Here at the Electronic Frontier Foundation, we have a guiding motto: “I Fight For the Users.” (We even put it on t-shirts from time to time!) We didn’t pick that one by accident (nor merely because we dig the 1982 classic film “Tron”), but because it provides such a clear moral compass when we sit down to work every day.
Some of the most important work we do at EFF is build technologies to protect users’ privacy and security, and give developers tools to make the entire Internet ecosystem more safe and secure. Every day, EFF’s talented and dedicated computer scientists and engineers are creating and making improvements to our free, open source extensions, add-ons, and software to solve the problems of creepy tracking and unreliable encryption on the web.
Joining EFF this week to direct and shepherd these technology projects is internationally-recognized cybersecurity and encryption expert Jon Callas. He will be working with our technologists on Privacy Badger, a browser add-on that stops advertisers and other third-party trackers from secretly tracking users’ web browsing, and HTTPS Everywhere, a Firefox, Chrome, and Opera extension that encrypts user communications with major websites, to name of few of EFF’s tech tools.
For years, free speech and press freedoms have been under attack in Turkey. The country has the distinction of being the world’s largest jailer of journalists and has in recent years been cracking down on online speech. Now, a new law, passed by the Turkish Parliament on the 29th of July, introduces sweeping new powers and takes the country another giant step towards further censoring speech online. The law was ushered through parliament quickly and without allowing for opposition or stakeholder inputs and aims for complete control over social media platforms and the speech they host. The bill was introduced after a series of allegedly insulting tweets aimed at President Erdogan’s daughter and son-in-law and ostensibly aims to eradicate hate speech and harassment online. Turkish lawyer and Vice President of Ankara Bar Association IT, Technology & Law Council Gülşah Deniz-Atalar called the law “an attempt to initiate censorship to erase social memory on digital spaces.”
Once ratified by President Erdogan, the law would mandate social media platforms with more than a million daily users to appoint a local representative in Turkey, which activists are concerned will enable the government to conduct even more censorship and surveillance. Failure to do so could result in advertisement bans, steep penalty fees, and, most troublingly, bandwidth reductions. Shockingly, the legislation introduces new powers for Courts to order Internet providers to throttle social media platforms’ bandwidth by up to 90%, practically blocking access to those sites. Local representatives would be tasked with responding to government requests to block or take down content. The law foresees that companies would be required to remove content that allegedly violates “personal rights” and the “privacy of personal life” within 48 hours of receiving a court order or face heavy fines. It also includes provisions that would require social media platforms to store users’ data locally, prompting fears that providers would be obliged to transmit those data to the authorities, which experts expect to aggravate the already rampant self-censorship of Turkish social media users.
While Turkey has a long history of Internet censorship, with several hundred thousand websites currently blocked, this new law would establish unprecedented control of speech online by the Turkish government. When introducing the new law, Turkish lawmakers explicitly referred to the controversial German NetzDG law and a similar initiative in France as a positive example.
Germany’s Network Enforcement Act, or NetzDG for short, claims to tackle “hate speech” and illegal content on social networks and passed into law in 2017 (and has been tightened twice since). Rushedly passed amidst vocal criticism from lawmakers, academia and civil experts, the law mandates social media platforms with one million users to name a local representative authorized to act as a focal point for law enforcement and receive content take down requests from public authorities. The law mandates social media companies with more than two million German users to remove or disable content that appears to be “manifestly illegal” within 24 hours of having been alerted of the content. The law has been heavily criticized in Germany and abroad, and experts have suggested that it interferes with the EU’s central Internet regulation, the e-Commerce Directive. Critics have also pointed out that the strict time window to remove content does not allow for a balanced legal analysis. Evidence is indeed mounting that NetzDG’s conferral of policing powers to private companies continuously leads to takedowns of innocuous posts, thereby undermining the freedom of expression.
The European Union’s highest court today made clear—once again—that the US government’s mass surveillance programs are incompatible with the privacy rights of EU citizens. The judgment was made in the latest case involving Austrian privacy advocate and EFF Pioneer Award winner Max Schrems. It invalidated the “Privacy Shield,” the data protection deal that secured the transatlantic data flow, and narrowed the ability of companies to transfer data using individual agreements (Standard Contractual Clauses, or SCCs).
Despite the many “we are disappointed” statements by the EU Commission, U.S. government officials, and businesses, it should come as no surprise, since it follows the reasoning the court made in Schrems’ previous case, in 2015.
Back then, the EU Court of Justice (CJEU) noted that European citizens had no real recourse in US law if their data was swept up in the U.S. governments’ surveillance schemes. Such a violation of their basic privacy rights meant that U.S. companies could not provide an “adequate level of [data] protection,” as required by EU law and promised by the EU/U.S. “Privacy Safe Harbor” self-regulation regime. Accordingly, the Safe Harbor was deemed inadequate, and data transfers by companies between the EU and the U.S. were forbidden.
Since that original decision, multinational companies, the U.S. government, and the European Commission sought to paper over the giant gaps between U.S. spying practices and the EU’s fundamental values. The U.S. government made clear that it did not intend to change its surveillance practices, nor push for legislative fixes in Congress. All parties instead agreed to merely fiddle around the edges of transatlantic data practices, reinventing the previous Safe Harbor agreement, which weakly governed corporate handling of EU citizen’s personal data, under a new name: the EU-U.S. Privacy Shield.
San Francisco—The Electronic Frontier Foundation (EFF), in partnership with the Reynolds School of Journalism at the University of Nevada, Reno, today launched the largest-ever collection of searchable data on police use of surveillance technologies, created as a tool for the public to learn about facial recognition, drones, license plate readers, and other devices law enforcement agencies are acquiring to spy on our communities.
The Atlas of Surveillance database, containing several thousand data points on over 3,000 city and local police departments and sheriffs’ offices nationwide, allows citizens, journalists, and academics to review details about the technologies police are deploying, and provides a resource to check what devices and systems have been purchased locally.
Users can search for information by clicking on regions, towns, and cities, such as Minneapolis, Tampa, or Tucson, on a U.S. map. They can also easily perform text searches by typing the names of cities, counties, or states on a search page that displays text results. The Atlas also allows people to search by specific technologies, which can show how surveillance tools are spreading across the country.
Built using crowdsourcing and data journalism over the last 18 months, the Atlas of Surveillance documents the alarming increase in the use of unchecked high-tech tools that collect biometric records, photos, and videos of people in their communities, locate and track them via their cell phones, and purport to predict where crimes will be committed.
While the use of surveillance apps and face recognition technologies are under scrutiny amid the COVID-19 pandemic and street protests, EFF and students at University of Nevada, Reno, have been studying and collecting information for more than a year in an effort to, for the first time, aggregate data collected from news articles, government meeting agendas, company press releases, and social media posts.
For years, EFF has been monitoring a dangerous situation in Egypt: journalists, bloggers, and activists have been harassed, detained, arrested, and jailed, sometimes without trial, in increasing numbers by the Sisi regime. Since the COVID-19 pandemic began, these incidents have skyrocketed, affecting free expression both online and offline.
As we’ve said before, this crisis means it is more important than ever for individuals to be able to speak out and share information with one another online. Free expression and access to information are particularly critical under authoritarian rulers and governments that dismiss or distort scientific data. But at a time when true information about the pandemic may save lives, instead, the Egyptian government has expelled journalists from the country for their reporting on the pandemic, and arrested others on spurious charges for seeking information about prison conditions. Shortly after the coronavirus crisis began, a reporter for The Guardian was deported, while a reporter for the The New York Times was issued a warning.. Just last week the editor of Al Manassa, Nora Younis, was arrested on cybercrime charges (and later released). And the Committee to Protect Journalists reported today that at least four journalists arrested during the pandemic remain imprisoned.
The push to minimize the government’s power to track and spy on people with surveillance technology has picked up steam as the Black-led movement against racism and police brutality continues to push politicians to reconsider the role policing plays in our lives. Thanks to the tireless efforts of activists and organizations in Massachusetts and around the country, including EFF, this week Boston joins the ranks of cities that have banned government use of face surveillance.
Boston will become the tenth city in the United States to ban government use of face recognition technology. Last year, the state of California passed a three-year moratorium on the use of FRT on police body-worn and hand-held cameras.
The Boston ordinance [PDF] declares:
Whereas, Governments around the world are responding to the COVID-19 pandemic with an unprecedented use of surveillance tools, including face surveillance technology, despite public health and privacy experts agreeing that public trust is essential to an effective response to the pandemic; and
Whereas, Facial surveillance technology has been proven to be less accurate for African American and AAPI faces, and racial bias in facial surveillance has the potential to harm communities of color who are already facing increased level of surveillance and harassment; and
Whereas, Several municipalities in Massachusetts, including Springfield, Somerville, Brookline, and Cambridge, have passed local legislation to ban face surveillance…
In courts across the country, EFF has been arguing that the police cannot constitutionally require you to unlock your phone or give them your password, and today the Indiana Supreme Court issued a strong opinion agreeing with us. In the case, Seo v. State, the court found that the Fifth Amendment privilege against self-incrimination protected a woman against unlocking her phone because complying with the order was a form of “testimony” under the Fifth Amendment. Indiana joins Pennsylvania, which ruled strongly in favor of the Fifth Amendment privilege in a compelled decryption case last year. Meanwhile, state supreme courts in New Jersey and Oregon are also considering this issue.
Regardless of your opinion about Google, their suite of collaborative document editing tools provides a powerful resource in this tumultuous time. Across the country, grassroots groups organizing mutual aid relief work in response to COVID-19 and legal aid as part of the recent wave of protests have relied on Google Docs to coordinate efforts and get help to those that need it. Alternatives to the collaborative tools either do not scale well, are not as usable or intuitive, or just plain aren’t available. Using Google Sheets to coordinate who needs help and how can provide much-needed relief to those hit hardest. But it’s easy to use these tools in a way Google didn’t envision, and trigger account security lockouts in the process.
The need for privacy when doing sensitive work is often paramount, so it’s understandable that organizers often won’t want to use their personal Google accounts. But administering aid documents from a single centralized account and sharing the password amongst peers is not recommended. If one person accessing the account connects from an IP address Google has marked as suspicious, it may lock that account for some time (this can happen for a variety of reasons—a neighbor piggybacking off of your WiFi and using it to hack a website, for example). The bottom line is: the more IPs that connect to a single account, the more likely the account will be flagged as suspicious.
In addition, sharing a password makes it easy for someone to change that password, locking everyone else out. It also means that you can’t protect the account with 2-step verification without a lot of difficulty. 2-step verification protects accounts so that you have to use an app that displays a temporary code or an authentication key every time you sign in to an account. This protects the account from various password-stealing attacks.
The inaptly named Executive Order on Preventing Online Censorship (EO) is a mess on many levels: it’s likely unconstitutional on several grounds, built on false premises, and bad policy to boot. We are no fans of the way dominant social media platforms moderate user content. But the EO, and its clear intent to retaliate against Twitter for marking the president’s tweets for fact-checking, demonstrates that governmental mandates are the wrong way to address concerns about faulty moderation practices.