EFF News

It's Repair Day: No One Should Be Punished for "Contempt of Business Model"

Repair is one of the secret keys to a better life. Repairs keep our gadgets in use longer (saving our pocketbooks) and divert e-waste from landfills or toxic recycling processes (saving our planet). Repair is an engine of community prosperity: when you get your phone screen fixed at your corner repair shop, your money goes to a locally owned small business (my daughter and the phone screen guy's daughter go to the same school and he always tut-tuts over the state of my chipped and dented phone at parent-teacher nights).

Fixing stuff has deep roots in the American psyche, from the motorheads who rebuilt and souped-up their cars, to the farmers whose ingenuity wrung every last bit of value out of their heavy equipment, to the electronics tinkerers who are lionized today as some of the founders of Silicon Valley.

Repairs are amazing: they account for up to 4% of GDP, create local jobs (fix a ton of electronics and generate 200 jobs, send a ton of electronics to a dump to be dismantled and recycled and you create a measly 15 jobs, along with a mountain of toxic waste – reuse is always greener than recycling), and they generate a stream of low-cost, refurbished devices and products that are within reach of low-income Americans.

The twenty-first century should be a golden age of repairs. A simple web-search can yield up instructions for fixing your stuff, a wealth of replacement-part options, and thriving communities of other people in the same boat as you, ready to brainstorm solutions when you hit a wall.

But instead, digital technology has been a godsend for big corporations that want to control how you use, fix, and replace your property.

One trick is to put small, inexpensive microprocessors on each part in a complex product -- everything from tractors to phones -- that force you to use the manufacturer's authorized parts and service technicians. Third-party parts may be functionally identical to the manufacturer's own parts (or even better!), but your device won't recognize them unless they have the manufacturer's "security" chip and its associated cryptographic authentication systems. Even if you put an original manufacturer's part in your device (say, one you've bought from the manufacturer or harvested from a scrapped system), some devices won't start using the original part until an authorized service technician inputs an activation code.

As if that wasn't bad enough, corporations routinely withhold service manuals, lists of diagnostic codes, and parts.

This would be merely unconscionable and obnoxious, but thanks to some toxic technology laws, these practices become more than a hurdle for independent service technicians to overcome – they become a legal risk.

Section 1201 of the Digital Millennium Copyright Act (DMCA 1201) contains broad prohibitions on bypassing "access controls" for "copyrighted works," with potentially stiff criminal penalties (five years in prison and a $500,000 fine for a first offense) for "commercial trafficking" in tools to bypass an access control. Manufacturers have interpreted this law very broadly, asserting that the software in their gadgets – cars, medical implants, HVAC systems and thermostats, phones, TVs, etc. – is a "copyrighted work" and the systems that block independent service (checks for original parts, activation codes for new parts, access to diagnostic systems) are "access controls." If the firmware in your car is a "copyrighted work" and the system that stops it from recognizing a new engine part is an "access control" then your auto manufacturer can threaten a competitor with civil prosecution and prison time for making a gadget that allows your corner mechanic to figure out what's wrong with your car and fix it.

Manufacturers can also look to other notorious tech laws, like the Computer Fraud and Abuse Act (CFAA), as well as end-user license agreements, nondisclosure agreements, trade secrecy, and onerous supply-chain deals. Taken together, these rules and agreements have allowed the country's increasingly concentrated industries to turn purchasing a simple device, appliance, or vehicle into a long-term relationship with the manufacturer, like it or not.

The corporations involved make all kinds of bad faith arguments, claiming that they are protecting their customers from safety risks, like getting malware on their phone via an unscrupulous service technician or winding up with defective replacement parts.

But the reality is that anyone can screw up a repair, including the manufacturer's authorized technicians. Only in the bizarro universe of monopoly corporatethink do consumers get a better deal and more reliable service when companies don't have to compete to get their business (and of course, controlling repairs means controlling product life: in California, a law requires manufacturers to supply parts for seven years, and in California, laptops and phones and other electronics last for seven years, while manufacturers in neighboring states often declare their products to be obsolete after three or five years).

Last year, 18 states introduced Right to Repair legislation that requires manufacturers to get out of the way of independent repair: to make parts, manuals and diagnostic codes available to third-party service depots and refrain from other practices that limit your ability to decide who can fix your things.

The corporate blowback from these bills was massive: with so much money at stake when it comes to monopolizing repair, and so many manufacturers using Big Tech's tricks for freezing out indie service, millions were on the line, and the lobbying money managed to stifle these proposals – for now.

But there is nothing harder to kill than an idea whose time has come. This is the golden age of repairs, a moment made for a renaissance of shade-tree mechanics, electronics tinkerers, jackleg fixit shops, and mom-and-pop service depots. It has to be: our planet, our pocketbooks, and our neighborhoods all benefit when our property lasts longer, works better and does more.

Categories: Privacy

We’re Telling a Court (Again) That President Trump and Other Government Officials Can’t Block People on Twitter For Disagreeing With Them

President Donald Trump and his lawyers still believe he can block people on Twitter because he doesn’t like their views, so today we’ve filed a brief telling a court, again, that doing so violates the First Amendment. We’re hopeful that the court, like the last one that considered the case, will side with the plaintiffs, seven individuals blocked by Trump who are represented by the Knight First Amendment Institute. As we explain in the brief, the case has broad implications for the public as social media use by the government becomes more and more ubiquitous.

Trump lost the first round of the case when a judge sided with the plaintiffs, who include a university professor, a surgeon, a comedy writer, a community organizer, an author, a legal analyst, and a police officer. The judge agreed with the Knight Institute, which argued that the interactive spaces associated with the @realDonaldTrump account are “public forums” under the First Amendment, meaning that the government cannot exclude people from them simply because it disagrees with their views. In a brief filed in round one, we argued governmental use of social media platforms to communicate to and with the public—and allow the public to communication with each other—is now the rule of democratic engagement, not the exception. As a result, First Amendment rights of both access to those accounts and the ability to speak in them must apply in full force.

The ruling in round one was a great victory for free speech and recognizes that in the digital age, when a local, state, or federal agent officially communicates, through Twitter, with the public about the government’s business, he or she doesn’t get to block people from receiving those messages because they’ve used the forum to express their disagreement with the official’s policies. Trump was forced to unblock the plaintiffs.

The president’s attorneys are now trying to convince an appeals court to overturn this ruling, making the same arguments they made in the lower court that @realDonaldTrump, Trump’s Twitter handle, is the president’s private property and he can block people if he wants.

In the brief we filed today we’ve told the appeals court that those arguments—which were wrong on the law in the first place—are still wrong. The president has chosen to use his longtime Twitter handle to communicate his administration’s goals, announce policy decisions, and talk about government activity. Similarly, public agencies and officials, from city mayors and county sheriff offices to U.S. Secretaries of State and members of Congress, routinely use social media to communicate official positions, services, and important public safety and policy messages. Twitter has become a vital communications tool for government, allowing local and federal officials to transmit information when natural disasters such as hurricanes and wildfires strike, hold online town halls, and answer citizens’ questions about programs.

When governmental officials and agencies choose a particular technique or technology to communicate with the public about governmental affairs, they have endowed the public with First Amendment rights to receive those messages. And this right, we told the appeals court, is infringed when government denies access to these messages because it disagrees with someone’s viewpoints.

Categories: Privacy

Federal Circuit Overturns Fee Award In Crowdsourcing Patent Case

Patent trolls know that it costs a lot of money to defend a patent case. The high cost of defensive litigation means that defendants are pressured to settle even if the patent is invalid. Fee awards can change this calculus and give defendants a chance to fight back against weak claims. A recent decision [PDF] from the Federal Circuit has overturned a fee award in a case involving an abstract software patent on crowdsourcing. This disappointing ruling may encourage other patent trolls to file meritless cases.

Patent troll AlphaCap Ventures claimed that its patent covered various forms of online equity financing. It filed suit against ten different crowdfunding platforms. Most of the defendants settled quickly. But one defendant, Gust, fought back. After nearly two years of litigation in both the Eastern District of Texas and the Southern District of New York, AlphaCap Ventures dismissed its claim against Gust. The judge in the Southern District of New York ruled that AlphaCap Ventures’ attorneys had litigated unreasonably and ordered them to pay Gust’s attorneys’ fees. Those lawyers then appealed.

EFF filed an amicus brief [PDF] to respond to one of the lawyers’ key arguments. AlphaCap Ventures’ attorneys argued that the law of patent eligibility—particularly the law regarding when a claimed invention is an abstract idea and thus ineligible for patent protection under the Supreme Court’s decision in Alice v. CLS Bank—is so unsettled that a court should never award fees when a party loses on the issue. Our brief argued that such a rule could embolden lawyers to file suits with patents they should know are invalid.

As we were drafting our brief in the AlphaCap Ventures case, the Federal Circuit issued a decision in Inventor Holdings v. Bed Bath & Beyond. The patent owner in Inventor Holdings had asked the court to overturn a fee award against it on the ground that the law of patent eligibility was too uncertain for its arguments to have been unreasonable. The Federal Circuit rejected this in a unanimous panel opinion. It wrote:

[W]hile we agree with [Inventor Holdings] as a general matter that it was and is sometimes difficult to analyze patent eligibility under the framework prescribed by the Supreme Court . . . , there is no uncertainty or difficulty in applying the principles set out in Alice to reach the conclusion that the ’582 patent's claims are ineligible.

In other words, it rejected a very similar argument to the one advanced by Alphacap Ventures’ lawyers.

In the Alphacap Ventures decision, in contrast, the two-judge majority emphasized that “abstract idea law was unsettled” and found that the lawyers’ arguments were not so unreasonable to warrant fees. The majority did not distinguish or even cite Inventor Holdings. (Judge Wallach’s dissent does cite Inventor Holdings.) The appeals involved different patents, and the fee awards were made under different statutes, but it was still surprising that the majority did not discuss the Inventor Holdings decision at all.

We hope that the decision in Alphacap Ventures does not encourage other patent trolls to bring suits with invalid patents. The Inventor Holdings decision remains good law and shows that, at least sometimes, they will be held to account for bringing unreasonable cases.

Categories: Privacy

Open Access Is the Law in California

Governor Jerry Brown recently signed A.B. 2192, a law requiring that all peer-reviewed, scientific research funded by the state of California be made available to the public no later than one year after publication.

EFF applauds Governor Brown for signing A.B. 2192 and the legislature for unanimously passing it—particularly Assemblymember Mark Stone, who introduced the bill and championed it at every step. To our knowledge, no other state has adopted an open access bill this comprehensive.

As we’ve explained before, it’s a problem when cutting-edge scientific research is available only to people who can afford expensive journal subscriptions and academic databases. It insulates scientific research from a broader field of innovators: if the latest research is only available to people with the most resources, then the next breakthroughs will only come from that group.

A.B. 2192 doesn’t solve that problem entirely, but it does limit it. Under the new law, researchers can still publish their papers in subscription-based journals so long as they upload them to public open access repositories no later than one year after publication.

While legislators were considering passing A.B. 2192, we urged them to consider passing a stronger law making research available to the public on the date of publication. In the fast-moving world of science, a one-year embargo period is simply too long.

The best way to maximize the public benefit of state-funded research is to publish it in an open access journal, so that everyone can read it for free on the day it’s published—ideally under an open license that allows anyone to adapt and republish it.

Opponents of open access sometimes claim that open publishing hurts researchers’ reputations, but increasingly, the exact opposite is true; indeed, some of the most important discoveries of the modern era were published in open access journals. That change in practices has come thanks in no small part to a growing list of foundations requiring their grantees to publish in open access journals. Funders can use their influence to change norms in publishing to benefit the public. With the majority of scientific research in the United States funded by government bodies, lawmakers ought to use their power to push for open access. Ultimately, requiring government grantees to publish in open access journals won’t hurt scientists’ reputations; it will help open access’ reputation.

While A.B. 2192’s passage is good news, Congress has still failed to pass an open access law covering science funded by the federal government. FASTR—the Fair Access to Science and Technology Act (S. 1701, H.R. 3427)—is very similar to the California law. It would require every federal agency that spends more than $100 million on grants for research to adopt an open access policy. The bill gives each agency flexibility to choose a policy suited to the work it funds, as long as research is made available to the general public no later than one year after publication. Like the California law, FASTR isn’t perfect, but it’s a great start. Unfortunately, despite strong support in both political parties, FASTR has floundered in Congressional gridlock for five years.

As we celebrate the win for open access in California, please take a moment to write your members of Congress and urge them to pass FASTR.

Take action

Tell Congress: It’s time to move FASTR

Categories: Privacy

From Canada to Argentina, Security Researchers Have Rights—Our New Report

EFF is introducing a new Coders' Rights project to connect the work of security research with the fundamental rights of its practitioners throughout the Americas. The project seeks to support the right of free expression that lies at the heart of researchers' creations and use of computer code to examine computer systems, and relay their discoveries among their peers and to the wider public.  

To kick off the project, EFF published a whitepaper today, “Protecting Security Researchers' Rights in the Americas” (PDF), to provide the legal and policy basis for our work, outlining human rights standards that lawmakers, judges, and most particularly the Inter-American Commission on Human Rights, should use to protect the fundamental rights of security researchers.

We started this project because hackers and security researchers have never been more important to the security of the Internet. By identifying and disclosing vulnerabilities, hackers are able to improve security for every user who depends on information systems for their daily life and work.

Computer security researchers work, often independently from large public and private institutions, to analyze, explore, and fix the vulnerabilities that are scattered across the digital landscape. While most of this work is conducted unobtrusively as consultants or as employees, sometimes their work is done in the public interest—which gathers researchers headlines and plaudits, but can also attract civil or criminal suits. They can be targeted and threatened with laws intended to prevent malicious intrusion, even when their own work is anything but malicious. The result is that security researchers work in an environment of legal uncertainty, even as their job becomes more vital to the orderly functioning of society.

Drawing on rights recognized by the American Convention on Human Rights, and examples from North and South American jurisprudence, this paper analyzes what rights security researchers have; how those rights are expressed in the Americas’ unique arrangement of human rights instruments, and how we might best interpret the requirements of human rights law—including rights of privacy, free expression, and due process—when applied to the domain of computer security research and its practitioners. In cooperation with technical and legal experts across the continent, we explain that:

• Computer programming is expressive activity protected by the American Convention of Human Rights. We explain how free expression lies at the heart of researchers’ creation and use of computer code to examine computer systems and to relay their discoveries among their peers and to the wider public.
• Courts and the law should guarantee that the creation, possession or distribution of tools related to cybersecurity are protected by Article 13 of the American Convention of Human Rights, as legitimate acts of free expression, and should not be criminalized or otherwise restricted. These tools are critical to the practice of defensive security and have legitimate, socially desirable uses, such as identifying and testing practical vulnerabilities.
• Lawmakers and judges should discourage the use of criminal law as a response to behavior by security researchers which, while technically in violation of a computer crime law, is socially beneficial.
  Cybercrime laws should include malicious intent and actual damage in its definition of criminal liability.
• The “Terms of service” (ToS) of private entities have created inappropriate and dangerous criminal liability among researchers by redefining “unauthorized access” in the United States. In Latin America, under the Legality Principle, ToS provisions cannot be used to meet the vague and ambiguous standards established in criminal provisions (for example, "without authorization"). Criminal liability cannot be based on how private companies would like their services to be used. On the contrary, criminal liability must be based on laws which describe in a precise manner which conduct is forbidden and which is punishable.
• Penalties for crimes committed with computers should, at a minimum, be no higher than penalties for analogous crimes committed without computers.
• Criminal law punishment provisions should be proportionate to the crime, especially when cybercrimes demonstrate little harmful effects, or are comparable to minor traditional infractions.
• Proactive actions that will secure the free flow of information in the security research community are needed.

We’d like to thank EFF Senior Staff Attorney Nate Cardozo, Deputy Executive Director and General Counsel Kurt Opsahl, International Rights Director Katitza Rodríguez, Staff Attorney Jamie Lee Williams, as well as consultant Ramiro Ugarte and Tamir Israel, Staff Attorney at Canadian Internet Policy and Public Interest Clinic at the Centre for Law, Technology and Society at the University of Ottawa, for their assistance in researching and writing this paper.

Categories: Privacy

What To Do If Your Account Was Caught in the Facebook Breach

Keeping up with Facebook privacy scandals is basically a full-time job these days. Two weeks ago, it announced a massive breach with scant details. Then, this past Friday, Facebook released more information, revising earlier estimates about the number of affected users and outlining exactly what types of user data were accessed. Here are the key details you need to know, as well as recommendations about what to do if your account was affected.

The number of users whose access tokens were stolen is lower than Facebook originally estimated. When Facebook first announced this incident, it stated that attackers may have been able to steal access tokens—digital “keys” that control your login information and keep you logged in—from 50 to 90 million accounts. Since then, further investigation has revised that number down to 30 million accounts.

The attackers were able to access an incredibly broad array of information from those accounts. The 30 million compromised accounts fall into three main categories. For 15 million users, attackers access names and phone numbers, emails, or both (depending on what people had listed).

For 14 million, attackers access those two sets of information as well as extensive profile details including:

• Username
• Gender
• Locale/language
• Relationship status
• Religion
• Hometown
• Self-reported current city
• Birthdate
• Device types used to access Facebook
• Education
• Work
• The last 10 places they checked into or were tagged in
• Website
• People or Pages they follow
• Their 15 most recent searches

For the remaining 1 million users whose access tokens were stolen, attackers did not access any information.

Facebook is in the process of sending messages to affected users. In the meantime, you can also check Facebook’s Help Center to find out if your account was among the 30 million compromised—and if it was, which of the three rough groups above it fell into. Information about your account will be at the bottom in the box titled “Is my Facebook account impacted by this security issue?”

The most worrying potential outcome of this hack for most people is what someone might be able to do with this mountain of sensitive personal information. In particular, adversaries could use this information to turbocharge their efforts to break into other accounts, particularly by using phishing messages or exploiting legitimate account recovery flows. With that in mind, the best thing to do is stay on top of some digital security basics: look out for common signs of phishing, keep your software updated, consider using a password manager, and avoid using easy-to-guess security questions that rely on personal information.

The difference between a clumsy, obviously fake phishing email and a frighteningly convincing phishing email is personal information. The information that attackers stole from Facebook is essentially a database connecting millions of people’s contact information to their personal information, which amounts to a treasure trove for phishers and scammers. Details about your hometown, education, and places you recently checked in, for example, could allow scammers to craft emails impersonating your college, your employer, or even an old friend.

In addition, the combination of email addresses and personal details could help someone break into one of your accounts on another service. All a would-be hacker needs to do is impersonate you and pretend to be locked out of your account—usually starting with the “Forgot your password?” option you see on log-in pages. Because so many services across the web still have insecure methods of account recovery like security questions, information like birthdate, hometown, and alternate contact methods like phone numbers could give hackers more than enough to break into weakly protected accounts.

Facebook stated that it has not seen evidence of this kind of information being used “in the wild” for phishing attempts or account recovery break-ins. Facebook has also assured users that no credit card information or actual passwords were stolen (which means you don’t need to change those) but for many that is cold comfort. Credit card numbers and passwords can be changed, but the deeply private insights revealed by your 15 most recent searches or 10 most recent locations cannot be so easily reset.

Because it’s cooperating with the FBI, Facebook cannot discuss any findings about the hackers’ identity or motivations. However, from Facebook’s more detailed description of how they carried out the attack, it’s clear that the attackers were determined and coordinated enough to find an obscure, complex vulnerability in Facebook’s code. It’s also clear that they had the resources necessary to automatically exfiltrate data on a large scale.

We still don’t know what exactly the hackers were after: were they targeting particular individuals or groups, or did they just want to gather as much information as possible? It’s also unclear if the attackers abused the platform in ways beyond what Facebook has reported, or used the particular vulnerability behind this attack to launch other, more subtle attacks that Facebook has not yet found.

There is only so much individual users can do to protect themselves from this kind of attack and its aftermath. Ultimately, it is Facebook’s and other companies’ responsibility to not only protect against these kinds of attacks, but also to avoid retaining and making vulnerable so much personal information in the first place.

Categories: Privacy

Lawsuit Seeking to Unmask Contributors to ‘Shitty Media Men’ List Would Violate Anonymous Speakers’ First Amendment Rights

A lawsuit filed in New York federal court last week against the creator of the “Shitty Media Men” list and its anonymous contributors exemplifies how individuals often misuse the court system to unmask anonymous speakers and chill their speech. That’s why we’re watching this case closely, and we’re prepared to advocate for the First Amendment rights of the list’s anonymous contributors.

On paper, the lawsuit is a defamation case brought by the writer Stephen Elliott, who was named on the list. The Shitty Media Men list was a Google spreadsheet shared via link and made editable by anyone, making it particularly easy for anonymous speakers to share their experiences with men identified on the list. But a review of the complaint suggests that the lawsuit is focused more broadly on retaliating against the list’s creator, Moira Donegan, and publicly identifying those who contributed to it.

For example, after naming several anonymous defendants as Jane Does, the complaint stresses that “Plaintiff will know, through initial discovery, the names, email addresses, pseudonyms and/or ‘Internet handles’ used by Jane Doe Defendants to create the List, enter information into the List, circulate the List, and otherwise publish information in the List or publicize the List.”

In other words, Elliott wants to obtain identifying information about anyone and everyone who contributed to, distributed, or called attention to the list, not just those who provided information about Elliot specifically.

The First Amendment, however, protects anonymous speakers like the contributors to the Shitty Media Men list, who were trying to raise awareness about what they see as a pervasive problem: predatory men in media. As the Supreme Court has ruled, anonymity is a historic and essential way of speaking on matters of public concern—it is a “shield against the tyranny of the majority.”

Anonymity is particularly critical for people who need to communicate honestly and openly without fear of retribution. People rely on anonymity in a variety of contexts, including reporting harassment, violence, and other abusive behavior they’ve experienced or witnessed. This was the exact purpose behind the Shitty Media Men list. Donegan, who after learning she would be identified as the creator of the list, came forward and wrote that she “wanted to create a place for women to share their stories of harassment and assault without being needlessly discredited or judged. The hope was to create an alternate avenue to report this kind of behavior and warn others without fear of retaliation.”

It’s easy to understand why contributors to the list did so anonymously, and that they very likely would not have provided the information had they not been able to remain anonymous. By threatening that anonymity, lawsuits like this one risk discouraging anyone in the future from creating similar tools that share information and warn people about violence, abuse, and harassment.

To be clear, our courts do allow plaintiffs to pierce anonymity if they can show need to do so in order to pursue legitimate claims. That does not seem to be the case here, because the claims against Donegan appear to be without merit. Given that she initially created the spreadsheet as a platform to allow others to provide information, Donegan is likely immune from suit under Section 230, the federal law that protects creators of online forums like the “Shitty Media Men” list from being treated as the publisher of the information added by other users, here the list’s contributors. And even if Donegan did in fact create the content about Elliott, she could still argue that the First Amendment requires that he show that the allegations were not only false but also made with actual malice.

EFF has long fought for robust protections for anonymous online speakers, representing speakers in court cases and also pushing courts to adopt broad protections for them. Given the potential dangers to anonymous contributors to this list and the thin allegations in the complaint, we hope the court hearing the lawsuit quickly dismisses the case and protects the First Amendment rights of the speakers who provided information to it. We also applaud Google, which has said that it will fight any subpoenas seeking information on its users who contributed to the list. 

EFF will continue to monitor the case and seek to advocate for the First Amendment rights of those who contributed to the list should it become necessary. If you contributed to the list and are concerned about being identified or otherwise have questions, contact us at info@eff.org. As with all inquiries about legal assistance from EFF, the attorney/client privilege applies, even if we can’t take your case.

Categories: Privacy

Federal Circuit (Finally) Makes Briefs Immediately Available to the Public

In a victory for transparency, the Federal Circuit has changed its policies to give the public immediate access to briefs. Previously, the court had marked submitted briefs as “tendered” and withheld them from the public pending review by the Clerk’s Office. That process sometimes took a number of days. EFF wrote a letter [PDF] asking the court to make briefs available as soon as they are filed. The court has published new procedures [PDF] that will allow immediate access to submitted briefs.

Regular readers might note that this is the second time we have announced this modest victory. Unfortunately, our earlier blog post was wrong and arose out of a miscommunication with the court (the Clerk’s Office informed us of our mistake and we corrected that post). This time, the new policy clearly provides for briefs to be immediately available to the public. The announcement states:

The revised procedure will allow for the immediate filing and public availability of all electronically-filed briefs and appendices. … As of December 1, 2018, when a party files a brief or appendix with the court, the document will immediately appear on the public docket as filed, with a notation of pending compliance review.

In our letter to the Federal Circuit, we had explained that the public’s right of access to courts includes a right to timely access. The Federal Circuit is the federal court of appeal that hears appeals in patent cases from all across the country, and many of its cases are of interest to the public at large. We are glad that the court will now give the press and the public immediate access to filed briefs.

Overall, the Federal Circuit has a good record on transparency. The court has issued rulings making it clear that it will only allow material to be sealed for good reason. The court’s rules of practice require parties to file a separate motion if they want to seal more than 15 consecutive words in a motion or a brief. The Federal Circuit’s new filing policy brings its docketing practices in line with this record of transparency and promotes timely access to court records.

Categories: Privacy

Ten Legislative Victories You Helped Us Win in California

 Your strong support helped us persuade California’s lawmakers to do the right thing on many important technology bills debated on the chamber floors this year. With your help, EFF won an unprecedented number of victories, supporting good bills and stopping those that would have hurt innovation and digital freedoms.

Here’s a list of victories you helped us get the legislature to pass and the governor to sign, through your direct participation in our advocacy campaigns and your other contributions to support our work.

Our biggest win of the year, the quest to pass California’s net neutrality law and set a gold standard for the whole country, was hard-fought. S.B. 822 not only prevents Internet service providers from blocking or interfering with traffic, but also from prioritizing their own services in ways that discriminate.

California made a bold declaration to support the nation’s strongest protections of a free and open Internet. As the state fights for the ability to enact its law—following an ill-conceived legal challenge from the Trump administration—you can continue to let lawmakers know that you support its principles.

Transparency is the foundation of trust. Thanks to the passage of S.B. 978, California police departments and sheriff’s offices will now be required to post their policies and training materials online, starting in January 2020. The California Commission on Peace Officer Standards and Training will be required to make its vast catalog of trainings available as well. This will encourage better and more open relationships between law enforcement agencies and the communities they serve.

Increasing public access to police materials about training and procedures benefits everyone by making it easier to understand what to expect from a police encounter. It also helps ensure that communities have a better grasp of new police surveillance technologies, including body cameras and drones.

Cameras worn by police officers are increasingly common. While intended to promote police accountability, unregulated body cams can instead become high tech police snooping devices.

Some police departments have withheld recordings of high-profile police use of force against civilians, even when communities demand release. Prior to this bill’s introduction, Los Angeles, for example, had a policy that didn’t allow for any kind of public access at all.

 The public now has the right to access those recordings. A.B. 748 ensures that starting July 1, 2019, you will have the right to access this important transparency resource.

EFF sent a letter stating its support for this law, which makes it more likely that body-worn cameras will be used as a tool for holding officers accountable, rather than a tool of police surveillance against the public.

As the legal marijuana market develops in California, it is critical that the state protects the data privacy rights of cannabis users. A.B. 2402 is a step in the right direction, providing modest but vital privacy measures.

A.B. 2402 stops cannabis distributors from sharing the personal information of their customers without their consent, granting cannabis users an important data privacy right. The bill also prohibits dispensaries from discriminating against a customer who chooses to withhold that consent.

As more vendors use technology such as apps and websites to market marijuana, the breadth of their data collection continues to grow. News reports have found that dispensaries are scanning and retaining driver license data, as well as requiring names and phone numbers before purchases. This new law ensures that users can deny consent to having their personal information shared with other companies, without penalty.

DNA information reveals a tremendous amount about a person – their medical conditions, their ancestry, and many other immutable traits – and handing over a sample to law enforcement has long-lasting consequences. Unfortunately, at least one police agency has demanded DNA from youths in circumstances that are confusing and coercive.

A.B. 1584 makes sure that before this happens, kids will have an adult in the room to explain the implications of handing a DNA sample over to law enforcement. Once this law takes effect in January 2019, law enforcement officials must have the consent of a parent, guardian, or attorney, in addition to consent from the minor, to collect a DNA sample.

EFF wrote a letter supporting this bill as a vital protection for California’s youths, particularly in light of press reports about police demanding DNA from young people without a clear reason. In one case, police approached kids coming back from a basketball game at a rec center and had them sign forms “consenting” to check swabs.

A.B. 1584 adds sensible privacy protections for children, to ensure that they fully understand how police may use these DNA samples. It also guarantees that, if the sample doesn’t implicate them in a crime, it will be deleted from the system promptly.

Internet access is vital to succeeding in today’s world. With your support, we persuaded lawmakers to recognize how important it is for some of California’s most vulnerable young people—those involved in the child welfare and juvenile justice systems— to be able to access the Internet, as a way to further their education. A.B. 2448 guarantees that access.

EFF testified before a Senate committee to advocate for the 2017 version of this bill, which the governor vetoed with the condition that he would sign a more narrow text. The second version, however, passed Gov. Brown’s muster. Throughout the process, EFF launched email campaigns and enlisted the help of tech companies, including Facebook, to lend their support to the effort.

This law affirms that some of the state’s most at-risk young people have access to all the resources the Internet has to offer. And it shows the country that if California can promise Internet access to disadvantaged youth, then other states can, too.

Getting your ID card checked at a bar? The bouncer may be extracting digital information from your ID, and the bar may then be sharing that information with others. California law limits bars from sharing information they collected through swiping your ID, but some companies and police departments believed they could bypass those safeguards as long as IDs were “scanned” rather than “swiped.”

 A.B. 2769 closes this loophole. It makes sure that you have the same protections against having your information shared without your consent whether the bouncer checking you out is swiping your card or scanning it.

EFF sent a letter in support of this bill to the governor. People shouldn’t lose the right to consent to data sharing simply because the place they go chooses a different method of checking their identification.

Thankfully, the governor signed this common-sense bill.

A.B. 2192 was a huge victory for open access to knowledge in the state of California. It gives everyone access to research that’s been funded by the government within a year of its publication date.

EFF went to Sacramento to testify in support of this bill. We also wrote to explain that it would have at most a negligible financial impact on the state budget to require researchers to make their reports open to the public. This prompted lawmakers to reconsider the bill after previously setting it aside.

A.B. 2192 is a good first step. EFF would like to see other states adopt similar measures. We also want California to take further strides to make research available to other researchers looking to advance their work, and to the general public.

Fighting “fake news” has become a priority for a lot of lawmakers, but S.B. 1424, a bill EFF opposed, was not the way to do it. The bill would have set up a state advisory committee to recommend ways to “mitigate” the spread of “fake news.” That would have created an excessive risk of new laws that restrict the First Amendment rights of Californians.

EFF sent a letter to the governor, outlining our concerns about having the government be the arbiter of what is true and what isn’t. This is an especially difficult task when censors examine complex speech, such as parody and satire.

Gov. Brown vetoed this bill, ultimately concluding that it was not needed. “As evidenced by the numerous studies by academic and policy groups on the spread of false information, the creation of a statutory advisory group to examine this issue is not necessary,” he wrote.

California's new bot-labeling bill, S.B. 1001, initially included overbroad language that would have swept up bots used for ordinary and protected speech activities. Early drafts of the bill would have regulated accounts used for poetry, political speech, or satire. The original bill also created a takedown system that could have been used to censor or discredit important voices, like civil rights leaders or activists.

EFF worked with the bill's sponsor, Senator Robert Hertzberg, to remove the dangerous language and think through the original bill's unintended negative consequences. We thank the California legislature for hearing our concerns and amending this bill.

You spoke, and California’s legislature and governor listened. In 2018, we made great progress for digital liberty. With your help, we look forward to more successes in 2019. Thank you!

Categories: Privacy