Electronic Freedom Foundation

To Search Through Millions of License Plates, Police Should Get a Warrant

EFF - Fri, 03/22/2019 - 2:26pm

Earlier this week, EFF filed a brief in one of the first cases to consider whether the use of automated license plate reader (ALPR) technology implicates the Fourth Amendment. Our amicus brief, filed in the Ninth Circuit Court of Appeals in United States v. Yang, argues that when a U.S. Postal Service inspector used a commercial ALPR database to locate a suspected mail thief, it was a Fourth Amendment search that required a warrant.

ALPRs are high-speed, computer-controlled camera systems. Some models can photograph up to 1,800 license plates every minute, and every week, law enforcement agencies across the country use these cameras to collect data on millions of license plates. The plate numbers, together with location, date, and time information, are uploaded to a central server, and made instantly available to other agencies. The data include photographs of the vehicle, and sometimes of its drivers and passengers. ALPRs are typically attached to vehicles, such as police cars, or can be mounted on street poles, highway overpasses, or mobile trailers.

One leading commercial database operated by DRN advertises that it contains 6.5 billion plates. DRN is owned by the same company as Vigilant Solutions, and according to testimony from a Vigilant executive in the Yang case, the Vigilant LEARN database used by the Postal Service to locate the defendant includes all of DRN’s records as well as a wealth of data available only to law enforcement agencies.

If police want to search through ALPR data, we believe they should get a warrant.

In recent years, EFF, the ACLU, and others have called attention to ALPR’s invasive tracking capabilities and its proliferation across the country. We won a major victory when the California Supreme Court agreed with us that the public has a right to know how police use this technology. Starting with Yang, we will be arguing that government use of ALPRs is a search that implicates the Fourth Amendment, and it should require a warrant in routine investigations.

ALPRs scan every car, regardless of whether the individual driver is suspected of criminal activity. Similar to cell site location information (CSLI) or GPS tracking, ALPR records can paint a picture of where a vehicle and its occupants have traveled—including sensitive and private places like our homes, doctors’ offices, and places of worship. Commercial vendors operate vast databases of ALPR records, and sell database access to not just law enforcement agencies, but private businesses like repo services and insurance companies. Government employees are frequently able to access records generated by cameras mounted on both private and law enforcement vehicles, giving them access to a vast array of location data. That’s why government use of ALPR could lead to invasive tracking, and necessitates safeguards, such as a warrant requirement.

The legal arguments against warrantless ALPR searches are even stronger after a landmark ruling from the Supreme Court last June. The Court’s ruling in United States v. Carpenter involved police tracking a suspect using location data obtained from his cellular provider, but much of its reasoning applies to ALPRs as well. For example, Chief Justice Roberts wrote that because nearly everyone uses a cell phone, the government’s tracking ability “runs against everyone,” and “[o]nly the few without cell phones could escape this tireless and absolute surveillance.” ALPR data collection is similarly indiscriminate; anyone who drives on public streets is likely to be tracked and logged in a database available to police.

Roberts also pointed to law enforcement’s ability to retrieve CSLI from years in the past, creating a virtual surveillance time machine which “gives police access to a category of information otherwise unknowable.” ALPR databases, too, facilitate retrospective searches of cars whose drivers were not under suspicion at the time they were photographed by an ALPR camera. As we wrote in our amicus brief in Yang, “The confluence of these factors—detailed location data collection about a vast swath of the American population allowing retrospective searches—is why technologies like ALPRs violate expectations of privacy under the Fourth Amendment.”

We’ll watch to see what the Ninth Circuit does in Yang, and we’ll be making similar arguments in other ALPR cases soon.

The U.S. Desperately Needs a “Fiber for All” Plan

EFF - Fri, 03/22/2019 - 12:57pm

We have a real, coming broadband access crisis in the United States. Data from the government and independent analysis show that we are falling behind the world. This crisis comes from the fact that fiber-to-the-home deployment, the alternative to your gigabit cable monopoly (if you even have that choice), is languishing and slowing down across the board.

In contrast to the United States, countries around the world are aggressively modernizing their telecommunications infrastructure. They are actively pushing fiber across the board, with advanced Asian markets like South Korea and Japan already finished, and countries in the EU heading towards universal access. China is predicted to have more than five times (around 80 percent of households totaling at 193.5 million homes) the U.S. number of fiber gigabit connections by 2023.

The big difference between the United States and the rest of the advanced economies around the world is that the U.S. is the only country that believes having no plan will solve this issue. We are the only country to completely abandon federal oversight of an uncompetitive, highly concentrated market that sells critical services to all people, yet we expect widely available, affordable, ultra-fast services. But if you live in a low-income neighborhood or in a rural market today, you know very well this is not working and the status quo is going to cement in your local broadband options to either one choice or no choice.

This Means 5G Wireless Is Not Going to Reach Most People

Congress and the FCC have been obsessing about 5G hype, but early estimates are that only about three to nine percent of the market will have 5G access by 2022. It’s important to remember that, no matter what ISPs try to say about 5G, there is no real equivalency between fiber to the home and wireless 5G broadband. The two are not direct competitors given the superiority of fiber as a transmission medium.

The less-spoken truth about 5G networks is that they need dense fiber networks to make them work. One estimate on the amount of fiber investment that needs to occur is as much as $150 billion—including fiber to the home deployments—in the near future, and we are far below that level of commitment to fiber. In other words, resolving the future of high-speed broadband competition with fiber to all Americans (which would help at least 68 million households stuck in monopoly cable markers) also carries the benefit of ensuring that 5G networks can reach all corners of the country as well.

Where Things Stand Now Without A Fiber Plan 

Very small ISPs and local governments with limited budgets are at the frontline of deploying fiber to the home to fix these problems, but policymakers from the federal, state, and local level need to step up and lead. At least 19 states still have laws that prohibit local governments from deploying community broadband projects. Worst yet, both AT&T and Verizon are actively asking the FCC to make it even harder for small private ISPs to deploy fiber, so that the big incumbents can raise prices and suppress competition, a proposal EFF has urged the FCC to reject.

This is why we need to push our elected officials and regulators for a fiber-for-all-people plan to ensure everyone can obtain the next generation of broadband access. Otherwise, the next generation of applications and services won’t be usable in the United States. They will be built instead for markets with better, faster, cheaper, and more accessible broadband. This dire outcome was the central thesis to a recently published book by Professor Susan Crawford (appropriately named Fiber) and EFF agrees with its findings. If American policymakers do not remedy the failings in the US market and actively pursue ways to drive fiber deployment with the goal of universal coverage, then a staggering number of Americans will miss out on the latest innovations that will occur on the Internet because it will be inaccessible or too expensive.

As a result, we will see a worsening of the digital divide as advances in virtual reality, cloud computing, gaming, education, and things we have not invented yet are going to carry a monopoly price tag for a majority of us—or just not be accessible here. This does not have to be so, but it requires federal, state, and local governments to get to work on policies that promote fiber infrastructure to all people.

This Could Be It: Key Polish Political Party Comes Out Against Article 13

EFF - Fri, 03/22/2019 - 12:03pm

With only days to go before the final EU debate and vote on the new Copyright Directive (we're told the debate will be at 0900h CET on Tuesday, 27 March, and the vote will happen at 1200h CET), things could not be more urgent and fraught. That's why today's announcement by Poland's Platformy Obywatelska—the second-largest party in the European People's Party (EPP) bloc—is so important.

Platformy Obywatelska has said that it will vote to block the entire Copyright Directive unless Article 13—a ground-breakingly terrible Internet law that will lead to widespread filtering of all Europeans' Internet speech, images, and videos—is stricken from the final draft.

EPP, a coalition of European national political parties, is the key backer of Article 13 and the largest party in the European Parliament. Without its support, Article 13 is very unlikely to make it through the final vote.

The EPP is deeply split on the issue. EPP parties from Luxembourg, Sweden and the Czech Republic all oppose the measure, so Poland is in good company.

The other blocs that strongly back Article 13 are the S&D (socialist) and ALDE (liberal) MEPs.

126 members of the Parliament have expressly pledged to vote against Article 13, and more than 5,000,000 Europeans have signed a petition against it. This is the largest petition in European history!

It's vital that Europeans contact their MEPs as soon as possible to urge them to vote against Articles 11 and 13.

On Sunday, the streets of Europe will be flooded with demonstrators marching against the Directive.

This could be the final battle over the Directive. If it dies in Tuesday's vote, there will be no chance to bring it back before EU elections in May. This is no time to sit on the sidelines. Step up and be heard. They have the money, but we have the people!

Take Action

Stop Article 13

Congress Has a Chance to Finally End the NSA’s Mass Telephone Records Program

EFF - Thu, 03/21/2019 - 1:56pm

Earlier this month, the New York Times published a major story reporting that the NSA has stopped using the authority to run its massive, ongoing surveillance of Americans’ telephone records. After years of fighting mass surveillance of telephone records, the story may make our jobs easier: NSA has consistently claimed this surveillance was critical to national security. But now it appears that the agency couldn’t properly use the authority Congress granted it in the 2015 USA Freedom Act, so it has simply given up. 

Coincidentally, EFF had organized a briefing of congressional staff the day after the Times report on the controversial surveillance law used to conduct telephone record surveillance: Section 215 of the Patriot Act. As we told Congress, it is long past time to end the telephone records program for good. Now, we’ve signed a letter to House Judiciary Committee leadership repeating that demand, along with a list of other important reforms we’d like to see before Section 215 and two other Patriot Act provisions expire in December. 

The Times story only added to a feeling of unfinished business from the last time Section 215 was set to sunset, in 2015. When Edward Snowden revealed the NSA’s use of Section 215 to conduct its telephone records program, EFF, the ACLU, and others sued to stop it. The courts, Congress, and public opinion seemed to be on our side: The Second Circuit Court of Appeals ruled that the government’s reliance on the law was “unprecedented and unwarranted,” and shortly afterward, Congress passed the USA Freedom Act, which was intended to stop this mass surveillance.

But USA Freedom was incomplete: it still allowed the government to conduct suspicionless, ongoing collection of Americans’ telephone records, although under tighter, more specific controls than the program revealed by Snowden. But as information has emerged about how Section 215 has been used (or not used) since the passage of USA Freedom, we have to question even those modest reforms. First, we learned that a law that was supposed to end mass surveillance still allowed the NSA to collect over 500 million telephone records in 2017 alone—a number that sounds a lot like mass surveillance.

In partial explanation of that statistic, the NSA reported last June that it had discovered “technical irregularities,” resulting in overcollection of telephone records. The agency addressed that discovery by purging all of the records it had collected since the passage of USA Freedom, and the recent New York Times report suggests that rather than addressing these technical irregularities, the government has simply stopped using Section 215 for this purpose. 

Given this newest chapter in a long, embarrassing history of post-9/11 surveillance, ending the telephone records program is the obvious step for Congress to take. If the NSA can simply delete every single telephone record it has collected since USA Freedom and not even attempt to fix the technical difficulties it encountered, the law authorizing this program should not remain on the books.  

That is just the beginning of the reforms Congress should be considering, however. Section 215 has become synonymous with the NSA’s database of billions of telephone records, but the law has an entirely different scope than that. Section 215 allows the government to obtain a secret court order requiring third parties, such as Internet providers and financial institutions, to hand over business records or any other “tangible thing” if the Foreign Intelligence Surveillance Court (FISC) deems them “relevant” to an international terrorism, counterespionage, or foreign intelligence investigation. 

The Snowden revelations focused attention on the NSA’s tortured interpretation of “relevance” to collect telephone records which it knew to be mostly irrelevant, but defenders of civil liberties and civil rights have worried about the “tangible things” language right from the start. Even if Congress entirely outlaws the most well-known use of Section 215, the government will still have the authority to collect “any tangible thing” based on a very loose relevance standard. We still know very little about these other uses of Section 215, and the government is currently mandated to report only bare minimum of data about them.

Congress should hold public hearings on uses of Section 215 to collect information other than telephone records, and investigate whether there are other still-secret uses of the law that would leave Americans “stunned and angry,” such as targeting individuals based on religion or other First-Amendment–protected activities. Our joint letter to Chairman Nadler details these questions as well as other important transparency reforms that fell by the wayside in the legislative debate around USA Freedom. 

Finally, it’s reasonable to wonder what happens if our legislative and executive branches fail to act before Section 215 sunsets at the end of this year. In that case, the law would revert to a pre-Patriot Act provision from 1998, which allowed the government to collect only a narrow range of business records (not communications records) only from a limited set of companies such as transportation common carriers and other lodging, storage and vehical facilities, and only if it could make the specific showing that the records belonged to an “agent of a foreign power.” The government might argue that this would be “throwing the baby out with the bathwater.” But any surveillance law needs to be justified on its own terms, and the intelligence community would still have many other powers at its disposal. In order to fully assess what reforms are needed, Congress and the public must know more about how Section 215 is used. Congress should demand those answers from the government now.

Related Cases: Klayman v. ObamaFirst Unitarian Church of Los Angeles v. NSAACLU v. Clapper

Who Defends Your Data? Report Reveals Peruvian ISPs Progress on User Privacy, Still Room for Improvement

EFF - Thu, 03/21/2019 - 3:00am

Hiperderecho, the leading digital rights organization in Peru, in collaboration with the Electronic Frontier Foundation, today launched its second ¿Quien Defiende Tus Datos? (Who Defends Your Data?), an evaluation of the privacy practices of the Internet Service Providers (ISPs) that millions of Peruvians use every day.  This year's results are more encouraging than those in 2015's report, with Telefonica's Movistar making significant improvement in its privacy policy, responses to judicial orders, and commitment to privacy. Five out of the six ISPs now publish specific, detailed policies on how they collect and process personal data. However, the report also revealed that there is plenty of room for improvement, especially when it comes to user notification and Peruvian ISPs' public commitment to privacy. 

Internet access has grown significantly in Peru in recent years, particularly through mobile networks. Movistar (Telefónica) and Claro (América Móvil) are the main players, making up 70% of the Internet market. For landline connections, these two ISPs connect more than 90% of users in Peru; Movistar alone has 74.4% of them. The report also evaluated four other telecom operators: Bitel, Entel, Olo, and Inkacel. Every day, these users provide these companies with specific information about their movements, routines, and relations - a treasure trove of data for government authorities, who can use unnecessary and disproportionate measures to access it. This constant threat from State authorities demands public awareness and oversight.

That’s why this new Peru report aims to push companies to counter surveillance measures that are conducted without proper safeguards, and to be transparent about their policies and practices.

This year’s report, available in Spanish, evaluated each ISP on five categories:

Privacy Policy:

To earn a star in this category, a company must have published a privacy policy that is easy to understand. It should inform the reader about what data is collected from them, how long it is stored, and for what purposes. Partial compliance got a partially filled star.

Judicial Order:

Companies earned a star in this category if they require that the government obtain a warrant from a judge before handing over user data (either content or metadata). Compliance with this requirement for the content of communications, but not for metadata, earned a company a half star.

User Notification:

To earn a star in this category, companies must promise to inform their customers of a government request at the earliest moment permitted by the law.


This category looked for companies publishing transparency reports about government requests for user data. To earn a full star, the report must provide useful data about how many requests have been received and complied with, and include details about the type of requests, the government agencies that made the requests, the reasons provided by the authority, and describe the guidelines and procedures the company adopts when an authority requests the data. We demanded high standards, but partial compliance gained companies part of a star.

Commitment to privacy:

This star recognizes companies who have challenged inaccurate or disproportionate access to data requests. It also rewards companies that have publicly taken a position in favor of their users’ privacy before Congress and other regulatory bodies. Partial compliance is rewarded with a half star.

The chart below ranks the six Peruvian telecommunications companies:

This latest report awards more stars than the first edition, which was published in 2015. Now, five out of the six ISPs have published their policies with specific information about the collection and processing of personal data. However, Claro and Entel provide this information using highly technical language, which reduced their score. In order to earn a full star, the information provided must be easily understandable, otherwise it is just a formal measure, with little to no effect in empowering users to fight for their rights. Still, all companies detail how long and for which purposes users’ data is stored. Even Olo, which doesn’t publish a privacy policy, added this information to its regular service provision agreement.

We also saw progress in the companies’ commitment to demanding a judicial order before handing over data to government authorities. Bitel and Claro were given a half star for explicitly demanding a warrant when the request was for the content of communications. Movistar received a full star for adhering to this commitment for users’ content and metadata. In 2015, only Movistar received any credit in this category, with a half star.

Movistar also stands out in the transparency category. The company’s annual transparency report outlines how many requests they’ve received and complied with, what types of requests they received, as well as the guidelines and procedures the company follows when an authority requests data. Being transparent about the law enforcement guidelines companies follow is crucial to shedding a light on how companies  deal internally with government requests for data. This information allows users to understand how they interpret and apply the legal requirements and whether their procedures follow national and international safeguards. Although Bitel and Claro publish the instances in which they hand user data over to government authorities, they did not go as deeply into detail as Movistar does.

There is still much work to be done. No company earned a star for a public commitment to speak up for their users’ privacy, either in the courts or in legislative and regulatory bodies. Similarly, none of the six companies commit to notify their customers of a government request at the earliest moment allowed by the law. Peru’s new Criminal Procedure Code states that once a judicial measure has been executed and immediate investigations have been carried out, the user affected must be informed of it whenever the investigation object permits the notification, and as long as it does not endanger life or the physical safety of third parties. In turn, no restriction for notice is provided by the controversial Legislative Decree 1182, which regulates the direct access by police authorities to location data.

Hiperderecho stressed in the report: “Even if the legal obligation is of the judicial authority’s responsibility, there is much more that companies could do in this context. They can keep a record of the interventions made, promote notification to users after the measure expires or make simultaneous notifications with the authorities (…) in a way that users can enforce their right to go to the courts to request reexamination of the measure or to challenge the decisions issued.” Such proactive measures are particularly important because the law only gives users three business days to challenge these measures.

Hiperderecho's report shows that telecommunications companies are making progress when it comes to complying with the law, but they’re not doing as well as they could. Yet the ¿Quién Defiende Tus Datos? reports, much like EFF’s Who Has Your Back? project, are not only about fulfilling established legal rules. Their aim is to push companies to go beyond the requirements of the law. Peru’s companies must do more, and we’ll remain vigilant to ensure that happens.

The report is part of a series across Latin America and Spain adapted from EFF’s Who Has Your Back? reports. Last year, Spain’s ETICAS Foundation, Argentina’s ADC, Chile’s Derechos Digitales, Brazil’s Internet Lab, and Colombia’s Karisma Foundation published their own reports.

The Best of Europe’s Web Went Dark Today. We Can’t Let That Be Our Future.

EFF - Wed, 03/20/2019 - 7:29pm

We’re into the final days before members of the European Parliament vote on the Copyright and the Digital Single Market Directive, home of the censoring Article 13, and the anti-news Article 11. Europeans are still urging their MEPs to vote down these articles (if you haven’t already, call now, and stepping up the visibility of their complaints in this final week.

Take Action

Stop Article 13

The first salvo drawing attention to the damage the directive will cause has come from the European Wikipedias. German Wikipedia has gone completely dark for today, along with the Czech, Slovak and Danish Wikipedias, German OpenStreetMap, and many more.

With confusing rhetoric, the Directive’s advocates have always claimed that they mean no harm to popular, user-driven sites like Wikipedia and OpenStreetMap. They’ve said that the law is aimed only at big American tech giants, even as drafters have scrambled to address the criticism that it affects all of the Internet. Late in the process, the drafters tried to carve out exceptions for “online encyclopedias,” and the German government and European Parliamentarians fought hard – though ultimately failed – to put in effective exceptions for European start-ups and other competitors.

Very few of the organizations and communities for whom these exceptions are meant to protect are happy with the end result. The Wikimedia Foundation, which worked valiantly to improve the Directive over its history, came out last week and declared that it could not support its final version. Even though copyright reform is badly needed online, and Wikipedians fought hard to include positive fixes in the rest of the Directive, Article 13 and Article 11 have effectively undermined all of those positive results.

As Wikimedia’s experts write:

Despite some good intentions, the wholly problematic inclusion of Articles 11 and 13 mean that fundamental principles of knowledge sharing are overturned: in practice users and projects will have to prove they are allowed to share knowledge before a platform permits an upload. The EU Copyright Directive envisions a technical and legal infrastructure that treats user generated content with suspicion unless proved legal. We cannot support this—it is better to have no reform at all, than to have one including these toxic provisions.

The European lawmakers who see Article 13 and Article 11 as a simple fix for the woes of entertainment and news media companies still don’t get that the Internet isn’t a competing “industry” – it’s an ecosystem. Companies like Google and Facebook are certainly supported by that ecosystem – but so too are the billions of individuals, thousands of European companies, families, and ad-hoc communities of creators, coders, and services. As Wikimedia says, this Directive turns the simplest basic actions of those Internet users - sharing and linking - suspect. Websites must check everything that users upload, because if they upload something that another person decided is their own, the website can be liable for unbounded costs. If Article 11 passes, everyone will have to make a legal assessment when linking to the news, out of fear the text accompanying their link contains one too many words, and triggers Article 11’s licensing requirements.

The sites that are shutting down today in protest are, without question, sites that are home to European creators: the very people that Article 13 and 11 adherents claim to be protecting. That these parts of the European creative community are so concerned about their own future, and the wider ecology of the Net, should be a giant, flashing, warning sign to all MEPs.

If you’re in Europe, contact your MEP, and join the protests this weekend. The future doesn’t have to be as dark as it looks today.

More than 130 European businesses tell the European Parliament: Reject the #CopyrightDirective

EFF - Wed, 03/20/2019 - 8:09am

The EU's Copyright Directive will be voted on in the week of March 25 (our sources suggest the vote will take place on March 27th, but that could change); the Directive has been controversial all along, but it took a turn for the catastrophic during the late stages of the negotiation, which yielded a final text that is alarming in its potential consequences for all internet activity in Europe and around the world.

More than 5,000,000 Europeans have signed a petition against Article 13 of the Directive, and there has been outcry from eminent technical experts, the United Nations' special rapporteur on free expression, and many other quarters.

Now, a coalition of more than 130 EU businesses have entered the fray, led by file storage service NextCloud. Their letter to the European Parliament calls Article 13—which will lead to mass adoption of copyright filters for online services that will monitor and block user-submitted text, audio, video and images—a "dangerous experiment with the core foundation of the Internet’s ecosystem." They also condemn Article 11, which will allow news publishers to decide who can quote and link to news stories and charge for the right to do so.

Importantly, they identify a key risk of the Directive, which is that it will end up advantaging US Big Tech firms that can afford monitoring duties, and that will collect "massive amounts of data" sent by Europeans.

March 21st is an EU-wide day of action on the Copyright Directive, with large site blackouts planned (including German Wikipedia), and on March 23, there will be mass demonstrations across the EU. Things are getting down to the wire here, folks.

Here's the text of the letter; you can find the original, with the full list of signatories, here.

The companies signing this letter to the European Parliament are urging you to vote against Articles 11 and 13 of the proposed copyright directive. The text of the trilogue agreement would harm the European economy and seriously undermine the ability of European businesses to compete with big Internet giants like Google.

We support the goal of the legislation to protect the rights of creators and publishers, but the proposed measures are inadequate to reap these benefits and also fail to strike a fair balance between creators and all other parts of society. The success of our business enterprises will be seriously jeopardized by these heavy-handed EU regulations.

Especially Article 13 is dangerously experimenting with the core foundation of the Internet’s ecosystem. Making companies directly liable for the content of their users forces these businesses to make billions of legal decisions about the legality of content. Most companies are neither equipped nor capable of implementing the automatic content filtering mechanisms this requires, which are expensive and prone to error.

Article 11 is creating a completely new intellectual property right for press publishers. The experience with similar laws in Germany and Spain raises serious doubts about the expected benefits, while the negative impact would be very real. An additional layer of exclusive rights would make it harder to clear the necessary legal hurdles to start new projects. It will make entrepreneurs more hesitant to just launch new projects. Europe would lose any chance to play a significant role on the world stage. Startups that build services based on aggregated online information would go out of business, and every company that publishes press summaries of their appearance in the media would be in violation of this law.

Although the purpose of these regulations is to limit the powers of big US Internet companies like Google or Facebook, the proposed legislation would end up having the opposite effect. Article 13 requires filtering of massive amounts of data, requiring technology only the Internet giants have the resources to build.

European companies will be thus forced to hand over their data to them, jeopardizing the independence of the European tech industry as well as the privacy of our users. European companies like ours will be hindered in their ability to compete or will have to abandon certain markets completely.

Given all of these issues it is noteworthy that the final trilogue agreement lacks meaningful safeguards for small and medium enterprises. The broad scope of this law would most likely lead to less new companies being founded in Europe and existing companies moving their headquarters out of Europe. For all those reasons we urge every pro-Startup politician to vote against Article 11 and Article 13.

We hope EU lawmakers hear the concerns of these businesses and take them to heart. If you live in the EU, consider taking part in the day of action on March 21; and contact your MEP right now. 

Take Action

Stop Article 13

EFF Submits Consumer Data Privacy Comment to the California Attorney General

EFF - Tue, 03/19/2019 - 4:33pm

The California Consumer Privacy Act (CCPA) requires the California Attorney General to take input from the public on regulations to implement the law, which does not go into effect until 2020.

The Electronic Frontier Foundation has filed comments on two issues: first, how to verify consumer requests to companies for access to personal information, and for deletion of that information; and second, how to make the process of opting out of the sale of data easy, using the framework already in place for the Do Not Track (DNT) system.

Verification of Requests

When it comes to verifying requests that users make of businesses to access their own data, EFF asked the Attorney General to carefully balance the interest of the consumer in obtaining their own personal information without undue delay or difficulty, with their interest in avoiding theft of their private data by people who might make fraudulent CCPA requests for data.

If a consumer already has a password-protected account, the Attorney General should mandate use of that password to verify the account. Further, the business must ensure that the requester really knows the password, and didn’t just steal a laptop with an open app, by requiring the requester to log out of the account and present the password again. The AG should also encourage, but not require, two-factor authentication as a form of verification in cases where doing so poses no risk to the user.

If a consumer does not have a password, the company must be as certain as is reasonably possible that the requester is the subject of the personal information being requested.

Opting Out of Sales

We also encourage the Attorney General to rely on the existing Do Not Track (DNT) system when issuing rules about consumer requests to opt-out of data sales. The DNT system combines a technology (a browsing header that announces the user prefers not to be tracked online) with a policy framework (how companies should respond to that signal).

The DNT header is already widely supported by most major web browsers, including Google Chrome, Mozilla Firefox, and Opera. EFF proposes that the Attorney General require any business that interacts with consumers directly over the Internet to treat a browser’s DNT request as a request to opt-out of data collection.

We thank the Attorney General’s office for the opportunity to comment on CCPA regulations, and look forward to making further comments about consumer data privacy.

To read EFF’s comments in full, please click here.

The European Copyright Directive: What Is It, and Why Has It Drawn More Controversy Than Any Other Directive In EU History?

EFF - Tue, 03/19/2019 - 12:34pm

During the week of March 25, the European Parliament will hold the final vote on the Copyright Directive, the first update to EU copyright rules since 2001; normally this would be a technical affair watched only by a handful of copyright wonks and industry figures, but the Directive has become the most controversial issue in EU history, literally, with the petition opposing it attracting more signatures than any other petition in change.org’s history.

How did we get here?

European regulations are marathon affairs, and the Copyright Directive is no exception: it had been debated and refined for years, and as of spring 2017, it was looking like all the major points of disagreement had been resolved. Then all hell broke loose. Under the leadership of German Member of the European Parliament (MEP) Axel Voss, acting as "rapporteur" (a sort of legislative custodian), two incredibly divisive clauses in the Directive (Articles 11 and 13) were reintroduced in forms that had already been discarded as unworkable after expert advice. Voss's insistence that Articles 11 and 13 be included in the final Directive has been a flashpoint for public anger, drawing criticism from the world's top technical, copyright, journalistic, and human rights experts and organizations.

Why can no one agree on what the Directive actually means?

"Directives" are rules made by the European Parliament, but they aren't binding law—not directly. After a Directive is adopted at the European level, each of the 28 countries in the EU is required to "transpose" it by passing national laws that meet its requirements. The Copyright Directive has lots of worrying ambiguity, and much of the disagreement about its meaning comes from different assumptions about what the EU nations do when they turn it into law: for example, Article 11 (see below) allows member states to ban links to news stories that contain more than a word or two from the story or its headline, but it only requires them to ban links that contain more than "brief snippets"—so one country might set up a linking rule that bans news links that reproduce three words of an article, and other countries might define "snippets" so broadly that very little changes. The problem is that EU-wide services will struggle to present different versions of their sites to people based on which country they're in, and so there's good reason to believe that online services will converge on the most restrictive national implementation of the Directive.

Take Action

Stop Article 13

What is Article 11 (The "Link Tax")?

Article 11 seeks to give news companies a negotiating edge with Google, Facebook and a few other Big Tech platforms that aggregate headlines and brief excerpts from news stories and refer users to the news companies' sites. Under Article 11, text that contains more than a "snippet" from an article are covered by a new form of copyright, and must be licensed and paid by whoever quotes the text, and while each country can define "snippet" however it wants, the Directive does not stop countries from making laws that pass using as little as three words from a news story.

What's wrong with Article 11/The Link Tax?

Article 11 has a lot of worrying ambiguity: it has a very vague definition of "news site" and leaves the definition of "snippet" up to each EU country's legislature. Worse, the final draft of Article 11 has no exceptions to protect small and noncommercial services, including Wikipedia but also your personal blog. The draft doesn’t just give news companies the right to charge for links to their articles—it also gives them the right to ban linking to those articles altogether, (where such a link includes a quote from the article) so sites can threaten critics writing about their articles. Article 11 will also accelerate market concentration in news media because giant companies will license the right to link to each other but not to smaller sites, who will not be able to point out deficiencies and contradictions in the big companies' stories.

What is Article 13 ("Censorship Machines")?

Article 13 is a fundamental reworking of how copyright works on the Internet. Today, online services are not required to check everything that their users post to prevent copyright infringement, and rightsholders don't have to get a court order to remove something they view as a copyright infringement—they just have to send a "takedown notice" and the services have to remove the post or face legal jeopardy. Article 13 removes the protection for online services and relieves rightsholders of the need to check the Internet for infringement and send out notices. Instead, it says that online platforms have a duty to ensure that none of their users infringe copyright, period. Article 13 is the most controversial part of the Copyright Directive.

What's a "copyright filter?"

The early versions of Article 13 were explicit about what online service providers were expected to do: they were supposed to implement "copyright filters" that would check every tweet, Facebook update, shared photo, uploaded video, and every other upload to see if anything in it was similar to items in a database of known copyrighted works, and block the upload if they found anything too similar. Some companies have already made crude versions of these filters, the most famous being YouTube's "ContentID," which blocks videos that match items identified by a small, trusted group of rightsholders. Google has spent $100m on ContentID so far.

Why do people hate filters?

Copyright filters are very controversial. All but the crudest filters cost so much that only the biggest tech companies can afford to build them—and most of those are US-based. What's more, filters are notoriously inaccurate, prone to overblocking legitimate material—and lacking in checks and balances, making it easy for censors to remove material they disagree with Filters assume that the people who claim copyrights are telling the truth, encouraging laziness and sloppiness that catches a lot of dolphins in the tuna-net.

Does Article 13 require "filters?"

Axel Voss and other proponents for Article 13 to remove references to them from the Directive in order to win a vote to remove them in the European Parliament. But the new text of Article 13 still demands that the people who operate online communities somehow examine and make copyright assessments about everything, hundreds of billions of social media posts and forum posts and video uploads. Article 13 advocates say that filters aren't required, but when challenged, not one has been able to explain how to comply with Article 13 without using filters. Put it this way: if I pass a law requiring you to produce a large African mammal with four legs, a trunk, and tusks, we definitely have an elephant in the room.

Will every online service need filters?

Europe has a thriving tech sector, composed mostly of "small and medium-sized enterprises" (SMEs), and the politicians negotiating the Directive have been under enormous pressure to protect these Made-In-Europe firms from a rule that would wipe them out and turn over permanent control over Europe's Internet to America's Big Tech companies. The political compromise that was struck makes a nod to protecting SME's but ultimately dooms them. The new rules grant partial limits on copyright liability only for the first three years of an online service's existence, and even these limits are mostly removed once a firm attains over 5m in unique visitors (an undefined term) in a given month, and once a European company hits annual revenues (not profits!) of €10m, it has all the same obligations as the biggest US platforms. That means that the 10,000,001st euro a company earns comes with a whopping bill for copyright filters. There are other, vaguer exemptions for not-for-profit services, but without a clear description of what they would mean. As with the rest of the law, it will depend on how each individual country implements the Directive. France’s negotiators, for example, made it clear that they believe no Internet service should be exempted from the Article’s demands, so we can expect their implementation to provide for the narrowest possible exemption. Smaller companies and informal organizations will have to prepare to lawyer up in these jurisdictions because that’s where rightsholders will seek to sue. A more precise, and hopefully equitable, solution could finally be decided by the European Court of Justice, but such suits will take years to resolve. Both the major rightsholders and Big Tech will strike their own compromise license agreements outside of the courts, and both will have an interest in limiting these exceptions, so it will come down to those same not-for-profit services or small companies to spend the costs required to win those cases and live in legal uncertainty until they have been decided.

Take Action

Stop Article 13

What about "licenses" instead of "filters"?

Article 13 only requires companies to block infringing uses of copyrighted material: Article 13 advocates argue that online services won't need to filter if they license the catalogues of big entertainment companies. But almost all creative content put online (from this FAQ to your latest tweet) is instantly and automatically copyrighted. Despite what EU lawmakers believe, we don’t live in a world where a few large rightsholders control the copyright of the majority of creative works. Every Internet user is a potential rightsholder. All three billion of them. Article 13 doesn't just require online services to police the copyrights of a few giant media companies; it covers everyone, meaning that a small forum for dog fanciers would have to show it had made "best efforts" to license photos from other dog fancier forums that their own users might report—every copyright holder is covered by Article 13. Even if an online platform could license all the commercial music, books, comics, TV shows, stock art, news photos, games, and so on (and assuming that media companies would sell them these licenses), they would still somehow have to make "best effort" to license other user's posts or stop their users from reposting them.

Doesn't Article 13 say that companies shouldn't overblock?

Article 13 has some language directing European countries to make laws that protect users from false copyright takedowns, but while EU copyright sets out financial damages for people whose copyrights are infringed, you aren't entitled to anything if your legitimate posts are censored. So if a company like Facebook, which sees billions of posts a day, accidentally blocks one percent of those posts, that would mean that it would have to screen and rule on millions of users' appeals every single day. If Facebook makes those users wait for days or weeks or months or years for a ruling, or if it hires moderators who make hasty, sloppy judgments, or both, Article 13 gives those users no rights to demand better treatment, and even the minimal protections under Article 13 can be waved away by platforms through a declaration that users' speech was removed because of a "terms of service violation" rather than a copyright enforcement.

Do Article 13's opponents only want to "save the memes?"

Not really. It's true that filters—and even human moderators—would struggle to figure out when a meme crosses the line from "fair dealing" (a suite of European exceptions to copyright for things like parody, criticism and commentary) into infringement, but "save the memes" is mostly a catchy way of talking about all the things that filters struggle to cope with, especially incidental use. If your kid takes her first steps in your living room while music is playing in the background, the "incidental" sound could trigger a filter, meaning you couldn't share an important family moment with your loved ones around the world. Or if a news photographer takes a picture of police violence at a demonstration, or the aftermath of a terrorist attack, and that picture captures a bus-ad with a copyrighted stock-photo, that incidental image might be enough to trigger a filter and block this incredibly newsworthy image in the days (or even weeks) following an event, while the photographer waits for a low-paid, overworked moderator at a big platform to review their appeal. It also affects independent creators whose content is used by established rightsholders. Current filters frequently block original content, uploaded by the original creator, because a news service or aggregator subsequently used that content, and then asserted copyright over it. (Funny story: MEP Axel Voss claimed that AI can distinguish memes from copyright infringement on the basis that a Google image search for "memes" displays a bunch of memes)

What can I do?

Please contact your MEP and tell them to vote against the Copyright Directive. The Copyright Directive vote is practically the last thing MEPs will do before they head home to start campaigning for EU elections in May, so they're very sensitive to voters right now! And on March 23, people from across Europe are marching against the Copyright Directive. The pro-Article 13 side has the money, but we have the people!

Take Action

Stop Article 13

Here’s Why You Can’t Trust What Cops and Companies Claim About Automated License Plate Readers

EFF - Tue, 03/19/2019 - 12:32pm
Shopping Centers Shut Down ALPR Program After Denying Data Was Shared with ICE. New Emails Show ICE Did Access Data Through a Fusion Center.

In response to an ACLU report on how law enforcement agencies share information collected by automated license plate readers (ALPRs) with Immigration and Customs Enforcement, officials have been quick to deny and obfuscate despite documentary evidence obtained directly from ICE itself through a Freedom of Information Act lawsuit

Let’s be clear: you can’t trust what ALPR company Vigilant Solutions and its clients says. It’s time for higher authorities to conduct an audit.

Through years of research spanning California (and beyond), EFF has discovered that agencies that access ALPR data are often ignorant or noncompliant when it comes to the transparency and accountability requirements of state law. Furthermore, their agreements with the vendor Vigilant Solutions often include “non-disparagement” and “non-publication” clauses that contractually bind them to Vigilant Solutions’ “media messaging” and prevent agencies from speaking candidly with the press. Meanwhile, training materials created by Vigilant Solutions explicitly recommend that police leave ALPR out of its reports whenever possible.

But documents obtained as part of the ACLU’s lawsuit brings another factor into play: sometimes the claims are just jaw-droppingly inaccurate.

One email in particular shows exactly how ICE could access data collected at shopping malls through a regional fusion center, despite the mall operator and Vigilant Solutions’ repeated denials that it was happening.

For background: ALPR is a technology that allows law enforcement and private companies to track the travel patterns of drivers, through networks of cameras that record license plates, along with time, date and location. That information is uploaded to a database that users can search to find out where a vehicle travelled, reveal what vehicles visited particular locations, and receive real-time alerts on vehicles added to watch lists. It is a mass surveillance technology that captures information on everyone, regardless of whether their vehicle is tied to an investigation.

Last summer, EFF volunteer Zoe Wheatcroft, a high school in student in Mesa, Ariz., discovered a curious document on a website belonging to the Irvine Company, a real estate developer based in Orange County. The document showed that private security patrols were using ALPR to gather data on customers at Irvine Company-owned shopping malls . As EFF reported, Irvine Company then transferred that information to Vigilant Solutions, a controversial ALPR vendor well-known for selling data to ICE.

We asked the mall operator, Irvine Company, to explain itself, but it refused to answer questions. However, after EFF published its report, Irvine Company told reporters ALPR data was not shared with ICE, but only three local police departments. Then Vigilant Solutions issued a press release saying “the entire premise of the article is false,” and accused EFF of “creating fake news.” Vigilant Solutions also demanded we retract the post and apologize, saying that it was “evaluating potential legal claims” against EFF.

What they wouldn’t say publicly is that within within two weeks, Irvine Company quietly terminated its whole ALPR program. EFF only learned of this six months later from Irvine Company directly, but the company’s spokesperson refused to tell us the motivation behind ending the surveillance, beyond it being a business decision.

What Really Happened in Orange County

EFF began to investigate Irvine’s Claims that its ALPR data from the shopping malls was tightly controlled and could never be shared with ICE.  We filed public records requests with the police department that Irvine Company said were the only agencies allowed to access the data. None of them were able to produce any documentation limiting data sharing—or indeed any limitations at all on data could be used or shared.

Then, earlier this year, the ACLU received more than 1,800 pages of ICE records about the agency’s use of ALPR and Vigilant Solutions’ technology. Buried in the set is an email exchange that shows unequivocally that ICE accessed the Irvine Company’s shopping center data just months before EFF’s report.

According to the records: In October 2017, an official with Homeland Security Investigations, an arm of ICE, sent an email to a detective with the La Habra Police Department, who was working out of the regional “fusion center,”  the Orange County Intelligence Assessment Center. The ICE HSI specialist asked the detective to run a license plate for them, with no explanation of the purpose of the search, even though documenting a purpose is required by California law.

A few hours laters, the La Habra detective responded with a PDF attachment exported from Vigilant Solutions’ LEARN software that included the plate scans:

"i attached the report... there are a LOT of scans, most of them from fashion island security.. he spends a lot of time parked there.."

This email wasn’t just the smoking gun: it was the bullet. The document demonstrates that data could be transferred to ICE

What They Claimed: The Irvine Company said the data was only shared with the Irvine, Newport and Tustin police departments. “We have been assured through conversations with Vigilant that only those police departments are receiving information,” a spokesperson told the Orange County Register. Vigilant Solutions backed up the claim, writing “As Irvine Company has stated, it is shared with select law enforcement agencies to ensure the security of mall patrons.”

What the Emails Actually Show: A La Habra Police detective had access to mall data through the fusion center. Neither La Habra nor OCIAC are one of the three agencies the data access was supposed to be limited to. This raises the question, who else had access to the data? As a fusion center, OCIAC exists to facilitate the exchange of information across agencies. “Intelligence processes—through which information is collected, integrated, evaluated, analyzed, and disseminated—are a primary focus” of the fusion center, according to OCIAC’s website.

What They Claimed: In its press release, Vigilant said, “These law enforcement agencies do not have the ability in Vigilant Solutions’ system to electronically copy this data or share this data with other persons or agencies, such as ICE.”

What the Emails Actually Show: Within hours of receiving the request from ICE, the La Habra Detective was easily able to copy the data as a PDF and share it with ICE via email.

EFF reached out both to Irvine Company and Vigilant Solutions prior to publishing this report. Irvine Company would only confirm the date that it stopped the ALPR program, but would provide no further information. Motorola Solutions, which acquired Vigilant Solutions earlier this year sent the following statement:

We are aware of the ACLU of Northern California's recent report on license plate recognition data and assertions regarding data access by the Irvine Company. The referenced incident predates Motorola Solutions' ownership of Vigilant Solutions, and we are currently working with Vigilant to assess the situation in greater detail.

Motorola Solutions is committed to the highest standard of integrity and data protection, which includes ensuring that vehicle location data is accessed only by authorized law enforcement agencies in accordance with applicable laws and industry standards. We also are committed to working with our customers and partners to ensure that use of vehicle location data hosted in our database is appropriately safeguarded to minimize the potential for misuse by any person.

Motorola Solutions deeply respects individual privacy rights and is committed to mitigating privacy risks associated with data collection, use and storage. 

Considering the historic wall of secrecy maintained by Vigilant Solutions and its clients, we believe it is time for a more thorough accounting than just an internal review. We urge the California legislature and the state auditor to investigate Vigilant Solutions and its government clients to find out the truth about how our data is shared with ICE and other agencies and whether these law enforcement agency are violating state laws regulating the use of this mass surveillance technology.

Related Cases: Automated License Plate Readers (ALPR)

Why the Debate Over Privacy Can't Rely on Tech Giants

EFF - Fri, 03/15/2019 - 7:42pm

Ever since the Cambridge Analytica scandal last summer, consumer data privacy has been a hot topic in Congress. The witness table has been dominated by the biggest platforms, with those in lockstep with the tech giants earning the vast majority of attention. However, this week marked the first time that opposing views had a chance to fight back. The Senate Judiciary committee held a hearing called GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation, and unlike previous hearings, this hearing featured two groups of panelists with contradictory viewpoints.

While we still call for a panel that puts consumer advocates and tech giants at the same table to discuss consumer privacy, we appreciate that Judiciary Chair Sen. Lindsey Graham included representatives from DuckDuckGo and Mapbox to discuss how they are able to run successful businesses while also respecting user privacy. It’s clear after this hearing that companies who deliberately over-collect data and sidestep user privacy are making a business choice, and they could choose to operate differently.

Privacy Can Be Good for Business

In his opening statement, CEO and Founder of DuckDuckGo Gabriel Weinberg said that, “Privacy legislation is not anti-advertising…[our] ads won’t follow [the user] around, because we don’t know who you are, where you’ve been, or where you go. It’s contextual advertising versus behavioral advertising.” Press investigations have exposed, time and again, that large tech companies will often choose their profits over your privacy. This underscores the need for stronger privacy laws across the country, and it helps to have another tech CEO tell the Senate that well-drafted privacy legislation can spur more competition and innovation.

In fact, Sen. Graham immediately followed up on this point, asking Google’s Senior Privacy Counsel, Will DeVries, to explain how much of Google’s revenue from search terms comes from contextual advertising versus behavioral advertising. Despite being repeatedly pressed by Sen. Graham, DeVries declined to answer and promised to get back to the Senator privately. It’s unfortunate that he couldn’t—or wouldn’t—answer the question. It’s not the first time companies have muddied the waters on this point. Facebook CEO Mark Zuckerberg has previously claimed that users prefer targeted ads, a claim without much merit. It would be useful for Congress (and users) to know if the reason for these claims is because the business models depend on it. We hope Sen. Graham keeps asking that question and receives a real answer.

But we cast doubt on the assertion that new privacy laws kill businesses. During the second panel, the Judiciary committee’s top Democrat, Senator Dianne Feinstein, asked if the GDPR was bad for business. CDT’s Michelle Richardson responded by saying that because the GDPR is so new, we don’t yet know its effects. Richardson also cited a Cisco study that cites evidence that organizations in Europe that are ready for the GDPR are benefiting from their privacy investments.

As we have said before, the real proof of the GDPR’s provisions will be in how they are enforced, and against whom. Those answers will only emerge as European regulators begin to use their new authorities. Similarly, state laws such as BIPA in Illinois and Vermont’s data privacy law, and the CCPA, are still so new that we don’t entirely know their impact. Congress needs to allow the laws to work and the courts to make decisions before they get involved. 

Privacy Doesn’t Have to Be Complicated

Many different senators criticized the idea that companies should be allowed to expect that their users fully understand what clicking “I agree” means on a terms of service agreement. While discussing the length and complexity of Google’s privacy policy, Sen. John Kennedy said “You can hide a dead body in there and no one would ever find it.”

And then there is the question of whether users actually have a choice. Freshman Sen. Josh Hawley asked DeVries whether users can fully turn off all Google’s location tracking services on their Android phones. DeVries responded that location tracking is required to "perform basic functions" on the phone. In other words, no—even if a consumer consciously chooses to turn off location tracking on their Android phone, Google is still tracking them. That’s a big deal, and Sen. Hawley noticed:

Here's my basic concern ... that Americans have not signed up for this…They think they can opt out of the tracking that you're performing, but they can't meaningfully opt out.

DeVries offered to follow up with Sen. Hawley later on Google’s tracking practices, saying, "I understand it's a complicated topic." "I don't think it's that complicated," Sen. Hawley responded. Again, it’s disappointing that DeVries wouldn’t answer the question in a public hearing. Android users should have the right to know why they can’t ever turn off collection of sensitive (and apparently, valuable) data.

Build a Floor, Not a Ceiling

States across the country have already enacted laws to create strong protections for user privacy. Republicans and tech industry leaders who resist these restrictions have gone on record calling for federal preemption of state privacy laws. They say they want “one national standard” in order to avoid a "patchwork" of regulations—which could moot an ongoing class action suit against Facebook in Illinois and wipe out the CCPA.

We were pleased to hear Senator Feinstein say that people should control their data with opt-in consent and that she would oppose efforts to water down the CCPA through a federal privacy law during the hearing, saying "I will not support any federal privacy bill that weakens the California standard.”

Senator Richard Blumenthal followed up by saying there is “a bipartisan core of support for adopting a law that regards California as a floor, not a ceiling, in terms of privacy standards for both the expectations of what the standard should be as well as enforcement.”

We are glad to see these senators take such a strong stand for privacy protections at the state level. We look forward to working with them and hope Congress will continue inviting different viewpoints to the table to work on strong, comprehensive privacy protections for all Americans.

Our Thoughts on the New Zealand Massacre

EFF - Fri, 03/15/2019 - 6:24pm

EFF is deeply saddened and disturbed by the massacre in New Zealand. We offer our condolences to the survivors and families of victims.

This horrific event had an online component; one gunman livestreamed the event, and it appears that he had an active and hateful online presence. Enforcing their terms of use, most web platforms appear to have removed the horrendous video and related content.

Incidents involving extreme violence invite hard questions about how platforms can enforce their policies without unfairly silencing innocent voices. Online platforms have the right to remove speech that violates their community standards, as is happening here.

But times of tragedy often bring calls for platforms to ramp up their speech-policing practices. Those practices often expand to silence legitimate voices—including those that have long sought to overcome marginalization.

It’s understandable to call for more aggressive moderation policies in the face of horrifying crimes. Unfortunately, history has shown that those proposals frequently backfire. When platforms over-censor, they often disproportionately silence the speech of their most vulnerable, at-risk users.

Egyptian journalist and anti-torture advocate Wael Abbas was kicked off YouTube for posting videos of police brutality. Twitter suspended his account, which contained thousands of photos, videos, and livestreams documenting human rights abuses. In 2017, YouTube inadvertently removed thousands of videos used by human rights groups to document atrocities in Syria. It is difficult to draw lines between the speech of violent extremists and those commenting on, criticizing, or defending themselves from such attacks. It’s much more difficult to make those judgment calls at the scale of a large Internet platform.

To make matters worse, bad actors can often take advantage of overly restrictive rules in order to censor innocent people—often the members of society who are most targeted by organized hate groups. It’s not just 8chan-style trolls, either: state actors have systematically abused Facebook’s flagging process to censor political enemies. On today’s Internet, if platforms don’t carefully consider the ways in which a takedown mechanism invites abuse, creating one risks doing more harm than good. And attempts to use government pressure to push platforms to more exhaustively police speech inevitably result in more censorship than intended.

Along with the American Civil Liberties Union, the Center for Democracy and Technology, and several other organizations and experts, EFF endorses the Santa Clara Principles, a simple set of guidelines for how online platforms should handle removal of speech. Simply put, the Principles say that platforms should:

  • provide transparent data about how many posts and accounts they remove;
  • give notice to users who’ve had something removed about what was removed, under what rules; and
  • give those users a meaningful opportunity to appeal the decision.

 The Santa Clara Principles help ensure that platforms’ content moderation decisions are consistent with human rights standards. Moderation decisions are one of the most difficult problems on the Internet today. Well-meaning platforms and organizations may disagree on specific community standards, but we should all work together to take steps to ensure that those rules aren’t wielded against the most vulnerable members of society.

Critical Free Speech Protections Are Under Attack in Texas

EFF - Thu, 03/14/2019 - 12:37pm

A bill introduced in Texas threatens the free speech rights of 28 million residents by making it easier to bring frivolous lawsuits against speakers and to harass or intimidate them into silence. 

EFF has long been concerned about these types of lawsuits, called Strategic Lawsuits Against Public Participation, or SLAPPs, as they use legal claims as a pretext to punish individuals exercising their First Amendment rights. That’s why EFF supports efforts to limit or prevent SLAPPs. 

28 states have so-called “anti-SLAPP” laws, which provide invaluable protections to speakers exercising their First Amendment rights, both online and off. While the laws vary, they typically allow the target of the SLAPP suit to quickly get a court to decide whether the case can go forward, and often require the party bringing the claims to demonstrate they have legitimate legal claims. Anti-SLAPP laws also often allow a victorious target of a SLAPP suit to recover attorneys’ fees from the party who brought the meritless claims. 

Without anti-SLAPP laws, plaintiffs could bring a meritless claim against speakers that they have no intention of winning—just to stop the speech or inflict financial stress by forcing those targeted by the suits to pay for attorneys to defend against meritless claims.

Texas has one of the premier anti-SLAPP laws in the country: the Texas Citizens Participation Act, or TCPA. The law currently applies to a broad range of protected First Amendment activity, including discussing matters of public importance or speaking at a government proceeding. A bill introduced earlier this month, H.B. 2730, would gut these and other important protections. 

The attempt to substantially weaken and narrow the TCPA is particularly concerning because, since its passage in 2011, the law has disposed of numerous lawsuits filed against Texans who were exercising their free speech rights.

Some examples of the TCPA’s success at stopping meritless lawsuits include:

  • A Dallas area couple who were sued by a pet-sitting company when they left a negative Yelp review
  • Individuals who complained about using a “fascia blaster” treatment on Facebook, which prompted the company selling the product to sue
  • Anonymous speakers who posted comments on a nonprofit’s website avoided being unmasked by a group of lawyers seeking to find out their identities
  • An online critic of a multi-level marketing company was sued after publishing blog posts that were critical of the company

If H.B. 2730 passes, the protections enjoyed by the speakers described above and others will be severely threatened. The bill eviscerates several key protections of the TCPA.

First, the bill narrows the scope of activity protected by the law in a way that will allow those bringing lawsuits against speakers to make an end-run around the TCPA’s protections. In short, H.B. 2730 will allow plaintiffs to argue that the because they are alleging the speech was defamatory, the TCPA simply does not apply. 

The bill also removes key definitions that explain what type of activity is protected by the TCPA, creating uncertainty for speakers as to whether the law would protect them, which will chill speech.

Additionally, the bill exempts lawsuits that are based on alleged breach of non-disparagement clauses. These types of contracts are notoriously speech restrictive and have been used by websites and other online services to limit users or customers’ ability to criticize products or services. Worse, these terms are often buried deep in form contracts.

H.B. 2730 would also exempt the TCPA from applying to a procedure under Texas law that allows parties to attempt to unmask anonymous online speakers without first filing a lawsuit. EFF has been particularly concerned about the use of this pre-litigation discovery process to target anonymous speakers because it can be abused to harass speakers rather than vindicate legitimate legal claims.

We filed a brief last year in support of anonymous speakers who posted on the employer review site Glassdoor after a business attempted to use Texas’ pre-lawsuit discovery process to learn their identities. Although the Texas Supreme Court declined to rule that the TCPA applied to the pre-suit discovery process, its ruling had the practical effect of protecting anonymous speakers.  

If H.B. 2730 passes, litigants will likely increase their use of Texas’ pre-lawsuit discovery process to attempt to unmask anonymous speakers. That result may well succeed in scaring off online critics, and chilling speech.

The TCPA needs to be defended. It’s a law that’s protected the free speech of more than 28 million Texans, and is a national model for other states.

If you live in Texas, tell your representatives to oppose H.B. 2730. The Texas Protect Free Speech Coalition is organizing opposition to the bill, and the group’s website has sample letters and information to help you make your voice heard. 

Regardless of where you live, join us in advocating for new federal anti-SLAPP protections that will protect those sued in federal court. EFF has supported such measures in the past and will be pushing for them again this year. Last year, we also launched an anti-SLAPP coalition of non-profit groups, to make sure that dissenting voices aren’t drowned out when they’re hit with a SLAPP. Rolling back laws that protect speakers from harassment isn’t the way to go—in Texas, or anywhere else.

If It Really Wants To Restore Debate, Facebook Should Update Its Ad Policy

EFF - Wed, 03/13/2019 - 11:48am

Last week, Facebook CEO Mark Zuckerberg announced a new “privacy-focused” direction for the company that, while sounding great in theory, also set off several alarm bells—including concerns about competition as the company moves to make its messaging properties indistinguishable from one another. As usual for Zuckerberg, it’s all frying pans and fires: just a few days later, it seemed the company had accidentally-on-purpose picked a fight with one leading competition critic — Senator and Presidential candidate Elizabeth Warren — by deleting Facebook ads, placed by her campaign, that advocated breaking up the platform.

Facebook has since restored the ads, and clarified that they were removed solely because they violated policies against the use of the company’s trademarks in advertising on the platform. The company’s advertising platform policy prohibits advertisers from  “represent[ing] the Facebook brand in a way that makes it the most distinctive or prominent feature” of the ad, and use of the logo itself is forbidden.

This policy goes well beyond what the law requires. Trademarks are intended to protect consumers by helping ensure that a person can identify a product’s source. If you prefer Coke over Pepsi, a logo helps you know which to buy. But advertisers, whether commercial or political, can normally use a trademark as part of speech criticizing conduct or to comment upon corporations and products, as long as the use doesn’t suggest endorsement. If an advertiser, especially a political campaign, is using Facebook’s trademark to identify the company in a critical comment, it’s unlikely people would think Facebook endorsed it.

There have always been two groups of people on the platform: those with the power to contest censorship and those without.

Given Facebook’s outsized influence on political discourse, the company’s choice to go beyond the law matters a lot. The ability to reference a company by name and logo in critical commentary is an extraordinarily important aspect of free speech and fair use. This is how Verizon can compare its wireless coverage to AT&T’s and Microsoft can compare its voice recognition to Apple’s—and how you can call the “Super Bowl” the Super Bowl in commentary (or criticism) despite the phrase being trademarked.

Facebook claims it restored Warren’s advertisements "in the interest of allowing robust debate,” and there’s no reason to look for more nefarious reasons for the takedown than the ads having violated the trademark policy. But trademark has often been used to limit debate, accidentally or intentionally, and if the company shuts down ads that use Facebook trademarks by default, then it is also censoring critics and silencing debate by default, as well. As Warren’s ads point out, using the platform is an important way to spread a political message—over 30% of the world’s population use the platform monthly. If it truly wants to restore debate, Facebook should stop censoring first and asking questions later.

This takedown is also a reminder that there have always been two groups of people on the platform: those with the power to contest censorship and those without. After the ads were restored, Warren wrote that “you shouldn't have to contact Facebook's publicists in order for them to decide to "allow robust debate" about Facebook,” and she’s right. If a candidate with less name recognition had their ads removed for a similar reason, it’s difficult to know if they would have been restored.

We’re just in the run-up to the 2020 Presidential campaign cycle, so this issue is only going to get more attention over the next twelve months. While no popular politician has taken a bigger swing at Facebook than Warren, criticisms of it are frequent across the political spectrum. The company is interwoven into the political process so deeply at this moment that every action it takes regarding political ads will be scrutinized closely. In a growing number of countries, Facebook requires a verification process to run such ads, which puts the company in control of whether or not an ad is “political.” Earlier this year, Facebook blocked transparency tools that inform users of how they were being targeted by advertisers. If Facebook wants to allow robust debate—and not be at the center of it—it should update its advertising policy, for political ads at least, and stop taking down uses of its trademark by default.

When Facial Recognition Is Used to Identify Defendants, They Have a Right to Obtain Information About the Algorithms Used on Them, EFF Tells Court

EFF - Tue, 03/12/2019 - 12:22pm

We urged the Florida Supreme Court yesterday to review a closely-watched lawsuit to clarify the due process rights of defendants identified by facial recognition algorithms used by law enforcement.

Specifically, we told the court that when facial recognition is secretly used on people later charged with a crime, those people have a right to obtain information about how the error-prone technology functions and whether it produced other matches.

EFF, ACLU, Georgetown Law’s Center on Privacy & Technology, and Innocence Project filed an amicus brief in support of the defendant’s petition for review in Willie Allen Lynch v. State of Florida. Prosecutors in the case didn’t disclose information about how the algorithm worked, that it produced other matches that were never considered, or why Lynch’s photo was targeted as the best match. This information qualifies as “Brady” material—evidence that might exonerate the defendant—and should have been turned over to Lynch.

We have written extensively about how facial recognition systems are prone to error and produce false positives, especially when the algorithms are used on African Americans, like the defendant in this case. Researchers at the FBI, MIT, and ProPublica have reported that facial recognition algorithms misidentify black people, young people, and women at higher rates that white people, the elderly, and men.

Facial recognition is increasingly being used by law enforcement agencies around the country to identify suspects. It’s unfathomable that technology that could help to put someone in prison is used mostly without question or oversight. In Lynch’s case, facial recognition could help to send him to prison for eight years.

Undercover police photographed Lynch using an older-model cell phone at an oblique angle while he was in motion. The photo, which is blurred in places, was run through a facial recognition algorithm to see whether it matched any images of a database of county booking photos. The program returned a list of four possible matches, the first of which was Lynch’s from a previous arrest. His photo was the only one sent on to prosecutors, along with his criminal records.

The algorithm used on Lynch is part of the Face Analysis Comparison Examination Systems (FACES), a program operated by the Pinellas County Sheriff’s Office and made available to law enforcement agencies throughout the state. The system can search over 33 million faces from drivers’ licenses and police photos. It doesn’t produce “yes” or “no” responses to matches; it rates matches as likely or less likely matches. Error rates in systems like this can be significant and the condition of Lynch’s photo only exacerbates the possibility of errors.

FACES is poorly regulated and shrouded in secrecy. The sheriff said that his office doesn’t audit the system, and there’s no written policy governing its use. The sheriff’s office said it hadn’t been able to validate the system, and “cannot speak to the algorithms and the process by which a match is made.”

That he was identified by a facial recognition algorithm wasn’t known by Lynch until just days before his final pretrial hearing, although prosecutors had known for months. Prior to that, prosecutors had never disclosed information about the algorithm to Lynch, including that it produced other possible matches. Neither the crime analyst who operated the system or the detective who accepted the analyst’s conclusion that Lynch’s face was a match knew how the algorithm functioned. The analyst said the first-listed photo in the search results is not necessarily the best match—it could be one further down the list. An Assistant State Attorney doubted the system was reliable enough to meet standards used by courts to assess the credibility of scientific testimony and whether it should be used at trial. Lynch asked for the other matches produced by FACES—the court refused.

If a human witness who identified Lynch in a line-up said others in the line-up also looked like the criminal, the state would have had to disclose that information, and Lynch could have investigated those alternate leads. The same principle should have required the state to disclose other people the algorithm produced as matches and information about how the algorithm functions, EFF and ACLU told the Florida Supreme Court.

When defendants are facing lengthy prison sentences or even the death penalty, tight controls on the use of facial recognition are crucial. Defendants have a due process right to information about the algorithms used and search results.  The Florida Supreme Court should accept this case for review and provide guidance to law enforcement who use facial recognition to arrest, charge, and deprive people of their liberty.

Related Cases: FBI Facial Recognition Documents

The Patent Office Can’t Ignore Law it Dislikes

EFF - Tue, 03/12/2019 - 10:27am

Last month, we asked EFF supporters to help save Alice v. CLS Bank, the 2014 Supreme Court decision that has helped stem the tide of stupid software patents and abusive patent litigation. The Patent Office received hundreds of comments from you, telling it to do the right thing and apply Alice, not narrow it. Thank you.

Last week, EFF submitted its own comments [PDF] to the Patent Office. In our comments, we explain that Patent Office’s new guidance on patent-eligibility will make it harder—if not impossible—for examiners to apply Supreme Court law correctly. If examiners cannot apply Alice to abstract patent applications, more invalid patents will issue. That’s not only bad for innovation, it also violates fundamental principles of divided government. The Supreme Court interprets laws that Congress passes, not executive branch agencies like the Patent Office.

The Patent Office’s new guidance aims to undermine Alice in two ways. First, the Guidance narrows ineligible abstract ideas to only three possibilities: mental processes, mathematical formula, and methods of organizing human activity. No Supreme Court or Federal Circuit has ever said only three categories of abstract ideas exist. In fact, the Supreme Court in Alice went out of its way to explain that it was not going to “labor to delimit the precise contours of the ‘abstract ideas’ category in this case.”

That omission is not incidental. Instead, of defining a precise “abstract idea” category, the Court endorsed an approach that should be familiar to lawyers: figuring out whether the claims in a given case are abstract, by using past cases. That's how the Court determined that the Alice patent—which covered the idea of using a third-party intermediary—was abstract. It was similar to other abstract patents, like one on the idea of hedging risk. Following Alice, courts have repeatedly recognized abstract ideas by comparing them to other abstract ideas. That is the method the Supreme Court has approved, and the Patent Office should instruct its examiners to apply it as well—not to effectively rewrite its own wishes into the Supreme Court’s decision.

Second, the Guidance creates an entirely new and unprecedented step within the Supreme Court’s two-step test. According to the Patent Office, an application that recites an abstract idea should still get a patent, as long as it integrates the idea into a “practical application.” That means examiners would bypass the critical second step of the Supreme Court’s patent-eligilibity test—identifying an "inventive concept." In Alice, the Supreme Court applied the entire two-step test, and did not suggest there were any loopholes. The idea that any "practical application" is enough to get a patent, even without inventiveness, fails to comply with Alice.

The Patent Office's new guidance cites a handful of Federal Circuit decisions in support of its approach. But it ignores countless cases in which the Federal Circuit has rejected ineligible abstract ideas that the Patent Office will now almost certainly approve, and it ignores key aspects of Alice itself.

The Patent Office has no authority to ignore case law it dislikes. With your help, we will keep fighting to ensure the patent system promotes innovation by limiting patent grants to actual inventions.

The Foilies 2019

EFF - Sun, 03/10/2019 - 11:08am
Recognizing the year’s worst in government transparency

The cause of government transparency finally broke through to the popular zeitgeist this year. It wasn’t an investigative journalism exposé or a civil rights lawsuit that did it, but a light-hearted sitcom about a Taiwanese American family set in Orlando, Florida, in the late 1990s.

In a January episode of ABC’s Fresh Off the Boat, the Huang family’s two youngest children—overachievers Evan and Emery—decide if they sprint on all their homework, they’ll have time to plan their father’s birthday party.

“Like the time we knocked out two English papers, a science experiment, and built the White House out of sugar cubes,” Evan said. “It opened up our Sunday for filing Freedom of Information requests.”

“They may not have figured out who shot JFK,” Emery added. “But we will.”

The eldest child, teenage slacker Eddie, concluded with a sage nod, “You know, once in a while, it’s good to know nerds.”

Amen to that. Around the world, nerds of all ages are using laws like the United States’ Freedom of Information Act (and state-level equivalent laws) to pry free secrets and expose the inner workings of our democracy. Each year, open government advocates celebrate these heroes during Sunshine Week, an annual advocacy campaign on transparency.

But the journalists and researchers who rely on these important measures every day can’t help but smirk at the boys’ scripted innocence. Too often, government officials will devise novel and outrageous ways to reject requests for information or otherwise stymie the public’s right to know. Even today—20 years after the events set in the episode—the White House continues to withhold key documents from the Kennedy assassination files.

Since 2015, the Electronic Frontier Foundation (a nonprofit that advocates for free speech, privacy and government transparency in the digital age) has published The Foilies to recognize the bad actors who attempted to thwart the quests for truth of today’s Evans and Emerys. With these tongue-in-cheek awards, we call out attempts to block transparency, retaliation against those who exercise their rights to information, and the most ridiculous examples of incompetence by government officials who handle these public records.

The Corporate Eclipse Award - Google, Amazon, and Facebook

Sunshine laws? Tech giants think they can just blot those out with secretive contracts. But two nonprofit groups—Working Partnerships and the First Amendment Coalition—are fighting this practice in California by suing the city of San Jose over an agreement with Google that prevents city officials from sharing the public impacts of development deals, circumventing the California Public Records Act.

Google’s proposed San Jose campus is poised to have a major effect on the city’s infrastructure, Bloomberg reported. Yet, according to the organization’s lawsuit, records analyzing issues of public importance such as traffic impacts and environmental compliance were among the sorts of discussions Google demanded be made private under their non-disclosure agreements.

And it’s not just Google using these tactics. An agreement between Amazon and Virginia includes a provision that the state will give the corporate giant—which is placing a major campus in the state—a heads-up when anyone files a public records request asking for information about them. The Columbia Journalism Review reported Facebook has also used this increasingly common strategy for companies to keep cities quiet and the public in the dark about major construction projects.

The Unnecessary Box Set Award - Central Intelligence Agency

Courtesy of National Security Counselors

After suing the CIA to get access to information about Trump’s classified briefings, Kel McClahanan of the National Security Law Center was expecting the agency to send over eight agreed-upon documents.

What he was not expecting was for the files—each between three and nine pages each—-to be spread out across six separate CD-ROMs, each burned within minutes of each other, making for perhaps the most unnecessary box set in the history of the compact disc.

What makes this “extra silly,” McClanahan said, is that the CIA has previously complained about how burdensome and costly fulfilling requests can be. Yet the CIA could have easily combined several requests onto the same disc and saved themselves some time and resources. After all, a a standard CD-ROM can hold 700 MB, and all of the files took only 304 MB of space.

The (Harlem) Shaky Grounds for Redaction Award - Federal Communications Commission

%3Ciframe%20width%3D%22560%22%20height%3D%22315%22%20src%3D%22https%3A%2F%2Fwww.youtube-nocookie.com%2Fembed%2FLFhT6H6pRWg%3Fautoplay%3D1%22%20frameborder%3D%220%22%20allow%3D%22accelerometer%3B%20autoplay%3B%20encrypted-media%3B%20gyroscope%3B%20picture-in-picture%22%20allowfullscreen%3D%22%22%3E%3C%2Fiframe%3E Privacy info. This embed will serve content from youtube-nocookie.com

After repealing the Open Internet Order and ending net neutrality, Federal Communications Commission Chairman Ajit Pai doubled down on his efforts to ruin online culture. He released a cringe-inducing YouTube video titled “7 Things You Can Still Do on the Internet After Net Neutrality" that featured his own rendition of the infamous “Harlem Shake” meme. (For the uninitiated, the meme is characterized by one person subtly dancing in a room of people to Baauer’s track “Harlem Shake.” Then the bass drops and the crowd goes nuts, often with many people in costumes.)

Muckrock editor JPat Brown filed a Freedom of Information Act request for emails related to the video, but the FCC rejected the request, claiming the communications were protected “deliberative” records.

Brown appealed the decision, and the FCC responded by releasing all the email headers, while redacting the contents, claiming that anything more would cause  “foreseeable harm.” Brown did not relent, and a year later the FCC capitulated and released the unredacted emails.

“So, what did these emails contain that was so potentially damaging that it was worth risking a potential FOIA lawsuit over?” Brown writes. “Pai was curious when it was going live, and the FCC wanted to maintain a veto power over the video if they didn’t like it.” The most ridiculous redaction of all was a tiny black box in an email from the FCC media director. Once removed, all that was revealed was a single word: “OK.”

The Unreliable Narrator Award - President Donald Trump, the U.S. Department of Justice and U.S. District Court Judges

When President Trump tweets attacks about the intelligence community, transparency groups and journalists often file FOIA requests (and subsequently lawsuits) seeking the documents that underpin his claims. The question that often comes up: Do Trump’s smartphone rants break the seal of secrecy on confidential programs?

The answer seems to be no. Multiple judges have sided with Justice Department lawyers, concluding that his Twitter disclosures do not mean that the government has to confirm or deny whether records about those activities exist.

In a FOIA case seeking documents that would show whether Trump is under investigation, U.S. District Judge Amy Berman Jackson said that the President’s tweets to that effect are “speculation.” Similarly, in a FOIA suit to get more information about the widely publicized dossier of potential ties between Trump and Russia, U.S. District Judge Amir Mehta said that the President’s statements are political rather than “assertions of pure fact.”

And so, whether Trump actually knows what he’s talking about remains an open question.

The Cross-Contamination Award - Stanford Law Professor Daniel Ho

One of the benefits of public records laws is they allow almost anyone—regardless of legal acumen—to force government agencies to be more transparent, usually without having to file a lawsuit.

But in Washington State, filing a public records request can put the requester at legal risk of being named in a lawsuit should someone else not want the records to be made public.

This is what happened to Sarah Schacht, a Seattle-based open government advocate and consultant. For years Schacht has used public records to advocate for better food safety rules in King County, an effort that led to the adoption of food safety placards found in restaurants in the region.

After Schacht filed another round of requests with the county health department, she received a legal threat in November 2018 from Stanford Law School professor Daniel Ho’s attorney threatening to sue her unless she abandoned her request. Apparently, Ho has been working with the health department to study the new food safety and placard regulations. He had written draft studies that he shared with the health department, making them public records.

Ho’s threat amounted to an effort to intimidate Schacht from receiving public records, probably because he had not formally published his studies first. Regardless of motive, the threat was an awful look. But even when faced with the threat, Schacht refused to abandon her request.

Fortunately, the lawsuit never materialized, and Schacht was able to receive the records. Although Ho’s threats made him look like a bully, the real bad actor in this scenario is Washington State’s public records law. The state’s top court has interpreted the law to require parties seeking to stop agencies from releasing records (sometimes called reverse-FOIA suits) to also sue the original requester along with the government agency.

The Scanner Darkly Award - St. Joseph County Superior Court

Courtesy of Jessica Huseman

ProPublica reporter Jessica Huseman has been digging deep into the child welfare system and what happens when child abuse results in death. While following up on a series of strangulations, she requested a copy of a case file from the St. Joseph County Superior Court in Indiana. Apparently, the clerk on the other end simply took the entire file and ran everything through a scanner. The problem was that the file contained a CD-ROM, and that’s not how CD-ROMs work. “Well this is the first time this had happened,” Huseman posted to Twitter, along with the blotchy black-and-white image of the top of the disc. “They scanned a CD as part of my FOI and didn’t give me its contents. Cool cool.”

The Cash for Crash Award - Michigan State Police

As tech companies experiment with autonomous vehicles on public roadways, reporters are keeping tabs on how often these cars are involved in collisions. That’s why The Information’s Matt Drange has been filing records requests for the crash data held by state agencies. Some government departments have started claiming that every line of the dataset is its own, individual record and subject to a copy fee. Our winner, the Michigan State Police, proposed to charge Drange a 25-cent fee for each of a 1.9 million-line dataset, plus $20 for a thumbdrive, for a grand total of $485,645.24, with half of it due up front.  Runners-up that quoted similar line-by-line charges include the Indiana State Police ($346,000) and the North Carolina Department of Transportation ($82,000). Meanwhile, Florida’s government released its detailed dataset at no charge at all.

The Bartering with Extremists Award - California Highway Patrol

In 2016, the Traditionalist Worker Party (TWP), an infamous neo-Nazi group, staged a demonstration at the California State Capitol. Counter-protesters fiercely opposed the demonstration, and the scene soon descended into chaos, leaving multiple people injured. When the dust settled, a member of the public (disclosure: also a co-author of this piece) filed a California Public Records Act request to obtain a copy of the permit the white nationalist group filed for its rally. The California Highway Patrol rejected the request for this normally available document, claiming it was related to a criminal investigation.

Two years later, evidence emerged during criminal proceedings that a CHP detective used the public records request as a bargaining chip in a phone call with the TWP protest leader, who was initially reluctant to provide information. The officer told him how the request might reveal his name. “We don’t have a reason to...uh...deny [the request],” the officer said according a transcript of the call. But once the organizer decided to cooperate, the officer responded, “I’m gonna suggest that we hold that or redact your name or something...uh...until this thing gets resolved.” In light of these new facts, the First Amendment Coalition filed a new request for the same document. It too was denied.

The Preemptive Shredding Award - Inglewood Police Department

In defiance of the law enforcement lobby, California legislators passed a law (SB 1421) requiring police and sheriffs to disclose officer misconduct records in response to California Public Records Act requests. These documents, often contained in personnel files, had historically been untouchable by members of the public and the press.

Almost immediately, police unions across the Golden State began to launch lawsuits to undermine these new transparency measures. But the Inglewood Police Department takes the prize for its efforts to evade scrutiny. Mere weeks before the law took effect on Jan. 1, 2019, the agency began destroying records that were set to become publicly available.

“This premise that there was an intent to beat the clock is ridiculous,” Inglewood Mayor James T Butts Jr. told the LA Times in defending the purge. We imagine Butts would find it equally ridiculous to suggest that the fact he had also been a cop for more than 30 years, including serving in Inglewood and later as police chief of Santa Monica, may have factored into his support for the destruction of records.

The What the Swat? Award - Nova Scotia and Halifax Law Enforcement

One Wednesday morning in April, 15 Halifax police officers raided the home of a teenage boy and his family. “They read us our rights and told us not to talk," his mother would later tell CBC. “They rifled through everything. They turned over mattresses, they took drawers and emptied out drawers, they went through personal papers, pictures. It was totally devastating and traumatic."

You might well wonder, what was the Jack Bauer-class threat to geo-political stability? Nothing at all: The Canadian teen had just downloaded a host of public records from openly available URLs on a government website.

At the heart of the ordeal was some seriously terrible security practices by Nova Scotia officials. The website created to host the province’s public records was designed in such a way that every request and response had a nearly identical URL and placed no technical restrictions on the public’s ability to access any of the requests. This meant that regular public records requests and individuals’ requests to access government files about them, which included private information, were all stored together and available on the internet for anyone, including Google’s webcrawler, to access. All that was necessary was changing a number identifying the request at the end of the URL.

What Nova Scotian officials should have done upon learning about leaks in their own public records website’s problems was apologize to the public, thank the teen who found these gaping holes in their digital security practices, and implement proper restrictions to protect people’s private information. They didn’t do any of that, and instead sought to improperly bring the force of Canada’s criminal hacking law down on the very person who brought the problem to light.

The whole episode—which thankfully ended with the government dropping the charges—was a chilling example of how officials will often overreact and blame innocent third parties when trying to cover up for their own failings. This horror show just happened to involve public records. Do better, Canada.

The Outrageous Fee Request of the Year - City of Seattle

When self-described transparency advocate and civic hacker Matt Chapman sent his request to Seattle seeking the email metadata from all city email addresses (from/to/BCC addresses, time, date, etc), he expected some pushback, because it does sound like an incredible amount of data to wrangle.

Seattle’s response: All the data can be yours for a measly $33 million. Officials estimated that it would take 320 years worth of staff time to review the roughly 32 million emails responsive to Chapman’s request. Oh, and they estimated charging an additional $21,600 for storage costs associated with the records. The fee request is the second highest in the history of The Foilies (the Department of Defense won in 2016 for estimating it would take $660 million to produce records on a particular computer forensic tool).

Then the city did something entirely unexpected: It revisited the fee estimate and determined that the first batch of records would cost only $1.25 to process. We get it, math is hard.

But wait—that’s not all. After paying for the batches of records with a series of $1.25 checks, Chapman received more than he ever bargained for. Rather than disclosing just the metadata for all 32 million emails, Seattle had given him the first 256 characters of every email. Those snippets included passwords, credit card numbers, and other personally identifying information.

What followed was a series of conversations between Chapman, Seattle’s lawyers, and the city’s IT folks to ensure he’d deleted the records and that the city hadn’t just breached its own data via a public records request.

Ultimately, Seattle officials in January 2018 began sending the data to Chapman once more, this time without the actual content of email messages. The whole episode doesn’t exactly inspire confidence in Seattle officials’ ability to do basic math, comply with the public records law or protect sensitive information.

The Intern Art Project Award - Vermont Gov. Phil Scott

Seattle isn’t the only city to stumble in response to Matt Chapman’s public records requests for email metadata. The Vermont governor’s office also wins for its scissor-and-glue approach to releasing electronic information.

Rather than export the email information as a spreadsheet, the Vermont governor’s office told Chapman it had five interns (three of whom were unpaid) working six hours each, literally “cutting and pasting the emails from paper copies.” Next thing Chapman knew, he had a 43-page hodgepodge collage of email headers correlating with one day’s worth of messages. The governor’s attorney told Chapman it would cost $1,200 to process three more days’ worth of emails.

Chapman pushed back and provided his own instructions on exporting the data using a computer and not, you know, scissors and glue. Sure enough, he received a 5,500-line spreadsheet a couple weeks later at no charge.

The Least Transparent Employer Award - U.S. Department of Justice

In the last few years, we’ve seen some great resignation letters from public servants, ranging from Defense Secretary James Mattis telling President Trump “It’s not me, it’s you” to former Attorney General Jeff Sessions’ forced resignation.

But the Trump DOJ seems to have had enough of the tradition and has now determined that U.S. Attorney resignation letters are private in their entirety and cannot be released under the Freedom of Information Act. Of course, civil servants should have their private information protected by their employer, but that’s precisely what redactions should be used to protect.

Past administrations have released resignation letters that are critical of executive branch leaders. The change in policy raises the question: What are departing U.S. Attorneys now saying that the government wants to hide?

The Clawback Award - The Broward County School Board

After the tragic Parkland shooting, the South Florida Sun-Sentinel went to court to force the Broward County School Board to hand over documents detailing the shooter’s education and disciplinary record. A judge agreed and ordered the release, as long as sensitive information was redacted.

But when reporters copied and pasted the file into another document, they found that the content under the redactions was still there and readable. They broke the story of how the school denied the shooter therapeutic services and alternative education accommodations, but then uploaded the school board’s report with working redactions.  

Rather than simply do better with double-checking their redactions next time, the school board struck back at the newspaper. They petitioned the court to hold the newspaper in contempt and to prevent anyone from reporting on the legally obtained information. Although the local judge didn’t issue a fine, she lambasted the paper and threatened to dictate exactly what the paper could report about the case in the future (which is itself an unconstitutional prior restraint).

The Wrong Way to Plug a Leak Award -  City of Greenfield, California

The Monterey County Weekly unexpectedly found itself in court after the city of Greenfield, California sued to keep the newspaper from publishing documents about the surprising termination of its city manager.

When Editor Sara Rubin asked the interim city manager for the complaint the outgoing city manager filed after his termination, she got nothing but crickets. But then, an envelope containing details of a potential city political scandal appeared on the doorstep of one of the paper’s columnists.

The weekly reached out to the city for comment and began preparing for its normal Wednesday print deadline. Then, the morning of publication, the paper got a call saying that they were due in court. The city sued to block publication of the documents, to have the documents returned and to have the paper reveal the identity of the leaker.

Attorney Kelly Aviles of the First Amendment Coalition gave everyone a fast lesson in the First Amendment, pointing out that the paper had every right to publish. The judge ruled in the paper’s favor, and the city ended up paying all of the Monterey County Weekly’s attorney fees.

If it Looks like a Duck Award - Brigham Young University Police

Brigham Young University’s Police Department is certified by the state,* has the powers of the state, but says that they’re not actually a part of government for purposes of the Utah transparency law.

After the Salt Lake Tribune exposed that the University punished survivors of sexual assault for coming forward and reporting, the paper tried to get records of communications between the police department and the school’s federally required sexual assault coordinator. BYU pushed back, saying that the police department is not subject to Utah’s Government Records Access and Management Act because the police department is privately funded.

This actually turns out to be a trickier legal question than you’d expect. Brigham Young University itself isn’t covered by the state law because it is a private school. But the university police force was created by an act of the Utah legislature, and the law covers entities “established by the government to carry out the public’s business.” Investigating crime and arresting people seems like the public’s business.

Last summer, a judge ruled that the police department is clearly a state agency, but the issue is now on appeal at the Utah Supreme Court. Sometime this year we should learn if the police are a part of the government or not.

*Because BYU police failed to comply with state law, and was not responsive to an internal investigation, the Utah Office of Public Safety notified the department on February 20th that the BYU police department will be stripped of its certification on September 1, 2019. The University police also plan to appeal this decision.

The Insecure Security Check Award - U.S. Postal Service

Congressional elections can turn ugly, but the opponent of newly elected U.S. Rep. Abigail Spanberger got a boost when the U.S. Postal Service released Spanberger’s entire personnel file, including her security clearance application, without redaction of highly sensitive personal information.

When a third party requests a person’s federal employment file without the employee’s permission, the government agency normally releases only a bare-bones record of employment dates, according to a Postal Service spokesperson. But somehow Rep. Spanberger wasn’t afforded these protections, and the Postal Service has potentially made this mistake in a “small number” of other cases this year. Security clearance applications (Form SF-86) are supposed to be analyzed and investigated by the FBI, raising questions about how the FOIA officer got the information in the first place. The Postal Service has apologized for the mistake, which they say is human error, but maybe security clearance applications should be kept just as secure as the state secrets the clearance is meant to protect.

The Foilies were compiled by Electronic Frontier Foundation Senior Investigative Researcher Dave Maass, Staff Attorney Aaron Mackey, Frank Stanton Fellow Camille Fischer, and Activist Hayley Tsukayama. Illustrations by EFF Art Director Hugh D'Andrade. For more on our work visit eff.org.

The Inextricable Link Between Modern Free Speech Law and the Civil Rights Movement

EFF - Fri, 03/08/2019 - 1:46pm

No excuse is needed to celebrate the civil rights icon Rev. Fred Shuttleworth. But this weekend is an especially appropriate time to recognize his contributions to First Amendment jurisprudence, and the inextricable link between modern free speech law and the civil rights movement of the 1950s and 1960s. This link remains pertinent: the Internet is as important a venue for protest and dissent as streets and newspapers were then, especially in light of recent attacks on this legal legacy.

Why this weekend? It marks the anniversaries of the Supreme Court handing down three victories for Shuttlesworth, all three of which shed light on the civil rights-free speech link, and two of which are landmark First Amendment cases of the 20th Century.

March 9, 2019 marks the 55th birthday of the U.S. Supreme Court’s decision in  Abernathy v. Sullivan, 376 U.S. 254 (1964), in which Shuttlesworth was one of the defendants, and of the summarily decided Shuttlesworth v. Birmingham, 376 U.S. 339 (1964). March 10, 2019 marks the 50th birthday of a different Shuttlesworth v. Birmingham, 394 U.S. 147 (1969).1 All of these historically and doctrinally important cases are discussed below.

The Sullivan Cases

Abernathy v. Sullivan was decided in the same opinion as New York Times v. Sullivan.2 The Court’s joint opinion escalated the standards required of defamation lawsuits brought by public figures, protecting the rights of both the public and the press to criticize the operations of government. The decision was an historic free speech victory when it was decided in 1964, and continues to protect the Internet as a forum for free speech today.

This history reminds us that the development of modern First Amendment law was driven in large part by civil rights concerns. 

Because “New York Times v. Sullivan” is the name on the Court’s opinion and frequently talked about as a free press case, that they were also civil rights cases often gets overlooked. But the cases' civil rights history is crucially important for the contemporary debate about speech online. This history reminds us that the development of modern First Amendment law was driven in large part by civil rights concerns. And it reminds us that the First Amendment still serves civil rights concerns today by continuing to demand exacting scrutiny of race-neutral laws subject to race conscious applications.

This history also attains greater relevance in light of Justice Thomas’s recent troubling call for the U.S. Supreme Court to re-examine the landmark Sullivan ruling. Justice Thomas’s statement, while the voice of only one Supreme Court justice, is especially concerning in light of President Trump’s aspiration to “open up the libel laws,” which seems to be aimed at overruling Sullivan.

In Sullivan, the Supreme Court firmly rejected the efforts of Southern officials opposed to civil rights to strangle the civil rights movement through crushing defamation liability judgments in state courts in Alabama and elsewhere. Were it not for the Sullivan decision, they may well have succeeded. It’s a lesson we should not forget as we consider today’s debates about free speech online. The opinion addresses issues like what we might now call “fake news” and attacking intermediaries to silence the speakers who rely on them. The strategy of bringing defamation and similar claims to try to drown political opposition certainly continues today, for example, with recent efforts to sue Greenpeace and other protestors.

Contrary to Justice Thomas’ remarks in 2019 that “[t]he states are perfectly capable of striking an acceptable balance between encouraging robust public discourse and providing a meaningful remedy for reputational harm,” the Supreme Court in 1964 did not trust Alabama to do so, or to apply other seemingly neutral laws in an acceptable way. That lack of distrust was well-founded. The plaintiff-friendly common law of defamation applied by the Alabama courts, and most states, was just one tool that officials and courts used as part of a widespread effort to suppress the civil rights movement. Indeed, Sullivan was just one of several cases the Supreme Court decided against Alabama officials in 1964 alone repudiating their efforts to broadly suppress the civil rights movement.3

The civil rights background of the case was not incidental; rather, it played a critical role in the soaring First Amendment victory. The Court framed the case as an instance of government officials using the instruments of state tort law to punish those seeking to change governmental practices through protest and dissent. The Court acknowledged that officials had in effect reinstated the long-discredited law of seditious libel (the crime of criticizing the government). The Supreme Court rightfully recognized that while previous efforts to perpetuate institutionalized racial discrimination employed race-based laws, the use of race-neutral legal concepts4 like defamation law posed a uniquely dangerous threat.

Moreover, it was critical to the Court’s analysis that the New York Times was acting as an intermediary for the speech of civil rights activists. The Times was viewed by Southern segregationists as a vital avenue for communicating the messages of the civil rights movement, both through its intermediary function of running advertisements and letters to the editor, as well as through its own reporting.

Justice Brennan’s opinion, echoing the ministers’ arguments,5 emphasized that the First Amendment rights it vindicated were not just those of the press (the speech at issue was not the New York Times’ original content, but of a paid advertisement) but of those those who relied on the newspaper to disseminate their messages. Justice Brennan acknowledged that “‘editorial advertisements’” were “an important outlet for the promulgation of information and ideas by persons who do not themselves have access to publishing facilities—who wish to exercise their freedom of speech even though they are not members of the press. The effect would be to shackle the First Amendment in its attempt to secure ‘the widest possible dissemination of information from diverse and antagonistic sources.’”6 The Court further recognized the disastrous effects of civil damages awards on individual speakers: “Whether or not a newspaper can survive a succession of such judgments, the pall of fear and timidity imposed upon those who would give voice to public criticism is an atmosphere in which the First Amendment freedoms cannot survive.”7

Sullivan’s libel suit was just one of several similar attacks on the New York Times. Indeed, prior to filing his lawsuit, L.B. Sullivan himself issued a statement condemning “the prejudiced Northern press,” and “their program of racial strife and exploitation and financial gain and spectacular distorted news coverage.”8 These tactics were largely effective: because of the lawsuits, the New York Times pulled its Alabama reporter for several years, sharply limiting its original reporting on events there.9

Both NYT v Sullivan and Abernathy et al. v. Sullivan, were based on the same speech: the March 29, 1960 publication in the New York Times of an advertisement raising money for The Committee to Defend Martin Luther King and The Struggle for Freedom in The South.

The ad, “Heed Their Rising Voices,” alleged that law enforcement across the Southeast U.S. had committed various improper acts against nonviolent civil rights demonstrators, what the ad called “an unprecedented wave of terror by those who would deny and negate that document [the U.S. Constitution] which the whole world looks upon as setting the pattern for modern freedom.” The following were among the allegations:

In Montgomery, Alabama, after students sang “My Country, ‘Tis of Thee” on the State Capitol steps, their leaders were expelled from school, and truck-loads of police armed with shotguns and tear-gas ringed the Alabama State College Campus.  When the entire student body protested to state authorities by refusing to re-register, their dining hall was pad-locked in an attempt to starve them into submission. 

 . . . . 

Again and again the Southern violators have answered Dr. King’s peaceful protests with intimidation and violence.  They have bombed his home almost killing his wife and child.  They have assaulted his person.  They have arrested him seven times-for “speeding.” “loitering” and similar “offenses.”  And now they have charged with “perjury”—under which they could imprison him for ten years.   Obviously, their real purpose is to remove him physically as the leader to whom the students and millions of others—look for guidance and support, and thereby to intimidate all leaders who may rise in the South.  Their strategy is to behead this affirmative movement, and thus to demoralize Negro Americans and weaken their will to struggle.  The defense of Martin Luther King, spiritual leader of the student sit-in movement, clearly, therefore, is an integral part of the total struggle for freedom in the South.10

The ad listed as signatories 80 prominent persons from entertainment, politics, and the civil rights movement, and included the additional note that “We in the south who are struggling daily for dignity and freedom warmly endorse this appeal,” followed by the names and locations of 20 Southerners, mostly clergy members active in the civil rights movement. Among these endorsers were four prominent Alabama-based clergymen active in Dr. King’s Southern Christian Leadership Conference: Ralph Abernathy, Fred Shuttlesworth, S.S. Seay, Sr., and Joseph Lowery.

About two weeks after the publication of the ad, five Alabama officials (Alabama governor John Patterson, Montgomery mayor Earl D. James, and Montgomery city commissioners L.B. Sullivan, Franks Parks, and Clyde Sellers) each demanded that the four Alabama-based ministers and the New York Times retract the statements in the ad.11 The ministers did not respond to the demand, explaining later that they had not authorized the use of their names in the ad and knew nothing about it.12

Each of these officials then filed their own libel lawsuit. Each lawsuit named the same defendants: the New York Times and the four Alabama-based ministers. Neither the ad’s creator, the Committee to Defend Martin Luther King, nor any of the other signatories or endorsers—with one notable exception—were named in these lawsuits.13

Sullivan’s case was decided first and resulted in a $500,000 verdict against the ministers, delivered by an all-white jury. James received an identical $500,000 verdict a few months later.14 Because Alabama law required the ministers to post a $2 million bond against those damage awards in order to appeal the case, which they could not do, the state confiscated the ministers’ bank accounts and sold cars and real estate that they owned.15  This financial persecution of the ministers drove the leadership of the Southern Christian Leadership Conference out of “the toughest parts of the South.”16  

In appealing the Sullivan verdict, the ministers made not only First Amendment arguments, but due process and equal protection defenses, as well. The due process defenses were based on the lack of evidence that they had authorized the ad. The equal protection concerns reflected a series of problems: the trial courtroom was racially segregated, the jury was all-white, and the judge in a related case had said that the 14th Amendment was inapplicable in Alabama courts, which were instead governed by “white man’s justice.”17 In their petition for certiorari, the ministers claimed that if the verdict were not reversed, “not only will the struggles of Southern Negroes towards civil rights be impeded, but Alabama will have been given permission to place a curtain of silence over its wrongful activities.”

The ministers’ First Amendment arguments before the Supreme Court claimed infringements on the “freedoms of speech, press, assembly, and association.”18 Their brief portrayed the libel claims as part of a concerted effort to perpetuate segregation through “lynching, violence and intimidation, through restrictive covenants, Black Codes and Jim Crow laws” and “part of a concerted, calculated program to carry out a policy of punishing, intimidating and silencing all who criticize” Alabama’s enforced segregation.19 The broad reach of both the Abernathy case and the New York Times cases was acknowledged in the New York Times oral argument, when Justice Goldberg confirmed that the New York Times was not arguing for a special rule for newspapers, but rather for free speech rights generally.20

The Court issued one opinion to resolve both cases, importantly entering judgment in favor of the defendants rather than remanding the case back to Alabama state courts for new trials.21

Sullivan is revered today because it transformed the common law of defamation and firmly pushed back against of the use of libel actions to punish political criticism. Prior to the Court’s decision, defamation law in Alabama (like that of most states) allowed a plaintiff to win a defamation lawsuit with a relatively minimal showing. In particular, to state a defamation claim based on statements that naturally tended to injure a person’s reputation, profession, trade, or business, or bring them into public contempt, a plaintiff needed merely prove that the defendant published the statements to at least one other person, and that the statements were about the plaintiff. A successful plaintiff did not need to prove that anyone believed the statements to be true, or that their reputation was damaged in any way, or that they suffered any particular injury, financial or otherwise. The plaintiff did not need to prove that the defendant was at fault – they faced no requirement to prove either that the defendant made a mistake or acted unreasonably, or that the defendant acted with any intent to harm or spread falsehoods. The plaintiff did not have to prove falsity, though a defendant could successfully defend a case by proving that the statement was true.

But in Sullivan, the Court changed the longstanding common law in several ways, each of which protects speakers seeking to challenge oppression:

  • Sullivan shifted the burden of proving falsity to the plaintiff (Otherwise, “would-be critics of official conduct may be deterred from voicing their criticism, even though it is believed to be true and even though it is, in fact, true, because of doubt whether it can be proved in court or fear of the expense of having to do so.”).22
  • Sullivan required plaintiffs who are public officials to prove “actual malice” –that the defendant intended to lie, or recklessly spread statements despite strongly suspecting they were false. The decision recognized the “citizen-critic’s” duty to criticize public officials, and specifically held that a finding of mere negligence was not sufficient for defamation claims brought by public officials.23
  • Sullivan required that actual malice be proved with “convincing clarity,” a more demanding standard than preponderance of the evidence standard usually sufficient in civil cases.24
  • Sullivan held that statements about the operation of government generally are not statements about which a particular official can sue; this would be too close to the government itself suing for libel.25

The Court also assumed that the infamous Alien and Sedition Acts, passed by the very first Congress, were in retrospect unconstitutional, although they had expired without ever being tested by the Supreme Court.26

The Court found that the ministers could not have known of the false statements in the ad, and thus lacked the required actual malice—even if it could be proven that they had authorized the use of their names in the advertisement. This First Amendment ruling thus compelled judgment in their favor, and the Supreme Court found it unnecessary to rule on the ministers’ due process and equal protection arguments.27

The Court’s use of the First Amendment as an implement for civil rights in Sullivan is even more pronounced considering that later in its 1964 term, the Supreme Court issued another significant ruling against Alabama officials. In NAACP v. Alabama, 377 U.S. 288 (1964), the final ruling in the NAACP’s long legal battle to operate in Alabama, the Court rejected the last of the state’s procedural arguments. Alabama had asserted that the NAACP had not properly registered to operate in the state and the state judge hearing its challenge ordered the NAACP to disclose its membership. In the fourth iteration of the case to make it to the Supreme Court, the Court catalogued the history of the Alabama judiciary’s efforts to evade the Court’s rulings regarding the NAACP. Court then finally ended the case; defeating another seemingly race-neutral tactic—compelled disclosure of membership lists—that was a common tool of those trying to suppress civil rights activism.28 With the Court’s decision, the NAACP was able to resume operations in Alabama. EFF used this same precedent to challenge the NSA’s mass collection of telephone records as violating the right of several political groups to freely associate without governmental knowledge of their membership lists in First Unitarian Church v. NSA.

Shuttlesworth v. Birmingham (1964)

On the very same day the Supreme Court decided Sullivan, it also decided a different case in favor of Shuttlesworth, upholding his First Amendment rights to speak out against segregation.

In Shuttlesworth v. Birmingham (1964), the Court, unanimously and without an opinion, reversed Shuttleworth’s conviction for interfering with the chief of police during the Birmingham attacks on the Freedom Riders. The Freedom Riders were civil rights activists who, starting in 1961, rode interstate buses through the south to challenge illegal segregation. A group had been stranded in Birmingham after an attack by KKK members, purportedly aided by the local police, prompted the bus drivers there to refuse to drive them to their next stop. A crowd of approximately 300 supporters who showed up at the bus station to offer support to the Freedom Riders were met by the police.

During this confrontation, Shuttleworth was arrested for interfering with the chief of police’s effort to take the Freedom Riders into supposed “protective custody.” Shuttlesworth apparently interfered with this dubious effort by “block[ing] the chief’s path using words with an intent to do so ‘in rudeness and anger.’” Shuttlesworth was convicted, and his conviction was upheld by the Alabama Court of Appeals, which found that even if the chief was not conducting a valid operation, Shuttlesworth could still be convicted of the alternate crime of assault, again based solely on his spoken words. Shuttlesworth v. Birmingham, 41 Ala. App. 1, 2 (1962). The U.S. Supreme Court summarily reversed, seeming to hold that Shuttleworth’s conviction could not be based on a charge he did not have the opportunity to defend.

Shuttlesworth v. Birmingham (1969)

The Supreme Court’s 1969 decision in a different case also titled Shuttlesworth v. Birmingham remains one of the Court’s most important prior restraint cases. We’re relying on it now, in our ongoing challenges to National Security Letter (NSL) gag orders.  

In April 1963, Shuttleworth was one of three ministers who led a procession of 52 people from a church and through Birmingham. The march used the sidewalks and obeyed all traffic signals. The Birmingham police stopped the marchers after four blocks and arrested them for violating the local law that required a permit for any public protest. The law gave the city the power to deny a permit if “in its judgment the public welfare, peace, safety, health, decency, good order, morals or convenience require that it be refused.” Shuttlesworth was convicted and sentenced to 90 days in imprisonment at hard labor, and almost $100 in fines and costs. After his conviction was affirmed by the Alabama Supreme Court, he appealed to the U.S. Supreme Court.

In reversing the conviction, the Supreme Court set forth the requirements that still apply to day for permit schemes. These schemes cannot vest officials with permitting authority “without narrow, objective, and definite standards to guide” them. Permit schemes that vest officials with wholly subjective, unguided discretion, as the Birmingham law did, are unconstitutional, and may be ignored without penalty. The Court also used the case to affirm that protests, pickets, parades, marches, and demonstrations are indeed “speech” protected by the First Amendment. 

Free Speech and Civil Rights Continue to Intertwine

This history about the context in which these cases were decided helps clarify the profound importance of the decision—not only as a matter of constitutional jurisprudence, but also as a crucial moment in U.S. legal and political history. Far from being a seminal moment only for press freedom, the decision ushered in a new era of respect for First Amendment principles across multiple contexts, and reveals how rights ultimately intersect. 

As we consider the free speech fights of today, it’s important to recall that the same intersection requires protection now as much as ever.  We need a strong First Amendment today, protecting today’s marginalized voices in their use of online tools to achieve equity and freedom online, as much as we did fifty-five years ago.   

  • 1. None of these was Shuttlesworth’s only Supreme Court victory. In the 1963 term, the Court decided Shuttlesworth v. Birmingham, 373 U.S. 262 (1963), which reversed Shuttlesworth’s conviction for aiding and abetting trespassing based on his acts of recruiting volunteers to take part in a sit-down demonstration at segregated lunch counters. The Supreme Court vacated Shuttlesworth’s conviction, and many others, finding no trespass because the the protestors were unconstitutionally excluded from the lunch counters. That case first reached the Supreme Court in 1962, when the Court first allowed Shuttleworth to appeal his state conviction in federal court. In re Shuttlesworth, 369 U.S. 35 (1962). In the 1965 term, the Court reversed a conviction for loitering after Shuttlesworth led a group of picketers outside a segregated department store. Shuttlesworth v. Birmingham, 382 U.S. 87 (1965). Shuttlesworth was also one of the petitioners in Walker v. Birmingham, 388 U.S. 307 (1967), which affirmed the issuance of an injunction against a planned walking protest, the same protest that gave rise to Shuttlesworth conviction later overturned in the 1969 case. Also, in 1958, Shuttlesworth was the legal representative of his daughter in her lawsuit challenging Alabama’s school segregation law. The Supreme Court summarily affirmed the dismissal of that case in Shuttlesworth v. Board of Education, 358 U.S. 101 (1958).
  • 2. Although the Supreme Court decided the cases in one opinion, the cases were briefed and argued separately.
  • 3. Shuttlesworth v Birmingham (1964) and NAACP v. Alabama (1964) are discussed below.
  • 4. As Professor Christopher Schmidt has written, “By the late 1950s and early 1960s, however, the tactic of defending legalized segregation on its own terms had largely run its course. Legally mandating racial segregation and other forms of overt racial discrimination was rapidly becoming a lost cause .… Unlike the legal battles segregationists waged in the 1940s and 1950s, this new legal attack on the Civil Rights Movement relied on laws that said nothing about race. These were laws regulating disorderly conduct, trespass, disturbing the peace, and defamation. Even tax law became a weapon against the Civil Rights Movement. As the Movement gained momentum, segregationists used these and other race-neutral laws to target civil rights activists and their allies. The race-conscious use of race-neutral law became Jim Crow’s front line of defense.” Christopher W. Schmidt, New York Times v. Sullivan and the Legal Attack on the Civil Rights Movement,” 66 Ala. L. Rev. vol. 2, 295, 293 (2014).

    Aside from defamation law, civil rights organizations like the NAACP were subject to laws regulating the legal profession, students were subject to disciplinary actions for protesting, organizations and leaders were prosecuted for tax evasion, and disorderly conduct and trespass laws were disproportionately enforced against civil rights protestors. Schmidt at 299-306.

  • 5. The ministers made this argument in several of the cases arising from the ad. For example, their Complaint in Abernathy v. Patterson, a case challenging the seizure of their assets pending the appeal of the state trial court’s Sullivan verdict, alleged that “The defendants herein at some time thereafter conspired and planned under the color of law and utilizing their official positions, as well as the judicial machinery of the State, to deter and prohibit the plaintiffs and their supporters as set forth above, from utilizing their constitutional rights and in particular their right to access to a free press, by instituting fraudulent actions in libel against the plaintiffs, without any basis in law or fact, in the Alabama State courts, arising out of the aforesaid advertisement.” Abernathy v. Sullivan, 295 F.2d 452, 454 (5th Cir. 1961).
  • 6. 376 U.S. at 266.
  • 7. Id. at 278.
  • 8. Schmidt at 304-05.
  • 9. William E. Lee, “Citizen-Critics, Citizen Journalists, and the Perils of Defining the Press,” 48 Ga. L. Rev. 757, 759 n.10 (2014).
  • 10. There were apparently several inaccuracies in these statements: “Although Negro students staged a demonstration on the State Capitol steps, they sang the National Anthem and not "My Country, 'Tis of Thee." Although nine students were expelled by the State Board of Education, this was not for leading the demonstration at the Capitol, but for demanding service at a lunch counter in the Montgomery County Courthouse on another day. Not the entire student body, but most of it, had protested the expulsion, not by refusing to register, but by boycotting classes on a single day; virtually all the students did register for the ensuing semester. The campus dining hall was not padlocked on any occasion, and the only students who may have been barred from eating there were the few who had neither signed a preregistration application nor requested temporary meal tickets. Although the police were deployed near the campus in large numbers on three occasions, they did not at any time "ring" the campus, and they were not called to the campus in connection with the demonstration on the State Capitol steps, as the third paragraph implied. Dr. King had not been arrested seven times, but only four, and although he claimed to have been assaulted some years earlier in connection with his arrest for loitering outside a courtroom, one of the officers who made the arrest denied that there was such an assault. [¶] . . . . Although Dr. King's home had, in fact, been bombed twice when his wife and child were there  . . .  the police were not only not implicated in the bombings, but had made every effort to apprehend those who were.”
  • 11. See Parks v. New York Times, 308 F.2d 474, 476 (5th Cir. 1962).
  • 12.

    According to: “John Murray, who helped prepare the ad for the Committee to Defend Martin Luther King, testified that the ministers' names were not in the first version of the ad brought to the Times.,. Bayard Rustin, executive director of the Committee to Defend Martin Luther King, was not satisfied with the draft of the ad and instructed Murray to include the names of ministers whose churches were affiliated with the SCLC. Rustin insisted it was not necessary to get permission for the use of names "because they were all part of the movement." Lee at 761 n. 17. See also Anthony Lewis, Make No Law, at 32 n.5 (1991); Kermit L. Hall 7 Melvin Urofsky, New York Times v. Sullivan, at 16-17 (Peter Charles Hoffer & N.E.H. Hull eds., 2011).

    The specific legal theory Sullivan, James, and the others pursued against the ministers was one of ratification or adoption, whereby the silence of the ministers in response to the retraction demand made them responsible for its contents even if they did not in advance approve or know of the inclusion of their names as endorsers. The 5th Circuit ultimately found that such silence, in addition to evidence that the ministers may have benefitted from the ad, since the SCLC ultimately received some of the funds raised, was sufficient to support a finding a ratification. Parks, 308 F.2d at 479.

  • 13. Governor Patterson’s lawsuit also named Dr. King, who was also listed as an “endorser,” as a defendant. Dr. King, in a deposition in the case, similarly testified that he had not authorized the inclusion of his name as a signatory. Some believe that the four individual Alabama residents were sued as a legal maneuver to make sure that the cases were tried in Alabama state courts, rather than removed to federal court, as they likely would have been had a non-Alabama entity, the New York Times, been the only defendant. See Lewis at 13. But the four ministers themselves believed they were specifically targeted as part of a broader effort by Alabama officials to suppress the civil rights movement in that state. See Lee at 758 & n.1, 764. They filed a lawsuit to this effect in which they sought to enjoin enforcement of Sullivan and James judgments pending appeal. See Abernathy v. Patterson, 295 F.2d 452 (5th Cir. 1961) (affirming dismissal of the case).
  • 14. See Parks, 308 F.2d at 476. The other cases did not go to trial before the Court ruled in New York Times v Sullivan, effectively ending all of the cases based on the ad.
  • 15. Lee at 759. The ministers field a separate action to enjoin the state from confiscating and selling their property, but that action was dismissed. Abernathy v. Patterson, 295 F.2d 452 (5th Cir. 1961) (affirming dismissal of the case).
  • 16. Lee at 759 & n. 10 (quoting Taylor Branch, Parting the Waters 580 (1988).
  • 17. Lee at 761 n.16.
  • 18. Lee at 764.
  • 19. Lee at 765.
  • 20. Lee at 766.
  • 21. Lee at 763-64.
  • 22. 376 U.S. at 279.
  • 23. Id. at 282
  • 24. Id. at 286
  • 25. Sullivan was not named in the ad. Rather, he, and in their separate cases, the other officials, claimed that as the city commissioner who oversaw the police he could maintain a libel lawsuit based on any statement about police misconduct or wrongful arrests. The Supreme Court ruled that an individual official cannot sue based on general criticism of the government, that such general statements do not adequately pertain to the individual and damage their individual reputation. 376 at 288.
  • 26. Id. at 273-74.
  • 27.

    Some commentators believe that this was purposeful in order to provide maximum protection to civil rights activism going forward – that the due process and equal protection claims could not have been decided without remanding the case back to the Alabama courts and effecting only piecemeal change when much larger change was needed. Lee at 764.

  • 28. Louisiana used this same tactic against the NAACP and other organizations, including the Southern Conference Education Fund. Mississippi passed a law requiring all teachers to disclose the names of all organizations to which they belonged. Arkansas and Virginia had similar laws. See Schmidt at 299-300.

A Privacy-Focused Facebook? We'll Believe It When We See It.

EFF - Thu, 03/07/2019 - 6:55pm

In his latest announcement, Facebook CEO Mark Zuckerberg embraces privacy and security fundamentals like end-to-end encrypted messaging. But announcing a plan is one thing. Implementing it is entirely another. And for those reading between the lines of Zuckerberg’s pivot-to-privacy manifesto, it’s clear that this isn’t just about privacy. It’s also about competition.

The Proof is in the Pudding

At the core of Zuckerberg’s announcement is Facebook’s plan to merge its three messaging platforms: Facebook’s Messenger, Instagram’s Direct, and WhatsApp. The announcement promises security and privacy features across the board, including end-to-end encryption, ephemerality, reduced data retention, and a commitment to not store data in countries with poor human rights records. This would mean that your messages on any of these platforms would be unreadable to anyone but you and your recipients; could be set to disappear at certain intervals; and would not be stored indefinitely or in countries that are likely to attempt to improperly access your data. Even better, the announcement promises that Facebook will not store your encryption keys for any of these services, as is already the case with WhatsApp.

This all sounds great, in theory. But secure messaging is not easy to get right at either the technical or policy level.

Secure messaging is not easy to get right at either the technical or policy level.

In technical terms, end-to-end encryption is only part of the story. In practice, the choices that undermine messaging security often lie far from the encryption engine. Strong authentication, for example, is necessary to ensure that you are messaging only with your intended recipients and not with any law enforcement “ghosts.” Automatic backups are another potential chink in the armor; if you choose to have WhatsApp back up your messages, it stores an unencrypted copy of your messages on iCloud (for iPhone) or Google Drive (for Android), essentially undermining the app’s end-to-end encryption.

The prospect of merging WhatsApp, Instagram, and Messenger also raises concerns about combining identities that users intended to keep separate. Each of the three uses a different way to establish your identity: WhatsApp uses your phone number; Instagram asks for a username; and Messenger requires your “authentic name.” It’s not unusual for people to use each app for different parts of their life; therapists, sex workers, and activists, for example, face huge risks if they can no longer manage separate identities across these platforms.

Zuckerberg’s announcement claims that merging the three apps “would be opt-in and you will be able to keep your accounts separate if you like.” An opt-in—not an opt-out—is an important safety valve and the right choice. Time will tell if a merged “Whatstamessenger” can pull off this promise.

Above all, Facebook needs to be transparent about its business model. For example, while end-to-end encryption protects the contents of your messages, it cannot protect the metadata: who the recipients are, when messages are sent, and even where you are. Will Facebook be tracking and retaining that metadata? What about the possibility of a “super-app” model like WeChat’s? Without transparency about how Facebook will monetize its end-to-end encrypted services, users and advocates cannot scrutinize the various pressure points that business model might place on privacy and security.

We could never get on board with a tool—even one that made solid technical choices—unless it was developed and had its infrastructure maintained by a trustworthy group with a history of responsible stewardship of the tool. Zuckerberg’s statement is vague about how Facebook will consult with “safety experts, law enforcement and governments on the best way to implement safety measures,” and what that will mean for how Facebook responds to government data requests.

Recent news also does not inspire optimism that Facebook can execute responsible stewardship of security and privacy features. One need look no further than this week’s headlines, for example, about the extent to which Facebook has abused the security feature two-factor authentication to share and expose users’ phone numbers.

Pay No Attention to the Competition Concerns Behind the Curtain

Facebook’s privacy-focused vision is also a competition move. Zuckerberg’s out-of-character privacy focus in this announcement takes a page out of the Wizard of Oz: “Pay no attention to the competition concerns behind the curtain!”

This is clearest when Zuckerberg’s announcement turns to “interoperability,” describing how users will be able to message friends on WhatsApp, Instagram, or Messenger from any one of the three apps. But it appears Facebook’s aim isn’t necessarily to make its messaging properties interoperable, but to make them indistinguishable—at least as far as regulators are concerned. Combining the services beyond recognition might give Facebook a technical excuse to sidestep impending competition and data-sharing regulation. Timing is key here: This privacy announcement comes on the heels of a German order to prevent Facebook from pooling user data without consent.

Zuckerberg’s idea of interoperability might better be called “consolidation.”

More broadly, Zuckerberg’s idea of interoperability might better be called “consolidation.” The announcement lays out a convenient future in which users have the freedom to communicate however they want...as long as they use Facebook-owned apps or SMS texting to do it. Zuckerberg’s excuse for excluding everyone else’s apps and messengers from this vision is security: “[I]t would create safety and spam vulnerabilities in an encrypted system to let people send messages from unknown apps where our safety and security systems couldn't see the patterns of activity.” But a future in which Facebook is the sole owner and guardian of our communication methods is not good news for user security, choice, and control.

If Facebook really cares about interoperability, it should pursue open standards that level the playing field, not a closed proprietary family of apps that entrenches Facebook’s own dominance.

Tell Congress to Stand Up for Real Net Neutrality Protections

EFF - Wed, 03/06/2019 - 11:49am

When the FCC announced its intention to repeal the 2015 Open Internet Order, Americans spoke up. When the FCC ignored the fact that most Americans support net neutrality, Americans spoke up again, asking Congress to reverse the FCC’s decision. And the Senate listened. This fight continues in the courts, in the states, and, yes, in Congress.

The just-introduced Save the Internet Act would restore the 2015 Open Internet Order and prevent the FCC from pulling the same stunt it did in 2017 by ignoring facts and the clear desire of the people. Internet service providers (ISPs) like Verizon, AT&T, and Comcast would once again be banned from engaging in discriminatory data practices like blocking, throttling, and paid prioritization. ISPs would once again be accountable for actions that threaten the free and open Internet, public safety, and competition. Privacy protections from your ISP would once again be restored. There would again be protections for real net neutrality.

The Save the Internet Act returns us to the hard-fought-for protections of the 2015 Open Internet Order and we should not settle for anything less. Bills, like H.R. 1101 (Walden), H.R. 1006 (Latta), and H.R. 1096 (McMorris Rodgers), that focus only on blocking, throttling, and paid prioritization miss the vital point that net neutrality is a principle of fairness. We cannot let ISPs try to redefine net neutrality as simply bans on three specific actions. It’s the idea that the provider that you pay to get you online doesn’t get to determine your experience once you’re on the Internet. You decide what you want to see and use, without ISPs stacking the deck in a way that benefits them.

Legislation that protects real net neutrality recognizes that there are more than three ways for ISPs to leverage the fact that they control your access to the Internet and Internet services’ access to you. Legislators that truly believe in a free and open Internet will support the Save the Internet Act and not any bill that does less for Americans.

Americans of both parties have made their opinion on net neutrality clear. Over and over again, we’ve spoken out. And we’re going to keep doing it until we get the Internet we deserve.

Tell your representatives you want them to stand up for real net neutrality. And don’t let them redefine net neutrality by supporting one of the other, net-neutrality-in-name-only bills. Tell them you want them to co-sponsor the Save the Internet Act, and take a stand for Team Internet—not ISPs.

Take Action

Protect Net Neutrality