Deeplinks
Noteworthy news from around the internet.
Viacom's Statement on YouTube User Data Controversy
Posted by Kurt Opsahl
Viacom released the following statement today in response to the YouTube user data controversy (first reported on this blog):
"It is unfortunate that we have been compelled to go to court to protect Viacom's rights and the rights of the artists who work with and depend on us. YouTube and Google have put us in this position by continuing to defend their illegal and irresponsible conduct and profiting from copyright infringement, when they could be implementing the safe and legal user generated content experience they promise.
The Court's recent decision has triggered concern about what information will be disclosed and how it will be used. Viacom has not asked for and will not be obtaining any personally identifiable information of any user. Any information that we or our outside advisors obtain -- which will not include personally identifiable information -- will be used exclusively for the purpose of proving our case against You Tube and Google, will be handled subject to a court protective order and in a highly confidential manner."
In addition, the New York Times reported that:
Google and Viacom said they had had discussions about ways to ensure the data is further protected to assure anonymity.
“We are disappointed the court granted Viacom’s overreaching demand for viewing history,” Catherine Lacavera, Google’s senior litigation counsel, said in a statement. “We are asking Viacom to respect users’ privacy and allow us to anonymize the logs before producing them under the court’s order.”
Michael Fricklas, Viacom’s general counsel said: “We are investigating techniques, including anonymization, to enhance the security of information that will be produced.”
Mr. Fricklas added that Viacom would not have direct access to the information Google produces, and that its use would be strictly limited. Viacom would not, for example, be able to chase down users who illegally posted clips from “The Colbert Report” on YouTube.
“The information that is produced by Google is going to be limited to outside advisers who can use it solely for the purpose of enforcing our rights against YouTube and Google,” Mr. Fricklas said. “I can unequivocally state that we will not use any of this information to enforce rights against end users.”
It is encouraging to see that both Viacom and Google are responding to the important privacy interest raised by the court's order. We plan to continue discussions with the parties on ways to protect the privacy of the YouTube users and ensure that their rights under the Video Privacy Protection Act are given effect.
Court Rejects Attempt to Expand the DMCA
Posted by Michael Kwun
Yesterday, a district court dismissed several claims in the case Coupons, Inc. v. Stottlemire, in which we had, in March, filed an amicus brief. Coupons offers online coupons that consumers can access and print using software provided by Coupons. The software tries to limit the number of times a user can print each coupon. Coupons claims that John Stottlemire created a tool that modifies the Coupons software, allowing users to print more coupons.
The claims we were most interested in were Coupons's "anti-circumvention" claims under the Digital Millennium Copyright Act (DMCA). Coupons claimed that Stottlemire's tool circumvents technological measures that limit use of its coupons (a "rights-control" claim), but also tried to allege that the tool circumvents measures that limit access to those coupons (an "access-control" claim). The problem is that the tool doesn't have anything to do with access - anyone can access the coupons whether they use the original software or the modified software.
This isn't just an academic issue. While the DMCA prohibits the distribution of tools that circumvent rights or access controls, it prohibits actual circumvention (e.g., through use of such tools) only in the case of access controls. This is because controlling use of copyrighted material is already addressed by copyright law, and addressing it again in the DMCA would upset the careful balance between the rights of copyright owners and those of the public. As the court properly understood, maintaining a clear distinction between access-control claims and rights-control claims "leaves room for individual fair uses, adaptations for the blind, library research, and the other statutory exceptions to copyright." Because the court agreed that Coupons's DMCA claims "blur the carefully constructed distinction between 'access controls' and 'rights controls,'" the court dismissed the access-control claim. (The court is giving Coupons a chance to try to amend its access-control claim to see if it can save it, but it seems unlikely to us that Coupons can do that.)
At the hearing, EFF's positions were ably argued by Hari O'Connell and Domenic Ippolito, law student members of the Samuelson Law, Technology and Policy Clinic at the Berkeley School of Law.
minilinks for 2008-07-02
Posted by Hugh D'Andrade
- Is the Gov't Tracking Us Through Our Cellphones? Lawsuit Seeks Answers
A lawsuit brought by EFF and the ACLU seeks to force release of documents on cellphone tracking.
- RIAA requests internet filtering in international treaty
The ACTA treaty is too secret for the public to see, but the RIAA has been able to make suggestions -- including gutting "safe harbor" provisions that protect ISPs.
- US and Europe near agreement on private data
Law enforcement agencies are looking for common ground to increase the sharing of private data across the Atlantic.
- MPAA helps land criminal conviction in P2P case
A Homeland Security raid on EliteTorrents eventually led to the first jury conviction for P2P piracy.
- Warning to copyright enforcers: 3 strikes and you're out
EFF Fellow Cory Doctorow has a modest proposal to punish serial abusers of copyright law.
Cartoon: The Return of Snuggly, the Security Bear
Posted by Hugh D'Andrade
A few months back, SF Gate cartoonist Mark Fiore introduced his character Snuggly, the Security Bear, with a brilliant take on telecom immunity. Now, Snuggly is back, and he has a few words to say about "compromise."
What The New NSA Spying Decision Means for the Immunity Debate
Posted by Kevin Bankston
As we reported yesterday, Chief Judge Vaughn Walker of the Northern District of California has just issued a key ruling in Al Haramain v. Bush, one of the cases challenging the NSA's warrantless wiretapping program. Judge Walker is also overseeing the consolidated litigation against the telecoms. With the Senate poised to vote on the FISA Amendments Act and immunity this Tuesday, this decision is particularly timely, as it demolishes key arguments made by proponents of telecom immunity:
Myth: The telecoms can't defend themselves in court because of the government's assertion of the state secrets privilege.
Fact: The Al Haramain decision makes clear that the state secrets privilege will not prevent the telecoms from defending themselves, because FISA's evidentiary procedures preempt the privilege. See Opinion at p. 2 ("FISA preempts the state secrets privilege in connection with electronic surveillance for intelligence purposes.")
Myth: It's not fair to punish the telecoms for relying in good faith on the president's authorization to conduct the surveillance, even though it violated FISA.
Fact: In an extended discussion, the Al Haramain decision makes clear — or rather, shows how clear it already was — that the President's commander-in-chief powers do not give him the authority to ignore FISA. See Opinion at pp. 10-14, 23 ("[With FISA,] Congress appears clearly to have intended to — and did — establish the exclusive means for foreign intelligence surveillance activities to be conducted. Whatever power the executive may otherwise have had in this regard, FISA limits the power of the executive branch to conduct such activities....")
Myth: Getting new language in the FAA asserting that FISA is the exclusive means by which the President can conduct domestic surveillance is a fair trade for gutting FISA's long-standing protections and giving the telecoms immunity.
Fact: Again, the Al Haramain decision makes clear that FISA was already the exclusive means by which the President may authorize electronic surveillance. See Opinion at p. 13 ("[FISA's language] and its legislative history left no doubt that Congress intended to displace entirely the various warrantless wiretapping and surveillance programs undertaken by the executive branch and to leave no room for the president to undertake warrantless surveillance in the domestic sphere in the future.")
Myth: The cases against the telecoms were never going to go anywhere anyway, because of state secrets.
Fact: In discussing what level of evidence a plaintiff needs to demonstrate that they were "aggrieved" by electronic surveillance, and thereby avoid the state secrets issue by taking advantage of FISA's security procedures, Judge Walker specifically refers to the evidence put forward in the cases against the telecoms. See Opinion at p. 51 ("Plaintiff amici [i.e. EFF and others] hint at the proper showing when they refer to “independent evidence disclosing that plaintiffs have been surveilled” and a “rich lode of disclosure to support their claims” in various of the cases [against the telecoms].")
Myth: Letting the cases continue risks the disclosure to the public of information that would harm national security.
Fact: The Al Haramain decision makes clear that the telecom litigation would proceed under FISA's long-standing, never-breached security procedures, with classified evidence being considered by the court securely behind closed doors. See Opinion at pp. 18-19 (describing FISA security procedures, which preempt state secrets, as "Congress' specific and detailed prescription for how courts should handle claims by the government that the disclosure of material relating to or derived from electronic surveillance would harm national security....")
Myth: Anyone harmed by the surveillance program should just sue the government; why bother suing the telecoms?
Fact: Judge Walker's dismissal of Al Haramain's FISA claim, see Opinion at p. 56, following on the dismissal of the ACLU's case challenging the president's program in the Sixth Circuit, shows how cases against the government face their own challenges, and are no replacement for the telecom cases which remain the best bet for getting a ruling on the legality of the surveillance.
Myth: The telecoms have a "common law" defense for responding to the government's illegal requests.
Fact: As the Al Haramain decision explains, FISA's comprehensive regulation of electronic surveillance preempts the common law when it comes to such surveillance. See Opinion at pp. 16, 20 ("Congress through FISA established a comprehensive, detailed program to regulate foreign intelligence surveillance in the domestic context.... [Congress] inten[ded] that FISA should displace federal common law rules...with regard to matters within FISA's purview.")
Judge Walker's decision makes clear that Congress is about to pass telecom immunity based on arguments that are just plain wrong. Congress should take the time to look at the facts, rather than be fooled by the myths. It should not rush to judgment next week. If you haven't already, phone your Senators now and urge them to vote against ending debate on the FISA bill, vote for the amendments to the bill that would strip or weaken the immunity provisions, and vote against final passage of the bill.
Legal Filesharing on Campus?
Posted by Hugh D'Andrade
As EFF has been saying for years, the best way forward in the wars over illegal filesharing is the creation of a Voluntary Collective Licensing system. It sounds simple enough: Music fans would pay a small fee each month in exchange for a blanket license to share and download whatever they like. Collecting societies would collect the money and divvy it up between rights-holders based on which files are shared the most.
But how would such a system get started? One way to get a system like this up and running would be to start up in a university setting. As the RIAA well knows, students are already sharing files with increasing regularity over university P2P networks -- and increasingly getting sued for it. And, since universities are already charging fees to their students, it would theoretically be possible for universities to add a voluntary option to charge for such a service.
Recent UC Berkeley School of Information graduates Matt Earp and Andrew McDiarmid have produced an excellent master's thesis on how such a university-based VCL system might work. Their report, Investigating Voluntary Collective Licensing for Music File-Sharing at UC Berkeley, starts with the following questions:
Would such a system be attractive to students?
Is it technically achievable?
Is it in Berkeley's best interest?
How might the industry respond?
Earp and McDiarmid conducted interviews and surveys with students, UC administrators, music informatics firms, and music professionals with experience in digital music licensing. Not surprisingly, they found strong support in the UC community for VCL, with administrators expressing frustration at their difficult balancing act between adhering to copyright law and maintaining student privacy (a statement echoed by UCLA Director of IT Strategic Policy Kent Wada in his Educause paper "Get me out of the Middle"). They also found that 65% of students surveyed said they were willing to pay into a VCL system.
Interviews with music industry insiders were less promising. Earp and McDiarmid found music industry executives "wedded to the physical model" of selling plastic CDs and reluctant to give up control of digital content in favor of alternative compensation schemes. But they also found some reason for hope, noting that Warner Music has recently hired digital music guru Jim Griffin to investigate licensing options for the company.
Voluntary Collective Licensing will happen sooner or later. Hopefully universities will take advantage of their unique position to become part of a solution that gets artists paid while protecting their students from the constant threat of strong-arm tactics from an out-of-touch music industry empire.
Senator Hatch and Tinfoil Hats
Posted by Tim Jones
Apparently no longer even bothering with coherent or rational arguments, supporters of the flawed surveillance bill have now resorted to namecalling. Here's Senator Orrin Hatch's argument in last Thursday's Senate debate. (h/t ThinkProgress)


"How many times have we heard claims that the Protect America Act would permit the government to spy on innocent American families overseas, on their vacations? Or innocent American soldiers overseas serving their country? Or innocent American students who are simply studying abroad?
Painting this type of picture only feeds the delusions of those who wear tinfoil hats around their house and think that Nine-Eleven was an inside job."
That's a strong statement. Who exactly is Senator Hatch referring to?
Here's USA Today in May of 2005:
"National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth... For the customers of these companies, it means that the government has detailed records of calls they made — across town or across the country — to family members, co-workers, business contacts and others."
Here's The New York Times' Pulitzer-winning coverage in December of 2005:
"As part of the program approved by President Bush for domestic surveillance without warrants, the N.S.A. has gained the cooperation of American telecommunications companies to obtain backdoor access to streams of domestic and international communications, the officials said."
And here's The Wall Street Journal in March of this year:
"According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches ... The haul can include records of phone calls, email headers and destinations, data on financial transactions and records of Internet browsing."
It's a simple fact: AT&T and other telcos illegally sent millions of Americans' private domestic communications to the NSA for at least five years. Senator Hatch and other telco allies continue to make nonsensical accusations like this because they know arguing their case with actual evidence and substance is a lost cause.
If you haven't already, call your Senators now and tell them to oppose telco immunity and the new surveillance bill.
Breaking News: Court Holds That FISA Preempts State Secret Privilege
Posted by Kurt Opsahl
New NSA Spying Decision Undermines Arguments for Telecom Immunity
Today, Chief Judge Vaughn Walker of the Northern District of California issued an opinion in Al Haramain v. Bush, one of the cases challenging the NSA warrantless wiretapping program. The Court found that the Foreign Intelligence Surveillance Act (FISA) preempted the state secret privilege. This important decision is particularly timely, as it undermines key arguments for telecom immunity on the eve of the Senate vote on a FISA bill, set for next week.
The Court's Holding
The Al Haramain case alleges that the Bush Administration illegally targeted the leaders of an Islamic charity and their lawyers for warrantless surveillance by the NSA. Their claims are based on a secret document, accidentally disclosed to the plaintiffs by the government, that the plaintiffs allege demonstrates they were subjected to warrantless wiretapping (the contents of the document are tightly sealed as a state secret).
In today's decision, Judge Walker dismissed the Al Haramain case for the time being, but gave the plaintiffs leave to amend their complaint to assert more facts. This was the government's second attempt to dismiss the Al Haramain case. The first motion to dismiss reached the Ninth Circuit Court of Appeals, which returned the case to Judge Walker's court to consider whether FISA preempted the government's claim to secrecy.
The good news is that the Court held that "FISA preempts the state secrets privilege in connection with electronic surveillance for intelligence purposes and would appear to displace the state secrets privilege for purposes of plaintiffs’ claims." The Court rejected the expansive view of executive power promoted by the government, holding that the President's authorities under Article II of the Constitution do not give him the power to overrule FISA.
The bad news is that "FISA nonetheless does not appear to provide plaintiffs a viable remedy unless they can show that they are 'aggrieved persons' within the meaning of FISA." The Court ultimately found that Al Haramain had not provided a sufficient showing that they were "aggrieved," but gave permission to re-file the complaint with more information.
Decision Undermines Telecom Immunity Arguments
While the case only directly addressed the Al Haramain case, Judge Walker did mention the cases against the telecommunications giants who participated in the illegal surveillance program:
Plaintiff amici [i.e. EFF and others] hint at the proper showing when they refer to “independent evidence disclosing that plaintiffs have been surveilled” and a “rich lode of disclosure to support their claims” in various of the [NSA spying] cases.
Accordingly, so long as the telecom plaintiffs have unclassified evidence tending to establish that they were surveilled--which exists, for example, in Hepting v. AT&T, via AT&T documents provided by whistleblower Mark Klein--FISA's procedures kick into effect and the Bush Administration cannot unilaterally get rid of the telecom cases pursuant to the state secret privilege.
Moreover, this ruling would allow the telecoms to present their defenses. A major talking point for telecom apologists is that the telcos were unfairly prevented from mounting a defense by the state secret privilege. By holding that FISA's existing evidence security procedures preempt the state secrets privilege, the decision belies telecom immunity proponents' claims that the litigation was unfair because the privilege prevented the telecoms from defending themselves. It also refutes claims that the lawsuits against the telecoms weren't going to go anywhere anyway.
Yet, even as the prospects for accountability from the telecoms grow brighter with this decision, Congress is poised to prevent the courts from doing their job by unjustifiably granting immunity to these companies that violated the rights of millions.
Call your Senators today, and ask them to vote against retroactive immunity for law-breaking telecommunications companies.
Court Ruling Will Expose Viewing Habits of YouTube Users
Posted by Kurt Opsahl
Yesterday, in the Viacom v. Google litigation, the federal court for the Southern District of New York ordered Google to produce to Viacom (over Google's objections):
all data from the Logging database concerning each time a YouTube video has been viewed on the YouTube website or through embedding on a third-party website
The court’s order grants Viacom's request and erroneously ignores the protections of the federal Video Privacy Protection Act (VPPA), and threatens to expose deeply private information about what videos are watched by YouTube users. The VPPA passed after a newspaper disclosed Supreme Court nominee Robert Bork's video rental records. As Congress recognized, your selection of videos to watch is deeply personal and deserves the strongest protection.
The Logging database contains:
for each instance a video is watched, the unique “login ID” of the user who watched it, the time when the user started to watch the video, the internet protocol address other devices connected to the internet use to identify the user’s computer (“IP address”), and the identifier for the video.
Google correctly argued that “the data should not be disclosed because of the users’ privacy concerns,” citing the VPPA, 18 U.S.C. § 2710. However, the Court dismissed this argument with no analysis, stating “defendants cite no authority barring them from disclosing such information in civil discovery proceedings, and their privacy concerns are speculative.”
In a footnote, the Court references the VPPA, noting that the federal law “prohibits video tape service providers from disclosing information on the specific video materials subscribers request or obtain.” It is possible that the reference to "video tapes" in the VPPA was confusing. However, the Act is not limited to the technology available at the time of its enactment.
To the contrary, the act refers to “prerecorded video cassette tapes or similar audio visual materials.” A YouTube video may not be a videotape, but certainly qualifies as audio visual material. Thus, YouTube is a “video tape service provider” under the act, because it is “engaged in the business [of] delivery of … audio visual materials.” The VPPA protects “personally identifiable information,” which is defined to include “information which identifies a person as having requested or obtained specific video materials or services.” This is exactly what is in the Logging database.
Accordingly, pursuant to this federal law, the Court may not order the production of “personally identifiable information”:
in a civil proceeding [except] upon a showing of compelling need for the information that cannot be accommodated by any other means, if—
(i) the consumer is given reasonable notice, by the person seeking the disclosure, of the court proceeding relevant to the issuance of the court order; and
(ii) the consumer is afforded the opportunity to appear and contest the claim of the person seeking the disclosure.
Today’s court order made no finding that Viacom could not be accommodated by any other means, nor were the YouTube users provided with notice and an opportunity to contest the claim.
Instead, the Court focused on some statements made by Google on its blog:
We . . . are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot.
The Court also stated that Google did “not refute that the ‘login ID is an anonymous pseudonym that users create for themselves when they sign up with YouTube’ which without more ‘cannot identify specific individuals.’”
As an initial matter, this is factually insufficient. If any single one of the YouTube users in the Logging database picked a Login ID that does identify that user (i.e. if my YouTube login was kurtopsahl), then the Logging database's information about viewing habits is protected by the VPPA, even if others pick anonymous pseudonyms.
Furthermore, even Google’s IP address statement only asserts that “in most cases” the IP address is not identifiable, certainly not in all cases. Putting aside whether a Google Public Policy blog's statement on an unrelated topic can waive the privacy rights of YouTube users, the statement means that at least some YouTube users are identifiable, and must be protected by the VPPA.
In any event, the court ordered production of not just IP addresses, but also all the associated information in the Logging database. Whatever might be said about 'an IP address without additional information,' the AOL search history leak fiasco shows that the material viewed by a user alone can be sufficient to identify the user, even with neither a login nor an IP address.
The Court's erroneous ruling is a set-back to privacy rights, and will allow Viacom to see what you are watching on YouTube. We urge Viacom to back off this overbroad request and Google to take all steps necessary to challenge this order and protect the rights of its users.
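The point made above, that viewing history alone can single out a user even once login IDs and IP addresses are replaced, can be measured before any log is produced. The following is an added example, not part of the original post and not code from either party: it pseudonymizes a constructed log with the four fields the order describes, then reports how many users remain unique by the set of videos they watched. The sample rows, the key, the 16-character token length and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample rows in the shape the order describes:
# (login ID, start time, IP address, video identifier). Not real data.
SAMPLE_LOG = [
    ("kurtopsahl", "2008-07-01T09:00:00", "192.0.2.10", "vid_a"),
    ("kurtopsahl", "2008-07-01T09:05:00", "192.0.2.10", "vid_b"),
    ("kurtopsahl", "2008-07-01T09:09:00", "192.0.2.10", "vid_c"),
    ("anon1234", "2008-07-01T10:00:00", "198.51.100.7", "vid_a"),
    ("anon1234", "2008-07-01T10:04:00", "198.51.100.7", "vid_b"),
    ("xk_77", "2008-07-01T11:00:00", "198.51.100.8", "vid_a"),
    ("xk_77", "2008-07-01T11:03:00", "198.51.100.8", "vid_b"),
    ("qwerty", "2008-07-01T12:00:00", "203.0.113.5", "vid_a"),
    ("qwerty", "2008-07-01T12:02:00", "203.0.113.5", "vid_b"),
    ("viewer9", "2008-07-01T13:00:00", "203.0.113.9", "vid_d"),
]


def token(key, kind, value):
    """Keyed pseudonym: without the key, the token cannot be recomputed
    from a guessed login ID or IP address."""
    msg = f"{kind}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize(rows, key):
    """Replace login ID and IP address with tokens; keep time and video ID."""
    return [
        (token(key, "login", login), ts, token(key, "ip", ip), vid)
        for login, ts, ip, vid in rows
    ]


def _groups_by_viewing_set(rows):
    """Group user tokens by the exact set of videos each one watched."""
    watched = defaultdict(set)
    for user, _ts, _ip, vid in rows:
        watched[user].add(vid)
    groups = defaultdict(list)
    for user, vids in watched.items():
        groups[frozenset(vids)].append(user)
    return groups


def k_anonymity(rows):
    """Return (k, singled_out): the smallest number of users sharing one
    viewing set, and the tokens whose viewing set nobody else shares."""
    groups = _groups_by_viewing_set(rows)
    if not groups:
        return 0, []
    k = min(len(users) for users in groups.values())
    singled_out = sorted(u for g in groups.values() if len(g) == 1 for u in g)
    return k, singled_out


def suppress_small_groups(rows, k_min):
    """Drop every row of users whose viewing set is shared by fewer than
    k_min users. Timestamps stay in the rows and are not measured here."""
    keep = {
        user
        for users in _groups_by_viewing_set(rows).values()
        if len(users) >= k_min
        for user in users
    }
    return [row for row in rows if row[0] in keep]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: held only by the producing party
    pseudo = pseudonymize(SAMPLE_LOG, key)
    print("after pseudonymization:", k_anonymity(pseudo))
    print("after suppression:", k_anonymity(suppress_small_groups(pseudo, 2)))
```

On the constructed rows, two of the five users are still singled out after pseudonymization, and suppression removes four of the ten rows to reach k = 3.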
Surveilling Drivers For Safety, For The Environment, and For Profit
Posted by Peter Eckersley
There is a growing movement to surveil the drivers of cars — for insurance purposes.
One idea is that vehicle insurance premiums should depend on verifiable, periodic measurements of how far a car has been driven. The case for such premiums is strong: driving further clearly increases the risk of an accident, and "Pay As You Drive" premiums would allow (some) drivers to pay less for insurance; would allow insurance companies to make higher profits; and would reduce the congestion, greenhouse emission and traffic accident costs that each mile driven causes for society.
Another idea is that vehicles should collect data on the way that they are being driven (location, speed, acceleration and braking patterns, type of roads, time of day, smoothness of steering, etc). These measurements can be used to identify good drivers, and offer them insurance discounts — or to spot dangerous drivers, charge them higher premiums and encourage them to take driving skills courses. The policy case for this kind of measurement may turn out to be strong too, though it is less well-established.
The problem with these proposals is that they are often accompanied by a technical proposal for a tracking device that sits in your car and transmits voluminous data over wireless or satellite links, so that insurance companies can decide how much to charge you. Many modern vehicles are already collecting this information, and the insurance industry just needs to get a copy of it.
One state currently considering these schemes is California. The State's Department of Insurance held a workshop last week on how best to modify existing regulations to implement Pay As You Drive insurance. EFF participated in the process; you can read our letter to the Department (written with Andrew Blumberg at Stanford) here.
Briefly, EFF's view is that there is a perfectly good, ubiquitous and tamper-resistant device available for measuring vehicle mileage: the odometer. It may be good policy to require fine-grained dependence of insurance premiums upon mileage — but if so, the data should be collected by examining odometers rather than 24/7 wireless or satellite surveillance. We think the public agrees: a similar tracking scheme by UK insurer Norwich Union was abandoned this week.
The best way to protect drivers' privacy, of course, is to not record any facts about where and when and how they are driving at all. But in the long run, there may be sound policy cases for devices that spot dangerous drivers, or charge road tolls based on congestion, etc. If policy-makers are persuaded that there is a strong need for such systems, they need to be built in a way that has the minimal possible privacy consequences. Cryptography offers many ways to implement these kinds of schemes without compromising locational privacy (one technical example is described in this paper). The general principle is that only the minimal amount of information should leave the vehicle: the total billable amount, for instance. If verification is an issue, cryptography and some extra hardware can provide it.
If governments are persuaded that they should allow insurers or anybody else to use detailed information on location or other vehicle observations, they should mandate that these schemes not upload any information from vehicles except for the premium itself, and they should require that the privacy properties of any technology being proposed for vehicles be audited by the computer security community before it is deployed.
If we let insurance companies, car manufacturers or tech companies build a gigantic driver surveillance system, it will be exceedingly difficult to go back to the days where you could drive to a church, or a gay bar, or a political meeting, or a cheap motel at lunchtime, without some company (or hacker) permanently recording that fact.



