McMansions – was a clear fair use (Zillow also didn’t own the photos). EFF responded on behalf of McMansion Hell and the blog remained.

Content owners continue to push for more powerful tools—like upload filtering or suspension of domain names—for removing online speech. While these tools are unlikely to help creators (and will entrench the position of platforms like YouTube that have already spent the money to build filtering mechanisms), they will be useful instruments for censors. The systems are designed to create a quick and easy way to make speech disappear from the Internet without any clear standards or meaningful recourse. When governments move to censor speech, the tools they use will likely have begun life as copyright filters. It is our job to keep those filters from being deployed in the first place.

How Closed Trade Deals Ratchet Up the Copyright Term Worldwide

Wed, 01/17/2018 - 1:47pm

We're taking part in Copyright Week, a series of actions and discussions supporting key principles that should guide copyright policy. Every day this week, various groups are taking on different elements of copyright law and policy, and addressing what's at stake, and what we need to do to make sure that copyright promotes creativity and innovation.

Although copyright is a subject of international law—principally the World Intellectual Property Organization (WIPO)'s Berne Convention from 1886 and its Internet Treaties from 1996—it is still implemented and enforced primarily through national laws. Those laws differ from one country to another in significant ways. One of the most significant differences is the length of the term of copyright protection, which varies from the life of the author plus 50 years (the Berne Convention's minimum requirement), up to life plus 100 years (in Mexico).

Differences in the law aren't a bug; they're a feature. Just as a country has the right to craft specific exceptions to copyright law based on its own national circumstances (for example in India, where many foreign books are not available for sale, copyright law allows public libraries to make up to three copies of such books), so too it should be able to adopt the copyright term that makes the most sense for its citizens—which in most if not all cases will be the shortest term allowed.

But because differences in copyright term make things more complicated for copyright holders, there are constant efforts by some copyright holders to try to homogenize the duration of copyright so that they can more easily enforce their copyrights worldwide—and of course, they would like them to be harmonized at the life-plus-70 year term, so that they can extract another 20 years of monopoly rents, over and above the Berne Convention's standard life-plus-50 year term. Trade agreements are one way that they are trying to achieve this. Here's how.

Trade Agreements

Like the WIPO Berne Convention, a trade agreement is essentially a treaty, but with two important differences. First, whereas WIPO treaties are negotiated with a pretty good degree of transparency and participation from users, including input from groups like EFF, library associations, and groups representing users with disabilities, trade agreements… aren't. The groups who have access to those negotiations are the cleared corporate lobbyists that staff the U.S. Trade Representative's (USTR) Trade Advisory Committees, or their equivalent advisory processes in other countries (we wrote more about this for last year's Copyright Week). Last month an EFF-led group associated with the United Nations Internet Governance Forum (IGF) issued recommendations about how trade negotiations could be made more transparent and inclusive, but this remains an ongoing battle for now.

The second big difference is that rather than dealing with a single, narrow topic like WIPO's treaties do, a trade agreement typically deals with a whole gamut of topics such as labeling standards for meat, inspections of clothing factories, and time limits for government tenders. Somehow, countries engaged in such a negotiation have to balance the value of preserving their autonomy to make their own copyright rules, against the demands of their negotiating partners—and those of their own industry lobbies—in diverse other areas. This typically results in countries trading away their locally-developed copyright rules almost as an afterthought. In a 2017 report, Australia's Productivity Commission observed:

A ‘more is better’ mindset, and poor consultation and transparency, have proven problematic in Australia’s international IP dealings. International agreements that commit Australia to implement specific IP provisions — such as the duration of patent or copyright protection — have worked against Australia’s interests. These agreements typically involve trade-offs, and keen to cut a deal, Australia has capitulated too readily.

One of the rules that is typically traded away is the extension of the copyright term. That's the one and only reason why Singapore and Chile extended their copyright terms in 2003, Australia did so in 2005, and Bahrain and Morocco did so in 2006, just to mention a few. Six of the parties to the Trans-Pacific Partnership (TPP) that had not already extended their copyright terms were a hair's breadth away from doing so until President Trump withdrew from the agreement, and with it, the imperative for them to agree to the extension fell away. In the TPP's current incarnation as the CPTPP, no copyright term extension is required.

Even as Japan was saved from being required to extend its copyright term under the TPP, it has agreed to do the same thing … with the European Union

However the threat that countries will be coerced into extending their copyright terms through closed, opaque trade agreements remains. For one thing, it's not just the United States pushing this agenda; Europe is doing so also. Tragically, even as Japan was saved from being required to extend its copyright term under the TPP, it has agreed to do the same thing under a pending trade agreement with the European Union that was released as a draft last month. Another European trade agreement currently under negotiation would require the Philippines—which is poorer than any European country—to extend its copyright term to life-plus-70 years. 

Special 301 Report

Even when the United States is not negotiating a trade agreement with another country, the USTR can still seek to influence that country's copyright law through the publication of its annual Special 301 Report. The Special 301 Report, a document with no international legal status or effect, contains a "Watch List" of countries that don't do enough to meet the United States' unilateral demands for changes to their copyright laws, with the implied threat that they may face trade retaliation if they continue refusing to do so.

In 2016, the United States added Switzerland to this Watch List, and like Swiss clockwork, a year later the country was proposing major reforms to its copyright law, including the extension of the term of protection for performances (which is strictly a "related right" rather than a copyright), from 50 to 70 years. This is the same change that Canada made in 2015, resulting in the country receiving a pat on the head in the USTR's 2016 Special 301 Report, though it still remains on the Watch List.

An Idea Whose Time Has Passed

At least three things have changed since trade agreements were first successfully used to push the life-plus-70 year bandwagon in the early 2000s. First, shortly after those agreements were negotiated, strong new evidence began to emerge from economists challenging the presumption that longer copyright terms would be linked to increased economic growth. This included a brief from 17 leading economists [PDF] in the case of Eldred v Ashcroft, which was an (ultimately unsuccessful) legal challenge to the U.S. copyright term extension law. Economists today commonly agree that a copyright term of around 14 years may have been a better choice.

Second, the unchallenged global economic dominance of the United States has steadily declined in recent decades. The economic giants of China and India, which are amongst the parties negotiating the Regional Comprehensive Economic Partnership (RCEP), are both countries that hold to the Berne life-plus-50 year term, and are unlikely to extend their copyright terms any time soon. Amongst the NAFTA negotiating parties, Canada still has a life-plus-50 year copyright term, and has expressed a firm resolve not to depart from this. Whereas once the United States might have had the clout to force Canada's hand, today it stands in a weaker position—particularly given the TPP parties' decision to excise copyright term extension from that agreement.

Third and most interestingly of all, even representatives of content producers are now having second thoughts about the desirability of long copyright terms. In a remarkable statement to Ars Technica last week, the Authors Guild reportedly expressed that it:

does not support extending the copyright term, especially since many of our members benefit from having access to a thriving and substantial public domain of older works. If anything, we would likely support a rollback to a term of life-plus-50 if it were politically feasible.

While it may not currently be politically feasible for the United States to roll back its own bloated copyright term, it is certainly feasible for it to stop attempting to force this term onto other countries through secretive trade agreements. Indeed, there are very good reasons why U.S. trade negotiators should cease wasting their political capital on an issue that even the creative sector is no longer concerned about, when they could be expending that capital on some of their other, even more contentious demands.

Copyright term extension was never a good idea. But it's a much worse idea when it's being forced upon countries that don't want it, as part and parcel of a closed, exclusionary, and lobbyist-driven trade agreement. The United States and Europe must cease demanding that their trading partners increase their copyright term, and countries receiving such demands should feel empowered to refuse them, knowing that even the creative industries are now coming around to the idea that a longer copyright term is not better.

DRM Puts the Brakes on Innovation

Tue, 01/16/2018 - 7:13pm

We're taking part in Copyright Week, a series of actions and discussions supporting key principles that should guide copyright policy. Every day this week, various groups are taking on different elements of copyright law and policy, and addressing what's at stake, and what we need to do to make sure that copyright promotes creativity and innovation.

Copyright law is slow. Whenever you hear about a case of alleged copyright infringement and you think, “What was illegal about this?” consider that the law probably came many, many years before anyone conceived of the activity it’s being used to target. Then it starts to make a little bit more sense.

Look at how U.S. copyright law treats DRM, the annoying array of methods that digital content providers use to restrict their customers’ behavior. Passed in 1998, Section 1201 of the Digital Millennium Copyright Act made it illegal to bypass DRM or give others the means of doing so. When Congress passed Section 1201, it was mostly thinking of restrictions intended to stop users from making infringing copies of music and movies. The DMCA passed well before manufacturers began putting digital locks on cars, microwaves, toilets, and every other electronic product. We’re now living in a world where it might be a crime to modify the software on your rice cooker. If that sounds absurd, that’s because it is.

You can almost forgive Congress for this mess—it didn’t know that DRM would soon crawl into every aspect of your life. On the other hand, Congress helped bring the infestation on. The DMCA encouraged manufacturers to build DRM into their products, because doing so gave them ammunition to fight people using their products in ways they didn’t approve of. Can’t compete with unauthorized repair shops? Make them illegal.

Every three years, the public can ask the Copyright Office for exceptions to some of the DMCA’s prohibitions on bypassing DRM. We earned some very important exceptions last time around, including the right to circumvent DRM for the purposes of security research and auto repair.

But the exemption process is so onerous and limited that it does not effectively protect speech and innovation. That’s why we have brought a lawsuit explaining why it and the underlying regime of Section 1201 violate the First Amendment. Not to mention that the whole ordeal of the rulemaking is exasperating. Why are we asking the government for permission to bypass DRM? Why is it illegal in the first place?

If your child’s toy is recording their voice and sending it to the manufacturer, you should be able to find out. You should be able to remove that feature or connect it to a service of your choice, one that you trust. If your car needs repairs, you should be able to do those repairs or take it to a mechanic of your choice without copyright law getting in the way.

Innovation thrives where people have broad leeway to experiment and explore. The public’s right to sell and rent videos created competition among video stores. Blockbuster dominated the market until Netflix disrupted the business model with its switch to mail-order rentals. That kind of evolution-through-competition doesn’t happen when people and businesses aren’t allowed to tinker.

That’s a shame. New innovations come from edge cases, the “aha” moments that happen when someone first tries to use a product in a way in which the manufacturer hadn’t imagined. When entrenched players can make it illegal to modify their products and devices, then those players can slow innovation to a crawl.

Community Broadband: Privacy, Access, and Local Control

Tue, 01/16/2018 - 11:42am

Communities across the United States are considering strategies to protect residents’ access to information and their right to privacy. These experiments have a long history, but a new wave of activists have been inspired to seek a local response to federal setbacks to Internet freedom, such as the FCC’s decision to roll back net neutrality protections, and Congress’ early 2017 decision to eliminate user privacy protections.

Internet service providers (ISP) have a financial incentive and the technical ability to block or slow users' access, insert their own content on the sites we visit, or give preferential treatment to websites and services with which they have financial relationships. For many years, net neutrality principles and rules, most recently cemented in the FCC’s 2015 Open Internet Order, helped prevent much of this activity. Net neutrality helped create a landscape where new ideas and services could develop without being crowded out by political pressure or prioritized fast lanes for established commercial incumbents.

One need only look to two of America’s most dominant web presences to recognize how different the world might be without these protections. Both Facebook and Google began their path to dominance as dorm room experiments. How very different would our social, family, and professional lives look today if MySpace and AltaVista had been able to pay ISPs to prioritize their traffic and throttle that of competitors, hardening the market from competition and disruption?

While proponents of rolling back net neutrality regulations would have us believe that the market will force Internet providers to assure user access, the Federal Communication Commission's 2016 Broadband Progress Report notes that 51 percent of Americans have access to only one provider of high-speed Internet. As a result, incumbent service providers have little incentive to behave well.

Having fought and won the first round in the fight for net neutrality only a few short years ago, we know that there is enormous grassroots energy behind preserving the Internet as a democratic forum of ideas and innovation. We also know that lawmakers at all levels bear a fundamental responsibility to develop policies that maintain privacy protections, guarantee free speech and expression, and reduce the digital divide. Here’s how some are meeting the responsibility.

DIY Broadband

In the executive summary of its 2010 “National Broadband Plan,” the FCC noted:

Broadband is the great infrastructure challenge of the early 21st century. Like electricity a century ago, broadband is a foundation for economic growth, job creation, global competitiveness and a better way of life. It is enabling entire new industries and unlocking vast new possibilities for existing ones. It is changing how we educate children, deliver health care, manage energy, ensure public safety, engage government, and organize and disseminate knowledge.

Already many communities throughout the country have begun infrastructure-building projects aimed at answering these concerns. Local governments, like those in Ammon, ID, Nelson County, VA, and Santa Fe, NM have invested in building out community-funded broadband programs. These programs allow for the creation of high-capacity access for residents and businesses, as well as improving the accessibility of high-speed broadband service to their least-resourced community members.

While some cities have chosen to build and operate their own broadband networks, many choose instead to focus on developing just the physical infrastructure, establishing an open access network, leasing broadband service access to private ISPs who then maintain user care, service and billing. These communities avoid the high costs that can be involved in finding customers and providing technical assistance and customer service. Instead, by substantially reducing initial costs for new-to-market ISPs, this model overcomes the most significant barrier to competition.

Monopolies have been maintained in many areas not so much because of regulatory restrictions to access but instead by the high cost of building pathways from middle-road Internet junctions to users' homes. By initially assuming these costs, and later recouping them through lease fees to ISPs and substantial savings in their own access costs, cities lay the groundwork for competitive markets; spurring competition between providers. This competition ultimately benefits the residents and business owners purchasing services from these ISPs who, sharing the same open access network, are forced to compete through improved customer care, pricing, and services.

Dig Once, Choose Wisely

Many communities have also recognized that much like roads that are maintained by a city government and used by any trucking company, taxi driver, or individual to carry out business or see to their daily needs, broadband access is a necessary resource for economic growth as well as financial and personal wellbeing. Like roads, gas lines, and municipal water, however, this can mean significant costs. “Dig Once”—a principle often called on in the planning and development of Municipal Broadband infrastructure—is the idea that as roads are repaired, and other capital improvements are made, the cable infrastructure needed to build or improve Internet infrastructure be laid as well. This coordinated development allows for significantly reduced installation costs, but also requires that the hardware being installed have the ability to keep pace with emerging technologies.

Fiber optic cables, unlike copper lines laid many years ago by telephone service providers, or coaxial lines later laid by cable television service providers, allow for almost unlimited expansion as future technologies develop. Fiber optic networks contain the primary technology capable of delivering speeds of up to 1 gigabit per second (1 Gbps), the standard in next-generation broadband. According to numerous industry experts, this will be the baseline speed in the future to allow for full access to and use of the Internet for education, health care, civic engagement, entertainment and other services. Where copper lines and coaxial cable use electricity to transmit data, fiber optic strands use pulses of light. Not only do fiber optic lines, where available, already provide monumentally better speeds than the alternatives, but fiber strands also have the additional benefit of an upper limit that is only constrained by the speed of light. As technological improvements develop, service can be upgraded by simply replacing devices at either end of the send/receive path without the need for line replacement.

Much like the baseball legends in Kevin Costner’s Field of Dreams, if you build the network the providers will come, but history has already shown us that without strong incentives private ISPs are not likely to prioritize key user needs that don’t provide for immediate commodification. It is essential that policies are implemented that maintain confidentiality and integrity as well.

Tackling the Digital Divide

Open access policies must assure that under-served communities are guaranteed the same level of service as their well-resourced neighbors and local business. Currently, 34 million Americans lack access to high-speed Internet. Studies show that this digital divide increases barriers to employment, the ability for parents to facilitate their children's education, and the ability for families to stay connected. While this may result in increased costs, they would be offset by increased economic opportunity.

Protecting Privacy

Community broadband can have a corollary benefit. By developing policies to which ISPs must adhere in order to lease access to a community-owned network, we gain the ability to mandate the manner in which user information is shared, and how access to the Internet or a specific site can or cannot be manipulated. Current regulations like those included in CalECPA, and those guaranteed through the Warshak rule, suggest baselines for responsible information policies communities should consider.

Some of these baseline policies include guarantees that ISPs:

  • Not use, disclose, sell or provide access to a customer's Personally Identifiable Information without the customer’s prior opt-in consent.
    • Including:
      • Financial
      • Health
      • Web Browsing History
      • App Usage
  • Not refuse to serve, or otherwise prioritize, customers who do not provide this consent to share their information with third parties.
  • Not offer a discount or incentive based on customer consent to having their personal information shared.
    • This type of “pay for privacy” scheme would disadvantage low-income customers.
  • Get affirmative opt-in consent for use and disclosure of anonymized data.
  • Retain the most limited data that is required for security practices.
  • Require a valid warrant before releasing data in response to legal demands.
    • Providing prior notice to users when legally permitted to do so.
    • Assertively seek legal authorization to offer notice to users.

Community broadband isn’t a panacea. We must continue the fight to stop the FCC from empowering private ISPs to box and sell pieces of the Internet like cable television packages. But the FCC’s reversal of its 2015 Open Internet Order, combined with Congress’ decision to sign away protections—that would have prevented private ISPs from selling off your personal information—has sounded the whistle that we cannot depend on Washington to prevent the erosion of our privacy, expression, and access to information. Instead, local lawmakers and their constituents must work together to get the job done—and we will.

The Public Domain Starts Growing Again Next Year, and It’s About Time

Mon, 01/15/2018 - 12:17pm

We're taking part in Copyright Week, a series of actions and discussions supporting key principles that should guide copyright policy. Every day this week, various groups are taking on different elements of copyright law and policy, and addressing what's at stake, and what we need to do to make sure that copyright promotes creativity and innovation.

Have you ever wondered how it’s possible for there to be two Jungle Book movies to be in development at the same time? Why everything seems to be based on a work by Shakespeare? Or why it always seems like someone is telling a version of The Wizard of Oz? The answer is that these works are in the public domain, meaning that copyright law no longer prevents other artists from adapting them to create new works.

One major rationale for copyright is supposedly that, by giving an exclusive set of rights to artists for their work, we incentivize creativity by making it possible for artists to benefit from releasing works to the public. But copyright protection is supposed to be limited, and once it expires, a work enters the public domain, where anyone can use it.

In the United States, the length of the copyright term has been steadily extended so that published works are effectively copyrighted for 95 years (for corporate works) or until 70 years after an author’s death (for individual works). This has resulted in a public domain that saw increasingly less materials being added to it, limiting the ability of artists to build on works that came before them. The last time Congress changed the law in the 1998 Copyright Term Extension Act, it was applied retroactively. Effectively, it meant that nothing has entered the public domain in the United States for years. January 1, 2019 will mark the end of this dry spell as works first published in 1923 will finally enter the public domain. That mean works like Cecil B. DeMille's The Ten Commandments and Universal's silent version of The Hunchback of Notre Dame, two movies released in 1923, will be eligible to join the public domain.

Writers, filmmakers, musicians, and artists wear their influences on their sleeves, and whole branches of critique is devoted to teasing them out. It’s not new. The Aeneid was Virgil playing in the universe of Homer. Recently, and infamously, Fifty Shades of Grey was originally a piece of Twilight fanfiction. The Internet speaks in the language of pop culture: GIFs, mashups, retellings, fan fiction—all find life on the Internet.

It’s not just small artists that rely on the public domain. Disney’s built an empire on making movies based on public domain fairy tales. Just last year, Disney released a live-action version of its animated take on Beauty and the Beast, a story that has been around since the 1700s. But Disney hasn’t been the best in allowing its own works to become part of the public domain. Disney is a huge beneficiary of the extended copyright term, locking down more and more famous works and worlds for its sole use.

While new technology has made it easier to make art and find audiences, the expansion of the copyright term has made it easier for huge companies to devote resources to shutting them down. And even if a new creator is in the right, by relying on such doctrines as fair use for example, they often don’t have the resources to prove it. More works in the public domain mean more works indisputably available for new artists to build on. More public domain works mean more books available for free to read, movies to watch, music to listen to. And even if that does not inspire new works, it allows new generations to rediscover works of old.

Our language is made up of references, and our art should reflect that. Creativity is enriched when the public domain is robust and easily accessed, and we look forward to finally seeing it grow once again in 2019.