
CDT


Keeping the Internet Open, Innovative and Free

Embedded Tweets and Display Rights: Dangerous Legal Ground for the Web

Thu, 2018-02-22 11:28

In a troubling recent decision (Goldman v. Breitbart) a court in the Southern District of New York found that embedding an image from Twitter in a web page hosted by a news site can infringe on the exclusive right of the photographer to control the public display of the image. In the case, photographer Justin Goldman said that news sites, including Breitbart, infringed on this right when they included an embedded image of a tweet that contained a photograph he took of Patriots quarterback Tom Brady in the Hamptons.

Putting aside the fact that the photographer could have used a more direct method of controlling the use of his image, like a DMCA 512 take-down notice, interpreting an embed (or even worse, a hyperlink) as a form of copyright infringement is a bad idea. The various forms of hyperlinking, including embedded content, form the connective tissue of the web. They provide instant connections between separate sites and various forms of content, allowing sites to offer a more streamlined experience and layered information. They are a crucial part of what makes the web open and accessible, which is why judges and policy makers should exercise caution when changing the legal landscape for links.


To help understand why the recent ruling in Goldman is so troubling, here’s a brief explanation of how embedded links work. When you use a browser to access a website, the browser basically reads a set of instructions from the server hosting the website about where to find the bits and pieces of the site and how to assemble them. Some of those pieces will probably be stored on the same server as the website’s instructional code. Other pieces may be stored elsewhere, on different servers. The assembly instructions for websites with embedded content tell the browser where to look for the content (using a uniform resource locator or URL), and where to put it on the page. The browser then locates the proper server and asks it to send the file for the embedded content. If it agrees, the server sends the content directly to the browser on the user’s computer. The website’s server has no interaction with or control over the embedded content other than pointing to its address.

In 2007, the 9th Circuit considered whether Google infringed the display rights of photographers with its “framing” feature of Google Image Search. It reasoned that because Google did not host the images on its own server, but rather provided instructions (to browsers) to find the images on servers not under Google’s control, Google was not responsible for infringement. This became known as the “server test.” The legal reasoning applies the language of the Copyright Act to the technical details of how browsers interact with websites. The Court found that, since only the server hosting the linked content had control of the files, it alone was capable of “communicating” the image files and therefore Google’s embedded link did not constitute a “display” under the Act.

In the recent case, Judge Forrest declined to apply the “server test,” finding that “a website’s servers need not actually store a copy of the work in order to ‘display’ it.” But servers don’t “display” embedded files because they can’t “transmit” or “communicate” a file they don’t possess. There is an important technical difference between sending a copy of an image file and sending instructions for where to look for a file. In the latter case, the website sending “embed” instructions has no control over the third-party servers, or the content they host. In this case, the third-party servers were operated by Twitter, which, had they been asked, could have removed or blocked access to the offending tweets. Instead, they were publicly accessible to anyone with the proper URL, including Breitbart reporters.

There is a much smaller technical difference between embedding and linking, which is why the argument that “sending instructions is the same as sending a file” is so troubling. They both consist of instructions, one of which directs the browser to retrieve the content automatically (the embed) and the other one requiring a click (or even just a “hover”). In both cases, the actions are performed by the end user’s browser and the image file is “communicated” by the third party directly to the end user. Although Judge Forrest tries to distinguish hyperlinks as different based on the “volitional” element, it is unclear how variations on hyperlink technology might fit that reasoning. For instance, would a hover-to-show type link satisfy the volitional element? Even just the possibility of infringement liability for links could chill their usage, reducing the utility and the “depth” of the web.
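The distinction drawn in the two explanations above (who serves the bytes, and whether the browser fetches them automatically or only after a click) can be made concrete. The following is an added example, not code from CDT or from the court record; the hostnames and the sample page are constructed placeholders, and the tag list covers only a subset of what browsers fetch automatically.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# A subset of the tag/attribute pairs a browser fetches while assembling a page.
AUTO_FETCH = {("img", "src"), ("iframe", "src"), ("script", "src"),
              ("video", "src"), ("audio", "src"), ("embed", "src")}


class ReferenceClassifier(HTMLParser):
    """Sorts a page's references by who serves the file and what triggers the fetch."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.refs = []  # (kind, serving_host, absolute_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if tag == "a" and name == "href":
                kind = "hyperlink"            # fetched only if the user clicks
            elif (tag, name) in AUTO_FETCH:
                kind = None                   # decided below by serving host
            else:
                continue
            url = urljoin(self.page_url, value)   # resolve relative URLs
            host = urlsplit(url).hostname
            if kind is None:
                # Same host: the page's own server sends the file ("hosted").
                # Other host: a third-party server sends it ("embed").
                kind = "hosted" if host == self.page_host else "embed"
            self.refs.append((kind, host, url))


def classify(page_url, html):
    parser = ReferenceClassifier(page_url)
    parser.feed(html)
    parser.close()
    return parser.refs


# Constructed sample page; these hostnames are placeholders.
SAMPLE_URL = "https://news.example/story"
SAMPLE_HTML = """
<img src="/static/logo.png">
<img src="https://images.social.example/media/photo.jpg">
<iframe src="https://social.example/embed/post/123"></iframe>
<a href="https://social.example/post/123">original post</a>
"""

if __name__ == "__main__":
    for kind, host, url in classify(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:9} served by {host:22} {url}")
```

Only the "hosted" entry is a file the news site's own server transmits; for both "embed" and "hyperlink" entries the page supplies an address and the third-party host decides whether to send the content.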

The technical workings of the internet have, in many ways, developed in response to judicial interpretations of copyright law. Moving away from a technically detailed approach to the law’s application creates fundamental problems for the open web, and could discourage innovative new ways to create and share information. This is why technically detailed applications of law like the “server test” make sense: the test is based on concrete and verifiable information and keeps the liability on the party with actual control over the copyrighted work. More generally, disregarding the way technology works is a flawed approach to legal reasoning. For copyright and technology, the details matter.

Categories: Privacy

State Progress on Election Cybersecurity

Wed, 2018-02-21 13:43

The Center for American Progress (CAP) recently released a report titled “Election Security in All 50 States,” which gave a grade of C or lower to 40 states. In fact, no state received a perfect A grade. While former Homeland Security Secretary Jeh Johnson also said that many states have done little to nothing to prepare since 2016, we don’t believe that’s true. To the contrary, states are well underway in their preparations for the 2018 midterm elections, which are expected to be under increased scrutiny as a result of Russian influence operations designed to sow doubt and fear in the US election process. Director of National Intelligence Daniel Coats stated, “At a minimum, we expect Russia to continue using propaganda, social media, false-flag personas, sympathetic spokespeople, and other means of influence to try to exacerbate social and political fissures in the United States.” It is important to recognize that states in many cases are doing very important work to make their election infrastructure more resilient. Here we highlight six states that, over the past six months, have made substantial progress in improving the security of their election systems and making them more resistant to foreign influence.

Colorado: Risk-limiting Audits

The Colorado Secretary of State adopted Election Rule 25 to mandate how counties would conduct risk-limiting audits (RLAs) beginning with the November 7, 2017 election. An RLA of the results bridges the gap between wholly trusting vote tabulation machine results and completing a full manual recount of all ballots. The audit involves a manual recount of a random sample of the ballots, using statistics to determine with a high level of confidence that the voting machine count is accurate. Implementing RLAs required Colorado to have capable voting machines and significant training in the state’s 64 counties. The RLAs were successfully completed just two weeks after the election.
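How a random sample can stand in for a full recount, as an added example that is not taken from the article or from Colorado's Rule 25: it uses the published BRAVO ballot-polling test, one kind of RLA, because the article does not say which method the rule prescribes. It assumes a two-candidate contest; the function names and ballot data are constructed for illustration.

```python
import random


def bravo(sampled, reported_winner_share, risk_limit=0.05):
    """Sequential ballot-polling test for a two-candidate contest.

    sampled: iterable of hand-read paper ballots, "W" for the reported
    winner, anything else for the loser.
    Returns (decision, ballots_examined).
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner must hold more than half the vote")
    ratio, examined = 1.0, 0
    for ballot in sampled:
        examined += 1
        # Likelihood ratio: reported result versus an exact tie.
        if ballot == "W":
            ratio *= reported_winner_share / 0.5
        else:
            ratio *= (1 - reported_winner_share) / 0.5
        if ratio >= 1 / risk_limit:
            return "confirmed", examined   # strong evidence the winner won
    return "full hand count", examined     # sample exhausted: escalate


def draw(ballots, n, seed):
    """Yield n ballots chosen uniformly at random, with replacement."""
    rng = random.Random(seed)
    for _ in range(n):
        yield ballots[rng.randrange(len(ballots))]


# Constructed data: 2,000 paper ballots, 60% for the reported winner.
PAPER = ["W"] * 1200 + ["L"] * 800

if __name__ == "__main__":
    # Paper matches the reported 60% result: a small sample confirms it.
    print(bravo(draw(PAPER, len(PAPER), seed=2018), 0.60))
    # Paper shows a tie: the reported 60% win is never confirmed.
    print(bravo(["W", "L"] * 1000, 0.60))
```

The risk limit bounds the chance that the audit confirms an outcome the paper ballots do not support; when the sample never reaches the threshold, the audit falls back to the full manual count.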

Illinois: Mandatory Cybersecurity Training

For many election officials and staff, cybersecurity may be a new concept, requiring training and recalibration to the new reality that cybersecurity is everyone’s responsibility. In Illinois, annual cybersecurity training from the Department of Innovation and Technology (DoIT) became mandatory for state employees as of January 1, 2018. DoIT is focused on preventing phishing attacks like those used against Clinton campaign chairman John Podesta, 122 state and local election jurisdictions, and voting machine manufacturers. People will always be the weakest link in the cybersecurity chain. Mandatory annual cybersecurity training will provide the state with the opportunity to reinforce fundamental practices and adapt training to meet new threats.

Rhode Island: Security Risk Assessment

The state issued a Request for Proposals (RFP) for a Security Risk Assessment of its Department of State according to the ISO 27001/27002 or NIST Cybersecurity Framework standard. Such assessments are a key part of understanding how current activities may need to be modified or supplemented to address new threats. The Assessment is slated to be completed by May 2018. It should provide the Rhode Island Secretary of State with a roadmap of gaps and deficiencies as well as remediation options to address them. This systematic approach recognizes the ever-evolving nature of the election security threat landscape.

Washington: Multi-State Information Sharing

As one of the 21 states identified as being targets of Russian hacking attempts, Washington partnered with the Department of Homeland Security (DHS) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) in September. The goal of the three-month pilot project announced in September was to assess vulnerabilities and identify mitigation plans; share information; rely on DHS for local in-person support; and report incidents or threats. Sharing technical and non-technical data about incidents with other states via the MS-ISAC is critical in keeping election officials and DHS informed of potential attacks and defensive measures.

West Virginia: Air National Guard

The West Virginia Secretary of State announced in September a partnership with the Air National Guard to assess election systems and monitor those systems for malicious activity. Under the partnership, an Air National Guard Cyber Systems Operations specialist will be embedded in the Secretary of State’s office, as well as in the West Virginia Intelligence Fusion Center. The benefit of embedding a specialist in those offices is to link the mission of the National Guard with the needs of the election officials and the situational awareness of law enforcement officials monitoring criminal and terrorist activities in the state.

Election security is the process of anticipating and responding to ever-evolving threats in an environment where voter confidence can be swayed just as much by perception as reality. The CAP report and recent news reports only provide a snapshot of where states fall short in their security efforts. Some states, like Colorado, Illinois, Rhode Island, Washington, and West Virginia, are already on their way to improving their election security grade. We would love to hear about other efforts states are engaged in to better defend against, detect, and recover from attacks.

Election Security Grades by State – Center for American Progress (February 2018)

Categories: Privacy

Opposing the Mandating of Kill Switches to Address Contraband Cell Phones

Wed, 2018-02-21 11:52

Citing the potential threat to law enforcement and the general public, correctional facility officials have pushed for the FCC to address the issue of contraband phone use in prisons. In a recent meeting hosted by the FCC, Department of Justice officials and local law enforcement argued for aggressive technological approaches to addressing contraband phones.  

Now, the FCC is considering a mandate for hard kill switches on all wireless devices. This proposal would provide correctional facility officers with the ability to permanently disable (or “brick”) a phone upon request. However, the broad scope of this proposal will create new security vulnerabilities, and the lack of judicial review would violate established protections for due process. CDT has joined our colleagues at the Electronic Frontier Foundation (EFF) in opposing this proposal and expressing our concerns in an ex parte filing to the FCC.


From a technological perspective, the mandatory installation of a hard kill switch on all wireless devices would create an explicit security vulnerability on every phone. While corrections officers are seeking a method to disable contraband phones within the confines of their facilities, this vulnerability will not exist in a vacuum. It will be difficult to secure, and malicious actors may hijack or create their own hard kill signals, regardless of where the phone is being used.

The use of a hard kill switch also poses serious risks to users when the wrong phone is identified. If a device is misidentified as contraband and subsequently disabled, the owner of the device will be permanently deprived of their device without any warning or explanation. This would represent more than a minor inconvenience for a handful of people–95 percent of Americans now rely upon a cellphone for communication and information. Under these circumstances, the use of a hard kill switch would cut off access to friends, family, and emergency services. Ultimately, this mandate represents an overly broad and severe technological remedy that will only undermine the security and integrity of wireless devices.


Additionally, the proposal fails to provide any form of judicial review to enable oversight of the process and ensure accuracy. Instead, the process outlined by the Commission would shoehorn providers into the role reserved by judges. Providers would be asked to evaluate whether a request meets the necessary legal criteria without the procedural structure, experience, or institutional authority of the courts. By incorporating judicial review, judges would be empowered to lend their expertise and critically assess claims from law enforcement–potentially providing a valuable check against misidentification.

Most importantly, courts provide legal safeguards and preserve fundamental due process rights. When correctional officials activate the hard kill switch, they are permanently disabling the phone–effectively destroying it and depriving an individual of their property. And although prisoners are entitled to fewer due process protections, the proposal outlined by the FCC may end up disabling phones found outside the correctional facility, placing the legitimate devices of law-abiding individuals at risk.

In working to address the issue of contraband phones in prisons, the FCC must avoid any technological mandates that would undermine the security of all cell phone users (aka everyone in the country) and needs to include due process safeguards in any proposal.

Categories: Privacy