February 28, 2012

Politics, Copyright and the First-Amendment Commons

February 21, 2012

On the eve of the Republican primary in Florida, the Romney campaign started running a new television ad called “History Lesson.” Romney was coming off Newt Gingrich’s double-digit win in South Carolina and the momentum in the campaign for the 2012 Republican seemed to be shifting, perhaps decisively, in Gingrich’s favor. With only ten days between primaries, the Romney campaign needed a new, hard-hitting approach and it needed to act quickly.

The new ad was a key part of that. The thirty-second ad was quite simple and straightforward. The last couple of seconds were the obligatory “I’m Mitt Romney and I approve this message” while the first twenty- seven seconds were just a video clip from the NBC Nightly News broadcast of January 21, 1997. The familiar voice but much-younger face of anchor Tom Brokaw came up and Brokaw opened that evening’s newcast with the lead story of the day: then Speaker of the House Newt Gingrich had been found guilty of ethics violations by the House of Representatives in a vote of 395-28 and had been ordered to pay a $300,000 fine in connection with the violations. (You can read the front page story of the January 22, 1997 Washington Post here.)

There can be little doubt about why the Romney campaign chose to run the clip from the Nightly News. The campaign wanted to hit Gingrich with what they say as a strong charge against him and they wanted to avoid accusations that they had cherry-picked the facts for the ad. What better way to do that than to use the expression of a highly-regarded, wholly independent source, such as Tom Brokaw and the Nightly News.

Brokaw and NBC saw the matter differently. As was widely reported, on January 28, 2012, three days before the Florida primary, NBC sent a letter to the Rommey campaign asking the campaign to cease using NBC news material in Romney campaign ads. NBC had made similar requests of other campaigns that had used material without first seeking permission from NBC. Brokaw himself was quoted as saying that “I am extremely uncomfortable with the extended use of my personal image in this political ad” as Brokaw did “not want my role as a journalist compromised for political gain by any campaign.”

The letter istelf (a copy is available at Politico.com) is short and to the point. The material used in the Romney ad was under copyright and the Romney campaign was using the material without permission. The letter further suggested that the way in which the material was being used suggested that NBC had consented to its use. And beyond copyright, NBC complained that “this use of the voice of Mr. Brokaw and the NBC News name exploits him and the jouralistic credibility of the NBC News.”

We start with legal issues and then turned to bigger picture considerations. On copyright, the core structure of copyright’s fair use is use without permission. To complain of use without permission is simply to complain about how copyright is organized, which is fine, but when we think of what scope fair use should have the use by the Romney campaign seems as fair as it can get. It is apparent to all, I think, that the reason the campaign used the materials was precisely that NBC and other leading news organizations are seen as having journalistic credibility. The Romney campaign wanted to offer up an independent framing of the 1997 ethics charge, not one that was somehow seen as concocted by the Romney campaign. A 15-year old news clip was the perfect was to do this. And, of course, the age of the clip meant that no one could seriously think that NBC or Brokaw were, in 1997, endorsing the 2012 Romney campaign.

Beyond this, the trump card that NBC and Brokaw sought to play would seem to mean that professional video representations of historical facts would simply be taken off of the table for political campaigns. It is hard to see how NBC and similar organizations could ever consent to use, given that consent itself would seem to be inconsistent with the neutral role of news organizations. Far better to have the fair use regime, where there is no consent and no sense of endorsement by a news organiation of one campaign over another.

Then we get to the bigger picture on this. I have this sense, with more frequency than I would like, that major media organizations think of the First Amendment as something that runs in their favor but never against them. A First Amendment for me but not for thee. It would have been nice if NBC and Mr. Brokaw had seen this as an opportunity to invest in the First Amendment ecosystem. That would have meant acknowledging the legitimacy of the use of the video clip by the Romney campaign and the need for such use in a vibrant democracy. Instead, NBC saw its interest in the narrowest terms possible and threw away a great opportunity to demonstrate how the First Amendment should work in a robust democracy.

Permalink • Print • Comment

Government Pressures Twitter to Hand Over Keys to Occupy Wall Street Protester’s Location Data Without a Warrant

February 21, 2012 | By Hanni Fakhoury

On October 1, 2011, over 700 Occupy Wall Street protesters were arrested on the Brooklyn Bridge. Most of the protesters, including Malcolm Harris, were charged with the mundane crime of disorderly conduct, a "violation" under New York law that has a maximum punishment of 15 days in jail or a $250 fine

And yet on the basis of a charge no more consequential than speeding ticket, the New York City District Attorney's office sent a poorly worded subpoena to Twitter requesting "any and all user information, including email address, as well as any and all tweets posted for the period of 9/15/2011-12/31/2011" regarding Mr. Harris' Twitter account, @destructuremal. Unsurprisingly, the government wanted to keep it quiet, but thankfully Twitter didn't listen. Instead, as it has consistently warned law enforcement, Twitter notified Mr. Harris, who through his lawyer, Martin Stolar of the National Lawyers Guild, has moved to challenge the subpoena in court.

The subpoena is astonishing not only for its poor grammar, but also for the breadth of information the government wants for a trivial crime that hardly requires it. The government's request that Twitter hand over Tweets is unlikely to succeed because consistent with the Stored Communications Act, Twitter releases "contents of communication" (effectively Tweets and private messages between Twitter users) only with a search warrant. In any event, Mr. Harris' account is "public", meaning the government could obtain Tweets simply by checking out Mr. Harris' Twitter feed. Plus, requesting Tweets only highlights the absurdity of the entire situation: why would the government need Tweets from both before and after the October 1 protest to prove he was obstructing traffic on the bridge? Government fishing expeditions like this raise serious First Amendment concerns. Mr. Harris was very outspoken about his support of and involvement in the Occupy Wall Street movement. With this overbroad subpoena, the government would be able to learn about who Mr. Harris was communicating with for an extensive period of time not only through Tweets, but through direct messages. And with the government's request for all email addresses associated with @destructuremal, they could subpoena Mr. Harris' email provider to get even more information about who he communicated with. The First Amendment shouldn't be trampled with only an expansive subpoena in a case that barely registers as "criminal."

Given that much of Mr. Harris' Twitter information (like Tweets and followers) is already public, it's very likely that the government was really after something else: location data. By attempting to subpoena these records, the government can get around the Fourth Amendment's prohibition against warrantless searches by requesting information that includes IP addresses. Twitter keeps track of IP address information regarding every time a person logged into Twitter, as well as the IP address information related to a Twitter user's direct messages to other users, and the date and time information related to these log ins and direct messages. Armed with IP addresses, the government — without a warrant — can go to an ISP to determine who was assigned that particular IP address. And if that person connected on a mobile device — which is where the majority of Twitter users access their accounts — the ISP will hand over to the government the specific cell tower (and its corresponding geographic location) which that person used to access Twitter. This allows the government to piece together a map of where a person physically is when he opens Twitter on his smartphone, sends a direct message to a friend, or Tweets. And with that information, the government could get a record of Mr. Harris' movement over the three months it requested from Twitter. It's no surprise then that the government singled out Mr. Harris for this request: he currently has over 1,500 followers and 7,200 Tweets. 

Allowing the government to gets its hands on this data with nothing more than an administrative subpoena renders the Fourth Amendment meaningless. Only with the protection of a search warrant, and the heightened judicial supervision that comes along with it, can the voracious appetite of law enforcement be curbed. As we've consistently argued, the Fourth Amendment protects this information. But another way to impose privacy protection from the prying hands of law enforcement is through Congressional reform of the badly outdated Electronic Communications Privacy Act ("ECPA"). As part of the Digital Due Process coalition, EFF has been calling for Congress to update ECPA to conform with the realities of the 21st century. 

It looks like judicial momentum may finally be on our side. In January of this year, the United States Supreme Court issued a landmark decision in United States v. Jones (PDF), ruling that law enforcement could not physically install a GPS device on private property without a search warrant. The majority opinion resolved the Fourth Amendment issue by looking exclusively at the physical installation of the GPS device. Importantly, however, in a concurring opinion, Justice Sotomayor warned that "physical intrusion is now unnecessary to many forms of surveillance." Collecting IP addresses of a prolific Tweeter, and matching it with other easily obtainable information from other service providers, demonstrates this problem. In writing that society is unlikely to accept extensive warrantless surveillance as "reasonable", Justice Sotomayor called into question "the appropriateness of entrusting to the Executive, in the absence of any oversight from a coordinate branch, a tool so amenable to misuse, especially in light of the Fourth Amendment’s goal to curb arbitrary exercises of police power to and prevent 'a too permeating police surveillance.'” Similarly, Justice Alito's concurring opinion noted that with "dramatic technological change, the best solution to privacy concerns may be legislative." 

Hopefully with the public breathing down its neck, Congress can finally act to fix a antequated set of laws. Malcolm Harris, like Birgitta Jonsdottir before him, took a stand to protect our privacy rights. You can too by telling Congress that its time to update ECPA and tell law enforcement once and for all that in order to get a person's location data, it needs to come back with a warrant. 

Permalink • Print • Comment

White House, Google, and Other Advertising Companies Commit to Supporting Do Not Track

February 23, 2012 | By Rainey Reitman

When Stanford researcher Jonathan Mayer uncovered a Google workaround to circumvent the default privacy settings on Safari, EFF called on Google to change their tune on privacy by respecting the Do Not Track flag and building it into the Chrome browser. We specifically praised the World Wide Web Consortium (W3C) multi-stakeholder process, which for a year has been convening consumer advocates, Internet companies, and technologists to craft how companies that receive the Do Not Track signal should respond. Today, in conjunction with the White House’s new publication Consumer Data Privacy in a Networked World (PDF), the Digital Advertising Alliance (DAA) announced (PDF) that it will embrace Do Not Track. (The DAA is the latest self-regulatory organization for online advertising companies.) This is a big step in the right direction for securing user privacy rights in the digital environment, but we’ve still got a long way to go. And, unfortunately, it looks like online advertisers are already working to water down the Do Not Track protections.

There are two parts to Do Not Track: technology and policy. The technology, a simple HTTP header (“DNT: 1”), allows a consumer to signal her privacy preference. The policy specifies what companies can and can’t do when they receive the signal. Read more.

Today’s announcements are great news for the Do Not Track technology. Google, a member of the DAA, has committed to add the feature to Chrome. While we haven’t seen the user interface, presumably it’ll be a one-click check box easily accessible through your browser settings, similar to what other browsers offer. Even better, Google and other members of the DAA — including Yahoo!, Microsoft, and AOL — are committing to adding support for the Do Not Track technical signal.

Today also brought good news for enforcing Do Not Track. The White House recognized that user privacy protections are nearly useless without a method of enforcement, so it has reaffirmed that companies that commit to respecting Do Not Track will be subject to Federal Trade Commission (FTC) enforcement.

Time to celebrate? Should we declare February 23rd V-DNT Day? Not quite. While today was a great advancement on the Do Not Track technology, it did not meaningfully move the ball forward on the Do Not Track policy. Even as Google and the other giant advertisers make strong gestures toward giving users meaningful choice when it comes to online tracking, portions of today’s two announcements are also undermining some of the most powerful consumer protections. Specifically:

Favoring industry-crafted standards

The W3C is a long-respected Internet governance body that brings together a wide range of stakeholders — including civil liberties advocates, engineers, and industry representatives — to reach accord about standards affecting the future of the Internet. EFF and lots of other consumer groups are involved in the process, and anybody can read up on what’s happening through the publicly available meeting notes. For a year, W3C has been working to pin down how various websites should respect the Do Not Track header. Internet companies, including Google, have been actively participating.

The DAA, on the other hand, is an industry group for online advertisers. It includes no consumer advocates or regulators and it doesn’t offer an opportunity for public participation in their decision-making process. Historically, the DAA has eschewed providing users with powerful mechanisms for choices when it comes to online tracking. The self-regulatory standards for behavioral advertising have offered consumers a way to opt out of viewing behaviorally targeted ads without actually stopping the online tracking which is the root of the privacy concern.

While we appreciate that DAA is interested in respecting the Do Not Track flag, it’s important that they engage with the larger Internet community in doing so. DAA should use the W3C for the purposes of defining Do Not Track and determining how websites that receive this signal should react. And the White House, similarly, should turn to the well-established W3C multi-stakeholder process for addressing these issues.

Chipping away at Do Not Track’s simplicity

If you’re using the most recent version of Firefox, you can turn on Do Not Track by going into your preferences and checking the box that says “Tell websites I do not want to be tracked.”  Pretty straightforward, from a user’s standpoint. But DAA is trying to tamper with this simplicity. In its statement, the coalition of online advertisers say that they'll respect Do Not Track where a consumer "has been provided language that describes to consumers the effect of exercising such choice including that some data may still be collected." Then they noted their intention to “begin work immediately with browser providers to develop consistent language across browsers.”

The most skeptical interpretation of this statement is that the straightforward language for turning on Do Not Track might turn into some slippery legalese that doesn’t promise to do much of anything about tracking. We hope that’s not the case; much of Do Not Track’s power came from its straightforward, human-readable format.

No privacy-protective default settings

The DAA added another exception into their promise to respect Do Not Track: they won’t respect the setting unless a user affirmatively chooses Do Not Track and won’t respect it if “any entity or software or technology provider other than the user exercises such a choice.” This seems geared toward preventing a privacy-protective browser from turning Do Not Track on by default.

It’s important that advertising companies remember that users can express a preference simply by choosing a privacy-protective browser. In the same way many users may have chosen the Safari browser because of its privacy-protective policies regarding third-party tracking, many users in the future might affirmatively choose a browser that has Do Not Track enabled by default. 

While there remain serious concerns about attempts to water down enforceable tracking protection for consumers, one thing is clear: Today represents a powerful step forward in helping users protect their online privacy. We applaud Google’s decision to implement Do Not Track in the Chrome browser, and we’re looking forward to collaborating with the DAA and other stakeholders in the W3C to communicate the concerns of users and advocates in online tracking issues.

Permalink • Print • Comment

Google Circumvents Safari Privacy Protections – This is Why We Need Do Not Track

February 16, 2012 | By Peter Eckersley and Rainey Reitman and Lee Tien

Earlier today, the Wall Street Journal published evidence that Google has been circumventing the privacy settings of Safari and iPhone users, tracking them on non-Google sites despite Apple's default settings, which were intended to prevent such tracking.

This tracking, discovered by Stanford researcher Jonathan Mayer, was a technical side-effect—probably an unintended side-effect—of a system that Google built to pass social personalization information (like, “your friend Suzy +1'ed this ad about candy”) from the google.com domain to the doubleclick.net domain. Further technical explanation can be found below.

Coming on the heels of Google’s controversial decision to tear down the privacy-protective walls between some of its other services, this is bad news for the company. It’s time for Google to acknowledge that it can do a better job of respecting the privacy of Web users. One way that Google can prove itself as a good actor in the online privacy debate is by providing meaningful ways for users to limit what data Google collects about them. Specifically, it’s time that Google's third-party web servers start respecting Do Not Track requests, and time for Google to offer a built-in Do Not Track option.

Meanwhile, users who want to be safe against web tracking can't rely on Safari's well-intentioned but circumventable protections. Until Do Not Track is more widely respected, users who wish to defend themselves against online tracking should use AdBlock Plus for Firefox or Chrome, or Tracking Protection Lists for Internet Explorer.1 AdBlock needs to be used with EasyPrivacy and EasyList in order to offer maximal protection.

Technical details: Google tries to poke a small hole in Safari's privacy protections, but the hole becomes very large

The Safari and iOS browsers have a useful privacy feature: they automatically reject third-party tracking cookies unless a user actively interacts with a widget or clicks on the third party's ads. This is a big step up from the default settings on most browsers. Advertisers typically use tracking cookies to create an invisible record of your online browsing habits, and large advertisers can track you across huge swaths of the web. Safari offers some protection against this type of passive tracking: it specifically prevents a site from setting cookies unless those cookies are from a domain name that you have visited or interacted with directly.

As Google engineers were building the system for passing facts like "your friend Suzy +1'ed this ad" from google.com to doubleclick.net, they would have likely realized that Safari was stopping them from linking this data using third-party DoubleClick cookies. So it appears they added special JavaScript code that tricked Safari into thinking the user was interacting with DoubleClick,2 causing Safari to allow the cookies that would facilitate social personalization (and perhaps, at some point, other forms of pseudonymous behavioral targeting). This was a small hole in Safari's privacy protections.

Unfortunately, that had the side effect of completely undoing all of Safari's protections against doubleclick.net. It caused Safari to allow other DoubleClick cookies, and especially the main "id" tracking cookie that Safari normally blocked. Like a balloon popped with a pinprick, all of Safari's protections against DoubleClick were gone.

The Wall Street Journal has an excellent infographic explaining this process.

The right hand is not talking to the left

Public statements by Google have indicated that parts of the company had a fairly good understanding of Safari's privacy protections:

In the screenshot above, Google states: “While we don’t yet have a Safari version of the Google advertising cookie opt-out plugin, Safari is set by default to block all third party cookies. If you have not changed those settings, this option effectively accomplished the same thing as setting the opt-out cookie.” If only that had stayed true.

Safari gives users an opportunity to block passive tracking by online advertisers. Google's decision to route around those settings took it down a dangerous road. Any code that was specifically designed to circumvent privacy protection features should have triggered a much higher level of review and caution, and that clearly did not happen.

Can Advertisers Learn That "No Means No" (PDF), a research study on flash cookies published in 2011, characterized online advertisers who used flash cookies to override user privacy settings as paternalistic:

Advertisers see individuals as objects. When conceived of as objects, consumers’ preferences no longer matter. Privacy can be coded into oblivion or be circumvented with technology. Our 2009 and 2011 work empirically demonstrates that advertisers implement paternalistic judgments that subjects of targeted marketing cannot make proper judgments for themselves.

Today, Google looks just as paternalistic as ad networks setting flash cookies to outfox people who try to delete their cookies.

People around the world rely on Safari to browse the web, including iPhone users, whose choices are severely limited by Apple's walled garden. That’s a lot of people who are denied a voice when it comes to online tracking.

It’s Time for Google to Make Amends: an Open Letter to Google

Google, the time has finally come. You need to make a pro-privacy offering to restore your users’ trust.

Internet users worldwide have loved your products for years, and we’ve often praised your stance on free expression and transparency and your efforts to limit government access to users’ information. But when it comes to consumer choice around privacy, your commitment to users has been weaker. That’s bad for users, for the future of the Internet, and ultimately, for you. We need to create an Internet that gives users meaningful choice about sharing their personal data, and we need your help to do it.

It’s time for a new chapter in Google’s policy regarding privacy. It’s time to commit to giving users a voice about tracking and then respecting those wishes.

For a long time, we’ve hoped to see Google respect Do Not Track requests when it acts as a third party on the Web, and implement Do Not Track in the Chrome browser. This privacy setting, available in every other major browser, lets users express their choice about whether they want to be tracked by mysterious third parties with whom they have no relationship. And even if a user deleted her cookies, the setting would still be there.

Right now, EFF, Google, and many other groups are involved in a multi-stakeholder process to define the scope and execution of Do Not Track through the Tracking Protection Working Group. Through this participatory forum, civil liberties organizations, advertisers, and leading technologists are working together to define how Do Not Track will give users a meaningful way to control online tracking without unduly burdening companies. This is the perfect forum for Google to engage on the technical specifications of the Do Not Track signal, and an opportunity to bring all parties together to fight for user rights. While the Do Not Track specification is not yet final, there's no reason to wait. Google has repeatedly led the way on web security by implementing features long before they were standardized. Google should do the same with web privacy. Get started today by linking Do Not Track to your existing opt-out mechanisms for advertising, +1, and analytics.

Google, make this a new era in your commitment to defending user privacy. Commit to offering and respecting Do Not Track.

  • 1. As this blog goes to press, we are unsure whether ad blockers for Safari can prevent the browser from sending requests, which is essential for this kind of privacy protection to be effective.
  • 2. The code was web developers call a "hidden form submission", contained in a DoubleClick iframe. This code was only sent to Apple's browsers: Mayer tested 400 user-agent strings, and found that only Safari received the JavaScript that performed hidden form submissions.

Permalink • Print • Comment

UK Police Agency Takes Over Popular Music Website

February 17, 2012 | By Maira Sutton

News broke Tuesday that a British police agency called the Serious Organised Crime Agency (SOCA), had taken control of the popular music blog RnBXclusive and arrested one of the site’s creators for fraud. The normal content from the site was completely unavailable, replaced with a new splash page: a notice from SOCA stating that it had taken control of the domain. Initial reports claimed that that the RnBXclusive.com domain had been seized by the UK government agency — bringing to mind images of a post-SOPA fractured Internet — but it turned out that the website takeover was done with the cooperation of the UK-based hosting company, Rackspace’s UK arm. For its part, Rackspace claimed that the music site was taken down for breaching its Terms and Conditions.

The initial splash page that the site displayed after the takedown was replete with exaggerations and misstatements of law. Techdirt’s Mike Masnick ripped the notice apart, explaining the problems with the way that SOCA handled the situation. The original SOCA notice has since been taken down and replaced with a more accurately worded statement, but an image of the original is viewable here.

The baseless claims in the original notice included the statement that a majority of the music files previously available via the site had been stolen, and that:

As a result of illegal downloads young, emerging artists may have had their careers damaged. If you have illegally downloaded music you will have damaged the future of the music industry.

Most disconcertingly, the notice stated that visitors who had downloaded music from RnBXclusive may have committed a crime with a penalty of 10 years imprisonment and an unlimited fine. It also stated that SOCA has "the capability to monitor and investigate you, and can inform your Internet service provider of these infringements."

Then, in a move that could only be described as intimidating, it went on to display the visitor’s operating system and IP address with a statement below that read, "The above information can be used to identify you and your location."

This situation is alarming on several levels. It is unknown whether there was a court order that directed the hosting provider to take down this site, or whether the hosting company voluntarily removed the previous content. Open Rights Group is reporting that Rackspace’s UK arm is hosting the holding page. Why would it allow SOCA to put up the holding page without a court order?

We initially feared that this was a domain seizure, as when last year the domain registrar for .uk domains, Nominet, admitted to helping police authorities seize 3,000 websites and proposed new rules to expedite domain takedowns so that police authorities would not need court orders to do so. Whether this proposal was actually enacted remains unclear, but the chilling effect that both these cases have on free expression is undeniable.

Technology writer Glyn Moody reports that SOCA charged fraud because the music blog had allegedly been sharing pre-release works somehow obtained without authorization from music industry sites. If that’s true, SOCA’s involvement may not be quite as surprising as it initially appeared. But as SOCA has released no evidence in support of its allegation, it will be interesting to see how this proceeds.

In any case, this week’s takeover sets a dangerous precedent for copyright enforcement measures in the UK. If the hosting provider took down this site voluntarily without any court oversight, it raises the prospects of future cases being dealt with in a similar extrajudicial manner. Though the Internet blacklist legislation which would have facilitated similar takedowns in the U.S. has been stopped for now, we must keep a close eye on these sorts of alternative methods of online censorship that are implemented in the name of copyright enforcement.

~

For more updates on this story visit Open Rights Group or follow them on twitter at @Openrightsgroup

Permalink • Print • Comment
Next Page »
Made with WordPress and Semiologic • Sky Gold skin by Denis de Bernardy