You are here


Subscribe to EFF feed
EFF's Deeplinks Blog: Noteworthy news from around the internet
Updated: 12 hours 27 min ago

ICANN Needs To Ask More Questions About the Sale of .ORG

Fri, 01/17/2020 - 18:50

Over 21,000 people, 660 organizations, and now six Members of Congress have asked ICANN, the organization that regulates the Internet’s domain name system, to halt the $1.135 billion deal that would hand control over PIR, the .ORG domain registry, to private equity. There are crucial reasons this sale is facing significant backlash from the nonprofit and NGO communities who make the .ORG domain their online home, and perhaps none of them are more concerning than the speed of the deal and the dangerous lack of transparency that’s accompanied it. 

Less than three months have passed from the announcement of the sale—which took the nonprofit community by surprise—to the final weeks in which ICANN is expected to make its decision, giving those affected almost no chance to have a voice, much less stop it. The process so far, including information that the buyer, Ethos Capital, provided to ICANN in late December, raises more questions than it answers. U.S. lawmakers are correct that “the Ethos Capital takeover of the .ORG domain fails the public interest test in numerous ways.”

Before any change in who operates the .ORG registry can take place, ICANN, which oversees the domain name system, needs to answer important questions about the deal from those who use .ORG domain names as the foundation of their online identity. Working with the nonprofit community, we’re asking ICANN to ask more questions to confirm how the deal will protect .ORG users—questions that are still unanswered. And next week, on January 24th, nonprofits and supporters will protest at ICANN’s headquarters in Los Angeles. You can join us to tell ICANN that it must be more than a rubber stamp.


Tell ICANN: Nonprofits Are Not For Sale

A Dangerous Deal

The Internet Society (ISOC)—which has controlled .ORG for the past 16 years—and Ethos Capital are treating the .ORG registry as an asset that can be bought and sold at will. But ISOC didn’t pay to acquire the .ORG registry—indeed, PIR, the organization that was founded by ISOC to run .ORG was given $5 million to help it do so. Now, ISOC plans to profit off of the value of the registry by converting PIR into a for-profit LLC in the hands of Ethos Capital.

ICANN delegated the task of running .ORG to ISOC in 2002 because ISOC was best positioned to run the domain for the benefit of nonprofit users. The excess funds from .ORG registration fees that have supported the work of ISOC for the past 16 years were a side benefit, not a sacred entitlement. Rather than an asset, like a building, the registry should be thought of as a public function—like the assigning of street addresses. It should be (and has been) administered in the public interest. But in the hands of private equity, the registry will become something altogether different from what it’s been in the past: a tool for making profits from nonprofits.

After the sale, Ethos Capital, having paid $1.135 billion for .ORG to ISOC, will have to recoup that investment on a scale that’s expected of a private equity firm. This week, Ethos revealed for the first time that some $360 million of the purchase price will be financed with a loan. The payments on that loan will have to come out of Ethos’s profits, so they will probably need to raise more money per year than ISOC currently does. While Ethos could try to simply increase the number of its “customers” for .ORGs, PIR has tried this in the past, and the demand for the domains has remained largely flat. This is no surprise; the nonprofit sector just doesn’t grow at exponential rates.

That brings us to the myriad reasons nonprofits have criticized the deal: every other way that Ethos might increase profits is bad news for .ORG users. And these tactics aren’t farfetched: every one of them is already delivering profits in other sectors, often while harming domain registrants and their visitors.

Squeezing Profits from Nonprofits Harms Civil Society
  1. The most obvious way to profit from the registry is for Ethos to raise the annual registration fees on .ORG names. Under pressure, Ethos has promised to keep fee increases to 10% per year “on average.” But they haven’t made that promise legally binding. There won’t be any way for .ORG users to challenge future fee increases without changing domain names, an expensive and risky process well-known to any organization or which has had to shift away from a trusted domain. And even more worrisome, Ethos could begin charging different rates for different domains. Other registries already charge considerably higher fees for names they designate as “premium.” Ethos could base fees entirely on an organization’s ability to pay, essentially holding nonprofits’ domain names for ransom.
  2. Ethos could also engage in censorship-for-profit. As we’ve described before, other domain registries have made deals with powerful corporate interests, like movie studios and pharmaceutical interests, to suspend the domains of websites, even if that means suppressing truthful information. But .ORGs don’t just have corporate interests hoping to control their voices: the world over, including within authoritarian regimes, .ORGs are the home of important critical speech on the Internet. Ethos would have a clear incentive to take down domains at the request of repressive governments, just as governments often demand takedowns of speech on social networks, in exchange for tax or other financial benefits.
  3. Ethos could sell the browsing data of users who visit .ORGs. The operator of a domain registry can, if it chooses, track every look-up of an address within that domain. Ethos could track visits to nonprofit organizations around the world, perhaps to target advertising on behalf of Vidmob, the advertising company they also own, invading the privacy of everyone who visits .ORG websites.
  4. Ethos could cut back on the important technical upkeep of the domains. Domain name lookups must be available worldwide, and quickly. Technical failures can mean being unable to connect to a website, or to send and receive email. This doesn’t just mean 404s: because the .ORG registry is home to relief agencies, news media, and other groups that provide life-saving services, technical failures could result in actual harm. Aid might not reach people in need during a crisis; news and information could be stopped dead during an emergency. The .ORG registry has had no downtime in over a decade. If that changes, it’s not just websites that would be in danger.
Not Enough Safeguards

In response to public pressure, Ethos has made a loose commitment about future pricing. It has also proposed adding text about acting in the public benefit into the “Certificate of Formation” for the new holding company they’re creating. And it’s promised to create a “Stewardship Council” to “help guide” the company’s management.

But there’s no force behind these words. Under corporate law, only the company itself has the power to decide whether it’s acting for the public benefit. Putting vague commitments into a “Certificate of Formation” doesn’t give the users of .ORG domains any mechanism of enforcement. And a “Stewardship Council” will not be able to override the decisions of the company’s owners and management. There’s no guarantee that the council will even be informed about what the company is doing. In fact, PIR already has an advisory council—and it wasn’t even told that the sale to Ethos was going to happen.

Luckily, there are other options on the table. If the .ORG registry needs to change hands, ICANN must take the time to consider all the alternatives, such as the Cooperative Corporation of dot-org Registrants, and determine which organization will best uphold the commitments that were made when .ORG was last re-assigned, in 2002. Instead of a rushed and secretive vote, ICANN should engage in a careful decision-making process that gives all .ORG registrants a voice in decisions around the registry in the future.

The Benefits Are Vague, At Best

In defending the deal, ISOC’s leadership has talked about the good they can do with a $1.1 billion endowment. Those good works, though, don’t excuse breaking trust with thousands of nonprofits. Several proponents of the deal, echoing Ethos’s talking points, claim that turning .ORG into a for-profit registry will lead to “new products and services” for the .ORG community. No one explains what those would be, though, or what they have to do with maintaining a reliable database of domain names. And there is no benefit at all if these vague opportunities in the future come at the cost of functional, censorship-free websites for millions of nonprofits, associations, and clubs around the world. 

ICANN Needs To Ask More Questions

As the group that controls the top level of the domain name system, ICANN has the power to stop .ORG from changing hands, and to name a new organization to steward that important resource. Before the deal goes any further, ICANN needs to ask more questions of ISOC and Ethos. We’ve compiled a handy list.

Anyone who’s concerned about selling a public trust for private profit can sign the petition to #SaveDotOrg, which we’ll be presenting along with other nonprofits to ICANN in person next week. And if you’ll be in the Los Angeles area on Friday, January 24th, come join us at the protest at ICANN’s headquarters, organized by EFF, NTEN, and Fight for the Future. Help us tell ICANN: .ORG is not for sale.


Tell ICANN: Nonprofits Are Not For Sale

EFF Asks the Supreme Court to Put a Stop to Dangerously Broad Interpretations of the Computer Fraud and Abuse Act

Fri, 01/17/2020 - 15:21

At EFF, we have spent years fighting the Computer Fraud and Abuse Act (CFAA). The law was aimed at computer crime, but it is both vague and draconian—putting people at risk for prison sentences for ordinary Internet behavior. Now, we are asking the Supreme Court to step in and stop dangerous overbroad interpretations of the CFAA.

The CFAA was passed more than 30 years ago, before the invention of the World Wide Web. Consequently, the law is hard to make sense of in our increasingly digital world. Some courts have rightly interpreted the law narrowly, focusing on hacking and other illegal computer intrusions. But other courts have bought into tactics used by creative prosecutors, who argue that when the statute outlaws “exceeding authorized access” to a computer, it also covers violating the “terms of service” of websites and other apps.

Let’s be clear: violating a website’s “terms of service” is very easy to do. You’ve probably done it repeatedly. It can include things like logging into your spouse’s bank account, checking your personal email on your work computer, or sharing a social media password—all behavior that companies may not like, but should not result in criminal penalties. If violating terms of use is a crime, then private companies across the country get to decide who goes to prison for what, instead of lawmakers. That’s a dangerous result that puts us all at risk.

Now, a former Georgia police officer who was wrongly convicted under the CFAA is asking the Supreme Court to take his case. In Van Buren v. United States, Van Buren was accused of taking money in exchange for looking up a license plate in a law enforcement database. This was a database he was otherwise entitled to access, meaning the CFAA is the wrong law to use when prosecuting his alleged behavior. In our amicus brief filed today with the Center for Democracy and Technology and New America’s Open Technology Institute, EFF argues that Congress intended to outlaw computer break-ins that disrupted or destroyed computer functionality, not anything that the service provider simply didn’t want to have happen.

It’s time we got some clarity about the CFAA. We hope the Supreme Court takes Van Buren and agrees on a narrow interpretation of this messy and confusing law.

Tuesday Hearing: EFF Argues in New Jersey Supreme Court That Defendant Can’t Be Forced to Turn Over Password to Encrypted iPhone

Fri, 01/17/2020 - 11:53
U.S. Constitution Protects Rights Against Self-Incrimination

Trenton, New Jersey—On Tuesday, January 21, at 1 pm, EFF Senior Staff Attorney Andrew Crocker will ask the New Jersey Supreme Court to rule that the state can’t force a defendant to turn over the passcode for his encrypted iPhone under the Fifth Amendment, which protects American’s rights against self-incrimination.

The Fifth Amendment states that people cannot be forced to incriminate themselves, and it’s well settled that this privilege against self-incrimination covers compelled “testimonial” communications, including physical acts. However, courts have split over how to apply the Fifth Amendment to compelled decryption of encrypted devices.

EFF, ACLU, and ACLU of New Jersey filed a brief in the case State v. Andrews arguing that the state can’t compel a suspect to recall and use information that exists only in his memory to aid law enforcement’s prosecution of him.

At Tuesday’s hearing, Crocker will tell the court that reciting, writing, typing or otherwise reproducing a password from memory is testimony protected by the Fifth Amendment.

Read the amicus brief EFF filed in the Andrews case:

WHO: EFF Senior Staff Attorney Andrew Crocker

WHAT: New Jersey v. Andrews

Supreme Court of New Jersey
25 Market St.
Trenton, NJ 08611
The argument will also be live-streamed.

January 21
1 pm

Iranian Tech Users Are Getting Knocked Off the Web by Ambiguous Sanctions

Fri, 01/17/2020 - 11:28

Between targeted killings, retaliatory air strikes, and the shooting of a civilian passenger plane, the last few weeks have been marked by tragedy as tensions rise between the U.S. and Iranian governments. In the wake of these events, Iranians within the country and in the broader diaspora have suffered further from actions by both administrations—including violence and lethal force against protesters and internet shutdowns in Iran, as well as detention, surveillance and device seizure at the U.S. border and exacerbating economic conditions from U.S. sanctions. And to make matters worse, American tech companies are acting on sanctions through an overbroad lens, making it much harder for Iranian people to be able to share their stories with each other and with the broader world.

The Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury administers and enforces economic and trade sanctions that target foreign countries, groups, and individuals. Some of these sanctions impact the export to Iran (or use by residents of the country) of certain types of technology, although trying to parse precisely which types are affected appears to have left some companies puzzled.

For example, this week Instagram removed a number of accounts from its service that were affiliated with the Iranian Revolutionary Guard Corps (IRGC)—which is specially designated by OFAC—as well as some accounts praising the IRGC and some condemning the group. The platform initially justified its actions stating:

We review content against our policies and our obligations to US sanctions laws, and specifically those related to the US government’s designation of the IRGC and its leadership as a terrorist organization.

While Instagram is indeed obligated to remove accounts affiliated with the IRGC, the law does not extend to unaffiliated accounts providing commentary on the IRGC—although some experts say that posts supporting a specially designated group could be seen as providing support to the group, thus violating sanctions.

In any case, Instagram may choose to remove accounts praising the IRGC under its own community standards. In the end, Instagram ended up restoring at least one account following media criticism.

A long hard road

EFF has long observed tech companies’ struggle with OFAC sanctions. In 2012, an Apple employee refused to sell a laptop to a customer who was overheard speaking Persian, prompting the State Department to issue a clarifying statement:

[T]here is no U.S. policy or law that prohibits Apple or any other company from selling products in the United States to anybody who’s intending to use the product in the United States, including somebody of Iranian descent or an Iranian citizen or any of that stuff.

In 2013, we spoke up when Airbnb booted an Iranian resident of Switzerland from their platform without recourse, resulting in a reversal of the decision.

And now, as tensions between the U.S. and Iran heat up, we’re seeing tech companies booting Iranians from their platforms left and right. For example:

...But are these companies correct in stripping Iranians of their accounts? The answer: It’s complicated.

Iran is subject to certain OFAC sanctions, and in addition to that, the IRGC and certain Iranian nationals are on OFAC’s list of “specially designated nationals.” OFAC sanctions can be interpreted broadly by tech companies, which is why in 2010, the Treasury Department issued a general license intended as a blanket license for the export of “certain services and software incident to the exchange of personal communications over the Internet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging, provided that such services are publicly available at no cost to the user.”

In 2014, that license was amended to include even more products, including certain fee-based services “incident to the exchange of personal communications over the Internet” including social networking. The new license, General License D-1, provided greater clarity to companies on what is and is not subject to sanctions. As the National Iranian American Council pointed out in a 2017 letter, General License D-1 has been widely praised for “securing human rights, protecting access to online information, and avoiding government censors.”

As the events of this week demonstrate, companies are still struggling to understand the rules. And understandably so—as Richard Nephew, a sanctions expert and senior research scholar at Columbia University told CNN:

[T]his is a tough gray area as we also have free speech protections too.  This is why I think companies often make mistakes in this area, both by preventing such posts or activities and by allowing them …

But while the rules might be difficult, companies are making things worse by failing to properly communicate to users about why their accounts have been suspended—and by giving misleading or incorrect statements to the media.

Why does this matter?

Sanctions that prevent the free flow of communications on the internet and hamper ordinary the ability of ordinary Iranians to express themselves often harm the very people they’re intended to help. Over the years, we’ve seen how sanctions on tech—as well as misapplication or overbroad application of such sanctions—hurt individuals from all walks of life by denying them access to information and cutting them off from communication with the rest of the world.

After the 2014 issuance of General License D-1 for Iranians, Sudanese citizens embarked on a campaign for a similar license, arguing that sanctions prevented them from accessing e-books, online courses, and other information. In a country where the government bans books and at times seizes newspapers, the knowledge that can be gained online can make all the difference. For Iranians, greater access can also mean safer access—to VPNs, secure messaging apps, and other vital tools.

But it isn’t just access to information—it’s also the information coming out of Iran that’s affected. When a Ukrainian airliner was struck down in Iranian airspace, it was video taken from inside the country—as well as efforts by individuals in Iran—that led to verification that Iran’s government had struck the plane with a missile. As we’ve pointed out before, policies intended to prevent violent extremists from using online services often have the effect of silencing human rights content. And given how little access international media has to Iran, hearing from Iranians about what’s happening on the ground is vital.

Furthermore, Iran has seen fit in the past to shut down the Internet, preventing its residents from accessing the outside world. If the U.S. government truly believes in the internet freedom policy that it continues to pour millions of dollars into, it should see how its own policies are working against freedom and pushing Iranians toward local services that are likely heavily surveilled or censored. As it stands, the U.S. is just helping Iran do the job of silencing its citizens.

A clearer way forward

As moral panic and confusion set in, more and more companies are seeking to enforce sanctions law—and as they do, it’s vital that they have the best possible information at hand so ordinary citizens aren’t unduly impacted. As such, we are reiterating our ask for the Department of Treasury to update General License D-1 and provide guidance to U.S. tech companies to ensure the minimal amount of damage to users.

But although sanctions are hard, we also call on tech companies to exercise both caution and compassion as they navigate these murky waters. Companies should ensure that they’re using the best possible means to identify potentially impacted users; notify them clearly (by providing information about specific statutes and links to relevant information from the Department of Treasury); and most importantly, provide an appeals system so that users who are wrongly identified have a path of recourse to regain access to their accounts.

Rights Groups to European Commission: Prioritize Users’ Rights, Get Public Input For Article 17 Application Guidelines

Wed, 01/15/2020 - 16:12

The implementation of Art 17 (formerly Article 13) into national laws will have a profound effect on what users can say and share online. The controversial rule, part of the EU’s copyright directive approved last year, turns tech companies and online services operators into copyright police. Platforms are liable for any uploaded content on their sites that infringes someone’s copyright, absent authorization from rightsholders. To escape liability, online service operators have to make best efforts to ensure that infringing content is not available on their platforms, which in practice is likely to require scanning and filtering of billions of daily social media posts and content uploads containing copyrighted material.

The content moderation practices of Internet platforms are already faulty and opaque. Layering copyright enforcement onto this already broken system will censor even more speech. It’s paramount that preserving and protecting users’ rights are baked into guidelines the EC is developing for how member states should implement the controversial rule. The guidelines are non-binding but politically influential.

The commission has held four meetings with stakeholders in recent months to gather information about copyright licensing and content moderation practices. Two more meetings are scheduled for this spring, after which the EC is expected to begin drafting guidelines for the application of Article 17, which must be implemented in national laws by June 7, 2021.

The fifth meeting was held today in Brussels. The good news is EFF and other digital rights organizations have a seat at the table, alongside rightsholders from the music and film industries and representatives of big tech companies like Google and Facebook. The bad news is that the commission’s proposed guidelines probably won’t keep users’ rights to free speech and freedom of expression from being trampled as internet service providers, fearful of liability, race to over-block content.

That’s why EFF and more than 40 user advocate and digital rights groups sent an open letter to the EC asking the commissioners to ensure that implementation guidelines focus on user rights, specifically free speech, and limit the use of automated filtering, which is notoriously inaccurate. The guidelines must ensure that protecting legitimate, fair uses of copyrighted material for research, criticism, review, or parody takes precedence over content blocking measures Internet service providers employ to comply with Article 17, the letter says. What’s more, the guidelines must make clear that automated filtering technologies can only be used if content-sharing providers can show that users aren’t being negatively affected.

Further, we asked the commission to share the draft guidelines with rights organizations and the public, and allow both to comment on and suggest improvements to ensure that they comply with European Union civil and human rights requirements. As we told the EC in the letter, “This request is based on the requirement of transparency, which is a core principle of the rule of law.” EFF and its partners want to “ensure that the guidelines are in line with the right to freedom of expression and information and also data protection guaranteed by the Charter of Fundamental Rights.”

The EC is scheduled to hold the next stakeholder meeting in February in preparation for drafting guidelines. We will keep the pressure on to protect users from censorship and content blocking brought on by this incredibly dangerous directive.

Strange Bedfellows: EFF Sides with PTO in Trademark Battle Over ‘’

Tue, 01/14/2020 - 17:59

EFF often criticizes the Patent and Trademark Office (PTO) for granting bad patents, but a case in the Supreme Court has us on the same side.

On Monday, EFF filed an amicus brief asking the court to reject trademark protection for “,” pointing out that other travel companies that use variations of the word “booking” in their domain names could face legal threats if the mark were granted.

The case started in 2016, when sued the PTO for refusing its trademark application on the basis that “” is a generic term for the services it provides. Generic terms refer to categories or classes of things that can’t be trademarked because of the effect on free speech and competition. For example, you wouldn’t want Apple to have a trademark for the word “computer,” because other computer manufacturers should be allowed to accurately describe their products. However, a lower court judge decided that adding the “.com” to the end of the generic word “booking” made it eligible for trademark protection. Last year, an appeals court agreed.

The PTO rightly took its case to the Supreme Court. In our brief, we argued that granting a mark like this would hurt both consumer rights and competition. For example, there are a number of companies with domain names like “” and “” Even if the names are not identical to, they could be at risk of lawsuits under trademark liability’s “likelihood of confusion” standard. Additionally, a win for would likely kick off a flood of additional trademark requests for combinations of generic words and top-level domains, leading to even more uncertainty and drawn-out court cases.

The Supreme Court has granted certiorari and will likely hear oral arguments in the case later this year. We hope the justices recognize that the PTO had it right: generic words with “.com” at the end don’t deserve trademark protection.

Top Apps Invade User Privacy By Collecting and Sharing Personal Data, New Report Finds

Tue, 01/14/2020 - 11:43

A new year often starts with good resolutions. Some resolve to change a certain habit, others resolve to abandon an undesired trait. Mobile app makers, too, claim to have user behavior and their preferences at their heart. From dating to health to music, their promise is to add convenience to consumers’ lives or to offer support when needed. The bad news is that the ecosystem of the underlying ad tech industry has not changed and still does not respect user privacy. A new report, called Out of Control: How Consumers Are Exploited by the Online Advertising Industry, published today by the Norwegian Consumer Council (NCC), looks at the hidden side of the data economy and its findings are alarming.

Discrimination, Manipulation, Exploitation

Scrutinizing 10 popular apps in Google Play Store, such as Grindr, Clue, and Perfect365, the NCC report’s technical analysis reveals comprehensive tracking and profiling practices. Personal data is systematically collected and shared with dozens of third-party companies without users’ knowledge. EFF’s recent report on third-party tracking documents additional ways that companies profit from invading our digital privacy.

The NCC’s legal analysis concludes that companies have not obtained valid consent from consumers to process their data under the EU General Data Protection Regulation (GDPR) and consumers have no practical option to avoid being tracked. The report highlights that profiling practices may not only be used to personalize advertising, but could also result in discrimination, manipulation, and exploitation of users.

Actions by Consumer and Digital Rights Organizations

Current tracking and profiling practices translate into exploitative practices in contradiction to the GDPR, the report says. While the research was carried out in the EU, the analyzed apps are available around the globe, and many are owned by companies headquartered in the U.S. Responding to the report, consumer and digital rights organizations globally are notifying their data protection authorities.

What Needs to Be Done: Strong Privacy Rights and Alternative Solutions

EFF has long advocated for critical and tangible privacy rights for users, including the right to opt-in consent, the right to know, and the right to data portability. Rules should not only exist on paper but users should also be empowered to bring their own lawsuits against companies that violate their privacy rights.

The NCC report shows that a huge surveillance industry has built up around us. Instead, we need a user-oriented tech ecosystem that does not treat user data like a free resource to be exploited. To build alternative solutions to the incumbent online advertising systems, we need new laws that create strong privacy rights.

Report and materials:

Bay Staters Continue to Lead in Right to Repair, and EFF Is There to Help

Mon, 01/13/2020 - 18:27

Massachusetts has long been a leader in the Right to Repair movement, thanks to a combination of principled lawmakers and a motivated citizenry that refuses to back down when well-heeled lobbyists subvert the legislative process.

In 2012, Massachusetts became the first US state to enact Right to Repair legislation, with an automotive law that protected the right of drivers to get their cars repaired by independent mechanics if they preferred them to the manufacturers' service depots. Though wildly popular, it took the threat of a ballot initiative to get the legislature to act, an initiative that ultimately garnered 86% of the vote. The initiative led to strong protections for independent repair in Massachusetts and set the stage for a compromise agreement leading to better access to repair information for most of the country.

Now Bay Staters are back in the legislature: in the years since the original automotive Right to Repair law was enacted, manufacturers have redesigned their products in ways that exploit loopholes in the 2012 law, effectively shutting out independent repair.

House Bill 4122 closes the loopholes in the 2012 law, and in-state advocates are gathering signatures for another ballot initiative should lobbyists defeat the bill in the legislature.

EFF was pleased to submit comments to the Massachusetts Legislature's Joint Committee on Consumer Protection and Professional Licensure for a hearing on January 13 in support of HB4122.

In those comments, sent to each member of the Committee, EFF Special Consultant Cory Doctorow wrote:

Auto manufacturers have argued that independent service endangers drivers' cybersecurity. In reality, the opposite is true: security is weakened by secrecy and strengthened by independent testing and scrutiny. It is an iron law of information security that "there is no security in obscurity"—that is, security cannot depend on keeping defects a secret in the hopes that "bad guys" won't discover and exploit those defects. And since anyone can design a security system that they themselves can't imagine any way of breaking, allowing manufacturers to shroud their security measures in secrecy doesn't mean that their cars can't be hacked—in fact, history has shown that vehicle computers depending on secrecy for security are, in fact, frequently vulnerable to hacking.

In 2018 and 2019, cities, hospitals, and other large institutions had their informatics systems seized by petty criminals using off-the-shelf ransomware that had combined with a defect in Windows that the NSA had discovered and kept secret—until an NSA leaker released it to the world. As these cities discovered, the NSA's decision to keep these defects secret did not put them out of reach of bad guys—it just meant that institutional Microsoft customers were put at grave risk, and that Microsoft itself did not know about the devastating bugs in its own products and so could not fix them.

Information security is absolutely reliant upon independent security researchers probing systems and disclosing what they discover. Allowing car manufacturers to monopolize service—and thus scrutiny—over their products ensures that the defects in these fast-moving, heavy machines will primarily become generally known after they are exploited to the potentially lethal detriment of drivers and the pedestrians around them.

The manufacturers' desire to monopolize bad news about design defects in their own products is especially dire because it rides on the tails of a strategy of monopolizing service and parts for those products. The uncompetitive, concentrated automotive sector has already brought itself to the brink of ruin—averted only by the infusion of $80.7B in tax-funded bailouts. More than a decade later, it remains in dire need of competitive discipline, as is evidenced by a commercial strategy dominated by reducing public choice, surveilling their own customers and selling their data, and extracting monopoly rents from luckless drivers who are locked into their proprietary ecosystems.

The German Constitutional Court Will Revisit the Question of Mass Surveillance, Will the U.S.?

Mon, 01/13/2020 - 18:21

On January 14 and 15, 2020, the German Federal Constitutional Court will be holding a hearing to reevaluate the Bundesnachrichtendienst (BND) Act, which gives the BND agency (similar to the National Security Agency in the United States) broad surveillance authority. The hearing comes after a coalition of media and activist organizations including the Gesellschaft für Freiheistrechte filed a constitutional complaint against the BND for its drag net collection and storage of telecommunications data. This new hearing continues a renewed effort on the part of countries around the world to re-access the high cost of liberty that comes with operating an invasive drag net surveillance program and may increase global pressure on the United States’ intelligence community.

One of the coalitions leading arguments against massive data collection by the foreign intelligence service is the fear that sensitive communications between sources and journalists may be swept up and made accessible by the government. Surveillance which, purposefully or inadvertently, sweeps up the messages of journalists jeopardizes the integrity and health of a free and functioning press and could chill the willingness of sources or whistleblowers to expose corruption or wrongdoing in the country.

In September 2019, based on similar concerns about the surveillance of journalists, South Africa’s High Court issued a watershed ruling that the country’s laws do not authorize bulk surveillance. In part, because there were no special protections to ensure that the communications of lawyers and journalists were not also swept up and stored by the government.

In EFF’s own landmark case against the NSA’s dragnet surveillance program, Jewel v. NSA, the Reporters Committee for Freedom of the Press recently filed an Amicus brief making similar arguments about surveillance in the United States. “When the threat of surveillance reaches these sources,” the brief argues, “there is a real chilling effect on quality reporting and the flow of information to the public.”

This new complaint comes years after the revelations of global surveillance coalitions exposed by Edward Snowden, and only two years after a report revealed that BND had surveyed at least 50 phone numbers, fax numbers, and email addresses of known foreign journalists starting in 1999.  

In 2016, Germany’s Bundestag passed intelligence reform that many argued did not go far enough. Under the post-2016 order, an independent panel oversees the BND and any foreign intelligence collected from international communications networks must be authorized by the chancellor. However, the new reform explicitly allowed surveillance to be conducted on EU states and institutions for the purpose of “foreign policy and security,” and permitted the BND to collaborate with the NSA—both of which allow for the privacy of foreign individuals to be invaded.

It is worth noting that part of what allows a case like this to move forward is the ability of German citizens to know more about the surveillance programs their nation operates. In the United States, our lawsuit against NSA mass surveillance is being held up by the government argument that it cannot submit into evidence any of the requisite documents necessary to adjudicate the case. In Germany, both the BND Act and its sibling, the G10 Act, as well as their technological underpinnings, are both openly discussed making it easier to confront their legality.

We eagerly await the outcome of the German hearing and hope that the BND will be another fallen domino in the movement to restore global privacy.  Meanwhile, EFF will continue to litigate our constitutional challenge to the U.S. government’s mass surveillance of telephone and internet communications and will complete briefing in the Ninth circuit in late January 2020.

Related Cases: Jewel v. NSA

Virginia Needs a Strong Anti-SLAPP Law to Stop Bogus Lawsuits

Mon, 01/13/2020 - 15:10

Sometimes lawsuits get filed to chill speech or harass people, rather than resolve legitimate legal disputes. Unfortunately, this trend has increased over the past few decades. Since the 1980s, these lawsuits have been called SLAPPs—or Strategic Lawsuits Against Public Participation.

The best solution to stop SLAPPs are strong anti-SLAPP laws. The specifics vary by state, but in general, anti-SLAPP laws allow courts to expedite cases in which a defendant’s free speech rights are at risk. The laws also allow defendants who win anti-SLAPP motions to get their legal fees paid.

This year, the Commonwealth of Virginia has a chance to pass a strong anti-SLAPP law by passing H.B. 759. This bill would be a huge improvement over Virginia’s current law, and we’re asking EFF supporters who are Virginia residents to contact their lawmakers and express their support.


Defend Free Speech in Virginia

Virginia has a particular need for a strong anti-SLAPP law. In recent years, it’s become a magnet for questionable legal claims. Some recent examples—all from 2019—include cases like these:

  • U.S. Representative Devin Nunes, of Bakersfield, Calif., has filed several lawsuits in Virginia, seeking hundreds of millions of dollars in damages, including against CNN, his hometown newspaper, the Fresno (Calif.) Bee, Twitter, and two Twitter users who created the parody accounts @DevinCow and @DevinNunesMom.  
  • Actor Johnny Depp sued his ex-wife Amber Heard for $50 million in Virginia after she published an op-ed in The Washington Post about domestic abuse.
  • A man sued a Charlottesville, Virginia weekly newspaper for publishing a news story about his support for preserving Confederate monuments in Charlottesville, as well as the reporter who wrote the story, and a University of Virginia professor who commented on the issue. The case was dismissed, but the judge would not consider the existing Virginia anti-SLAPP statute or treat the case as a SLAPP.
  • A San Francisco doctor sued her former customers, who complained about her shoddy work in online forums like Yelp, in Virginia.

Courtroom abuses like these have flourished because Virginia’s current law doesn’t prevent them. Virginia has no special procedure to determine whether a case is a SLAPP and then quickly resolve it. The law only covers certain types of claims, whereas strong anti-SLAPP laws apply to a broad range of speakers, speech, and forums. And finally, there’s no mandatory fee provision—meaning that even if individuals prevail over SLAPP lawsuits, they could face bank-busting legal fees.

Even when the defendant prevails, without strong anti-SLAPP laws, defamation lawsuits can be ruinous. In 2012, a Washington D.C. contractor sued a Fairfax, Virginia, homeowner, Jane Perez, over a negative Yelp review. At first, a judge issued an injunction ordering her review to be deleted. That was overturned by the Virginia Supreme Court. But Perez still had to go through a jury trial, which ultimately ended with a ‘take-nothing’ verdict.

But the damage had been done, as Public Citizen, which represented Perez at the appeal level, later explained to the Virginia legislature:

“Being a defendant in this case ruined our client’s life. She had left the service with an honorable discharge while suffering from a stress disorder, and having to respond to the lawsuit increased her stress. But even more important, she was working for the air force in a civilian capacity, and having to report that she was a defendant in a lawsuit apparently cost her security clearance and she lost her job.

Had Virginia had an anti-SLAPP statute in place, she would have had an extra opportunity to obtain a private lawyer, even without the generosity of this retired lawyer, because of the prospect of an award of fees. And the contractor would have had an extra reason not to put Jane Perez through this ordeal because Perez’s prevailing on her statutory immunity against being sued for defamation could have led to an award of attorney fees against him.

The increase in SLAPP lawsuits is one of the reasons why, in 2018, EFF joined the Protect the Protest coalition. EFF has also long-supported the Public Participation Project’s work to pass a federal anti-SLAPP bill. We’re working with other non-profits to build strong anti-SLAPP laws at both the state and federal level, and to protect organizations and individuals who are victimized by SLAPPs.

If you live in Virginia, now’s a chance for a big step forward. Tell your lawmaker you want to pass H.B. 759, and protect free speech in Virginia.


Defend Free Speech in Virginia

EFF Asks Supreme Court To Reverse Dangerous Rulings About API Copyrightability and Fair Use

Mon, 01/13/2020 - 13:54
High Court Can Put Computer Copyright Law Back on Track

Washington D.C.—The Electronic Frontier Foundation (EFF) today asked the U.S. Supreme Court to rule that functional aspects of Oracle’s Java programming language are not copyrightable, and even if they were, employing them to create new computer code falls under fair use protections.

The court is reviewing a long-running lawsuit Oracle filed against Google, which claimed that Google’s use of certain Java application programming interfaces (APIs) in its Android operating system violated Oracle’s copyrights. The case has far-reaching implications for innovation in software development, competition, and interoperability.

In a brief filed today, EFF argues that the Federal Circuit, in ruling APIs were copyrightable, ignored clear and specific language in the copyright statute that excludes copyright protection for procedures, processes, and methods of operation.

“Instead of following the law, the Federal Circuit decided to rewrite it to eliminate almost all the exclusions from copyright protection that Congress put in the statute,” said EFF Legal Director Corynne McSherry. “APIs are not copyrightable. The Federal Circuit’s ruling has created a dangerous precedent that will encourage more lawsuits and make innovative software development prohibitively expensive. Fortunately, the Supreme Court can and should fix this mess.”

In the first round of the case, in 2014, the Federal Circuit reversed a lower court to find that APIs were copyrightable, but sent the case back for trial on fair use. In the second round, the court took the almost unprecedented step of overturning a jury verdict of fair use. If upheld, these dangerous and flawed decisions will continue to put at risk the ability of developers to freely create innovative software that benefit the public because it can be used across platforms and services.

“Treating the Java APIs as copyrightable gives Oracle, which stands to make billions from that decision, outsized control and monopoly power over the development of Java-compatible programs. Copyright law aims to stimulate creativity for the public good, not lock developers into a licensing scheme for the functional aspects of software,” said EFF Special Counsel Michael Barclay. “We’re strongly urging the Supreme Court to correctly apply copyright law in this case, and put right what the Federal Circuit got wrong.”

For EFF’s brief:

For more about this case:

Contact:  CorynneMcSherryLegal MichaelBarclayEFF Special