You are here

EFF

Subscribe to EFF feed
EFF's Deeplinks Blog: Noteworthy news from around the internet
Updated: 8 hours 27 min ago

EFF Calls on California to End Vendor-Driven ALPR Training

Mon, 08/19/2019 - 14:09

A single surveillance vendor has garnered a monopoly on training law enforcement in California on the use of automated license plate readers (ALPRs)—a mass surveillance technology used to track the movements of drivers. After examining the course materials, EFF is now calling on the state body that oversees police standards to revoke the training certification. 

In a letter to the California Commission on Peace Officer Standards and Training (POST) sent today, EFF raises a variety of concerns related to factual accuracy of its ALPR training on legal matters. Additionally, we are concerned about the apparent conflict of interest and threat to civil liberties that occurs when a sales-driven company also provides instruction on “best practices” to police.

ALPRs are camera systems that capture license plates and character-recognition software to document the travel patterns of vehicles. The cameras are often attached to fixed locations, such as streetlights and overpasses, and to police cars, which collect data while patrolling neighborhoods. This data is uploaded to a central database that investigators can use to analyze a driver’s travel patterns, identify visitors to particular destinations, predict individuals’ locations, and track targeted vehicles in real-time. ALPR is a mass surveillance technology in the sense that the systems collect information on every driver—regardless of whether the vehicles have a nexus to a criminal investigation. 

In California, Vigilant Solutions offers ALPR training through a program it calls the “Vigilant Solutions Law Enforcement Academy,” which advertises training courses that come with free trial accounts for the company’s ALPR and face recognition platforms. Vigilant has garnered controversy due to its data-sharing contracts with ICE and its business model, which includes selling data collected with its own ALPR cameras to the private sector in addition to law enforcement. The company also has a history of requiring government agencies to sign agreements prohibiting them from talking publicly without the company’s sign-off in an effort to control media messaging. 

Vigilant claims to be the sole entity capable of providing POST-certified training on ALPR to law enforcement agencies. Through the California Public Records Act, EFF obtained copies of the training, as well as the submission materials seeking certification. These records triggered several concerns.

Most notably, the training presentation instructs police that there are no laws in California regulating the use of ALPR. While that may have been true in 2014, it has not been the case for nearly four years. In 2015, California passed a law, S.B. 34, regulating the use of ALPR systems and data collected by ALPR. These regulations include developing policies that protect civil liberties and privacy, as well as a long list of requirements related to cybersecurity and transparency. The training also does not touch on the California Values Act, a law passed in 2017 to protect California resources and data from being used in immigration enforcement. Additionally, the training module includes outdated information on case law, such as claims EFF and the ACLU lost a lawsuit over public access to ALPR data. The California Supreme Court ultimately reversed the lower court rulings outlined in the presentation. 

In emails to EFF, Vigilant has indicated that it may have updated the presentation. But if so, that version was not resubmitted for certification, as required by POST regulations, according to records obtained by EFF. POST should investigate whether Vigilant is providing its own interpretation of recent developments in law, and if so, whether that instruction serves the public interest. When a surveillance vendor offers cloud storage and sharing services, it has a profit incentive when police collect more data and share it widely. 

Troublingly, Vigilant Solutions uses the ALPR training as a platform to sell its products. The training materials are filled with promotion, such as a pitch for its ALPR databases consisting of law enforcement and commercial data, and its mobile software that comes with face recognition capabilities. By having a monopoly on ALPR trainings, Vigilant is able to promote its products and its version of the law surrounding ALPR at the expense of protecting civil liberties and privacy. 

Over the last few years, EFF has filed public records requests with hundreds of agencies throughout California and found widespread failure to comply with state law for regulating ALPR technology. These failures necessitate an examination of whether agencies are being properly trained on the use of ALPR. So far, EFF’s research has led the legislature to order the California State Auditor to initiate a statewide investigation into the use of ALPR, including deep audits of entities using Vigilant’s products. In this case, EFF urges POST to initiate the decertification proceeding for the Vigilant course and encourages law enforcement agencies to seek alternatives to Vigilant’s training.

Related Cases: Automated License Plate Readers (ALPR)

A Cycle of Renewal, Broken: How Big Tech and Big Media Abuse Copyright Law to Slay Competition

Mon, 08/19/2019 - 10:12

As long we've had electronic mass media, audiences and creators have benefited from periods of technological upheaval that force old gatekeepers to compete with brash newcomers with new ideas about what constitutes acceptable culture and art. Those newcomers eventually became gatekeepers themselves, who then faced their own crop of revolutionaries. But today, the cycle is broken: as media, telecoms, and tech have all grown concentrated, the markets have become winner-take-all clashes among titans who seek to dominate our culture, our discourse and our communications.

How did the cycle end? Can we bring it back? To understand the answers to these questions, we need to consider how the cycle worked — back when it was still working.

How Things Used to Work

In 1950, a television salesman named Robert Tarlton put together a consortium of TV merchants in the town of Lansford, Pennsylvania to erect an antenna tall enough to pull down signals from Philadelphia, about 90 miles to the southeast. The antenna connected to a web of cables that the consortium strung up and down the streets of Lansford, bringing big-city TV to their customers — and making TV ownership for Lansfordites far more attractive. Though hobbyists had been jury-rigging their own "community antenna television" networks since 1948, no one had ever tried to go into business with such an operation. The first commercial cable TV company was born.

The rise of cable over the following years kicked off decades of political controversy over whether the cable operators should be allowed to stay in business, seeing as they were retransmitting broadcast signals without payment or permission and collecting money for the service. Broadcasters took a dim view of people using their signals without permission, which is a little rich, given that the broadcasting industry itself owed its existence to the ability to play sound recordings over the air without permission or payment.

The FCC brokered a series of compromises in the years that followed, coming up with complex rules governing which signals a cable operator could retransmit, which ones they must retransmit, and how much all this would cost. The end result was a second way to get TV, one that made peace with—and grew alongside—broadcasters, eventually coming to dominate how we get cable TV in our homes.

By 1976, cable and broadcasters joined forces to fight a new technology: home video recorders, starting with Sony's Betamax recorders. In the eyes of the cable operators, broadcasters, and movie studios, these were as illegitimate as the playing of records over the air had been, or as retransmitting those broadcasts over cable had been. Lawsuits over the VCR continued for the next eight years. In 1984, the Supreme Court finally weighed in, legalizing the VCR, and finding that new technologies were not illegal under copyright law if they were "capable of substantial noninfringing uses."

It's hard to imagine how controversial the VCR was in its day. MPAA president Jack Valenti made history by attending a congressional hearing where he thundered ,"I say to you that the VCR is to the American film producer and the American public as the Boston Strangler is to the woman home alone."

Despite that unequivocal condemnation, home recording is so normal today that your cable operator likely offers to bundle a digital recorder with your subscription. Just as the record companies made peace with broadcasters, and broadcasters made peace with cable, cable has made its peace with home recording.

It's easy to imagine that this is the general cycle of technology: a new technology comes along and rudely shoulders its way into the marketplace, pouring the old wine of the old guard into its shiny new bottles. The old guard insist that these brash newcomers are mere criminals, and demand justice.

The public flocks to the new technology, and, before you know it, the old guard and the newcomers are toasting one another at banquets and getting ready to sue the next vulgarian who has the temerity to enter their market and pour their old wine into even newer bottles.

That's how it used to work, but the cycle has been interrupted.

The Cycle is Broken

In 1998, Congress passed the Digital Millennium Copyright Act, whose Section 1201 bans bypassing a "technical measure" that “controls access” to copyrighted works. The statute does not make an exemption for people who need to bypass a copyright lock to do something legal, so traditional acts of "adversarial interoperability" (making a new thing that plugs into an old thing without asking for permission) can be headed off before they even get started. Once a company adds a digital lock to its products, it can scare away other companies that want to give it the broadcasters vs records/cable vs broadcasters/VCRs vs cable treatment. These challengers will have to overcome their fear that "trafficking” in a “circumvention device" could trigger DMCA 1201's civil damages or even criminal penalties—$500,000 and 5 years in prison...for a first offense.

When companies like Sony made the first analog TV recorders, they focused on what their customer wanted, not what the winners of last year's technological battle thought was proper. That's how we got VCRs that could record off the air or cable (so you could record any show, even major Hollywood movies getting their first broadcast airing) and that allowed recordings made on one VCR to be played on another recorder (so you could bring that movie over to a friend's house to watch with a bowl of popcorn).

Today's digital video products are different. Cable TV, satellite TV, DVDs/HD DVDs/Blu-Ray, and streaming services all use digital locks that scramble their videos. This allows them to threaten any would-be adversarial interoperators with legal reprisals under DMCA 1201, should they have the temerity to make a user-focused recorder for their products. That stifles a lot of common-sense ideas: for example, a recorder that works on all the programs your cable delivers (even pay-per-views and blockbusters); a recorder that lets you store the Christmas videos that Netflix and Amazon Prime take out of rotation at Christmastime so that you have to pay an upcharge to watch them when they're most relevant; or a recorder that lets you record a video and take it over to a friend's house or transfer it to an archival drive so you can be sure you can watch it ten years (or even ten minutes from now.

Since the first record players, every generation of entertainment technology has been overtaken by a new generation—a generation that allowed new artists to find new audiences, a new generation that overturned the biases and preconceptions of the executives that controlled the industry and allowed for new modes of expression and new ideas.

Today, as markets concentrate—cable, telecoms, movie studios, and tech platforms—the competition is shifting from the short-lived drive to produce the best TV possible to a long-term strategy of figuring out how to use a few successful shows to sell bundles of mediocre ones.

In a world where the cycle that led to the rise of cable and streaming was still in effect, you could record your favorite shows before they were locked behind a rival's paywalls. You could search all the streaming services' catalogs from a single interface and figure out how to make your dollar go farther by automatically assembling a mix of one-off payments and subscriptions. You could stream the videos your home devices received to your phone while you were on the road...and more.

And just as last year's pirates — the broadcasters, the cable operators, the VCR makers — became this year's admirals, the companies that got their start by making new services that centered your satisfaction instead of the goodwill of the entrenched industries would someday grow to be tomorrow's Goliaths, facing a new army of Davids.

Fatalistic explanations for the unchecked rise of today's monopolized markets—things like network effects and first-mover advantage—are not the whole story. They are not unstoppable forces of nature. The cycle of concentration and renewal in media-tech shows us that, whatever role the forces of first-mover advantage and network effects are playing in market concentration, they are abetted by some badly written and oft-abused legal rules.

DMCA 1201 let companies declare certain kinds of competition illegal: adversarial interoperability, one of the most historically tried-and-true methods for challenging dominant companies, can be made into a crime simply by designing products so that connecting to them requires you to bypass a copyright lock. Since DMCA 1201 bans this "circumvention," it also bans any competition that requires circumvention.

That's why we're challenging DMCA 1201 in court: we don't think that companies should be able to make up their own laws, because inevitably, these turn into "Felony Contempt of Business Model."

DMCA 1201 is just one of the laws and policies that have created the thicket that would-be adversarial interoperators run up against when they seek to upend the established hierarchy: software patents, overreaching license agreements, and theories of tortious interference with contractual relations are all so broadly worded and interpreted that they can be used to intimidate would-be competitors no matter how exciting their products are and no matter how big the market for them would be.

Victory! California Supreme Court Blocks Sweeping Search Condition of Minors’ Electronic Devices and Social Media Accounts

Thu, 08/15/2019 - 19:10

The California Supreme Court just rejected the government’s attempt to require a youth probationer, as a condition of release, to submit to random searches of his electronic devices and social media accounts. The trial court had imposed the condition because the judge believed teenagers “typically will brag” about drug use on the Internet—even though there was no evidence that the minor in this case, Ricardo P., had ever used any electronic devices in connection with any drugs or illegal activity, let alone ever previously bragged about drug use online.

EFF and the ACLU filed an amicus brief in the case back in 2016, warning that the search condition imposed here was highly invasive, unconstitutional, and in violation of the California Supreme Court’s own standard for probation conditions—which requires that search conditions be “reasonably related to future criminality.” We also warned of the far-reaching privacy implications of allowing courts to impose such broad electronic search conditions. We’re pleased that the California Supreme Court heeded our warnings and recognized the substantial burden this “sweeping probation condition” imposed on Ricardo’s privacy.

The court recognized that the probation condition would give Ricardo’s probation officers “full access, day or night, not only to his social media accounts but also to the contents of his e-mails, text messages, and search histories, all photographs and videos stored on his devices, as well as any other data accessible using electronic devices, which could include anything from banking information to private health or financial information to dating profiles.” And by allowing remote access to Ricardo’s online accounts, the condition would potentially allow his probation officers to monitor his communications in real time. According to the court:

“If we were to find this record sufficient to sustain the probation condition at issue, it is difficult to conceive of any case in which a comparable condition could not be imposed, especially given the constant and pervasive use of electronic devices and social media by juveniles today.”   

The court noted, for example, that if it were to hold—as the California Attorney General argued—that any search condition facilitating supervision of probationers was “reasonably related to future criminality,” it might be obligated to uphold “a condition mandating that probationers wear 24-hour body cameras or permit a probation officer to accompany them at all times.”

This is a critical ruling. The search condition imposed in this case was not unique, but one that many juvenile probationers have been subject to in California in recent years, under the same unsupported reasoning that the trial judge offered here. The California Supreme Court’s decision not only resolves a split in the lower courts regarding the legality of such probation conditions, but it sends a clear message: probation conditions that have “a very heavy burden on privacy with a very limited justification” are not entitled to deference.

We applaud the California Supreme Court for recognizing the serious privacy invasion imposed by the search condition issued in this case and for striking down the condition as invalid.

Trailblazing Tech Scholar danah boyd, Groundbreaking Cyberpunk Author William Gibson, and Influential Surveillance Fighters Oakland Privacy Win EFF’s Pioneer Awards

Thu, 08/15/2019 - 16:18
‘Savage Builds’ Star and Maker Advocate Adam Savage to Keynote September 12th Ceremony

San Francisco – The Electronic Frontier Foundation (EFF) is honored to announce the winners of its 2019 Pioneer Awards: trailblazing tech scholar danah boyd, groundbreaking cyberpunk author William Gibson, and the influential surveillance-fighting group Oakland Privacy. The ceremony will be held September 12th in San Francisco.

The keynote speaker for this year’s awards will be “Savage Builds” and Tested.com star—and all-around advocate for makers—Adam Savage. Tickets for the Pioneer Awards are $65 for current EFF members, or $75 for non-members.

danah boyd has consistently been one of the world’s smartest researchers, thinkers, and writers about how technology impacts society, especially for teens and young people. Currently, boyd is focused on detecting and mitigating vulnerabilities in sociotechnical systems. To better understand these vulnerabilities, boyd has been examining the challenges surrounding the 2020 U.S. CensusIn 2013, boyd created Data & Society, an independent nonprofit research institute that is committed to identifying thorny problems at the intersection of technology, culture, and community, and advances understanding of the implications of data technologies and automation. danah’s most recent books—“It’s Complicated: The Social Lives of Networked Teens” and “Participatory Culture in a Networked Age”—examine the intersection of everyday life and social media, and have helped families around the world navigate technologies like Facebook, Twitter, YouTube, and Instagram. In addition to her work as a partner researcher at Data & Society, boyd is also Principal Researcher at Microsoft Research and a Visiting Professor at New York University.

William Gibson coined the term “cyberspace.” Neuromancer, his first novel, won the Hugo Award, the Nebula Award, and the Philip K. Dick Award in 1984, and is a groundbreaking portrayal of an unforgiving high-tech future with heroes that are thoroughly flawed human beings who nonetheless resist corporate power by seizing the means of computation. His work presents an incisive look at how technology shapes identity, with sharp, prescient depictions of everything from reality TV to wearable computers. Gibson's canon includes such New York Times bestsellers as the Sprawl trilogy, the Bridge trilogy, the Blue Ant trilogy, and The Peripheral. Gibson’s newest novel, Agency, will be published in January of 2020.

Oakland Privacy is the group behind many influential anti-surveillance fights in Oakland, California and beyond. Oakland Privacy was born in 2013 when activists discovered a Homeland Security project called the Domain Awareness Center (DAC). DAC was meant to be an Oakland-wide surveillance gauntlet—with cameras, microphones, license plate readers—and a local data center to put it all together. But after Oakland Privacy led a ten-month campaign of opposition, the DAC was finally cancelled. Later, Oakland Privacy was one of the primary organizations behind the Oakland City Council’s creation of the first municipal privacy commission in the country, and then continued to be instrumental in bolstering opposition to surveillance around the San Francisco Bay Area and across the United States. For example, Oakland Privacy helped develop a comprehensive surveillance transparency regulatory law mandating use policies, civil rights impact reports, and annual audits, and pushed for its passage in multiple jurisdictions. The model is now in use in three Bay Area cities and other jurisdictions like Seattle, Nashville, and Cambridge, Massachusetts. Most recently, Oakland Privacy successfully worked to ban facial recognition in San Francisco and Oakland—two of the three cities in the country to enact such a ban.

The Pioneer Award winners will be awarded a “Barlow,” a statuette named after EFF’s late co-founder John Perry Barlow and the indelible mark he left on digital rights.

“John Perry Barlow knew that you had to visualize the future of technology—both the promise and the perils—in order to create the world we want. All of our winners this year have done just that,” said EFF Executive Director Cindy Cohn. “I’m so proud to be honoring these bold thinkers and brave activists.”

Awarded every year since 1992, EFF’s Pioneer Awards recognize the leaders who are extending freedom and innovation on the electronic frontier. Previous honorees have included Vint Cerf, Mitchell Baker and the Mozilla Foundation, Aaron Swartz, and Chelsea Manning.

Sponsors of the 2019 Pioneer Awards include Dropbox, O'Reilly Media, Matthew Prince, Medium, Ridder, Costa & Johnston LLP, and Ron Reed.

For tickets and event details:
https://supporters.eff.org/civicrm/event/register?id=230&reset=1

For more on the Pioneer Awards:
https://www.eff.org/awards/pioneer/2019

Contact:  RebeccaJeschkeMedia Relations Director and Digital Rights Analystpress@eff.org

EFF se suma a organizaciones de América Latina que se oponen a la acusación de Ola Bini

Tue, 08/13/2019 - 20:22

Este lunes se cumple el cuarto mes de procesamiento de Ola Bini, el desarrollador de código abierto que se encuentra, actualmente, bajo investigación por parte de las autoridades ecuatorianas. Los fiscales todavía no han revelado ninguna prueba real que apoye las acusaciones formuladas contra Bini. Tras el 12º Foro Regional de Gobernanza de Internet para América Latina y el Caribe (LACIGF) la semana pasada, organizaciones civiles de la región hicieron pública una declaración en la que destacaron las irregularidades en el debido proceso y las presiones políticas que han marcado el caso hasta ahora. EFF se les suma. Después de viajar a Quito para hablar con periodistas, políticos, abogados, académicos, así como con el propio Bini y su equipo de defensa, llegamos a conclusiones similares: que el procesamiento de Bini es un caso político, no criminal. Nosotros también nos oponemos al uso indebido de su enjuiciamiento en nombre de intereses políticos, lo que compromete su derecho a un juicio justo.

Desde la fundación de EFF en 1990, hemos trabajado para garantizar que los investigadores y expertos en seguridad como Bini puedan hacer su trabajo sin ser malinterpretados o perseguidos por los que están en el poder, un trabajo que mejora la seguridad de todos en línea. El trabajo de Bini no sólo es legal: ayuda a mejorar la privacidad y seguridad de todos en línea, como explicamos en nuestro documento Derechos de los codificadores en América Latina en 2018, donde conectamos dicho trabajo con los derechos fundamentales de sus profesionales y beneficiarios en la región.

Para mayor información, véase la declaración que figura a continuación:

Contra la persecución política a Ola Bini

Ola Bini es un reconocido activista por el software libre y experto en seguridad digital. Desde el 11 de abril de 2019 se encuentra sujeto a un proceso judicial en Ecuador, acusado de haber vulnerado sistemas informáticos. Tal proceso, sin embargo, ha sido ampliamente cuestionado por la multiplicidad de irregularidades cometidas y por estar bajo un sinnúmero de presiones políticas.

El primer elemento ha sido confirmado por el Habeas Corpus otorgado en junio pasado por parte del tribunal de la Corte Provincial de Pichincha y por las expresiones oportunamente realizadas por las Relatorías Especiales sobre la Libertad de Expresión de la Organización de Estados Americanos (OEA) y la Organización de las Naciones Unidas (ONU).[1] [2]

Por su parte, la Misión Internacional de la Electronic Frontier Foundation (EFF) enviada recientemente a Ecuador, tras conversar sobre esta situación con políticos, académicos y periodistas de distintas tendencias, ha concluido que la motivación tras el caso de Ola Bini es política, no criminal.[3] De hecho, todavía se desconoce cuáles son los sistemas informáticos de cuya vulneración se le acusó en un principio.

Junto con ello, una serie de hechos recientes han encendido nuevas alertas. En primer lugar, la vinculación de una nueva persona a la causa por el sólo hecho de mantener un vínculo profesional con Bini y a pesar de que en la audiencia respectiva no se presentaron los elementos jurídicos necesarios para cumplir con dicho trámite. Además, el Fiscal a cargo de la acusación decidió abrir dos nuevas líneas de investigación contra Ola Bini: por “defraudación fiscal” y “tráfico de influencias”. De tal forma, la fiscalía ahora se propone investigar por hasta el plazo de 2 años más al activista.

Esta última decisión sugiere que no se cuentan con pruebas que sustenten las acusaciones originalmente realizadas contra Bini y que la atención de la justicia y el gobierno ecuatoriano no está puesta en un delito, sino en una persona. Esto nos lleva a confirmar el temor expresado por algunas organizaciones internacionales que trabajan por los derechos humanos en internet que desde el momento de la detención de Ola Bini alertaron sobre la espiral de persecución política contra un activista de renombre internacional, cuyo trabajo es globalmente reconocido por la protección de la privacidad.

Considerando lo expresado más arriba y las conversaciones mantenidas en el marco del XII Foro de Gobernanza de Internet de América Latina y el Caribe (LACIGF por sus siglas en inglés), los abajo firmantes rechazamos el escenario persecutorio montado contra Bini, demandamos que se respete el debido proceso por parte de todas las funciones del Estado e instamos a que los actores políticos dejen de interferir en la justicia.

Asociación para el Progreso de la Comunicaciones

Derechos Digitales

Electronic Frontier Foundation

Internet Bolivia

Intervozes

Karisma

[1] https://cnnespanol.cnn.com/2019/06/20/tribunal-de-ecuador-acepta-recurso-de-habeas-corpus-para-ola-bini/

[2] https://www.eluniverso.com/noticias/2019/04/15/nota/7287350/relatorias-onu-oea-cuestionan-detencion-ola-bini

[3] https://www.eff.org/es/deeplinks/2019/08/ecuador-political-actors-must-step-away-ola-binis-case

Interoperability and Privacy: Squaring the Circle

Tue, 08/13/2019 - 07:32

Last summer, we published a comprehensive look at the ways that Facebook could and should open up its data so that users could control their experience on the service, and to make it easier for competing services to thrive.

In the time since, Facebook has continued to be rocked by scandals: privacy breaches, livestreamed terrorist attacks, harassment, and more. At the same time, competition regulators, scholars and technologists have stepped up calls for Facebook to create and/or adopt interoperability standards to open up its messenger products (and others) to competitors.

To make matters more complex, there is an increasing appetite in both the USA and Europe, to hold Facebook and other online services directly accountable for the actions of its users: both in terms of what those users make available (copyright infringement, political extremism, incitements to violence, etc) and in how they treat each other (harassment, stalking, etc).

Fool me twice...

Facebook execs have complained that these goals are in conflict: they say that for the company to detect and block undesirable user behaviors as well as interdicting future Cambridge Analytica-style data-hijacking, they need to be able to observe and analyze everything every user does, both to train automated filters and to allow them to block abusers. But by allowing third parties to both inject data into their network and pull data out of it--that is, allowing interoperability--the company's ability to monitor and control its users' bad behavior will be weakened.

There is a good deal of truth to this, but buried in that truth is a critical (and highly debatable) assumption: "If you believe that Facebook has the will and ability to stop 2.3 billion people from abusing its systems and each other, then weakening Facebook's control over these 2.3 billion people might limit the company's ability to make that happen."

But if there's one thing we've learned from more than a decade of Facebook scandals, it's that there's little reason to believe that Facebook possesses the requisite will and capabilities. Indeed, it may be that there is no automated system or system of human judgments that could serve as a moderator and arbiter of the daily lives of billions of people. Given Facebook's ambition to put more and more of our daily lives behind its walled garden, it's hard to see why we would ever trust Facebook to be the one to fix all that's wrong with Facebook.

After all, Facebook's moderation efforts to date have been a mess of backfiring, overblocking, and self-censorship, a "solution" that no one is happy with.

Which is why interoperability is an important piece of the puzzle when it comes to addressing the very real harms of market concentration in the tech sector, including Facebook's dominance over social media. Facebook users are eager for alternatives to the service, but are held back by the fact that the people they want to talk with are all locked within the company's walled garden. Interoperability presents a means for people to remain partially on Facebook, but while using third-party tools that are designed to respond to their idiosyncratic needs. While it seems likely that no one is able to build a single system that protects 2.3 billion users, it's certainly possible to build a service whose social norms and technological rules are suited to smaller groups. Facebook can't figure out how to serve every individual and community's needs--but those individuals and communities might be able to do so for themselves, especially if they get to choose which toolsmith's tools they use to mediate their Facebook experience.

Standards-washing: the lesson of Bush v Gore

But not all interoperability is created equal. Companies have historically shown themselves to be more than capable of subverting mandates to adhere to standards and allow for interconnection.

A good historic example of this is the drive to standardize voting machines in the wake of the Supreme Court's decision in Bush v Gore. Ambiguous results from voting machines resulted in an election whose outcome had to be determined by the Supreme Court, which led to Congress passing the Help America Vote Act, which mandated standards for voting machines.

The process did include a top-tier standards development organization to oversee its work: the Institute of Electrical and Electronics Engineers (IEEE), which set about creating a standard for their products. But rather than creating a "performance standard" describing how a voting machine should process ballots, the industry sneakily tried to get the IEEE to create a "design standard" that largely described the machines they'd already sold to local election officials: in other words, rather than using standards to describe how a good voting machine should work, the industry pushed a standard that described how their existing, flawed machines did work with some small changes in configurations. Had they succeeded, the could have simply slapped a "complies with IEEE standard" label on everything they were already selling and declared themselves to have fixed the problem...without doing the serious changes needed to fix their systems, including requiring a voter-verified paper ballot.

Big Tech is even more concentrated than the voting machine industry is, and it's far more concentrated than the voting machine industry was in 2003 (most industries are more concentrated today than they were in 2003). Legislatures, courts or regulators that seek to define "interoperability" should be aware of the real risk of the definition being hijacked by the dominant players (who are already very skilled at subverting standardization processes). Any interoperability standard developed without recognizing Facebook's current power and interest is at risk of standardizing the parts of Facebook's business that it does not view as competitive risks, while leaving the company's core business (and its bad business practices) untouched.

Even if we do manage to impose interoperability on Facebook in ways that allow for meaningful competition, in the absence of robust anti-monopoly rules, the ecosystem that grows up around that new standard is likely to view everything that's not a standard interoperable component as a competitive advantage, something that no competitor should be allowed to make incursions upon, on pain of a lawsuit for violating terms of service or infringing a patent or reverse-engineering a copyright lock or even more nebulous claims like "tortious interference with contract."

Everything not forbidden is mandatory

In other words, the risk of trusting competition to an interoperability mandate is that it will create a new ecosystem where everything that's not forbidden is mandatory, freezing in place the current situation, in which Facebook and the other giants dominate and new entrants are faced with onerous compliance burdens that make it more difficult to start a new service, and limit those new services to interoperating in ways that are carefully designed to prevent any kind of competitive challenge.

Standards should be the floor on interoperability, but adversarial interoperability should be the ceiling. Adversarial interoperability takes place when a new company designs a product or service that works with another company's existing products or services, without seeking permission to do so.

Facebook is a notorious opponent of adversarial interoperability. In 2008, Facebook successfully wielded a radical legal theory that allowed it to shut down Power Ventures, a competitor that allowed Facebook’s users who opted in, to use multiple social networks from a single interface. Facebook argued that by allowing users to log in and display Facebook with a different interface, even after receipt of a cease and desist letter telling Power Ventures to stop, the company had broken a Reagan-era anti-hacking law called the Computer Fraud and Abuse Act (CFAA). In other words, upsetting Facebook was at the center of their illegal conduct.

Adversarial interoperability flips the script

Clearing this legal thicket would go a long way toward allowing online communities to self-govern by federating their discussions with Facebook without relying on Facebook's privacy tools and practices. Software vendors could create tools that allowed community members to communicate in private, using encrypted messages that are unintelligible to Facebook's data-mining tools, but whose potential members could still discover and join the group using Facebook.

This could allow new entrants to flip the script on Facebook's "network effects" advantage: today, Facebook is viewed as holding all the cards because it has corralled everyone who might join a new service within its walled garden. But legal reforms to safeguard the right to adversarial interoperability would turn this on its head: Facebook would be the place that had conveniently organized all the people whom you might tempt to leave Facebook, and even supply you with the tools you need to target those people.

Revenge of Carterfone

There is good historic precedent for using a mix of interoperability mandates and a legal right to interoperate beyond those mandates to reduce monopoly power. The FCC has imposed a series of interoperability obligations on incumbent phone companies: for example, the rules that allow phone subscribers to choose their own long-distance carriers.

At the same time, federal agencies and courts have also stripped away many of the legal tools that phone companies once used to punish third parties who plugged gear into their networks. The incumbent telecom companies historically argued that they couldn't maintain a reliable phone network if they didn't get to specify which devices were connected to it, a position that also allowed the companies to extract rental payments for home phones for decades, selling you the same phone dozens or even hundreds of times over.

When agencies and courts cleared the legal thicket around adversarial interoperability in the phone network, it did not mean that the phone companies had to help new entrants connect stuff to their wires: manufacturers of modems, answering machines, and switchboards sometimes had to contend with technical changes in the Bell system that broke their products. Sometimes, this was an accident of some unrelated technical administration of the system; sometimes it seemed like a deliberate bid to harm a competitor. Often, it was ambiguous.

Monopolists don't have a monopoly on talent

But it turns out that you don't need the phone company's cooperation to design a device that works with its system. Careful reverse-engineering and diligent product updates meant that even devices that the phone companies hated--devices that eroded their most profitable markets--had long and profitable runs in the market, with devoted customers.

Those customers are key to the success of adversarial interoperators. Remember that the audience for a legitimate adversarial interoperability product are the customers of the existing service that it connects to. Anything that the Bell system did to block third-party phone devices ultimately punished the customers who bought those devices, creating ill will.

And when a critical mass of an incumbent giant's customer base depends on--and enjoys--a competitor's product, even the most jealous and uncooperative giants are often convinced to change tactics and support the businesses they've been trying to destroy. In a competitive market (which adversarial interoperability can help to bring into existence), even very large companies can't afford to enrage their customers.

Is Facebook better than everyone else?

Facebook is one of the largest companies in world. Many of the world's most talented engineers and security experts already work there, and many others aspire to do so. Given that, is it realistic to think that a would-be adversarial interoperator could design a service that plugs into Facebook without Facebook's permission?

Ultimately, this is not a question with an empirical answer. It's true that few have tried to pull this off since Power Ventures was destroyed by Facebook litigation, but it's not clear whether the competitive vacuum is the result of potential competitors who are too timid to lock engineering horns with Facebook's brain-trust, or potential competitors and investors whose legal departments won't let them even try.

But it is instructive to look at the history of the Bell system after Carterfone and Hush-a-Phone: though the Bell system was the single biggest employer of telephone technicians in the world and represented the best, safest, highest-paid opportunities for would-be telecoms innovators, after Carterfone and Hush-a-Phone, Bell's rivals proceeded to make device after device after device that extended the capabilities of the phone network, without permission, overcoming the impediments that the network's operator put in their way.

Closer to home, remember that when Facebook wanted to get Power Ventures out of its network, its primary tool of choice wasn't technical measures--Facebook didn't (or couldn't) use API changes or firewall rules alone to keep Power Ventures off the service--it was mainly lawsuits. Perhaps that's because Facebook wanted to set an example for later challengers by winning a definitive legal battle, but it's very telling that the company that operated the network didn't (or couldn't!) just kick its rival out, and instead went through a lengthy, expensive and risky legal battle when simple IP blocking didn’t work.

Facebook has a lot of talented engineers, but it doesn't have all of them.

Being a defender is hard

Facebook's problem with would-be future challengers is a familiar one: in security, it is easier to attack than to defend. For Facebook to keep a potential competitor off its network, it has to make no mistakes. In order for a third party to bypass Facebook's defenses in order to interoperate with Facebook without permission, it has only to find and exploit a single mistake.

And Facebook labors under other constraints: like the Bell system fending off Hush-a-Phone, the things that Facebook does to make life hard for competitors who are helping its users get more out of its service are also making life harder for all its users. For example, any tripwire that blocks logins by suspected bots will also block users whose behaviors appear bot-like: the more strict the bot-detector is, the more actual humans it will catch.

Here again, Facebook's dizzying user-base works against it: with billions of users, a one-in-a-million event is going to happen thousands of times every day, so Facebook has to accommodate a wide variety of use-cases, and some of those behaviors will be sufficiently weird to allow a rival's bot to slip through.

Back to privacy

Facebook users (and even non-Facebook users) who want more privacy have a variety of options, none of them very good. Users can tweak Facebook's famously hard-to-understand privacy dashboard to lock down their accounts and bet that Facebook will honor their settings (this has not always been a good bet).

Everyone can use tracker-blockers, ad-blockers and script-blockers to prevent Facebook from tracking them when they're not on Facebook, by watching how they interact with pages that have Facebook "Like" buttons and other beacons that let Facebook monitor activity elsewhere on the Internet. We’re rightfully proud of our own tracker blocker, Privacy Badger, but it doesn't stop Facebook from tracking you if you have a Facebook account and you're using Facebook's service.

Facebook users can also watch what they say on Facebook, hoping that they won't slip up and put something compromising on the service that will come back to haunt them (though this isn't always easy to predict).

But even if people do all this, they're still exposing themselves to Facebook's scrutiny when they use Facebook, which monitors how they use the service, every click and mouse-movement. What's more, anyone using a Facebook mobile app might be exposing themselves to incredibly intrusive data-gathering, including some suprisingly creepy and underhanded tactics.

If users could use a third-party service to exchange private messages with friends, or to participate in a group they're a member of, they can avoid much (but not all) of this surveillance.

Such a tool would allow a someone to use Facebook while minimizing how they are used by Facebook. For people who want to leave Facebook but whose friends, colleagues or fellow travelers are not ready to join them, a service like this could let Facebook refuseniks get out of the Facebook pool while still leaving a toe in its waters. What's more, it lets their friends follow them, by creating alternatives to Facebook where the people they want to talk to are still reachable. One user at a time, Facebook's rivals could siphon off whole communities. As Facebook's market power dwindled, so would the pressure that Web publishers feel to embed Facebook trackers on their sites, so that non-Facebook users would not be as likely to be tracked as they use the Web..

Third-party tools could automate the process of encrypting conversations, allowing users to communicate in private without having to trust Facebook's promises about its security.

Finally, such a system would put real competitive pressure on Facebook. Today, Facebook's scandals do not trigger mass departures from the service, and when users do leave, they tend to end up on Instagram, which is also owned by Facebook.

But if there was a constellation of third-party services that were constantly carving escape hatches in Facebook's walled garden, Facebook would have to contend with the very real possibility that a scandal could result in the permanent departure of its users. Just the possibility would change the way that Facebook made decisions: product designers and other internal personnel who argued for treating users with respect on ethical grounds would be able to add an instrumental benefit to being "good guys": failing to do so could trigger yet another exodus from the platform.

Lower and upper bounds

It's clear that online services need rules about privacy and interoperability setting out how they should treat their users, including those users who want to use a competing service.

The danger is that these rules will become the ceiling on competition and privacy, rather than the floor. For users who have privacy needs--and other needs--beyond those the big platforms are willing to fulfill, it's important that we keep the door open to competitors (for-profit, nonprofit, hobbyist and individuals) who are willing to fill those needs.

None of this means that we should have an online free-for-all. A rival of Facebook that bypassed its safeguards to raid user data should still get in trouble (just as Facebook should get in trouble for privacy violations, inadequate security, or other bad activity). Shouldering your way into Facebook in order to break the law is, and should remain, illegal, and the power of the courts and even law enforcement should remain a check on those activities. But helping Facebook's own users, or the users of any big service, to configure their experience to make their lives better should be legal and encouraged even (and especially) if it provides a path for users to either diversify their social media experience or move away entirely from the big, concentrated services. Either way, we’d be on our way to a more pluralistic, decentralized, diverse Internet.