On October 1, 2011, over 700 Occupy Wall Street protesters were arrested on the Brooklyn Bridge. Most of the protesters, including Malcolm Harris, were charged with the mundane crime of disorderly conduct, a "violation" under New York law that has a maximum punishment of 15 days in jail or a $250 fine. 

And yet on the basis of a charge no more consequential than speeding ticket, the New York City District Attorney's office sent a poorly worded subpoena to Twitter requesting "any and all user information, including email address, as well as any and all tweets posted for the period of 9/15/2011-12/31/2011" regarding Mr. Harris' Twitter account, @destructuremal. Unsurprisingly, the government wanted to keep it quiet, but thankfully Twitter didn't listen. Instead, as it has consistently warned law enforcement, Twitter notified Mr. Harris, who through his lawyer, Martin Stolar of the National Lawyers Guild, has moved to challenge the subpoena in court.

The subpoena is astonishing not only for its poor grammar, but also for the breadth of information the government wants for a trivial crime that hardly requires it. The government's request that Twitter hand over Tweets is unlikely to succeed because consistent with the Stored Communications Act, Twitter releases "contents of communication" (effectively Tweets and private messages between Twitter users) only with a search warrant. In any event, Mr. Harris' account is "public", meaning the government could obtain Tweets simply by checking out Mr. Harris' Twitter feed. Plus, requesting Tweets only highlights the absurdity of the entire situation: why would the government need Tweets from both before and after the October 1 protest to prove he was obstructing traffic on the bridge? Government fishing expeditions like this raise serious First Amendment concerns. Mr. Harris was very outspoken about his support of and involvement in the Occupy Wall Street movement. With this overbroad subpoena, the government would be able to learn about who Mr. Harris was communicating with for an extensive period of time not only through Tweets, but through direct messages. And with the government's request for all email addresses associated with @destructuremal, they could subpoena Mr. Harris' email provider to get even more information about who he communicated with. The First Amendment shouldn't be trampled with only an expansive subpoena in a case that barely registers as "criminal."

Given that much of Mr. Harris' Twitter information (like Tweets and followers) is already public, it's very likely that the government was really after something else: location data. By attempting to subpoena these records, the government can get around the Fourth Amendment's prohibition against warrantless searches by requesting information that includes IP addresses. Twitter keeps track of IP address information regarding every time a person logged into Twitter, as well as the IP address information related to a Twitter user's direct messages to other users, and the date and time information related to these log ins and direct messages. Armed with IP addresses, the government — without a warrant — can go to an ISP to determine who was assigned that particular IP address. And if that person connected on a mobile device — which is where the majority of Twitter users access their accounts — the ISP will hand over to the government the specific cell tower (and its corresponding geographic location) which that person used to access Twitter. This allows the government to piece together a map of where a person physically is when he opens Twitter on his smartphone, sends a direct message to a friend, or Tweets. And with that information, the government could get a record of Mr. Harris' movement over the three months it requested from Twitter. It's no surprise then that the government singled out Mr. Harris for this request: he currently has over 1,500 followers and 7,200 Tweets. 

Allowing the government to gets its hands on this data with nothing more than an administrative subpoena renders the Fourth Amendment meaningless. Only with the protection of a search warrant, and the heightened judicial supervision that comes along with it, can the voracious appetite of law enforcement be curbed. As we've consistently argued, the Fourth Amendment protects this information. But another way to impose privacy protection from the prying hands of law enforcement is through Congressional reform of the badly outdated Electronic Communications Privacy Act ("ECPA"). As part of the Digital Due Process coalition, EFF has been calling for Congress to update ECPA to conform with the realities of the 21st century. 

It looks like judicial momentum may finally be on our side. In January of this year, the United States Supreme Court issued a landmark decision in United States v. Jones (PDF), ruling that law enforcement could not physically install a GPS device on private property without a search warrant. The majority opinion resolved the Fourth Amendment issue by looking exclusively at the physical installation of the GPS device. Importantly, however, in a concurring opinion, Justice Sotomayor warned that "physical intrusion is now unnecessary to many forms of surveillance." Collecting IP addresses of a prolific Tweeter, and matching it with other easily obtainable information from other service providers, demonstrates this problem. In writing that society is unlikely to accept extensive warrantless surveillance as "reasonable", Justice Sotomayor called into question "the appropriateness of entrusting to the Executive, in the absence of any oversight from a coordinate branch, a tool so amenable to misuse, especially in light of the Fourth Amendment’s goal to curb arbitrary exercises of police power to and prevent 'a too permeating police surveillance.'” Similarly, Justice Alito's concurring opinion noted that with "dramatic technological change, the best solution to privacy concerns may be legislative." 

Hopefully with the public breathing down its neck, Congress can finally act to fix a antequated set of laws. Malcolm Harris, like Birgitta Jonsdottir before him, took a stand to protect our privacy rights. You can too by telling Congress that its time to update ECPA and tell law enforcement once and for all that in order to get a person's location data, it needs to come back with a warrant. 

When Stanford researcher Jonathan Mayer uncovered a Google workaround to circumvent the default privacy settings on Safari, EFF called on Google to change their tune on privacy by respecting the Do Not Track flag and building it into the Chrome browser. We specifically praised the World Wide Web Consortium (W3C) multi-stakeholder process, which for a year has been convening consumer advocates, Internet companies, and technologists to craft how companies that receive the Do Not Track signal should respond. Today, in conjunction with the White House’s new publication Consumer Data Privacy in a Networked World (PDF), the Digital Advertising Alliance (DAA) announced (PDF) that it will embrace Do Not Track. (The DAA is the latest self-regulatory organization for online advertising companies.) This is a big step in the right direction for securing user privacy rights in the digital environment, but we’ve still got a long way to go. And, unfortunately, it looks like online advertisers are already working to water down the Do Not Track protections.

There are two parts to Do Not Track: technology and policy. The technology, a simple HTTP header (“DNT: 1”), allows a consumer to signal her privacy preference. The policy specifies what companies can and can’t do when they receive the signal. Read more.

Today’s announcements are great news for the Do Not Track technology. Google, a member of the DAA, has committed to add the feature to Chrome. While we haven’t seen the user interface, presumably it’ll be a one-click check box easily accessible through your browser settings, similar to what other browsers offer. Even better, Google and other members of the DAA — including Yahoo!, Microsoft, and AOL — are committing to adding support for the Do Not Track technical signal.

Today also brought good news for enforcing Do Not Track. The White House recognized that user privacy protections are nearly useless without a method of enforcement, so it has reaffirmed that companies that commit to respecting Do Not Track will be subject to Federal Trade Commission (FTC) enforcement.

Time to celebrate? Should we declare February 23rd V-DNT Day? Not quite. While today was a great advancement on the Do Not Track technology, it did not meaningfully move the ball forward on the Do Not Track policy. Even as Google and the other giant advertisers make strong gestures toward giving users meaningful choice when it comes to online tracking, portions of today’s two announcements are also undermining some of the most powerful consumer protections. Specifically:

Favoring industry-crafted standards

The W3C is a long-respected Internet governance body that brings together a wide range of stakeholders — including civil liberties advocates, engineers, and industry representatives — to reach accord about standards affecting the future of the Internet. EFF and lots of other consumer groups are involved in the process, and anybody can read up on what’s happening through the publicly available meeting notes. For a year, W3C has been working to pin down how various websites should respect the Do Not Track header. Internet companies, including Google, have been actively participating.

The DAA, on the other hand, is an industry group for online advertisers. It includes no consumer advocates or regulators and it doesn’t offer an opportunity for public participation in their decision-making process. Historically, the DAA has eschewed providing users with powerful mechanisms for choices when it comes to online tracking. The self-regulatory standards for behavioral advertising have offered consumers a way to opt out of viewing behaviorally targeted ads without actually stopping the online tracking which is the root of the privacy concern.

While we appreciate that DAA is interested in respecting the Do Not Track flag, it’s important that they engage with the larger Internet community in doing so. DAA should use the W3C for the purposes of defining Do Not Track and determining how websites that receive this signal should react. And the White House, similarly, should turn to the well-established W3C multi-stakeholder process for addressing these issues.

Chipping away at Do Not Track’s simplicity

If you’re using the most recent version of Firefox, you can turn on Do Not Track by going into your preferences and checking the box that says “Tell websites I do not want to be tracked.”  Pretty straightforward, from a user’s standpoint. But DAA is trying to tamper with this simplicity. In its statement, the coalition of online advertisers say that they'll respect Do Not Track where a consumer "has been provided language that describes to consumers the effect of exercising such choice including that some data may still be collected." Then they noted their intention to “begin work immediately with browser providers to develop consistent language across browsers.”

The most skeptical interpretation of this statement is that the straightforward language for turning on Do Not Track might turn into some slippery legalese that doesn’t promise to do much of anything about tracking. We hope that’s not the case; much of Do Not Track’s power came from its straightforward, human-readable format.

No privacy-protective default settings

The DAA added another exception into their promise to respect Do Not Track: they won’t respect the setting unless a user affirmatively chooses Do Not Track and won’t respect it if “any entity or software or technology provider other than the user exercises such a choice.” This seems geared toward preventing a privacy-protective browser from turning Do Not Track on by default.

It’s important that advertising companies remember that users can express a preference simply by choosing a privacy-protective browser. In the same way many users may have chosen the Safari browser because of its privacy-protective policies regarding third-party tracking, many users in the future might affirmatively choose a browser that has Do Not Track enabled by default. 

While there remain serious concerns about attempts to water down enforceable tracking protection for consumers, one thing is clear: Today represents a powerful step forward in helping users protect their online privacy. We applaud Google’s decision to implement Do Not Track in the Chrome browser, and we’re looking forward to collaborating with the DAA and other stakeholders in the W3C to communicate the concerns of users and advocates in online tracking issues.

Earlier today, the Wall Street Journal published evidence that Google has been circumventing the privacy settings of Safari and iPhone users, tracking them on non-Google sites despite Apple's default settings, which were intended to prevent such tracking.

This tracking, discovered by Stanford researcher Jonathan Mayer, was a technical side-effect—probably an unintended side-effect—of a system that Google built to pass social personalization information (like, “your friend Suzy +1'ed this ad about candy”) from the google.com domain to the doubleclick.net domain. Further technical explanation can be found below.

Coming on the heels of Google’s controversial decision to tear down the privacy-protective walls between some of its other services, this is bad news for the company. It’s time for Google to acknowledge that it can do a better job of respecting the privacy of Web users. One way that Google can prove itself as a good actor in the online privacy debate is by providing meaningful ways for users to limit what data Google collects about them. Specifically, it’s time that Google's third-party web servers start respecting Do Not Track requests, and time for Google to offer a built-in Do Not Track option.

Meanwhile, users who want to be safe against web tracking can't rely on Safari's well-intentioned but circumventable protections. Until Do Not Track is more widely respected, users who wish to defend themselves against online tracking should use AdBlock Plus for Firefox or Chrome, or Tracking Protection Lists for Internet Explorer.1 AdBlock needs to be used with EasyPrivacy and EasyList in order to offer maximal protection.

Technical details: Google tries to poke a small hole in Safari's privacy protections, but the hole becomes very large

The Safari and iOS browsers have a useful privacy feature: they automatically reject third-party tracking cookies unless a user actively interacts with a widget or clicks on the third party's ads. This is a big step up from the default settings on most browsers. Advertisers typically use tracking cookies to create an invisible record of your online browsing habits, and large advertisers can track you across huge swaths of the web. Safari offers some protection against this type of passive tracking: it specifically prevents a site from setting cookies unless those cookies are from a domain name that you have visited or interacted with directly.

As Google engineers were building the system for passing facts like "your friend Suzy +1'ed this ad" from google.com to doubleclick.net, they would have likely realized that Safari was stopping them from linking this data using third-party DoubleClick cookies. So it appears they added special JavaScript code that tricked Safari into thinking the user was interacting with DoubleClick,2 causing Safari to allow the cookies that would facilitate social personalization (and perhaps, at some point, other forms of pseudonymous behavioral targeting). This was a small hole in Safari's privacy protections.

Unfortunately, that had the side effect of completely undoing all of Safari's protections against doubleclick.net. It caused Safari to allow other DoubleClick cookies, and especially the main "id" tracking cookie that Safari normally blocked. Like a balloon popped with a pinprick, all of Safari's protections against DoubleClick were gone.

The Wall Street Journal has an excellent infographic explaining this process.

The right hand is not talking to the left

Public statements by Google have indicated that parts of the company had a fairly good understanding of Safari's privacy protections:

In the screenshot above, Google states: “While we don’t yet have a Safari version of the Google advertising cookie opt-out plugin, Safari is set by default to block all third party cookies. If you have not changed those settings, this option effectively accomplished the same thing as setting the opt-out cookie.” If only that had stayed true.

Safari gives users an opportunity to block passive tracking by online advertisers. Google's decision to route around those settings took it down a dangerous road. Any code that was specifically designed to circumvent privacy protection features should have triggered a much higher level of review and caution, and that clearly did not happen.

Can Advertisers Learn That "No Means No" (PDF), a research study on flash cookies published in 2011, characterized online advertisers who used flash cookies to override user privacy settings as paternalistic:

Advertisers see individuals as objects. When conceived of as objects, consumers’ preferences no longer matter. Privacy can be coded into oblivion or be circumvented with technology. Our 2009 and 2011 work empirically demonstrates that advertisers implement paternalistic judgments that subjects of targeted marketing cannot make proper judgments for themselves.

Today, Google looks just as paternalistic as ad networks setting flash cookies to outfox people who try to delete their cookies.

People around the world rely on Safari to browse the web, including iPhone users, whose choices are severely limited by Apple's walled garden. That’s a lot of people who are denied a voice when it comes to online tracking.

It’s Time for Google to Make Amends: an Open Letter to Google

Google, the time has finally come. You need to make a pro-privacy offering to restore your users’ trust.

Internet users worldwide have loved your products for years, and we’ve often praised your stance on free expression and transparency and your efforts to limit government access to users’ information. But when it comes to consumer choice around privacy, your commitment to users has been weaker. That’s bad for users, for the future of the Internet, and ultimately, for you. We need to create an Internet that gives users meaningful choice about sharing their personal data, and we need your help to do it.

It’s time for a new chapter in Google’s policy regarding privacy. It’s time to commit to giving users a voice about tracking and then respecting those wishes.

For a long time, we’ve hoped to see Google respect Do Not Track requests when it acts as a third party on the Web, and implement Do Not Track in the Chrome browser. This privacy setting, available in every other major browser, lets users express their choice about whether they want to be tracked by mysterious third parties with whom they have no relationship. And even if a user deleted her cookies, the setting would still be there.

Right now, EFF, Google, and many other groups are involved in a multi-stakeholder process to define the scope and execution of Do Not Track through the Tracking Protection Working Group. Through this participatory forum, civil liberties organizations, advertisers, and leading technologists are working together to define how Do Not Track will give users a meaningful way to control online tracking without unduly burdening companies. This is the perfect forum for Google to engage on the technical specifications of the Do Not Track signal, and an opportunity to bring all parties together to fight for user rights. While the Do Not Track specification is not yet final, there's no reason to wait. Google has repeatedly led the way on web security by implementing features long before they were standardized. Google should do the same with web privacy. Get started today by linking Do Not Track to your existing opt-out mechanisms for advertising, +1, and analytics.

Google, make this a new era in your commitment to defending user privacy. Commit to offering and respecting Do Not Track.

• 1. As this blog goes to press, we are unsure whether ad blockers for Safari can prevent the browser from sending requests, which is essential for this kind of privacy protection to be effective.
• 2. The code was web developers call a "hidden form submission", contained in a DoubleClick iframe. This code was only sent to Apple's browsers: Mayer tested 400 user-agent strings, and found that only Safari received the JavaScript that performed hidden form submissions.

News broke Tuesday that a British police agency called the Serious Organised Crime Agency (SOCA), had taken control of the popular music blog RnBXclusive and arrested one of the site’s creators for fraud. The normal content from the site was completely unavailable, replaced with a new splash page: a notice from SOCA stating that it had taken control of the domain. Initial reports claimed that that the RnBXclusive.com domain had been seized by the UK government agency — bringing to mind images of a post-SOPA fractured Internet — but it turned out that the website takeover was done with the cooperation of the UK-based hosting company, Rackspace’s UK arm. For its part, Rackspace claimed that the music site was taken down for breaching its Terms and Conditions.

The initial splash page that the site displayed after the takedown was replete with exaggerations and misstatements of law. Techdirt’s Mike Masnick ripped the notice apart, explaining the problems with the way that SOCA handled the situation. The original SOCA notice has since been taken down and replaced with a more accurately worded statement, but an image of the original is viewable here.

The baseless claims in the original notice included the statement that a majority of the music files previously available via the site had been stolen, and that:

As a result of illegal downloads young, emerging artists may have had their careers damaged. If you have illegally downloaded music you will have damaged the future of the music industry.

Most disconcertingly, the notice stated that visitors who had downloaded music from RnBXclusive may have committed a crime with a penalty of 10 years imprisonment and an unlimited fine. It also stated that SOCA has "the capability to monitor and investigate you, and can inform your Internet service provider of these infringements."

Then, in a move that could only be described as intimidating, it went on to display the visitor’s operating system and IP address with a statement below that read, "The above information can be used to identify you and your location."

This situation is alarming on several levels. It is unknown whether there was a court order that directed the hosting provider to take down this site, or whether the hosting company voluntarily removed the previous content. Open Rights Group is reporting that Rackspace’s UK arm is hosting the holding page. Why would it allow SOCA to put up the holding page without a court order?

We initially feared that this was a domain seizure, as when last year the domain registrar for .uk domains, Nominet, admitted to helping police authorities seize 3,000 websites and proposed new rules to expedite domain takedowns so that police authorities would not need court orders to do so. Whether this proposal was actually enacted remains unclear, but the chilling effect that both these cases have on free expression is undeniable.

Technology writer Glyn Moody reports that SOCA charged fraud because the music blog had allegedly been sharing pre-release works somehow obtained without authorization from music industry sites. If that’s true, SOCA’s involvement may not be quite as surprising as it initially appeared. But as SOCA has released no evidence in support of its allegation, it will be interesting to see how this proceeds.

In any case, this week’s takeover sets a dangerous precedent for copyright enforcement measures in the UK. If the hosting provider took down this site voluntarily without any court oversight, it raises the prospects of future cases being dealt with in a similar extrajudicial manner. Though the Internet blacklist legislation which would have facilitated similar takedowns in the U.S. has been stopped for now, we must keep a close eye on these sorts of alternative methods of online censorship that are implemented in the name of copyright enforcement.

~

For more updates on this story visit Open Rights Group or follow them on twitter at @Openrightsgroup

The SABAM v. Netlog decision follows a landmark ruling by the ECJ in the SABAM v. Scarlet Extended case in November 2011, where the Court held that a Belgian ISP (Scarlet) could not be required to adopt a system to filter and block the transfer of potentially copyright infringing music files on its network. In that case, the Belgian copyright collective management organization SABAM had obtained an injunction (a court order) against the ISP, requiring it to install a system that would filter all of its users’ communications for potential copyright-infringing material.

Yesterday’s ruling also involved SABAM. It had sought a similarly broad injunction against Belgian social media platform Netlog.  The 2001 EU copyright directive mandates that copyright holders be able to obtain injunctions against intermediaries whose services are used by third parties to infringe copyright, but that is bounded by other EU obligations, including protection of citizens’ fundamental rights. The ECJ was asked to rule on the permissible scope of these injunctions, given their impact on Internet users’ fundamental rights and online service providers’ businesses.

The ECJ found that forcing Netlog to install a filtering system that would identify and prevent its users from making available any potentially copyright infringing files would require “active observation” of Netlog’s users. Following the 2011 SABAM v Scarlet decision, it held that implementing such a system would fall afoul of the key principle in Article 15 of the EU e-Commerce Directive, which prohibits EU member states from imposing a general obligation on ISPs and hosting services to monitor information they transmit or store, or to actively seek facts or circumstances that indicate illegal activity.

The Court also criticized the injunction on a second basis. In the 2011 Scarlet ruling and the 2008 Promusicae v. Telefonica decision, the ECJ held that in adopting measures to protect copyright holders, EU member states and courts must strike a fair balance between the protection of copyright, and the protection of the fundamental rights of individuals and businesses who are affected by those measures. The Court found that the filtering system being sought by SABAM required the identification, systematic analysis, and processing of information connected with the profiles of Netlog’s users. This would violate Netlog’s users’ right to protection of their personal data, enshrined in Article 8 of the Charter of Fundamental Rights of the EU. In addition, because the filtering system could not effectively distinguish between lawful and unlawful content, it could block lawful content, and undermine Netlog users’ right to receive and impart information protected under Article 11 of the Charter.

Given the protection required of citizens’ fundamental rights under the Charter of Fundamental Rights, the ECJ concluded that courts in EU countries can’t issue injunctions against hosting service providers that require them to install a filtering system with features as broad as the one in this case which (a) was directed at information stored on the hosting platform’s servers by its users, (b) applied indiscriminately to all its users, (c) was installed as a preventative measure (requiring hosting services to decide whether content is infringing), (d) was at the sole expense of the hosting provider, and (e) for an unlimited period of time.

So what does all this mean? Here’s a couple of our thoughts.

The ECJ ruling is directed at EU member countries, but it will have significant implications for the future of the global Internet. Injunctions are one of several strategies that intellectual property rightsholders have been pursuing to force Internet intermediaries to become copyright police. In countries around the world, IP rightsholders have used injunctions to impose filtering, blocking and user termination obligations on Internet intermediaries. These efforts are likely to expand under ACTA, because it requires signatory countries to make available broad injunctions to IP rightsholders, including temporary injunctions while a case is pending. By precluding pre-emptive filtering and blocking injunctions, the SABAM v. Scarlet and SABAM v. Netlog rulings set an important limit on this strategy for EU countries.

Because injunctions are issued by courts, usually after a process of weighing up all affected parties’ interests, measures imposed in this way theoretically provide better protection for Internet users than those adopted in private party voluntary agreements such as those we’ve seen in Ireland and Belgium. As we’ve noted elsewhere, Internet intermediaries are not competent to make legal determinations about whether particular content or conduct infringes copyright. Copyright holders’ efforts to require Internet intermediaries to take on this role under the guise of greater “co-operation” raise serious concerns about due process, transparency and accountability, and online free expression. In that respect, we welcome the ECJ’s clarification on the scope of injunctions available under EU law.

At the same time, we recognize that the ECJ’s Scarlet and Netlog decisions will now lead to increased lobbying pressure from rightsholder groups to change EU law, perhaps as part of the European Commission’s review of the 2004 Intellectual Property Rights Enforcement Directive. Let’s hope that EU policymakers approach this in as thoughtful and balanced a way as the ECJ.