EFF: Today—and Every Day—We Fight to Defend the Open Internet


Today, we heard from the Federal Communications Commission (FCC) about its plans to devastate Network Neutrality. Instead of responding to the millions of Americans who want to protect the free and open Internet, the FCC is ceding to the demands of a handful of massive ISPs, like Comcast, Verizon, and AT&T.

EFF will be analyzing the full plan when it is released. But based on what we know so far, it’s clear that Chairman Pai is seeking to reverse the 2015 Open Internet Order that established clear but light-touch protections for Internet users and Internet innovation. The FCC’s new approach invites a future where only the largest Internet, cable, and telephone companies survive, while every start-up, small business, and new innovator is crowded out—and the voice of nonprofits and ordinary individuals is suppressed. Costs will go up, as ISPs take advantage of monopoly power to raise rates on edge providers and consumers alike. And the FCC’s proposed plan adds salt to the wound by interfering with state efforts to protect consumer privacy and competition.

The FCC today abdicates a fundamental responsibility—but Internet users won’t. Today, and every day, we will fight to defend net neutrality. Tell Congress that lawmakers must act to defend our open Internet.


Published November 21, 2017 at 09:37PM
Read more on eff.org


EFF: Treasury Department Concludes Fraud Investigation into ComputerCOP “Internet Safety” Software


Three years ago, EFF exposed how hundreds of law enforcement agencies were putting families at risk by distributing free ComputerCOP “Internet safety” software that actually transmitted keystrokes unencrypted to a third-party server. Our report also raised serious questions about whether the company was deceiving government agencies by circulating a bogus letter of endorsement from a top official in the U.S. Treasury Department.

 This month, our suspicions were confirmed. A document obtained through the Freedom of Information Act shows that, in response to EFF’s research, the Treasury Department’s Inspector General launched an investigation into ComputerCOP. The final report concluded that the company had, in fact, doctored a government letter to improperly convince law enforcement agencies to spend asset forfeiture funds to buy the product.

Read the Treasury Department’s investigative report and exhibits

Unfortunately, the report shows that ComputerCOP dodged criminal prosecution because the statute of limitations expired. Nevertheless, the records should serve as the final nail in the coffin for this software. It was bad enough that the software was proven dangerous; it is even worse for law enforcement agencies to do business with a company that federal investigators caught forging documents. 

ComputerCOP is a CD-ROM (now also available on a USB storage stick) that promises to help parents protect their children from Internet predators. More than 240 agencies signed contracts with ComputerCOP, often worth tens of thousands of dollars. But the software was less about safety than it was about self-promotion. Elected law enforcement officials—including sheriffs, mayors and district attorneys—placed their images on the cover and recorded promotional videos about how the software was the “first step” to protecting children online. By and large, the “free” software giveaway was used to generate positive media coverage. In Arizona, for example, the software project was spearheaded by the Maricopa County District Attorney’s press officer, rather than a member of the Internet Crimes Against Children team. Marketing materials proclaimed that the software was a “Perfect Election and Fundraising Tool!”


EFF technologists dissected the software and discovered that it contained a keylogging feature that monitored everything a computer user typed. Whenever a keyword was entered, the software transmitted the text to a third-party commercial email server, which then sent alerts to the master user (often a parent) in real time. Not only was this feature invasive and easily abused, it also had a major technical vulnerability: the software transmitted communications openly and unencrypted, so that it could be easily intercepted and read by malicious actors. The San Diego County District Attorney, which had distributed the software, issued a warning to families about the keylogging feature after EFF published its findings.

Law enforcement agencies often paid for ComputerCOP with asset forfeiture funds, that is, money seized from suspected criminals during investigations. When agencies assist in federal investigations, they sometimes receive a portion of the money through a process called “equitable sharing.” As part of its marketing materials, ComputerCOP circulated a letter from the director of the Treasury Executive Office for Asset Forfeiture, which oversees equitable sharing spending, that seemed to endorse the product. 

EFF obtained this letter through a state-level public records request, and it immediately struck us as odd. The letterhead seemed off-kilter, some of the text was misaligned, and the letter was undated, unsigned, and did not even include the full name of the person it was addressed to. (EFF separately discovered ComputerCOP had falsely claimed endorsements by the ACLU and National Center for Missing and Exploited Children.)

So, we filed a FOIA request with the Treasury Department to obtain the original letter, if one existed.  Not long after, the Treasury Department issued a fraud alert for the letter, and the Treasury Department Inspector General launched a formal inquest. 

New FOIA documents show that, after a multi-year investigation, the Inspector General concluded that ComputerCOP had indeed “altered the 2001 letter from TEOAF and made it appear to be blanket permission for all law enforcement agencies to use equitable sharing funds to purchase the software.” Indeed, ComputerCOP made this claim on the rate card it provided to agencies. 

As part of its investigation into the letter, Treasury investigators sent questionnaires to 240 agencies that had purchased ComputerCOP. Of the few dozen that responded, three law enforcement agencies—the Peabody Police Department in Massachusetts, the Alaska Department of Public Safety, and the Greene County Sheriff’s Office in Missouri—told Treasury that the fraudulent letter had directly influenced their decision to purchase the product. 

The closed investigative report indicates the Treasury Inspector General was unable to send the case for prosecution “due to the fact that the three year statute of limitations on the offense had lapsed.” Instead, after discussions with the Justice Department and the U.S. Marshals Service, Treasury concluded it was enough for ComputerCOP to cease using the altered letter and to post a disclaimer on their website.

Unfortunately, it may be time for the Treasury Department to re-open the case. While ComputerCOP did once advertise the disclaimer, EFF could no longer find that language anywhere on its website.  

Making matters worse, the company’s website now claims that the keylogging feature “is not intrusive in any way.” This is an outrageous claim considering that this type of technology is more commonly deployed by stalkers and malicious hackers, and, in certain circumstances, its use could violate wiretapping laws.

For the most part, law enforcement purchases of ComputerCOP have significantly declined since we issued our first report. However, the company does continue to find buyers. For example, the Lake County Sheriff’s Office, Florida purchased 1,000 copies for $5,975 in 2017, according to SmartProcure. Meanwhile McGruff the Crime Dog was handing out copies as recently as this summer at a community screening of the film “Elf.”

To law enforcement agencies, here’s some rock-solid advice: before you purchase so-called Internet safety software, spend a few moments on the Internet researching whether the software is actually safe and above board. 

ComputerCOP is neither.

Published November 21, 2017 at 08:46PM

EFF: Court Rules That EFF’s Stupid Patent of the Month Post Is Protected Speech

A federal judge has ruled that EFF need not obey an Australian injunction ordering EFF to take down a “Stupid Patent of the Month” blog post and never speak of the patent owner’s intellectual property again.

It all started when Global Equity Management (SA) Pty Ltd (GEMSA)’s patent was featured as the June 2016 entry in our Stupid Patent of the Month blog series. GEMSA wrote to EFF accusing us of “false and malicious slander.” It subsequently filed a lawsuit and obtained an injunction from a South Australia court purporting to require EFF to censor itself. We declined and filed a suit in the U.S. District Court for the Northern District of California seeking a declaration that EFF’s post is protected speech.

The court agreed, finding that the South Australian injunction can’t be enforced in the U.S. under a 2010 federal law that took aim against “libel tourism,” a practice by which plaintiffs—often billionaires, celebrities, or oligarchs—sued U.S. writers and academics in countries like England where it was easier to win a defamation case. The Securing the Protection of Our Enduring and Established Constitutional Heritage Act (SPEECH Act) says foreign orders aren’t enforceable in the United States unless they are consistent with the free speech protections provided by the U.S. and state constitutions, as well as state law.

The Court analyzed each of GEMSA’s claims for defamation, and found “[n]one of these claims could give rise to defamation under U.S. and California law,” and accordingly “EFF would not have been found liable for defamation under U.S. and California law.” For example, GEMSA’s lead complaint was that EFF had called its patent “stupid.” GEMSA protested that its patent is not “in fact” stupid, but the court found that this was clearly protected opinion. Moreover, the Court found “that the Australian court lacked jurisdiction over EFF, and that this constitutes a separate and independent reason that EFF would prevail under the SPEECH Act.”

Furthermore, the Court found that the Australian order was not enforceable under the SPEECH Act because “U.S. and California would provide substantially more First Amendment protection by prohibiting prior restraints on speech in all but the most extreme circumstances, and providing additional procedural protections in the form of California’s anti-SLAPP law.” 

After its thorough analysis, the Court declared “(1) that the Australian Injunction is repugnant to the United States Constitution and the laws of California and the United States; and (2) that the Australian injunction cannot be recognized or enforced in the United States.”

The decision was a default judgment. GEMSA, which has three pending patent lawsuits in the Northern District of California, had until May 23 to respond to our case. That day came and went without a word. While GEMSA knows its way around U.S. courts—having filed dozens of lawsuits against big tech companies claiming patent infringement—it failed to respond to ours.

EFF thanks our counsel from Ballard Spahr LLP and Jassy Vick Carolan LLP.

Published November 20, 2017 at 11:52PM

EFF: EFF’s Newest Case: Why We’re Helping to Unseal Court Records in Washington Federal Court

Consider this: Deputy Attorney General Rod Rosenstein has been going around talking about “responsible encryption” for some time now, proselytizing for encryption that’s somehow only accessible by the government—something we all know to be unworkable. If the Department of Justice (DOJ) is taking this aggressive public position about what kind of access it should have to user data, it begs the question—what kind of technical assistance from companies and orders for user data is the DOJ demanding in sealed court documents? EFF’s client The Stranger, a Seattle-based newspaper, has filed a petition with one court to find out.

What’s at Stake?

In a democracy, we as citizens deserve to know what our government is up to, especially its interpretation of the law. A major reason we all knew about the government using the All Writs Act—a law originally passed in 1789—to compel Apple to design a backdoor for the iOS operating system is because the court order was public. However, there are many instances where we may not know what the government is asking. For example, could the government be asking Amazon to turn on the mic on its smart assistant product, the Echo, so they can listen in on people? This is not without precedent. In the past, the government has tried to compel automobile manufacturers to turn on mics in cars for surveillance.

Beyond the All Writs Act, we need to know what kind of warrantless surveillance the government is conducting under statutes like the Stored Communications Act (SCA) and the Pen Register Act. For instance, under certain authorities of the SCA, the government can obtain very private details about people’s email records, such as who they communicate with and when, and that in itself can be revealing regardless of the content of the messages.

The privacy problems of these non-warrant orders are compounded by the secrecy associated with them. The government files papers asking for such orders under seal, giving the public no opportunity to scrutinize them or to see how many are actually filed with the court. The people deserve to know and we support The Stranger’s efforts to seek access to these records.

Of course, the government may have good reasons to prevent disclosure of surveillance orders as part of an ongoing investigation, but under the current regime, next to no information is available even for the existence of such requests, including how many are filed each year. There are ways to meet the government’s priorities—by redacting the name of the suspect to avoid tipping them off, for instance—without sacrificing transparency and access to court records for the American people under the First Amendment.

The Specifics of the Case

Our client The Stranger is a Pulitzer Prize-winning newspaper with a history of covering stories that focus on law enforcement surveillance capabilities. In 2013, The Stranger was the first local media organization to report on the surveillance devices installed by the Seattle Police Department that were capable of tracking people’s digital devices around the city. Apart from local law enforcement, The Stranger also covers federal surveillance activities in the city of Seattle. For instance, it investigated the Alcohol, Tobacco, Firearms and Explosives bureau’s operation of a network of sophisticated surveillance cameras in the city.

To better report on government surveillance capabilities, the newspaper is petitioning the federal court in Seattle—home to companies like Microsoft and Amazon—to unseal government requests for electronic surveillance orders and warrants filed with the Court.

As the petition points out, the current court procedures are inadequate and counter to the widely recognized presumption of public access and openness to U.S. court records. In the Western District of Washington, government applications for electronic surveillance warrants or orders are designated as Magistrate Judge (MJ) matters. But for warrantless surveillance orders, the cases are marked as Grand Jury (GJ) proceedings. By default, anything filed as a Grand Jury case is automatically sealed and completely inaccessible to the public. This is troubling.

Support EFF’s Transparency Work

EFF has a long history of fighting for transparency by representing clients in litigation or filing public records requests for state and federal records. If you’d like to show your support for this lawsuit, please support our work and donate today.

We would like to thank Geoff M. Godfrey, Nathan D. Alexander, and David H. Tseng of Dorsey & Whitney LLP in Seattle for co-counseling with us in representing The Stranger.

Published November 20, 2017 at 09:35PM

EFF: Will Congress Bless Internet Fast Lanes?


As the Federal Communications Commission (FCC) gets ready to abandon a decade of progress on net neutrality, some in Congress are considering how new legislation could fill the gap and protect users from unfair ISP practices. Unfortunately, too many lawmakers seem to be embracing the idea that they should allow ISPs to create Internet “fast lanes” — also known as “paid prioritization,” one of the harmful practices that violates net neutrality. They are also looking to re-assign the job of protecting customers from ISP abuses to the Federal Trade Commission.

These are both bad ideas.  Let’s start with paid prioritization. In response to widespread public demand from across the political spectrum, the 2015 Open Internet Order expressly prohibited paid prioritization, along with other unfair practices like blocking and throttling. ISPs have operated under the threat or the reality of these prohibitions for at least a decade, and continue to be immensely profitable. But they’d like to make even more money by double-dipping: charging customers for access to the Internet, and then charging services for (better) access to customers. And some lawmakers seem keen to allow it.

That desire was all too evident in a recent hearing on the role of antitrust in defending net neutrality principles. Subcommittee Chairman Tom Marino gave a baffling defense of prioritization, suggesting that it’s necessary or even beneficial to users for ISPs to give preferential treatment to certain content sources. Rep. Marino said that users should be able to choose between a more expensive Internet experience and a cheaper one that prioritizes the ISP’s preferred content sources. He likened Internet service to groceries, implying that by disallowing paid prioritization, the Open Internet Order forced more casual Internet users to waste their money: “Families who just want the basics or are on a limited income aren’t forced to subsidize the preferences of shoppers with higher-end preferences.”

Rep. Darrell Issa took the grocery metaphor a step further, saying that paid prioritization is the modern day equivalent of the practice of grocery stores selling prime placement to manufacturers: “Within Safeway, they’ve decided that each endcap is going to be sold to whoever is going to pay the most – Pepsi, Coke, whoever – that’s certainly a prioritization that’s paid for.”

That’s an absurd analogy. Unlike goods at a physical store, every bit of Internet traffic can get the best placement, and no one on a limited income is “subsidizing” their richer neighbors. When providers choose to slow down certain types of traffic, they’re not doing it because that traffic is somehow more burdensome; they’re doing it to push users toward the content and service the ISP favors (or has been paid to favor)—the very behavior the Open Internet Order was intended to prevent. ISPs become gatekeepers rather than conduits.

As ISPs and content companies have become increasingly intertwined, the dangers of ISPs giving preferential treatment to their own content sources—and locking out alternative sources—have become ever more pronounced. That’s why in 2016 the FCC launched a lengthy investigation into ISPs’ zero-rating practices and whether they violated the Open Internet Order. The FCC focused in particular on cases where an ISP has an obvious economic incentive to slow down competing content providers, as was the case with AT&T prioritizing its own DirecTV services. Some members of Congress fail to see the dangers to users of these “vertical integration” arrangements. Rep. Bob Goodlatte said in the hearing that “Blanket regulation… would deny consumers the potential benefits in cost savings and improved services that would result from vertical agreements.” But if zero-rating arrangements keep new edge providers from getting a fair playing field to compete for users’ attention, services won’t improve at all. Certainly, an entity with a monopoly could choose to turn every advantage into savings for its customers, but we know from history and common sense that monopolies gouge customers instead. It’s telling—and unfortunate—that one of Ajit Pai’s first actions as FCC Chairman was to shelve the Commission’s zero-rating investigation.

The other goal of the hearing was to consider whether to assign net neutrality enforcement power to the Federal Trade Commission instead of the FCC. This is a rehash of the long-standing argument that the best way to defend the Internet is to have ISPs publicly promise to behave. If they break that promise or undermine competition, the FTC can go after them.

Federal Trade Commissioner Terrell McSweeny correctly explained why that approach won’t cut it: “a framework that relies solely on backward-looking consumer protection and antitrust enforcement” just cannot “provide the same assurances to innovators and consumers as the forward-looking rules contained in the FCC’s open internet order.”

For example, as McSweeny noted, large ISPs have a huge incentive to unfairly prioritize certain content sources: their own bottom line. Every major ISP also offers streaming media services, and these ISPs naturally will want to direct users to those offerings. Antitrust law alone can’t stop these practices because the threat that paid prioritization poses isn’t to competition between ISPs; it’s to the users themselves.

If the FCC abandons its commitment to net neutrality, Congress can and should step in to put it back on course. That means enacting real, forward-looking legislation that embraces all of the bright-line rules, not just the ones ISPs don’t mind. And it means forcing the FCC to do its job, rather than handing it off to another agency that’s not well-positioned to do the work.

Published November 20, 2017 at 06:56PM