EFF News

Free Expression Activist and Poet Birgitta Jónsdóttir Joins EFF’s Advisory Board

EFF is thrilled to welcome Birgitta Jónsdóttir as a Technical Advisor on our Advisory Board. The founder of Iceland’s Pirate Party and a former member of Iceland’s Parliament, Birgitta is a poet, artist, and free expression and digital rights activist who is one of the world’s most inspiring voices for the possibility of the Internet as force for freedom.

Birgitta’s activism has been an inspiration to many, including EFF. In 2010, she worked with WikiLeaks to release a video of a U.S. helicopter gunning down a group of civilians and journalists in Baghdad. That put her on the radar screen of U.S. Justice Department, which sought to obtain her Twitter account records in an investigation of Wikileaks.

When Twitter notified Birgitta and others about the government request, EFF stepped in to ask a court to block the government from forcing Twitter to turn over Birgitta’s records. We sought to encourage other companies to follow Twitter and notify customers when law enforcement demands user data, which led to the creation of our annual “Who Has Your Back” report examining tech companys’ policies for protecting their users from the government.

 In 2008, EFF co-founder John Perry Barlow proposed in a speech that Iceland become a “Switzerland of bits,” where data gathered by whistleblowers, bloggers, and journalists could be safely stored in the public domain and remain online. Barlow’s proposal helped lead Birgitta to start the International Modern Media Institute, better known as IMMI, a nonprofit that seeks ways to enhance and empower freedom of expression, freedom of speech, dissemination of information and publication within Iceland as well as ensuring source protection and whistleblower protection. Iceland’s parliament unanimously voted in 2010 to make the proposals into law; Birgitta is now part of a steering committee group working to finalize all IMMI measures into law. In 2016 Fortune magazine named Birgitta as one of the World’s Most Powerful Women.

 Birgitta brings exceptional experience as a trailblazer on international issues concerning privacy, transparency, and free expression. We’re honored to have her as a technical advisor.

Categories: Privacy

Google Needs To Come Clean About Its Chinese Plans

Eight years after Google initially took a stand against Internet censorship by exiting the Chinese search market, we are disappointed to learn the company has been secretly re-considering an extended collaboration with the massive censorship and surveillance-wielding state. According to an Intercept report released at the beginning of the month, Google is working on a censored version of its search service for release in China.

In 2010, EFF and many other organizations praised Google for refusing to sacrifice the company’s values for access to the Chinese market. At the time, this move followed public backlash and several attacks on Google’s infrastructure that targeted the personal data of several prominent Chinese human rights activists. Google’s departure from China showed that strong core values in fundamental human rights could beat out short-term economic gain in the calculus of an Internet company.

But now it seems the company has reversed course.

This news comes amid other reports of American tech giants compromising values to enter or remain within China: Facebook has piloted a censored version of its own platform, and Apple recently faced criticism for moving its customers' data into China-hosted servers, and adding code to filter the Taiwanese flag emoji in Chinese locales.

Within China, Google’s direct competitor, Baidu, has been facing a significant amount of social, regulatory, and economic backlash over recent advertising malpractice, such as monetizing questionable medical advertisements, heavily deprioritizing non-Baidu services, and allegedly promoting phishing sites. There may well be a growing demand for competition within the Chinese search engine market.

In even considering these changes, Google needs to tread carefully. In the wake of the last wave of engagement with the Chinese market, and to prevent Internet companies being complicit with human rights’ violations, the company joined with Microsoft and Yahoo! to create a set of standards for working in countries with poor human rights records: the Global Network Initiative’s Implementation Guidelines. EFF was a founding member of the GNI, but subsequently left the coalition in 2013 due to concerns that the companies were unable to be forthcoming about their involvement in state surveillance, even within a confidential environment.

From the outside, it’s unclear to us whether this project has yet to be considered in the light of that agreement. GNI’s Executive Director has told reporters, in part, that “All member companies are expected to implement the GNI Principles wherever they operate, and are subject to independent assessment, which is overseen by our multi-stakeholder Board of Directors.” It might reassure Google’s own staff and external critics to be told that process was being followed, and if both the GNI and Google were more public about the results of that procedure.

But for now, it seems the company has opted to prepare new Chinese plans outside the view of the public, and even behind the backs of many of their own employees.

Our original concerns from 2006 still stand today, but in 2018, the potential for damage when large tech companies co-operate with repressive states has grown.

Since 2006, Google’s capabilities have expanded massively. We live in an era in which Google-owned tracking scripts are present on an incredible 75% of the top million websites. Google’s personalized profiles of its users across several online services help it provide “relevant” search results and advertisements.

Simultaneously, in order to sustain their position on strong censorship, the Chinese government has had to implement broad and pervasive surveillance laws and technology. In particular, the explosive dominance of centralized applications like Weibo and WeChat, whose communications and transactions are regularly surveilled and censored, has ultimately transformed the digital landscape in China.

2017 in particular saw a new wave of regulatory crackdowns aimed towards strengthening digital surveillance practices across the Chinese Internet. In particular, the government began restricting tools used for anonymity and privacy by arresting local VPN providers, banning end-to-end chat applications like WhatsApp, and mandating Internet platforms to require offline identity verification. In certain regions of China, citizens merely attempting to use foreign or encrypted applications like WhatsApp or Telegram can have their service cut off and are asked to report to the police.

It’s not clear how or whether Google’s planned offerings will comply with these new national regulations, or whether exemptions would be worked out for the tech giant.

At this early stage, it’s this lack of transparency that concerns us most.

Google once prided itself in its internal organizational transparency, especially when compared to giants like Apple, famous for their secrets veiled in black cloth. However, as we saw with Project Maven, Google’s controversial AI contract with the Department of Defense, executives within the organization are willing to keep projects quiet in the face of potential backlash. The initiative was not publicized, and came to light only when employees noticed and brought it to the forefront of internal discussion forums.

Unlike in 2006, when Google was open (and even apologetic) about the quality and nature of its service in China, this new iteration was developed with little external or internal visibility. A source at The Intercept reports that knowledge about Google’s China project was “restricted to just a few hundred members of the Internet giant’s 88,000-strong workforce.” Though Project Maven was not publicized, this information was at least available to employees. This time, the vast majority of employees discovered the existence of the China project only after these emails were leaked to the public media.

That means certain questions remain unanswered, not just publicly, but even among Google’s own staff. What sacrifices will Google make to its own operating practices in order to enter the Chinese market? Will it have to comply with China’s internal strict regulations, and how will these compromises affect its offerings outside of China?

The public, Google’s users, and Google’s employees have been kept increasingly in the dark about compromises on the company’s own values that could massively affect the lives of not only citizens within China or the U.S., but also Internet users around the world. Google has already committed to processes that consider human rights when entering new markets in the Global Network Initiative. Is it following them?

Google is an effective gatekeeper of the Internet for a large majority of the world. It’s the portal through which many access the Internet, and through which Google itself continues to collect troves of information about these users across a variety of platforms. With that kind of responsibility, everyone — inside and outside Google — needs to stay vigilant and continue to hold the giant accountable. Avoiding internal oversight and criticism will not evade the backlash that will come from launching a complicit service, or the damaging consequences to Chinese users when Google’s compromises are used against them. It is better to have this debate now, in public, than to pick up the pieces when the damage has been done.

Categories: Privacy

Telling the Truth About Defects in Technology Should Never, Ever, Ever Be Illegal. EVER.

Congress has never made a law saying, "Corporations should get to decide who gets to publish truthful information about defects in their products,"— and the First Amendment wouldn't allow such a law — but that hasn't stopped corporations from conjuring one out of thin air, and then defending it as though it was a natural right they'd had all along.

Some background: in 1986, Ronald Reagan, spooked by the Matthew Broderick movie Wargames (true story!) worked with Congress to pass a sweeping cybercrime bill called the Computer Fraud and Abuse Act (CFAA) that was exceedingly sloppily drafted. CFAA makes it a felony to "exceed[] authorized access" on someone else's computer in many instances.

Fast forward to 1998, when Bill Clinton and his Congress enacted the Digital Millennium Copyright Act (DMCA), a giant, gnarly hairball of digital copyright law that included section 1201, which bans bypassing any "technological measure" that "effectively controls access" to copyrighted works, or "traffic[ing]" in devices or services that bypass digital locks.

Notice that neither of these laws bans disclosure of defects, including security disclosures! But decades later, corporate lawyers and federal prosecutors have constructed a body of legal precedents that twist these overbroad laws into a rule that effectively gives corporations the power to decide who gets to tell the truth about flaws and bugs in their products.

Businesses and prosecutors have brought civil and criminal actions against researchers and whistleblowers who violated a company's terms of service in the process of discovering a defect. The argument goes like this: "Our terms of service ban probing our system for security defects. When you login to our server for that purpose, you 'exceed your authorization,' and that violates the Computer Fraud and Abuse Act."

Likewise, businesses and prosecutors have used Section 1201 of the DMCA to attack researchers who exposed defects in software and hardware. Here's how that argument goes: "We designed our products with a lock that you have to get around to discover the defects in our software. Since our software is copyrighted, that lock is an 'access control for a copyrighted work' and that means that your research is prohibited, and any publication you make explaining how to replicate your findings is illegal speech, because helping other people get around our locks is 'trafficking.'"

The First Amendment would certainly not allow Congress to enact a law that banned making true, technical disclosures. Even (especially!) if those disclosures revealed security defects that the public needed to be aware of before deciding whether to trust a product or service.

But the presence of these laws has convinced the tech industry — and corporations that have added 'smart' tech to their otherwise 'dumb' products — that it's only natural that they should be the sole custodians of the authority to embarrass or inconvenience them. The worst of these actors use threats of invoking CFAA and DMCA 1201 to silence researchers altogether, so the first time you discover that you've been trusting a defective product is when it is so widely exploited by criminals and grifters that it's impossible to keep the problem from becoming widely known.

Even the best, most responsible corporate actors get this wrong. Tech companies like Mozilla, Dropbox and, most recently, Tesla, have crafted "coordinated disclosure" policies in which they make sincere and legally enforceable promises to take security disclosures seriously and act on them within a defined period, and they even promise not to use laws like DMCA 1201 to retaliate against security researchers who follow their guidelines.

This is a great start, but it's a late and limited solution to a much bigger problem.

The point is that almost every company is a "tech company" — from medical implant vendors to voting machine companies — and not all of them are as upstanding and public-spirited as Mozilla.

Many of these companies do have "coordinated disclosure" policies by which they hope to tempt security researchers into coming to them first when they discover problems with their products and services. But these companies don't make these policies out of the goodness of their hearts: those policies exist because they're the companies' best hope of keeping security researchers from embarrassing them and leaving them scrambling by just publishing the bug without warning.

If corporations can simply silence researchers who don't play ball, we should expect them to do so. There is no shortage of CEOs who are lulling themselves to sleep tonight with fantasies about getting to shut their critics up.

EFF is currently suing the US government to invalidate DMCA 1201 and the ACLU is trying to chip away at CFAA, and there will come a day when we succeed, because the idea of suppressing bug reports (even ones made in disrespectful or rude ways) is totally incompatible with the First Amendment.

Rather than crafting a disclosure policy that says "We'll stay away from these unjust and absurd interpretations of these badly written laws, provided you only tell the truth in ways we approve of," companies that want to lead by example could do so by putting something like this in their disclosure policies:

We believe that conveying truthful warnings about defects in systems is always legal. Of course, we have a strong preference for you to use our disclosure system [LINK] where we promise to investigate your bugs and fix them in a timely manner. But we don't believe we have the right to force you to use our system.

Accordingly, we promise to NEVER invoke any statutory right — for example, rights we are granted under trade secret law, anti-hacking law, or anti-circumvention law — against ANYONE who makes a truthful disclosure about a defect in one of our products or services, regardless of the manner of that disclosure.

We really do think that the best way to keep our customers safe and our products bug-free is to enter into a cooperative relationship with security researchers and that's why our disclosure system exists and we really hope you'll use it, but we don't think we should have the right to force you to use it.

Companies should not rely on these laws to silence security researchers who displease them with the time and manner of their truthful disclosures — if their threats ever materialize into full-blown lawsuits, there's a reasonable chance that they'll find themselves facing down public-spirited litigators (ahem) who will use those suits as a fast-track to overturning these laws in the courts.

But while we wait for the slow wheels of justice to turn, the specter of legal retaliation haunts the best and most public-spirited security researchers (the researchers who work for cyber-criminals and state surveillance contractors don't have to worry about these laws, because they never make their findings public). That is bad for all of us, because for every Tesla, Dropbox and Mozilla, there are a thousand puny tyrants who are using these good-citizen companies' backhanded insistence that disclosure should be subject to  their corporate approval to intimidate their own critics into silence.

Those intimidated researchers? They've discovered true facts about why we shouldn't trust systems with our data, our finances, our personal communications, the security of our homes and businesses, and even our lives.

EFF has sued the US government to overturn DMCA 1201 and we just asked the US Copyright Office to reassure security researchers that DMCA 1201 does not prevent them from telling the truth.

We're discussing all this in a Reddit AMA next Tuesday, August 21, from 12-3PM Pacific (3-6PM Eastern). We hope you'll come and join us.

Categories: Privacy

Help Send EFF to SXSW 2019

Want to see the Electronic Frontier Foundation at the annual SXSW conference and festival in 2019? Help us get there by voting for our panels in the SXSW Panel Picker!

Every year, the Internet has a chance to choose what panels will be featured at the event. We’re asking friends and fans to take a moment to vote for us.

Here's how you can help EFF:

1. Visit the Panel Picker site and login or register for a new account.
2. Click each of the links below.
3. Click the “Vote up” button on the left of the page, next to the panel description.
4. Share this blog post!
   Suggested tweet: Help @EFF get to SXSW! You can vote in SXSW's Panel Picker: https://www.eff.org/deeplinks/2018/08/help-send-eff-sxsw-2019

Here are the panels with EFF staff members—please upvote!

• 8-Bit Policies in a 4K World: Adapting Law to Tech
• Fighting Misinformation and Defending the Open Web
• Beyond the Surveillance Business Model: Why & How
• Untold AI: Is Sci-Fi Telling Us the Right Stories?

With four exciting panel proposals on subjects from combating misinformation on the web to a discussion of whether or not science-fiction is doing a good job at talking about AI, you can help us keep SXSW as an incubator of cutting-edge technologies and digital creativity, and also as a place where experts discuss what those technologies mean for digital rights.

Here is more info on the panels we’re hoping to join:

The speed at which technology is developing is unprecedented in our history, yet politicians are as jammed up and at loggerheads as ever. The Senate hearing with Mark Zuckerberg revealed how little our political leaders actually understand what's going on, but we're still bound by the decisions they make regarding the technology we use on a daily basis. SOPA, PIPA, and the FCC's vote against Net Neutrality are specific instances of politicians being at odds with public opinion, where technology enthusiasts feel the constant struggle to stem the tide of harmful legislation, and many may be left wondering - where is this going?

Speakers:

• Alex Shahrestani, Board Member, EFF-Austin, Digital Arts Coalition 
• Shahid Buttar, Director of Grassroots Advocacy, Electronic Frontier Foundation
• Jan Gerlach, Public Policy Manager, Wikimedia Foundation

Join us as we discuss how to engage with our representatives and help them craft flexible policies that address the ever-changing tech landscape.

The spread of misinformation is becoming an increasing problem in countries around the world. In particular during election times, social media platforms have been used to strategically to influence public opinion – from the Philippines, to Kenya, from Germany to the USA. Lack of net neutrality and the dominance of platforms like Facebook with its zero rating services are contributing to this becoming an increasing problem for democracy.

Internet activists from Africa, Europe and the USA will give insights into different government attempts to introduce new legislation combating the spread of misinformation as well as civil society strategies to defend freedom of speech and promote access to pluralistic information sources.

Speakers:

• Geraldine de Bastion, Founder / International Executive Director, Global Innovation Gathering
• Nanjira Sambuli, Consultant , Web Foundation
• Markus Beckedahl, Founder, Netzpolitik
• Jillian York, Director for International Freedom of Expression, EFF
  
  

It’s time to talk about the future – how technology developers and companies can successfully move beyond the surveillance business model.

Trump, Cambridge Analytica and the growing scope of cybersecurity crises have been a wake-up call to the public, tech employees, and investors about the high price of the collect-it-all business model and the grave impact it can have on society. New comprehensive European and California privacy law have changed the landscape and the risk for surveillance business models.

Get the inside track from Silicon Valley journalist and author Brad Stone, Duck Duck Go Founder and CEO Gabriel Weinberg, EFF’s Executive Director Cindy Cohn, and the ACLU’s Nicole Ozer on why and how to build a successful business model beyond surveillance.

Speakers:

• Nicole Ozer, Technology & Civil Liberties Director, ACLU of California
• Gabriel Weinberg, Founder and CEO, Duck Duck Go
• Brad Stone, Senior Executive Editor, Bloomberg Technology
• Cindy Cohn, Executive Director, Electronic Frontier Foundation
  
  

How do depictions of Artificial Intelligence in popular science fiction affect how we think about real AI and its future? How has fiction about AI influenced the development of AI technology and policy in the real world? (And do we really have to talk about Terminator’s Skynet or 2001’s Hal 9000 every damned time we talk about the risks of AI?) Join bestselling sci-fi authors Cory Doctorow and Malka Older, scifiinterfaces.com editor Chris Noessel, along with futurism and AI policy experts as they examine what TV, movies, games, and sci-fi literature are telling us about AI, compare those lessons to real-world AI tech & policy, and identify the stories that we should be telling ourselves about AI, but aren’t.

Speakers:

• Christopher Noessel, Designer, IBM
• Cory Doctorow, Apollo 1201, Electronic Frontier Foundation
• Malka Older, Author, Self-employed
• Rashida Richardson, Director of Policy Research, AI Now Institute

Thanks for your help!

Categories: Privacy

How Militaries Should Plan for AI

Today we are publishing a new EFF white paper, The Cautious Path to Strategic Advantage: How Militaries Should Plan for AI. This paper analyzes the risks and implications of military AI projects in the wake of Google's decision to discontinue AI assistance to the US military's drone program and adopt AI ethics principles that preclude many forms of military work.

The key audiences for this paper are military planners and defense contractors, who may find the objections to military uses of AI from Google's employees and others in Silicon Valley hard to understand. Hoping to bridge the gap, we urge our key audiences to consider several guiding questions. What are the major technical and strategic risks of applying current machine learning methods in weapons systems or military command and control? What are the appropriate responses that states and militaries can adopt in response? What kinds of AI are safe for military use, and what kinds aren't?

Militaries must make sure they don't buy into the machine learning hype while missing the warning label.

We are at a critical juncture. Machine learning technologies have received incredible hype, and indeed they have made exciting progress on some fronts, but they remain brittle, subject to novel failure modes, and vulnerable to diverse forms of adversarial attack and manipulation. They also lack the basic forms of common sense and judgment on which humans usually rely.[1]

Militaries must make sure they don't buy into the machine learning hype while missing the warning label. There's much to be done with machine learning, but plenty of reasons to keep it away from things like target selection, fire control, and most command, control, and intelligence (C2I) roles in the near future, and perhaps beyond that too.

The U.S. Department of Defense and its counterparts have an opportunity to show leadership and move AI technologies in a direction that improves our odds of security, peace, and stability in the long run—or they could quickly push us in the opposite direction. We hope this white paper will help them chart the former course.

Part I identifies how military use of AI could create unexpected dangers and risks, laying out four major dangers:

• Machine learning systems can be easily fooled or subverted: neural networks are vulnerable to a range of novel attacks including adversarial examples, model stealing, and data poisoning. Until these attacks are better understood and defended against, militaries should avoid ML applications that are exposed to input (either direct input or anticipatable indirect input) by their adversaries.
• The current balance of power in cybersecurity significantly favors attackers over defenders. Until that changes, AI applications will necessarily be running on insecure platforms, and this is a grave concern for command, control, and intelligence (C2I), as well as autonomous and partially autonomous weapons.
• Many of the most dramatic and hyped recent AI accomplishments have come from the field of reinforcement learning (RL), but current state-of-the-art RL systems are particularly unpredictable, hard to control, and unsuited to complex real-world deployment.
• The greatest risk posed by military applications of AI, increasingly autonomous weapons, and algorithmic C2I is that the interactions between the systems deployed will be extremely complex, impossible to model, and subject to catastrophic forms of failure that are hard to mitigate. This is true both of use by a single military over time, and, even more importantly, between those of opposing nations. As a result, there is a serious risk of accidental conflict, or accidental escalation of conflict, if ML or algorithmic automation is used in these kinds of military applications.

Part II offers and elaborates on an agenda for mitigating these risks:

• Support and establish international institutions and agreements for managing AI, and AI-related risks, in military contexts.
• Focus on machine learning applications that lie outside of the "kill chain," including logistics, system diagnostics and repair, and defensive cybersecurity.
• Focus R&D effort on increasing the predictability, robustness, and safety of ML systems.
• Share predictability and safety research with the wider academic and civilian research community.
• Focus on defensive cybersecurity (including fixing vulnerabilities in widespread platforms and civilian infrastructure) as a major strategic objective, since the security of hardware and software platforms is a precondition for many military uses of AI. The national security community has a key role to play in changing the balance between cyber offense and defense.
• Engage in military-to-military dialogue, and pursue memoranda of understanding and other instruments, agreements, or treaties to prevent the risks of accidental conflict, and accidental escalation, that increasing automation of weapons systems and C2I would inherently create.

Finally, Part III provides strategic questions to consider in the future that are intended to help the defense community contribute to building safe and controllable AI systems, rather than making vulnerable systems and processes that we may regret in decades to come.

Read the full white paper as a PDF or on the Web.

Categories: Privacy