

EPIC Urges Senate Judiciary to Examine FBI Response to Russian Cyber Attacks

EPIC - Fri, 2018-06-15 17:23

EPIC has sent a statement to the Senate Judiciary Committee ahead of Monday's hearing "Examining the Inspector General’s First Report on Justice Department and FBI Actions in Advance of the 2016 Presidential Election." EPIC urged the Committee to explore the FBI's ability to respond to future cyberattacks. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." But an AP investigation found that the FBI failed to notify hundreds of officials whose email was hacked during the 2016 election. EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI. Last month, a federal court ruled that the agency may withhold records still sought by EPIC but said that lawmakers should pursue threats to democratic institutions described in the EPIC lawsuit.

Categories: Privacy

Mega-Merger: Vertical Integration in a Deregulated Environment

CDT - Fri, 2018-06-15 16:41

It’s been a big week for the future of the internet. Monday marked the end of the FCC’s Open Internet Order (OIO) and its rules protecting net neutrality. Tuesday brought a decision from D.C. District Court Judge Richard Leon to allow telecom giant AT&T to purchase media giant Time Warner. Thursday, Comcast made a bid to buy all of Fox, and AT&T finalized its acquisition of Time Warner. The combination of massive vertical integration and deregulation could set off a tectonic shift in the landscape of the internet.

For years now, internet service providers (ISPs) like AT&T have wanted to get some of the action enjoyed by providers of content and services at the “edge” of their networks. Many of the concerns addressed by net neutrality regulations stem from ISPs’ incentives to extract payment from edge providers. Essentially, ISPs wanted to extract revenue from the popular services (especially video streaming services) that their subscribers access via their networks, thereby monetizing both “sides” of the gateway position they hold. For instance, Comcast deliberately degraded the interconnection points between its network and Netflix to gain leverage in its negotiations with the streaming provider regarding their interconnection arrangements. Other ways ISPs can use their position to cash in on the edge market include practices like paid prioritization and zero-rating.

Deregulation + Integration = Greater Threat to Open Internet

Before Monday, the OIO’s strong net neutrality protections prevented ISPs from engaging in practices that resulted in unreasonable discrimination or disadvantage to edge providers. Now, ISPs need only disclose any such practices to comply with the FCC’s only remaining regulation, the transparency rule. This leaves ISPs essentially unrestricted in their ability to leverage their position between users and edge providers, whether to extract rent from edge providers or to favor their affiliates. This deregulation favors all of the largest ISPs, but especially those who also own significant portions of the content served by edge providers.

Through paid prioritization, ISPs can charge edge providers in exchange for favorable treatment of the network traffic their services generate. The concern here is that well-funded companies will be able to buy better service than their competitors, and that users will turn away from providers with comparatively poorer performance. Edge providers’ ability to buy “fast lanes” for their data traffic makes it harder for smaller companies to compete and increases costs for those who can afford prioritized treatment. In the end, consumers will be stuck with the (double) bill if ISPs can charge for preferential treatment.

In the event of a merger and the absence of a rule against prioritization for commercial benefit, Time Warner’s offerings could potentially benefit from preferential treatment on AT&T’s networks without payment. Even under FTC oversight, any action to address this kind of discriminatory treatment would require not only detection of the problem but also protracted legal proceedings, all of which necessarily occur after the preferential treatment (and possibly the damage to competition among edge providers) takes place. In this way, vertical integration further enhances the advantages of prioritized treatment by producing them at no cost to the affiliated edge providers. It is unclear whether a competing service could even purchase a similar level of preferential treatment or whether paid “fast lanes” would always be second-best to AT&T’s treatment of Time Warner’s data.

For access providers like AT&T, whose subscription plans include data caps, zero-rated offerings can incentivize the use of certain edge services and applications. Depending on the structure of the plan, users might be more inclined to use the apps and services that do not count against their monthly data allowance than ones that do, giving the zero-rated services an advantage, both in terms of usage stats (and the related advertising revenue) and overall user base, as customers move away from non-zero-rated services. (AT&T announced Friday afternoon that it plans to offer its mobile subscribers with unlimited packages free access to television content from the Turner networks.)

Zero-rating in a vertically-integrated context gives both the ISP and its affiliated edge providers similar benefits at no cost. As with preferential treatment of network traffic, no-cost zero-rating further enhances the advantages for the ISP and its affiliates over those of other edge providers that would have to negotiate with the ISP for zero-rated carriage of their network traffic. While ISPs like AT&T may market access packages bundled with zero-rated content as a savings for consumers, it is only a savings from the costs arising from the artificial scarcity created by data caps.

Finally, AT&T’s ability to merge the data it collects about its subscribers and their internet usage with the data collected by each of the outlets under the Time Warner umbrella gives it a few advantages over non-vertically-integrated providers. First, the merger gives AT&T a major boost in terms of the amount and the kinds of data it can use for its own marketing purposes or sell to others. Second, the ability to merge these data sets gives AT&T a greater ability to track individuals (especially AT&T customers) across platforms by comparing user profiles from an affiliate’s web-based content service with AT&T’s own data set. Third, it gives AT&T and its newly acquired affiliates ready markets in which to deploy that data for advertising.

In the wake of Congress’s repeal of the FCC’s broadband privacy rules, there are few bounds on what kinds of data can be collected and how it can be used. Since the FCC’s repeal of its own net neutrality regulations, there is also little at the federal level to stop ISPs from leveraging their positions as access providers to discriminate for or against edge providers. (Net neutrality protections came into effect in Washington State with the repeal of the FCC’s rules.)

As vertical integration merges ISPs with edge providers, these protections are even more important. (In addition to the AT&T acquisition of Time Warner, Comcast is seeking to buy Fox.) Vertically-integrated ISPs will have an even greater incentive to favor their own content and edge providers, and will be better positioned to leverage their control of popular content to effect negotiations with competing services. In a world where a few ISPs control both access and content, protecting the rest of the internet against discriminatory treatment will be crucial to preserve the internet as an open and flat communications network.

The post Mega-Merger: Vertical Integration in a Deregulated Environment appeared first on Center for Democracy & Technology.


EPIC Urges Safety Commission to Regulate Privacy and Security of IoT Devices

EPIC - Fri, 2018-06-15 16:33

EPIC submitted comments to the Consumer Product Safety Commission, urging the agency to regulate the privacy and security of Internet of Things devices. EPIC advised the Commission to require IoT manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques (“PETs”). EPIC recently told Congress that “CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream.” EPIC has also called out the CPSC for its reluctance to address the privacy and security challenges of IoT. In the statement to Congress, EPIC described the increasing risks to American consumers.


EPIC to House Committee: The "Digital Advertising Ecosystem" is Not Healthy

EPIC - Thu, 2018-06-14 19:10

EPIC has submitted a statement to the House Energy & Commerce Committee regarding today's hearing on "Understanding the Digital Advertising Ecosystem." EPIC told the Committee "The 'Digital Advertising Ecosystem' today is not healthy. Two companies dominate the market. The privacy of Internet users is under assault. The revenue model that sustained journalism is broken. The ad platforms are manipulated by foreign adversaries. Secrecy and complexity are increasing as accountability is diminished. It would be foolish to imagine that the current model is sustainable." In 2000, EPIC opposed DoubleClick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web.


Apple Will Bolster Encryption Of Devices, Prevent Apps From Selling Contact Lists

EPIC - Thu, 2018-06-14 18:00

Apple announced two measures to strengthen the privacy and security of its devices: it will close a loophole that allowed law enforcement to access devices and it will prevent apps from secretly selling contact lists. In 2016, Apple refused a demand by the FBI to build backdoor access to iPhones to allow the FBI to unlock the phone of a criminal suspect. The FBI sued Apple, and EPIC filed an amicus brief in support of Apple, arguing that the FBI's demand "places at risk millions of cell phone users across the United States." The FBI eventually dropped the case. In a privacy complaint to the FTC, EPIC also opposed Google's plan to launch "Buzz," a social networking service, with private address book information. Google later backed off the plan and shuttered Buzz. In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption.


EPIC Advises FCC on Robocalls Regulation

EPIC - Wed, 2018-06-13 17:25

EPIC advised the FCC on how to interpret the Telephone Communications Protection Act to best protect consumers in light of a recent decision in ACA Int'l v. FCC. EPIC filed a friend of the court brief in that case arguing that consumers could revoke consent by any "reasonable means." The court agreed but vacated other aspects of the rule. EPIC's comments argue that the FCC should require callers to meet three conditions to simplify the revocation of consent: (1) inform consumers of their right to revoke, (2) provide a simple means of revocation, and (3) comply in a timely manner. EPIC contributed to the development of the Telephone Communications Protection Act and regularly submits comments to the FCC.


Tech Talk: Habeas Data and the Future of Work

CDT - Wed, 2018-06-13 14:31

CDT’s Tech Talk is a podcast where we dish on tech and Internet policy, while also explaining what these policies mean to our daily lives. You can find Tech Talk on SoundCloud, iTunes, and Google Play.

In this episode of Tech Talk, we talk to the very engaging Cyrus Farivar about his new book Habeas Data. Cyrus, a Senior Editor at Ars Technica, takes a close look at the legal cases and policies that are shaping American surveillance practices, and shows how, not surprisingly, they have not kept up with new technologies.

After that, we welcome Aaron Pinto, a Canadian delegate to the G7 youth summit, or Y7, who shared his insights on the future of work, highlighting how young leaders from the G7 countries see technology impacting their future.


The post Tech Talk: Habeas Data and the Future of Work appeared first on Center for Democracy & Technology.


EPIC to Senate Committee: Suspend Action on Drone Bill Until Agency Reports Complete

EPIC - Wed, 2018-06-13 11:25

As the Senate Committee on Homeland Security and Government Affairs considers S. 2836, the Preventing Emerging Threats Act of 2018: Countering Malicious Drones, EPIC has sent a statement to the Committee urging that action on the bill be suspended until DHS and other federal agencies establish and publish drone privacy procedures as required by a 2015 Presidential Memorandum. EPIC has brought a series of open government cases against the DHS and the Department of Defense to determine the use of drones by the federal government in the United States. EPIC's cases have determined that drones operated by the DHS intercept private communications, conduct human identification at a distance, and may include military payloads.


EPIC to Senate Commerce: Work with NTIA to Update U.S. Privacy Laws

EPIC - Tue, 2018-06-12 17:30

EPIC sent a statement to the Senate Commerce Committee in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC urged Congress and the NTIA to work together to update U.S. privacy laws and establish a data protection agency. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.


California’s Net Neutrality Bill Has Strong Zero Rating Protections for Low-Income Internet Users, Yet Sacramento May Ditch Them to Appease AT&T

EFF News - Tue, 2018-06-12 17:20

California’s net neutrality bill, S.B. 822, is often referred to as the “gold standard” of state-based net neutrality laws. The bill tackles the full array of issues the FCC had addressed right up until the end of 2016 before it began repealing net neutrality. One such issue is the discriminatory use of zero rating, where ISPs could choose to give users access to certain content for “free”—that is, without digging into their data plans. ISPs can use zero rating to drive users to their own content and services to the detriment of competitors.

The FCC found that both AT&T’s and Verizon’s use of zero rating appeared to be in violation of the 2015 Open Internet Order, only to have those findings and investigations terminated as one of the first acts of President Trump’s FCC Chairman Ajit Pai. The core issue is the fact that companies like AT&T were simply exempting their own affiliated services from their datacaps in a blatant effort to drive wireless Internet users to their preferred products. Undoubtedly, AT&T’s recent victory over the Department of Justice’s antitrust lawsuit that sought to prevent the giant telecom company from becoming even bigger with Time-Warner content will result in even greater levels of self-dealing through discriminatory zero rating policies.

California’s legislature has so far opted to ban discriminatory uses of zero rating and prevent the major wireless players from picking winners and losers online. But new and increased resistance by the ISP lobby (led by AT&T and their representative organization CALinnovates) unfortunately has legislators contemplating whether discriminatory zero rating practices should remain lawful despite their harms for low-income Internet users. In fact, AT&T and their representatives are even going so far as to argue that their discriminatory self-dealing practices that violate net neutrality are actually good for low income Internet users.

S.B. 822’s Zero Rating Provisions Ensure Low-Income Internet Users Get the Same Internet as All Other Internet Users

Studies by the Pew Research Center show that when an Internet user has limited income to purchase Internet access, they opt to get their entire Internet usage from a wireless device. As a result, the zero rating policies of wireless ISPs have a profound impact on shaping users’ Internet experience. Users who depend on their wireless device for Internet access are highly likely to pay overage fees when they try to take advantage of the full, open web. These overage fees are part of a scheme to force wireless Internet users to only use products and services that the wireless ISP has exempted from their own arbitrary data caps—and to punish users when they stray from those products and services. The CTIA’s own study confirms that if they can drive Internet users to their chosen zero rated products to the detriment of potentially superior services.

This is why California organizations that promote the digital civil rights of communities of color—such as the Center for Media Justice and Color of Change as well as experts who represent low income Californians such as the Western Center on Law and Poverty—have all come out in strong support for S.B. 822’s zero rating provisions.

S.B. 822 bans the practice of self-dealing and discriminatory gatekeeping by ISPs outright, which is why those same ISPs will fight to take it out of the legislation before it becomes law. It is why they are actively attempting to mislead legislators in Sacramento with bogus superficial studies from groups that represent ISP interests like CALinnovates that ignore the fact that the data cap is an artificial construct that is designed to raise rates on wireless users and zero rating is how they exploit that structure. There is no benefit to Internet users by simply saying the ISP’s selected services do not have additional fees associated with them and nothing about the current structure is “free” because we have all compensated companies like AT&T and Verizon to the tune of $26 billion in profits in just 2016 alone.

Without the ability to profit from discriminatory conduct, the wireless carriers will lose the financial incentive to use zero rating to create an inferior wireless Internet for those with limited income and will no longer be able to exploit their gatekeeper power.

Do Not Forget That the FCC Found That AT&T’s Zero Rating Practices Violated Net Neutrality Right Up Until It Began Repealing Net Neutrality

The FCC’s core issue with AT&T’s zero rating practices was that AT&T explicitly exempted its own products, such as DirecTV, while capping products that would compete with DirecTV. In effect, using something that was not owned by AT&T was more expensive for their wireless users, forcing users with limited income to only use what AT&T had blessed. Even the Trump Administration’s Department of Justice, in its antitrust lawsuit against AT&T, cited concerns with the company weaponizing its ownership of content (in this instance HBO) against online video competitors. The only federal entity that did not seem concerned with AT&T’s discriminatory practices was the current FCC, which intentionally abandoned oversight over the industry and is even contemplating a new proposal by AT&T to impair private competition to the incumbents today.

Upholding S.B. 822 means upholding a free, open Internet for all Californians. Without it, ISPs may have free rein to create two Internets that will be premised on how much income you have to the benefit of their own services and partners. With AT&T's recent victory in the courts over the Department of Justice and the expiration of federal net neutrality rules, S.B. 822's net neutrality protections have become more important than ever. 


European Civil Liberties Committee: 'Privacy Shield' Should Be Suspended

EPIC - Tue, 2018-06-12 14:40

Members of European Parliament are calling for the suspension of the EU-U.S. Privacy Shield if the U.S. does not comply in full by September 1, 2018. The Civil Liberties Committee ("LIBE") passed a resolution stating that the pact, which permits the flow of European consumers' personal data to the U.S., does not adequately protect privacy. LIBE urged US authorities to respond without delay to the Cambridge Analytica breach of 87 million Facebook users. The groups also expressed "strong concerns" about the CLOUD Act which permits US law enforcement to unilaterally access personal data stored in Europe. EPIC recently told the FTC that the Cambridge Analytica breach could have been avoided had the agency enforced a 2011 Consent Order that EPIC and a coalition of consumer privacy groups obtained.


70+ Internet Luminaries Ring the Alarm on EU Copyright Filtering Proposal

EFF News - Tue, 2018-06-12 09:58

Vint Cerf, Tim Berners-Lee, and Dozens of Other Computing Experts Oppose Article 13

As Europe's latest copyright proposal heads to a critical vote on June 20-21, more than 70 Internet and computing luminaries have spoken out against a dangerous provision, Article 13, that would require Internet platforms to automatically filter uploaded content. The group, which includes Internet pioneer Vint Cerf, the inventor of the World Wide Web Tim Berners-Lee, Wikipedia co-founder Jimmy Wales, co-founder of the Mozilla Project Mitchell Baker, Internet Archive founder Brewster Kahle, cryptography expert Bruce Schneier, and net neutrality expert Tim Wu, wrote in a joint letter that was released today:

By requiring Internet platforms to perform automatic filtering all of the content that their users upload, Article 13 takes an unprecedented step towards the transformation of the Internet, from an open platform for sharing and innovation, into a tool for the automated surveillance and control of its users.

The prospects for the elimination of Article 13 have continued to worsen. Until late last month, there was the hope that Member States (represented by the Council of the European Union) would find a compromise. Instead, their final negotiating mandate doubled down on it.

The last hope for defeating the proposal now lies with the European Parliament. On June 20-21 the Legal Affairs (JURI) Committee will vote on the proposal. If it votes against upload filtering, the fight can continue in the Parliament's subsequent negotiations with the Council and the European Commission. If not, then automatic filtering of all uploaded content may become a mandatory requirement for all user content platforms that serve European users. Although this will pose little impediment to the largest platforms such as YouTube, which already uses its Content ID system to filter content, the law will create an expensive barrier to entry for smaller platforms and startups, which may choose to establish or move their operations overseas in order to avoid the European law.

For those platforms that do establish upload filtering, users will find that their contributions—including video, audio, text, and even source code—will be monitored and potentially blocked if the automated system detects what it believes to be a copyright infringement. Inevitably, mistakes will happen. There is no way for an automated system to reliably determine when the use of a copyright work falls within a copyright limitation or exception under European law, such as quotation or parody.

Moreover, because these exceptions are not consistent across Europe, and because there is no broad fair use right as in the United States, many harmless uses of copyright works in memes, mashups, and remixes probably are technically infringing even if no reasonable copyright owner would object. If an automated system monitors and filters out these technical infringements, then the permissible scope of freedom of expression in Europe will be radically curtailed, even without the need for any substantive changes in copyright law.

The upload filtering proposal stems from a misunderstanding about the purpose of copyright. Copyright isn't designed to compensate creators for each and every use of their works. It is meant to incentivize creators as part of an effort to promote the public interest in innovation and expression. But that public interest isn't served unless there are limitations on copyright that allow new generations to build and comment on the previous contributions. Those limitations are both legal, like fair dealing, and practical, like the zone of tolerance for harmless uses. Automated upload filtering will undermine both.

The authors of today's letter write:

We support the consideration of measures that would improve the ability for creators to receive fair remuneration for the use of their works online. But we cannot support Article 13, which would mandate Internet platforms to embed an automated infrastructure for monitoring and censorship deep into their networks. For the sake of the Internet’s future, we urge you to vote for the deletion of this proposal.

What began as a bad idea offered up to copyright lobbyists as a solution to an imaginary "value gap" has now become an outright crisis for the future of the Internet as we know it. Indeed, if those who created and sustain the operation of the Internet recognize the scale of this threat, we should all be sitting up and taking notice.

If you live in Europe or have European friends or family, now could be your last opportunity to avert the upload filter. Please take action by clicking the button below, which will take you to a campaign website where you can phone, email, or Tweet at your representatives, urging them to stop this threat to the global Internet before it's too late. 



The ENCRYPT Act Protects Encryption from U.S. State Prying

EFF News - Mon, 2018-06-11 19:32

It’s not just the Department of Justice and the FBI that want to undermine your right to private communications and secure devices—some state lawmakers want to weaken encryption, too. In recent years, a couple of state legislatures introduced bills to restrict or outright ban encryption on smartphones and other devices. Fortunately, several Congress members recently introduced their own bill to stop this dangerous trend before it goes any further.

The bill is called the ENCRYPT Act. EFF gladly supports it and thanks Representatives Ted Lieu (D-CA), Mike Bishop (R-MI), Suzan DelBene (D-WA), and Jim Jordan (R-OH) for sponsoring and co-sponsoring the bill.

Encryption—the technology used to secure data on phones and computers and keep digital messages safe from eavesdroppers—is under threat around the world. In the U.S., some of those threats have come from the Department of Justice and FBI, which want technology companies to purposefully and irresponsibly weaken encryption so that law enforcement can more easily get their hands on the contents of encrypted data and messages.

But the threats have come from individual U.S. states, too.

Two years ago, lawmakers in California and New York introduced statewide legislation that would’ve significantly limited their residents’ access to encrypted devices and services. In California, for example, Assembly Bill 1681 would have originally required that any smartphone sold in the state be “capable of being decrypted and unlocked by its manufacturer or its operating system provider.” To help compel this, manufacturers could have been subject to fines of $2,500 for every non-compliant device sold in the state.

This piecemeal approach to encryption is not just wrong-headed, it simply won’t work. If state legislatures individually meddle with encryption policy, we could see a landscape where Illinois residents can buy the latest iPhone and download messaging apps like Signal and WhatsApp, but Californians can’t. But the California and New York state bills, intended to help law enforcement catch criminals, ignored the reality that people could still cross into states where the technology is unrestricted to purchase encrypted devices. What’s more, it would be trivially easy for anyone to download encrypted messaging apps online, regardless of state laws.

The ENCRYPT Act would make sure this scenario doesn’t come to pass. In fact, the bill was originally introduced in 2016 as a bulwark against the California and New York state bills—both of which failed on their own.

The ENCRYPT Act would prevent U.S. states and local governments from compelling companies to weaken their encrypted products or store decryption keys for use on demand by law enforcement. It would also prevent states from prohibiting the sale and offering of certain devices and services based solely on their encryption capabilities. That means everyone across the United States, no matter what state they live in, could have equal access to strong encryption.

Of course, there are threats to encryption at the federal level as well, which is why EFF also supports the Secure Data Act. The Secure Data Act, which also has bipartisan sponsorship, would act as a perfect complement to the ENCRYPT Act by prohibiting courts and federal agencies from mandating weakened encryption or otherwise intentionally introducing security vulnerabilities. Together, the two bills would go a long way toward ensuring that strong encryption remains free of government interference in the United States.

In the meantime, the ENCRYPT Act gets encryption policy right. Your zip code shouldn’t determine your digital security.


EPIC FOIA: EPIC Obtains Documents About Decision to Add Census Citizenship Question

EPIC - Mon, 2018-06-11 19:00

Through a Freedom of Information Act request, EPIC has obtained documents (part 1, part 2, part 3, part 4) considered by Commerce Secretary Wilbur Ross to add a citizenship question to the 2020 Census. Following a request from the Department of Justice, the Census Bureau announced that it would ask about citizenship status for the first time in over 50 years. The documents obtained by EPIC, and others who made similar requests, reflect the varying opinions from lawmakers, scientists, and immigration groups about the proposal. The documents also reveal that Kris Kobach, former Vice Chair of the now-defunct Presidential Advisory Commission on Election Integrity, urged Secretary Ross "on the direction of Steve Bannon" to add the citizenship question. According to an analysis conducted by the Census Bureau, the impact of asking about citizenship would be "very costly, harms the quality of the census count, and would use substantially less accurate citizenship data than are available" from other government resources. In a FOIA case against DHS, EPIC previously obtained documents which revealed that the Census Bureau transferred the personal data of Muslim Americans to the Department of Homeland Security after 9-11. As a consequence, the Census Bureau revised its policy on sharing statistical information about "sensitive populations" with law enforcement or intelligence agencies.


What to Watch for in an Internet Without Net Neutrality (And How To Stop It)

EFF News - Mon, 2018-06-11 17:48

On Monday, June 11, the FCC's rollback of net neutrality rules goes into effect, but don't expect the Internet to change overnight.

We still have promising avenues to restore net neutrality rules, meaning that Internet Service Providers need to be careful how much ammunition they give us in that political fight. If they're overt about discrimination or gouging customers they increase the chance that we'll succeed and restore binding net neutrality rules.

Much like the ten years before the Open Internet Order in 2015, ISPs are still disciplined by the threat of regulation if they generate too many examples of abuse.

What will happen, though, and what we have already seen under the Trump FCC, is that ISPs play games at the margins. Both landline and mobile ISPs with data caps have already been pushing customers to particular services and media with zero-rating and throttling. And they've been pushing hard to stick us all in slow lanes unless the sites we visit pay protection money -- Verizon even told federal judges it would do this if there were no net neutrality rules.

ISPs stand to gain from creating artificial scarcity -- reducing the available bandwidth to reach their customers so they can make people bid for the privilege. We know this because they turn down offers to build up the infrastructure that would prevent congestion, as when Netflix offered to build a content delivery network for Comcast, for free. Comcast refused and was ultimately able to use congestion to force Netflix to pay up.

Removing net neutrality won't lead to more investment but rather less, because it means ISPs have the option of auctioning off limited access to customers.

You can look forward to an Internet that's slower when you're trying to visit less popular sites, and where online services get a bit more expensive because they have to pay protection money to the ISPs. It will be harder for new companies to come in and compete with the ones that paid for fast lanes, and the nonprofit information resources on the web will be harder to use.

It's not going to be a flashy apocalypse; it will be a slow decline into the Internet of ISP gatekeeping, and you probably won't even know what neat services and helpful resources you're missing. And one day, when the ISPs are secure in their victory, they'll test the waters and see if you'll pay extra to access anything that's not Facebook, or Comcast's video platform, or AT&T's paying partners.

There's still time to avoid this future, though. We won in the Senate and now it's time for the House of Representatives to vote to reinstate the Open Internet Order and protect the neutral, vibrant Internet.

Take Action

Save the net neutrality rules

Related Cases: Net Neutrality Lobbying

Categories: Privacy

Facebook Has A Consent Problem—And The Solution Starts With Transparency

EFF News - Mon, 2018-06-11 16:49

Last week, the New York Times and others reported that Facebook allowed hardware companies, including some in China, access to a broad range of Facebook users’ information, possibly without the users’ knowledge or consent. This included not only a given user’s personal information, but also that of their Facebook friends and friends-of-friends.

Right now, it's unclear precisely how much Facebook user data was shared through partnerships with third-party hardware manufacturers—but it is clear that Facebook has a consent problem. And the first step toward solving that problem is greater transparency about the full extent of Facebook’s data-sharing practices.

It might be tempting to think that the solution is for Facebook to cut off third-party hardware manufacturers and app developers entirely, but that would be a mistake. The solution to this latest issue is not to lock away user information. If we choose that as our aim, we risk enshrining Facebook as the sole guardian of its users’ data and leaving users with even less power to use third-party tools that they do trust to explore the data held by Facebook and hold the company accountable.

Instead, the problem is Facebook’s opacity about its data sharing practices. Facebook should have made available a list of all the third parties that might have had access to users’ data even after those users made clear they did not want their data shared. Facebook said that its agreements with device partners “strictly limited use of [user] data, including any stored on partners’ servers,” but more transparency is necessary if Facebook is to gain users’ informed consent and fulfill their right to know who has their personal data.

Understanding how this happened—and why the resolution should be transparency, not locking away data—requires a brief smartphone history lesson. About 10 years ago, app stores did not exist, and apps like Facebook were not widely available on most phones and mobile operating systems. To get Facebook on more phones, the company built “device-integrated” APIs that allowed device manufacturers to write and serve their own version of Facebook-like experiences for their users. Over the past decade, Facebook partnered with about 60 device manufacturers for this purpose—but the scope of these partnerships had not been fully reported until now.

The revelations of Facebook’s device partnerships seem to be inconsistent with reasonable interpretations of Facebook’s privacy settings and recent API changes, announcements, and even congressional testimony in the wake of Cambridge Analytica. The New York Times report also questions whether the sharing agreements violate a 2011 consent decree Facebook reached with the FTC, which required Facebook to get explicit consent before changing the way it shares users’ data.

Facebook changed its Graph API in 2015 to limit third-party developers’ access to users’ friends’ and friends-of-friends' data. But even after that change, device manufacturers—another type of third party—could still obtain data about a user’s Facebook friends and friends-of-friends, even those who had changed their settings to ostensibly prevent third-party sharing. In response to allegations that this violates the FTC consent decree, Facebook pointed out a difference in the legal consent requirements when sharing user friend data with third-party “developers” as opposed to with third-party “service providers.”

But to users, this is just a new twist on Cambridge Analytica: Facebook has shared our and our friends’ information with third parties without our knowledge or consent, and we only learn about it after the genie is already out of the bottle.

Protecting user privacy on a networked service poses a unique challenge—and Facebook has consistently failed to rise to that challenge. Much of the value of using Facebook comes from being able to see and engage with information from friends, raising the question of who must reasonably consent to what kind of sharing and to what degree. Until Facebook can navigate user expectations around meaningful, informed, ongoing consent and the transparency that requires, the company will continue to face these scandals and users’ trust in it will continue to diminish.

Categories: Privacy

California Can Lead the Way in Open Access

EFF News - Mon, 2018-06-11 16:26

There’s a bill in the California legislature that would be a huge win for open access to scientific research. The California Assembly recently passed A.B. 2192 unanimously. We hope to see it pass the Senate soon, and for other states to follow California’s lead in passing strong open access laws.

Under A.B. 2192, all peer-reviewed, scientific research funded by the state of California would be made available to the public no later than a year after publication. Under current law, research funded by the California Department of Public Health is covered by an open access law, but that provision is set to expire in 2020. A.B. 2192 would extend it indefinitely and expand it to cover research funded by any state agency.

A.B. 2192 is a huge step in the right direction. When scientific research is available only to people with access to expensive journal subscriptions or subscription-based academic databases, it puts those without institutional connections at a severe disadvantage.

When EFF’s Ernesto Falcon testified to the CA Assembly on A.B. 2192, he pointed out that locking science behind a paywall often has the unintended consequence of keeping that research out of the hands of the people who most need it.

In 2012, malaria researcher Bart Knols noted that while western societies had made great advances in treatments for malaria, it was slow going in sub-Saharan Africa. The cause for this disparity? More than half of the requisite information researchers needed for treatments was locked behind a paywall (while the other half was free to access). Researchers and medical professionals in some of the most impoverished parts of the world simply could not make use of the knowledge that had already been established.

While the California bill would be a big win for open access, it leaves a few things to be desired. Under the bill, grantees would be required to put their works in a state-provided open access repository within a year of publication. An earlier version of the bill set that embargo period at six months, but it was changed to a year under pressure from lobbyists.

It’s not a coincidence that the 12-month embargo matches the one set by most federal agencies that fund scientific research: since 2013, when the White House directed government agencies to adopt open access policies, publishers have largely fallen in line with the one-year embargo period. (We’ve also been advocating for years that Congress pass a bill to lock the U.S. government’s open access policies into law.)

But let’s face it: science moves quickly and a one-year embargo is simply too long. In our letter to the Legislature about A.B. 2192, we urged lawmakers to find ways to ensure that more state-funded research is published under a gold open access model; that is, published in open access journals, available to the public with no fee:

EFF recommends the legislature also consider additional ways to ensure that more state-funded research becomes available to the public immediately upon publication, not just within the six-month embargo period the bill permits. In the fast-moving world of scientific research, a six-month embargo can put scientists without access to paid repositories at a severe disadvantage. One way to achieve that goal would be to require that publications be either shared in a public repository upon publication or published in an open access journal, similar to the University of California system’s excellent open access policy.

We also urged the legislature to consider passing an open licensing requirement for the research that it funds. Requiring that grantees publish research under a license that allows others to republish, remix, and add value ensures that the public can get the maximum benefit of state-funded science.

We hope to see A.B. 2192 pass quickly and become a model for similar open access laws in other states.

Categories: Privacy

EU Tech Policy Brief: May 2018 Recap

CDT - Mon, 2018-06-11 15:59

This is the May recap issue of CDT’s monthly EU Tech Policy Brief. It highlights some of the most pressing technology and internet policy issues under debate in Europe, the U.S., and internationally, and gives CDT’s perspective on them.

Member States Move to Introduce Pervasive Upload Filtering – Can Parliament Do Better?  

On 25 May 2018, the Council’s permanent representatives committee (Coreper) agreed on a common position on the European Commission’s draft Directive on Copyright in the Digital Single Market. Unfortunately, Member State governments did not deviate substantially from the Commission’s position: upload filters (Article 13), a press publishers’ right, and a limited Text and Data Mining exception were agreed upon. The Council missed the opportunity to propose a forward-looking innovative and harmonised copyright framework. It is now up to the European Parliament to step up and fix this mess ahead of the JURI vote on 20/21 June. We encourage people to use Mozilla’s ChangeCopyright tool to contact parliamentarians. Other platforms include Vox Scientia, which brings together the knowledge community and allows awareness-raising via its “Call to Action” page.

GDPR Has Arrived: What CDT Would Like to See Next

With the General Data Protection Regulation (GDPR) being adopted on 25 May 2018, its true impact on society and businesses is yet to be seen. Will it introduce a new era of individual empowerment or raise new barriers to innovation in technology? CDT’s President and CEO Nuala O’Connor acknowledges that ‘while the GDPR is not perfect, the values it advances are the right ones: individual autonomy and dignity’. The key will be proper and targeted enforcement, but it is already clear that it sets new standards that many companies will seek to apply globally. The United States Congress should move ahead with long-overdue federal privacy legislation that mirrors international standards. This would move us towards creating a global framework on privacy that provides transparency, control, and autonomy to individuals online.

EC Public Consultation on Tackling Illegal Content Online Requires a Human Rights Approach

When we submitted our views on the European Commission’s Inception Impact Assessment, we called on the Commission to conduct and publish a comprehensive collection of data about the nature and volume of content it targets. Without such analysis, we deem it premature to propose any legislative option. Now the Commission is collecting responses to a public consultation on ‘measures to further improve the effectiveness of the fight against illegal content online’, deadline 25 June 2018. We continue to warn that ‘progress’ in tackling various types of content should not only be measured in terms of faster takedown of more content. The Commission must also ensure that its policy does not result in de facto censorship of legal political speech. In this respect, we highly recommend that the States and companies abide by the latest report of the UN Special Rapporteur on free expression and regulation of user-generated content online. David Kaye, amongst other recommendations, urges States to reconsider speech-based restrictions.

E-Evidence: European Parliament Appoints Rapporteur

On 17 April, the European Commission (EC) published its draft legislation on E-Evidence to facilitate cross-border law enforcement demands for internet users’ communications content and metadata. The proposed Regulation and Directive pose a great risk to privacy worldwide, given that the proposals would give each EU Member State access for law enforcement purposes to the data of internet users worldwide: each provider in the scope of the Regulation can be compelled to disclose its users’ data no matter where the user is located and no matter the country of citizenship of the user. Discussions in the European Parliament will begin soon, with MEP Birgit Sippel (German/S&D) as rapporteur in the Civil Liberties (LIBE) committee. Going forward in this debate, our main line of advocacy will be that enhanced access to electronic data by law enforcement authorities cannot come at the expense of fundamental privacy and procedural rights protections. We previously set out ten human rights standards to measure the proposal against. As it currently stands, the legislation needs to incorporate additional safeguards and remedies in order to meet those standards.

E-Privacy: Member States Continue to Struggle to Reach Compromise

Ahead of the Council meeting scheduled on 8 June, the Bulgarian Presidency issued its latest progress report on ePrivacy. The report highlights “considerable progress” but at the same time asks for political guidance on several questions. The latest text seems to exclude some machine-to-machine communications and add exceptions to enable efficient security and antivirus services, something we have advocated for. Whether Member States will be able to agree on a text remains unclear. Meanwhile, the newly established European Data Protection Board (EDPB) published a statement on the draft ePrivacy Regulation. The EDPB among other things supports the notion of explicitly banning ‘cookie walls’ or tracking walls. The EDPB argues that use of and access to a communications service cannot require the user to consent to tracking or monitoring with the use of cookies or any other technology. The European Parliament made a similar proposal. This will be one of many controversial issues to be negotiated between Parliament and Council at a later stage. 

The post EU Tech Policy Brief: May 2018 Recap appeared first on Center for Democracy & Technology.

Categories: Privacy

Even Though Net Neutrality Protections Are Ending, Congress Can Still Bring Them Back

EFF News - Mon, 2018-06-11 12:49

June 11, 2018 is the day that the FCC’s so-called “Restoring Internet Freedom Order” goes into effect. This represents the FCC’s abdication of authority in upholding the hard-won net neutrality protections of the 2015 Open Internet Order. But this does not mean the fight is over.

While the FCC ignored the will of the vast majority of Americans and voted not to enforce bans on blocking, throttling, and paid prioritization, it doesn’t get the final say. Congress, states, and the courts can all work to restore these protections. As we have seen, net neutrality needs and deserves as many strong protections as possible, be they state or federal. ISPs who control your access to the Internet shouldn’t get to decide how you use it once you get online.

Three states (Oregon, Washington, and Vermont) have passed state net neutrality laws. Six more (Hawai’i, Montana, New Jersey, New York, Rhode Island, and Vermont) have executive orders doing the same. Overall, 35 states have some form of net neutrality protections in the works.

Congress can overturn the FCC’s decision and reinstate the 2015 Open Internet Order with a simple majority vote under the Congressional Review Act (CRA). A CRA resolution to do so passed the Senate on May 16 by a vote of 52-47. So now we have to ask the House of Representatives to follow suit. Even though House leadership has said they will not schedule a vote, one can still be called if a majority of representatives sign a discharge petition.

You can see where your representative stands and email them to support the CRA here. Now that the FCC repeal is in effect, we need to tell the House to restore protections and keep large ISPs from changing how we use the Internet.

Take Action

Save the net neutrality rules

Categories: Privacy
