LinuxReviews.org -- get your Linux knowledge

EFF Challenges Secret Government Order to Shut Down Media Websites

Seizure of Servers Hosting Indymedia Websites Violates the First Amendment

San Francisco, CA -- The Electronic Frontier Foundation (EFF) is representing a coalition of independent Internet journalists whose websites were shut down on Thursday, October 7, when their servers were seized by the FBI. The two servers, which were located in the United Kingdom and managed by San Antonio-based Rackspace Managed Hosting, hosted Indymedia's Internet radio station and more than 20 Indymedia websites, as well as several email lists.

The seizure was in response to a "Commissioner's Subpoena" issued at the request of a foreign government. Citing a gag order, Rackspace has provided no further details. An FBI spokesperson has confirmed that the subpoena was issued at the request of Italian and Swiss authorities. Earlier this month, the FBI made informal requests to both Rackspace and Indymedia to remove an Indymedia news story that included photos of undercover Swiss investigators posing as anti-globalization activists. At the time, the FBI admitted that the posting did not violate US law.

EFF has contacted the FBI to demand Indymedia's illegally seized servers be returned and is preparing for legal action in the event that negotiations with the FBI fail. EFF is also calling on Rackspace to challenge the government's illegal seizure. "If Rackspace stands behind its claim of providing 'Fanatical Support' to its customers, it will go to bat for Indymedia--one of its biggest customers--and demand that the FBI return the seized Internet servers," said Kurt Opsahl, EFF staff attorney. "Rackspace should also fight for its own rights and challenge the gag order preventing it from sharing its side of the story." A federal court in New York City recently found a similar gag order unconstitutional in Doe v. Ashcroft, the ACLU's challenge to a secret PATRIOT Act subpoena served against an Internet service provider.

"The FBI can't pull the plug on more than 20 news websites -- our modern printing presses -- based on a secret proceeding at the request of a foreign government. This is a flagrant violation of the First Amendment," said Kevin Bankston, EFF attorney and Equal Justice Works/Bruce J. Ennis Fellow. "As far as the Constitution is concerned, Indymedia has the same rights as any other news publisher. The government can't shut down the New York Times, and it can't shut down Indymedia."

The Indymedia seizure bears a striking resemblance to EFF's very first case, Steve Jackson Games v. US Secret Service. In that case, the Secret Service seized the hardware and software of Steve Jackson Games, an Austin, Texas-based computer game publisher. That seizure, which shut down an Internet bulletin board and email server in addition to disrupting the publisher's business, was found to be an illegal violation of the publisher's rights.

Contact:

  Kevin Bankston
  Attorney, Equal Justice Works / Bruce J. Ennis Fellow
  Electronic Frontier Foundation
  bankston@eff.org
  
  Kurt Opsahl
  Staff Attorney
  Electronic Frontier Foundation
  kurt@eff.org

For inquiries about Indymedia:

  Devin T. Theriot-Orr
  Edwards Sieh Smith & Goodfriend
  devin@essglaw.com

See also: FBI seizes Global Indymedia Servers. Reasons Unknown


Deeplinks
  • Hey Google, Can We Have Data About FISA Court Orders Too?

    Google took an unprecedented and fantastic step towards greater transparency earlier this week by releasing data about National Security Letters that it receives, but there is another class of government orders for user data that we are still totally in the dark about: Foreign Intelligence Surveillance Act (FISA) court orders. More transparency – even in broad brush strokes – related to how FISA orders are used to access user data would be extremely helpful for users concerned about government access and the opaque FISA process.

    Congress passed FISA in 1978 to create a legal framework for conducting surveillance during foreign intelligence investigations. Prior to the passage of this law, there was some ambiguity about the role of the courts and Congress in regulating the Executive's conduct in national security investigations. But FISA changed that: it created a procedure and a specialized court, the so-called FISA court, to oversee national security surveillance and to serve as a check on the government's surveillance powers.

    Unlike most American courts, the FISA court is a secret court, so its proceedings are done behind closed doors and any orders it issues come accompanied with a gag order (meaning that people and companies who receive an order can't tell anyone about it). There are open questions about how the government is interpreting and implementing many provisions of FISA, including the recently reauthorized FISA Amendments Act and Section 215 of the PATRIOT Act, the so-called “business records” provision. The specifics remain shrouded in secrecy, but Senators Ron Wyden, Mark Udall, Rand Paul, and Jeff Merkley, among others, have indicated repeatedly that Americans would be “stunned” to find out how the government is interpreting and using these provisions.

    Given the secrecy surrounding FISA and the public condemnation of elected officials, it's understandable that the public is concerned about how the law is being interpreted and used as well. Releasing data about FISA court orders, even aggregated data, would help shed light on what is, presumably, the most secretive tool in the federal government's surveillance toolkit. Such a release from Google, for example, could demonstrate (or disprove) that FISA orders do NOT authorize dragnet surveillance of large numbers of Google users at once.

    Getting more clarity would be a good thing for Google users and the American public, and we hope that Google finds a way to navigate the legal waters in order to publish aggregated data about the orders it receives through FISA.

  • A Tale of SimCity: Users Struggle Against Onerous DRM

    It was the best of times, it was the worst of times, for the latest installment in the popular SimCity video game franchise, which was released this week to massive sales, and then just as quickly, an epic fail as the paying customers were unable to play the game they just bought. The culprit isn't the game itself, which by most accounts is pretty good; no, the problem is the game's DRM scheme.

    That software requires each user to maintain an "always online" connection to the publisher's authentication server—even for single player mode—but the publisher, Electronic Arts, is having trouble keeping that server available. Even if you connected, the double helping of fail continued: all cities are saved to the cloud, and if the servers bug out, hours of work can go up in smoke faster than Godzilla can decimate a metropolis. No more local saves, lest you manage to defeat the DRM.

    EA has had so many problems, in fact, that it's temporarily disabled the kinds of features that might actually benefit from an online connection. You know, the very reason that the online connection was supposed to be a "feature" for users. As a result users are currently suffering through all of the headaches of buggy DRM without any of the upsides of being online.

    This story may sound familiar. That's because SimCity is just the latest big flop for DRM, which hurts consumers, undermines innovation and competition, and unnecessarily preempts users' fair use rights — all without having a real effect on "piracy." Last year's blockbuster game Diablo III suffered from many of the same problems. And another publisher, Ubisoft, insisted on using "always online" DRM for all of their top titles for years, before finally accepting that it was harming legitimate purchasers without slowing down the "pirates" at all. In fact, unauthorized copies of the games had removed the need to maintain a constant connection with the authentication servers, making the playing experience better in some cases. Publishers may disagree about the solution to problems posed by unauthorized copying and the challenges of "competing with free," but surely the first step in that competition is not making the legitimate product worse than the free one.

    In the few days since the new Sim City's launch, the game has racked up over 1,000 1-star reviews on Amazon, followed by its temporary suspension from the store. An online petition aimed at Electronic Arts dropping its "always online" DRM from Sim City and future games has racked up 35,000 signatures and counting. A Reddit AMA with the developers was dominated by disgust for the DRM. Clearly, the decision to include DRM on this title has been a major problem for Electronic Arts, but the underlying problem is much larger.

    DRM's Ugly History

    Even outside of the world of video games, DRM's got an ugly history of upsetting consumers and even leading to legal action. The most notorious may be Sony's inclusion of a rootkit on music CDs — essentially a malware tool — that raised major security and privacy concerns among CD buyers.

    Since then, music companies have mostly seen the light and dropped DRM, but other media lag behind. Ebooks, for example, are largely sold wrapped in the digital locks, though a few forward-thinking publishers have seen good results dropping it. The movie studios are working hard to push the latest DRM-laden movie format, a physical/digital combination called UltraViolet, but early reviews are in and not very positive.

    And the troubles with DRM are not limited to reducing access in bits and pieces — it can extend to disabling content altogether. When the company running the authentication server decides the maintenance costs are too high, it can flick a switch and render the content useless. This isn't hypothetical, either: Google, for example, killed its video offerings after buying YouTube, making previously purchased videos unplayable. Electronic Arts itself regularly announces which games it will be turning off for legitimate users.

    DRM's Evil Henchman: DMCA 1201

    While DRM software is busy keeping you from freely using all the content you legitimately bought, the worst kept secret in the industry is that it always gets broken. And of course, once it is broken even once, DRM-free copies become available for unauthorized download. So in order to give this ineffective software some legal teeth, the content industry pushed for a law that became section 1201 of the Digital Millennium Copyright Act (DMCA).

    Section 1201 regulates the circumvention of "access control measures" like DRM. Never mind that there is already law that covers actual infringement; because of section 1201, bypassing DRM systems even for noninfringing fair uses might get you targeted for a lawsuit. This is the same law that might affect cell phone unlocking, a rule that the Obama administration has said is out of line with common sense.

    Congress knew an outright ban on circumvention tools wasn't workable, so it included a process for the Librarian of Congress to establish some temporary exemptions. EFF has worked to put some important exemptions in place, but those must be renewed every three years. The process is time-consuming and difficult, and as we explained before the 2006 rulemaking, "fundamentally broken."

    No wonder, then, that there's a growing movement to fix this part of the DMCA. You can join EFF and a number of other groups on a campaign called Fix the DMCA that targets section 1201 for reform or repeal.

    What Can Users Do?

    Video game players frustrated with the DRM situation can vote with their thumbs, sending a message by rejecting games that come tangled up with anti-consumer software. The success of sales platforms like Humble Bundle — which sells collections of DRM-free games and supports EFF with a user-determined portion of the proceeds, and is offering a new bundle now — demonstrates that companies can have success and respect their users at the same time.

  • New Bill Would Ensure Law Enforcement Gets a Warrant Before Reading Email

    H.R. 983 seeks to reform outdated Electronic Communications Privacy Act

    Wednesday, Representatives Zoe Lofgren (D-Calif.), Ted Poe (R-Texas) and Suzan DelBene (D-Wash.) introduced legislation (H.R. 983) that would ensure law enforcement obtains a warrant before accessing our private electronic communications or location data. This bill, while not a complete fix, is trying to provide a much-needed update to the Electronic Communications Privacy Act (ECPA) of 1986. Though forward-thinking when it was first introduced, ECPA unfortunately was written for the technologies of the 80’s – long before the advent of cloud storage, modern webmail, and location-aware tablets and phones. ECPA’s outdated language has left loopholes which the government has attempted to exploit by arguing that they can access your old emails and documents you store in the cloud without going to a judge and getting a court-issued warrant. 

    Honestly, we think that’s an absurd argument and runs totally contrary to the principles of the Fourth Amendment. In fact, we’ve fought in court again and again for user privacy when it comes to their digital documents and electronic communications. But even as we continue to fight this issue in the courts, we’re asking Congress to step in and update ECPA to make sure that the Department of Justice knows they can’t read our emails, rummage through our Google documents, or track our cell phones without a warrant.

    One of the best parts of H.R. 983 pertains specifically to government collection of location data. The bill says:

    No person may obtain the geolocation information of a person for protective activities or law enforcement or intelligence purposes except pursuant to a warrant…

    So what happens if the government disregards this rule and collects location information anyway? That information can’t be used as evidence in court - thus ensuring law enforcement is incentivized to get a warrant before tracking our locations.

    Protecting the privacy of users’ location data is an issue we’ve long championed in court, submitting numerous amicus briefs arguing for a search warrant requirement in cases involving cell phone location records [PDF] and GPS devices. It’s also a fundamental component of our ECPA activism campaign.

    For the last couple years, we’ve been advocating for ECPA reform through a petition on our website.  And last year, the Senate Judiciary Committee responded by passing ECPA reform out of committee – a huge step forward to getting these reforms codified into law. We're also pleased to see states taking up this issue, including proposals in Texas and California.

    We’re pleased to see Representatives Lofgren, Poe, and DelBene take up this crucial issue, but the current draft isn’t a perfect solution to all ECPA woes. For example, the bill has room for improvement on the issue of evidence suppression for email content collected without a warrant. We hope this already promising bill can be further improved through amendments.

    By introducing this reform bill, the 113th Congress has an opportunity to enact powerful protections for everyday Internet users – which would be particularly appreciated, since all too often Congress uses its power to try to undermine our digital civil liberties.

    If you agree that the government shouldn’t be snooping through inboxes without a warrant, then please sign our petition, which will automatically send an email to Congress demanding they reform ECPA.

    Read the bill here (PDF).

  • How To Opt Out of Receiving Facebook Ads Based on Your Real-Life Shopping Activity

    Facebook has announced that it’s teaming up with four of the world’s largest corporate data brokers to “enhance” the ad experience for users. Datalogix, Epsilon, Acxiom, and BlueKai obtain information gathered about users through online means (such as through cookies when users surf the web) as well as through offline means (such as through loyalty cards at supermarkets and product warranty cards).[1] Through the new relationship with Facebook, companies will be able to display advertisements to Facebook users based on data that these data brokers have on individuals.

    In practical terms, this means that limiting how much information you put on Facebook is not enough to limit how ads are targeted to you on Facebook. Your interests, age, shopping history (including offline), web browsing, location, and much more could be stored by these data brokers and utilized to market to you – even if you’ve been careful not to share this type of information with Facebook.

    So, what can users do? If you’re concerned about this practice, you can opt out of the targeted advertisements by individually visiting each of the data broker partners currently working with Facebook. We've got directions below for opting out of each site.[2]

    We also have two general tips:

    1.  Install an add-on to protect your privacy online. Facebook is using "blind cookie-matching" to match up users of online marketer BlueKai with specific Facebook accounts. We'll explain the mechanics of this more in another post, but for now it's good to know that blocking trackers is a good general practice for stopping this type of tracking. We recommend you use a tool such as Ghostery (now available on Firefox, Safari, Chrome, Opera and Internet Explorer) or Abine's DoNotTrackMe (available in Firefox, Safari, Chrome and Internet Explorer) or AdBlockPlus with EasyPrivacy Lists. See more comprehensive instructions in our 4 Simple Changes to Stop Online Tracking.

    2. Avoid giving your phone number and email address to companies when possible. Facebook and these companies are primarily using hashed email addresses to match users between databases, though they may also use hashed phone numbers. If you’re filling out a survey or signing up to receive email updates from a website, consider creating and using a different email address than the one you associate with your Facebook account. Similarly, consider setting up an alternate phone number you can give to companies apart from the phone number you connect with your social media accounts.

    Opt Out Instructions:

    Note that in general, opting out of data brokers will not necessarily result in your data being removed from their lists. Instead, these companies will generally 'suppress' your information from certain uses -- including, hopefully, in the batches of data sent to Facebook. The process below is rather Byzantine, but you really do need to opt out of all four data brokers separately to get out of this program.

    Acxiom

    1. To get started, visit Acxiom's Opt Out Form. Then scroll down until you see your "opt-out choices." Here there will be a list of the types of media you would like to opt out of (mail, telemarketing, email, and online advertising).  You can check all four, though note that their online advertising opt-out is cookie-based, meaning it will disappear every time you clear your cookies. 

    2. Certify that you are just a single person.

    3. Fill out the form with your personal information. In order to be sure that Acxiom doesn't target advertisements at you through Facebook, you'll want to provide Acxiom with the phone number and email address associated with your Facebook profile. Use the green + signs on the form to add information.

    4. Click submit. After you hit submit (and get through a CAPTCHA), you'll be offered a chance to install Acxiom's opt out cookie. You can choose to do this or not, but remember that this is not a persistent method of protecting your privacy: the opt out cookie will disappear as soon as you clear your cookies. See instructions below for opting out of BlueKai for advice on dealing with web tracking.

    5.  You will then receive an email with a link in it from Acxiom. You can click on this link or else copy and paste it into a new browser window. Visiting this page will take you to another CAPTCHA. Fill this out. Congratulations - you've opted out of Acxiom!

    Datalogix

    1. To opt out of this program, visit the Datalogix.com privacy page. Scroll down to the word “Choice” and the last sentence in the first paragraph says:

    If you wish to opt out of all Datalogix-enabled advertising across channels including direct mail, online, mobile and analytic products, click here.

    2. Click there and a form will pop up that asks for your name, address, and email address. Fill this out and click submit.

    Datalogix promises that the opt-out will take effect within 30 days. Once you’ve been opted out, Datalogix will no longer include your information in the hashed data they provide to Facebook. 

    Epsilon

    As Epsilon explains on their Consumer Preference Center page, there are several ways to opt out of the Epsilon marketing database: 

    EMAIL: Email optout@epsilon.com and include the following information:

    • full name (including middle initial)
    • current address
    • previous address if you have been at your current address fewer than six months

    PHONE: Phone 1.888.780.3869 and leave the above information.

    MAIL: Mail the above information to the below addresses:

    U.S. Consumers: Epsilon
    P.O. Box 1478
    Broomfield, CO 80036

    Canadian Consumers: Epsilon
    41 Metropolitan Rd.
    Toronto, Ontario
    M1R 2T5

    We note that not all of these methods require you to provide an email address.  Epsilon may have methods to match your name with your email, but you can also provide your email address to be sure.

    Note that opting out doesn't actually remove the data from Epsilon's database but rather just marks it as "suppressed" so they will stop sharing it for marketing purposes. This means that if the information is ever re-submitted, you won't be added back to the list.

    BlueKai

    Unlike the other data brokers Facebook is working with on this new project, BlueKai does not directly collect data from your offline activities. Instead, they use tracking cookies that collect data about your online browsing habits and then use that information to infer what types of products you might like to buy.

    The best way to opt out of this is to use a browser add-on to block third-party tracking. Rather than try to block only BlueKai, we recommend you block all third-party trackers. You can use a tool such as Ghostery (now available on Firefox, Safari, Chrome, Opera and Internet Explorer) or Abine's DoNotTrackMe (available in Firefox, Safari, Chrome and Internet Explorer) or AdBlockPlus with EasyPrivacy Lists. See more comprehensive instructions in our 4 Simple Changes to Stop Online Tracking. For a discussion on the relative efficacy of different anti-tracking tools, check out Stanford researcher Jonathan Mayer's analysis.[3]

    If you've made it this far, then congratulations -- you've managed to get out of Facebook's new data broker-driven targeted marketing, and helped protect yourself from several important data brokers.  

    You may have noticed that protecting yourself from this type of targeted advertising is cumbersome and complex. The data brokers' opt-out process is unnecessarily complicated, suggesting that the brokers have no confidence people would stay within their program if opt-out were easy.  This illustrates the problem--the supposed enhancement of targeted ads is not something the consumers want or would choose if the option were readily available.

    Given these challenges, Facebook could do more to help their users, providing a one-click opt-out for those who would like to socialize with their friends without seeing advertisements that are targeted to them based on things they did off of Facebook. With an opt-out on Facebook, you would never find yourself back in the program on Facebook, even if it decided to add another data broker partner.

    And Facebook could insist that its partners respect these opt-outs across their networks. Facebook has enough market power over the data brokers to really help their users, by encouraging these companies to respect user choice and make it easy for users to opt out.

    • 1. Some companies are engaged in strictly-offline data collection, others in strictly-online data collection, while others use a combination.
    • 2. Note that some data brokers act as third-party data storage companies, hosting data that is owned by other companies. Opting out through the process described in this blog post will not remove your data from databases in which the broker is merely acting as a service provider for another company's data storage needs.
    • 3. You could also install BlueKai's opt out cookie. We don't recommend this because you'll lose the opt-out cookie as soon as you clear your cookies.
  • Senate Demands Answers About Aaron Swartz, But More Must Be Done

    Members of Congress continue to demand more answers from the Department of Justice (DOJ) about the aggressive prosecution of the late Aaron Swartz. Yesterday, at a Senate Judiciary Committee hearing about general Justice Department oversight, Senator Cornyn—who initiated one of the two congressional investigations into Aaron's death—asked Attorney General Holder about Aaron's prosecution.

    Take action to fix computer crime law.

    The Attorney General denied any prosecutorial misconduct, but, at the behest of Senator Leahy, did promise to look into the aggressive use of the Computer Fraud and Abuse Act (CFAA)—one of the laws used to prosecute Aaron. Aaron’s case proved the CFAA is ripe for abuse. You can go here to tell your representative to support reform.

    The other congressional investigation, led by Rep. Darrell Issa, has not released anything publicly, but received a closed door briefing two weeks ago by the DOJ. At the briefing, prosecutors admitted that Aaron’s political speech, specifically his Guerilla Open Access Manifesto, a document collaboratively written years before his alleged crime, was a main motivator in pursuing a case against Aaron. Of course, prosecuting someone, or prosecuting them more severely, because of their speech should raise red flags for Congress. Additionally, according to Techdirt, a DOJ representative also admitted “that part of the reason it insisted on having Swartz plead guilty to a felony and go to jail, no matter what, was that it feared the public backlash for the original arrest if they couldn't then show a felony conviction and jailtime.” The investigations intend to get at the root of these troubling facts.

    Congress’ attention to Aaron's case is a good first step. But more must be done: users can join us and urge Congress to reform the draconian CFAA to scale back the discretion that prosecutors have against people like Aaron. A hearing is scheduled next week on the issue, but so far it seems that it may be focused on the DOJ’s dream of getting even more power and making the CFAA even more draconian, rather than on rationalizing it. 

    Investigations Into Aaron's Prosecution Still Unanswered

    The public is still waiting to hear the outcome of investigations into Aaron's death and we urge Congress to be as transparent as possible about them. Rep. Issa and Senator Cornyn's investigations have each asked important questions about the CFAA and the aggressive prosecution of Aaron. The public needs to know the DOJ’s specific answers and whether Congress is satisfied with them. Rep. Issa has said he plans to hold a hearing on the issue, but no date has been announced.

    In the Senate, Cornyn has not received any responses from the DOJ. Answers to Cornyn's letter will shed light on many of the core problems in the DOJ's prosecution. One question asks to know why the prosecution continued after JSTOR withdrew its support. Even the state prosecutor in Massachusetts decided to let Aaron off with a stern warning until federal prosecutors stepped in. How did this prosecution get so far off track? Outside of Congress, MIT is investigating the school's role in the government's prosecution. All three investigations should be completed soon, but no updates have been released.

    More Can Be Done

    The Senators' questions are a good first step, but they are no replacement for reforming the CFAA—a law that allowed prosecutors to charge Aaron with felonies that carried 35 years in prison and over $1 million in damages. It's a law that is far too often used to stifle innovation with excessive penalties. Orin Kerr, an ex-DOJ prosecutor and Professor, described the CFAA as a law the government could use to put "any Internet user they want [in jail]." The law’s wide latitude must be narrowed to go after real cyber criminals, not security researchers and activists. Tell Congress now is the time to reform the law.

  • Reform the CFAA: Don't Let It Stop The Next Steve Jobs, Bill Gates, or Mark Zuckerberg

    Steve Jobs, Bill Gates, and Mark Zuckerberg. All three are credited with creating some of the most successful businesses in the history of the Internet, but they also have something else in common: they got their start by innovating near the edge of the law.

    If these titans of industry had faced the sort of overly aggressive prosecution that the late Aaron Swartz did, they could have been threatened with being locked away and branded felons before ever starting Apple, Microsoft, or Facebook. They might have even faced a ban against their use of computers, rather than using them to create hundreds of thousands of jobs.

    Their stories are one of the most important reasons why the CFAA must be reformed (please go here to take action).

    Mark Zuckerberg and the Precursor to Facebook

    Mark Zuckerberg, the billionaire founder of Facebook, recently defended the oft-maligned term “hacker,” recognizing that testing boundaries is a key part of innovation:

    “The word “hacker” has an unfairly negative connotation from being portrayed in the media as people who break into computers. In reality, hacking just means building something quickly or testing the boundaries of what can be done. Like most things, it can be used for good or bad, but the vast majority of hackers I’ve met tend to be idealistic people who want to have a positive impact on the world.”

    Zuckerberg may have been speaking from personal knowledge. In 2006, while a sophomore at Harvard, Zuckerberg created a website called “Facemash” which compared photographs of Harvard’s entire population, asking users to compare two photos and vote on who looked better. Zuckerberg allegedly got access to these photos by “hacking” into each of Harvard’s nine House websites and then collecting them all on one site. It’s not clear what this “hacking” was, but since the charges against him included “breaching security,” it may have run afoul of the law.

    What is known is that Zuckerberg claimed he only wanted a few people to see the site and, despite that, the site’s popularity exploded. He was called before the school’s disciplinary board and took down the website permanently due to privacy concerns, but was not forced to leave school. Most importantly for the rest of us, it appears that Harvard did not involve law enforcement in the matter and Zuckerberg was never prosecuted.

    What Steve Jobs and Steve Wozniak Did Before Apple

    Zuckerberg was following in the footsteps of the technology giants before him. Columbia Law Professor Tim Wu notes in the New Yorker that Apple co-founders Steve Jobs and Steve Wozniak did acts that were “more economically damaging than, Swartz’s.” The two college roommates made what were called “blue boxes,” cheap devices that mimicked a certain frequency that allowed them to trick AT&T’s telephone system into making free long-distance calls. They also sold blue boxes before moving on to bigger and better ideas.

    Years later, Jobs would say in an interview, “Experiences like that taught us the power of ideas…And if we hadn’t have made blue boxes, there would’ve been no Apple.”

    Bill Gates and Paul Allen's Youthful Indiscretion

    Wu, writing about Jobs and Wozniak in the context of Aaron’s death, remarked, “The great ones almost always operate at the edge.” Bill Gates and his Microsoft co-founder Paul Allen may have even gone beyond that edge.

    In his autobiography, Allen told the story of when the two future billionaires “got hold of” an administrator password at the company they worked at before starting Microsoft. The company had timeshared computers and Allen and Gates were getting charged for using them for their personal work.

    The two men used the password to access the company's accounts and set about trying to find a free runtime account so that they could carry on programming without having to pay for the time. They also copied the account database for later perusal. However, management got wise to the plan.

    "We hoped we'd get let off with a slap on the wrist, considering we hadn't done anything yet. But then the stern man said it could be 'criminal' to manipulate a commercial account. Bill and I were almost quivering."

    They got off with a warning instead. The rest is history.

    Protecting Innovators and Entrepreneurs

    After their close calls, Gates, Allen, Jobs, and Zuckerberg went on to create three of the biggest technology companies in the world. While Aaron’s interests were not corporate, the technological innovation he helped create and foster during his short life makes clear how much we've lost with his passing. As Kevin Poulsen of Wired put it:

    Worthy, important causes will surface without a champion equal to their measure. Technological problems will go unsolved, or be solved a little less brilliantly than they might have been. And that’s just what we know. The world is robbed of a half-century of all the things we can’t even imagine Aaron would have accomplished with the remainder of his life.

    The CFAA and other computer crime laws shouldn’t allow overzealous prosecutors to lock away the next Steve Jobs or Aaron Swartz for years, or even to threaten to do so in order to force them to plead guilty. In all of their names, it’s time we bring some proportionality back to computer crime laws, both in their scope and in the penalties they provide.  

    The CFAA can (and should) reach serious computer intrusions that cause real damage, as should related laws criminalizing identity theft, stealing trade secrets, or engaging in massive fraud. But the law needs to recognize the difference between commercial criminals and those who are merely “testing the boundaries” or engaging in youthful indiscretions. Right now, it hands prosecutors the same sledgehammer regardless. 

    Please go here to take action and tell your Congressional representative to fix the CFAA and support Aaron’s Law. Remind them that fixing computer crime law is not only fair and just, it’s also good for America’s future entrepreneurs and innovators. 

    ~

    Image credits: California Department of Corrections and Rehabilitation, Liam Quinn US Treasury Department, Guillaume Paumier, Acaben. Used under a Creative Commons Attribution-ShareAlike 2.0 Generic license.

  • Students: Get Your University Press to Support FASTR

    Many schools have associated nonprofit publishing bodies known as university presses. These institutions usually publish academic books with the intent of disseminating important knowledge and promoting the public good. With this mission in mind, it would seem as though these academic centers would be among the first to support the Fair Access to Science & Technology Research Act, or FASTR, a bill that would provide public access to a huge majority of taxpayer-funded research—much of which happens at colleges and universities.

    Is Your University Press a Member of the AAP?

    Many university presses, however, are members of the Association of American Publishers (AAP), an organization that opposes FASTR (yet supports the White House public access memo). The AAP had earlier supported the ill-fated Research Works Act, a bill that would severely curb open access policies that thousands of researchers—and eventually scientific journal powerhouse Elsevier—came out against.

    Ask your university press to disavow the AAP stance on FASTR. Universities, as major recipients of federal funding for research, should be in support of a strong public access bill; their own publishing shops should not, by default, subscribe to the AAP's position.

    You can use the following letter:

    To Whom It May Concern:

    As a student, I care about having access to the latest scientific research—especially research that is funded by taxpayer money.

    The Fair Access to Science & Technology Research (FASTR) Act, introduced with bipartisan support in the House and Senate, would sanction a public access policy across major federal government funding bodies—including those that support our university's research.

    Our university is dedicated to advancing knowledge and promoting the public good. In keeping with this mission, our university press should come out in support of FASTR and disavow the negative stance taken by the Association of American Publishers, which has a history of rejecting strong open access policies.

    Sincerely,

    [Your Name]

  • States Seek Ban to Employers' Social-Media Snooping

    When EFF considers a job applicant, we ask for the usual information: a resume, references, maybe writing samples. When we decide to hire someone, we require a few more pieces of personal data, the standard HR stuff, to ensure the lucky employee gets paid on time and is covered by health insurance.

    What doesn’t EFF demand? Social media passwords.

    We don’t require applicants to unlock their Facebook accounts and reveal their private communications, photo albums or calendars. No one here demands that potential employees unlock their Twitter or Google+ accounts to expose their private, direct messages. We certainly don’t want to know what they’re posting about themselves on online dating sites or on closed Bible study messageboards.

    This isn’t only because EFF respects its employees’ privacy. It’s because, as of Jan. 1, it’s the law in California.

    Last year, Maryland became the first state to explicitly prohibit employers from forcing applicants or workers to disclose their personal names or passwords as a condition of employment. California followed soon after with its own measure, which further bars private employers from even requesting access to their workers' social-media accounts. According to the National Conference of State Legislatures, some 28 states are weighing legislation addressing the issue in one regard or another in 2013.

    Broadly speaking, an individual should not have to open up their online private lives to get or keep a job. Not only is it an invasion of the job-seeker’s privacy, but such practices expose personal information belonging to friends and family members who thought they were communicating privately within a closed network.

    Think of it another way: You wouldn’t want to hand the keys to your apartment to a potential employer and let them rummage through your cupboards, pick through your diary and sit in the corner during your dinner parties. And, even if you were open to that, you’d probably have some pretty irritated houseguests and roommates.

    The legislative proposals across the country vary. In one case brought to our attention by the Columbus Dispatch, the state senate in Ohio began hearings last week on legislation that includes a peculiar twist.

    The language in SB 45 only bans employers from “recklessly” demanding applicants provide access to their social media accounts. On one hand, it’s encouraging that the Ohio legislature is looking at the issue, but we’re curious why the authors would only ban reckless privacy invasion rather than propose an across-the-board ban on the practice. After all, that kind of qualifier is fairly subjective; what we might consider abuse in regards to privacy, a company might deem responsible to its corporate mandate.

    While Ohio seeks limited reforms, California is seeking to expand its ban this session to cover public entities, including law enforcement agencies. The bill, AB 25, raises some fascinating questions, especially with regard to civil liberties.

    According to U-T San Diego, local law-enforcement agencies require recruits to sit down with an officer and open their Facebook accounts. Although the agencies already run applicants through rigorous background checks, recruiters claim a social-media inspection is one more way to “weed out weak links,” as the columnist put it.

    A citizen’s gut reaction might be, “OK, sure, we do want to know what potential cops are saying on Facebook.” But imagine this scenario: A Facebook friend of yours is applying to be a deputy and gives the recruiter the password to his account. Suddenly, a law enforcement agency has access to your private posts—the ones that would only show up in your friend’s feed or mailbox—without anything remotely resembling a warrant and certainly not your consent.

    In an economy where jobs are scarce, an unemployed individual is under significant pressure to yield to whatever requirements an employer might set, no matter how invasive. This is just another way concepts of privacy are under attack in the digital age and, as always, a social media user needs to consider that what they post online might not be as confidential as they assume. Employers are frequently using search engines to vet recruits and so it’s important to be aware of your privacy settings on sites such as Facebook (here's one guide to locking down your account).

    If you’re an employee or looking for a job, it can help to become familiar with your state laws as well as the social-media policies for the companies where you’re applying. The Privacy Rights Clearinghouse has a comprehensive fact sheet on social media privacy that covers these issues, as well as resources to help you understand the pitfalls and limits to background checks. ComplianceBuilding.com has a running spreadsheet of social-media policies enacted by more than 230 large employers.

    Fortunately, in some states you do have rights and in other states you will have rights soon. That is, if the forces of privacy prevail. While these measures are a step in the right direction, legislators could do a lot more to protect and empower employees in a digital age.

  • Google Transparency Report Highlights Just How Much We Don't Know About National Security Letters

    In an unprecedented win for transparency, yesterday Google began publishing generalized information about the number of National Security Letters that the company received in the past year as well as the total number of user accounts affected by those requests. Of all the dangerous government surveillance powers that were expanded by the USA PATRIOT Act, the National Security Letter (NSL) power provided by five statutory provisions is one of the most frightening and invasive. These letters--the type served on communications service providers such as phone companies and ISPs, and authorized by 18 U.S.C. 2709--allow the FBI to secretly demand data about ordinary American citizens' private communications and Internet activity without any prior judicial review. To make matters worse, recipients of NSLs are subject to gag orders that forbid them from ever revealing the letters' existence to anyone.

    Google has led the way among large companies in providing transparency with respect to legal and law enforcement requests with its transparency report, but until now, it has always left NSL requests out of its tally of requests for user data, in part, presumably, due to concerns about the accompanying gag order. By including this data, even in a generalized way that only tells us that Google received somewhere between 0 and 999 NSLs in 2012, Google has helped to at least shed some limited light on the ways in which the US government uses these secretive demands for data about users.

    By law, NSLs can only be used to obtain information “relevant” to certain national security investigations and only then to obtain transactional user data--subscriber data and information such as which user account is communicating with whom--rather than user-generated content such as emails. However, the NSL process suffers from an inherent lack of checks that would curb abuse, such as any kind of meaningful judicial review. The FBI's abuse of this power has been documented both by a series of Congressionally-mandated Department of Justice investigations and in documents obtained by EFF through a Freedom of Information Act request. Yet there are only a handful of lawsuits (including EFF's) challenging the FBI's underlying authority to issue such information demands, despite the hundreds of thousands of NSLs that have been issued over the past decade.

    While we continue to be in the dark about the full extent of how the law is being applied, this new data allays fears that NSLs are being used for sweeping access to large numbers of user accounts--at Google, at least. Indeed, though the numbers are rounded to the nearest thousand, there were under a thousand NSLs issued every year from 2009 to 2012, and the total number of user accounts targeted by the requests never exceeded 3,000 users per year, according to Google.

    Serious concerns and questions remain about the use of NSLs. For one, this report only gives us a bit of insight into the scope of NSLs for Google, and we strongly believe that other companies should follow Google's lead where possible in order to give us a more complete picture. Second, the company has not released granular information about the nature of the data being requested, although Google assures us in the expanded FAQ that despite evidence of abuse--for an example, see page 66 of this report--the FBI "can't use NSLs to obtain anything else from Google, such as Gmail content, search queries, YouTube videos or user IP addresses."

    Google's addition of NSLs to its transparency report is a big step forward for users who are unsure about what happens with their data. As the company stated in its announcement, “[o]ur users trust Google with a lot of very important data, whether it’s emails, photos, documents, posts or videos.” We are very glad to see Google working hard to maintain and build that trust, and hope that other companies follow suit.

  • Secretive Copyright Negotiations Continue at the 16th Round of TPP Talks

    The 16th round of negotiations over the Trans-Pacific Partnership agreement (TPP) began in Singapore today, as trade delegates and private stakeholders from 11 participating countries gather to discuss the contours of Pacific trade. EFF and many others are deeply concerned about TPP, because it appears to contain an intellectual property (IP) chapter that would ratchet up IP enforcement at the expense of digital rights. The TPP could turn Internet Service Providers into copyright cops, prompt ever-higher criminal and civil penalties for sharing content, and expand protections for Digital Rights Management. The Office of the US Trade Representative (USTR) has announced that they plan to complete the TPP by the fall of this year.

    We say “appears to contain” because the negotiations have been carried out in secret: our understanding of the U.S. proposal is based primarily on leaked texts from February 2011. However, there have been some additional leaks, like those following the USTR announcement that the TPP would include exceptions and limitations to copyright. Despite the USTR’s effort to suggest that introducing fair use into the TPP was its idea, the leaked negotiating text made it clear that the U.S. was likely pressured into agreeing to exceptions and limitations as a concession. The leak also showed that the U.S. and Australia opposed any fair use that would extend to the “digital environment.” Thus, it appears the USTR continues to lobby for ever more stringent international IP standards without much regard for the collateral damage to the public interest.

    As the deadline for concluding the TPP is fast approaching, it’s likely that they’ll be attempting to resolve disagreements in the IP language this round. Guess who won’t be part of that resolution? Yep: civil society.

    What makes TPP—and in fact any trade agreement that carries copyright provisions—dangerous for Internet users is that IP enforcement is only one issue out of many others that are being negotiated within these agreements. Therefore countries may trade away their sovereign ability to make copyright regulations in the future if other terms of the TPP are more appealing to particular powerful industries in their country.

    Our digital rights should not be traded away at these secretive negotiations for the benefit of a few corporate interests. Join EFF and more than 28,000 people in sending a message to Congress members to demand an end to these secret backdoor meetings:

    Take Action TPP
      

     
