Electronic Freedom Foundation
Today, EFF once again joined a coalition of privacy advocates filing comments with the California Attorney General (AG) on the latest proposed regulations for the California Consumer Privacy Act (CCPA). The CCPA was passed in June 2018 and took effect on January 1, 2020. Later this year, the AG will finalize regulations that dictate how exactly the law will be enforced.
While the first set of proposed regulations was (as we wrote at the time) a “good step forward” that could have gone further, the first revision to those regulations—published earlier this year—was largely a step backwards for privacy. Two weeks ago, the AG released a second set of revisions to the draft regulations, available here [.pdf]. With the enforcement deadline approaching, the public is running out of chances to weigh in on the rulemaking process. Some of the worst features of the regulations have been cut, but this round of modifications still falls short of a user-friendly implementation of CCPA. In fact, some new provisions added this round threaten to undermine the intent of the law.
For example, the CCPA sets aside a special set of companies, called “service providers,” which are exempt from certain parts of the law. Consumers can’t opt out of having their data sold to service providers in some interactions. In exchange, CCPA is meant to tightly restrict the ways service providers can use data they collect. However, the new draft regulations would greatly expand the ways service providers may use personal data, even allowing them to build profiles of individual people. The new regulations would also allow data brokers that collect information directly from consumers to avoid notifying them of the collection.
Other issues remain from earlier drafts. The latest draft still makes it hard for consumers to exercise their right to opt out of the sale of their personal information. Businesses may not need to treat clear signals like Do Not Track (DNT) as requests to opt out of sale.
Finally, some industry advocates have asked the AG to extend the enforcement deadline—by 6 months or more—amid the global health crisis. But the CCPA went into effect on January 1st, 2020, more than 18 months after its passage, and companies should already be complying with the law. Now, more than ever, consumers need the legal protections offered by CCPA. The AG should not extend the enforcement deadline on behalf of companies who would violate user privacy and the law.
Our coalition letter goes into more detail about these and other issues we have identified with the latest draft regulations. We urge the Attorney General to close business-friendly loopholes and make the CCPA an effective, enforceable tool for user privacy.
Read the coalition's full comments below.
As the proposed sale of the .ORG domain registry to private equity firm Ethos Capital plays out, we see more and more why this sale was rushed through: the longer we have to look at it, the more questions we all have, and the fewer answers we get. For the second time, some of the people questioning the wisdom of this sale are members of the U.S. Congress.
On March 18, Senators Elizabeth Warren, Ron Wyden, Richard Blumenthal, Edward Markey, and Representative Anna Eshoo sent a new letter [.pdf] to the Internet Corporation for Assigned Names and Numbers (ICANN), urging, for the second time, that ICANN reject the “private equity takeover of the .ORG registry.”
The members of Congress pointed out that their previous questions have still not gotten satisfactory answers from ICANN, Public Interest Registry (PIR, the currently-a-nonprofit entity that runs .ORG that will be converted to a for-profit if this sale goes forward), and Ethos Capital. What we do know is that, while PIR claimed that ICANN’s review of the deal is limited to whether the sale will keep .ORG “secure, reliable, and stable,” ICANN itself said, “This is wrong.” ICANN can, in fact, consider the impact of the sale on the “public interest and the interest of the .ORG community.”
Of course, the sale is against the interest of the .ORG community. More than 25,000 people and 858 organizations have signed a letter demanding a stop to the sale. The impact on the public interest is proved by, among other things, the weakness of the “stewardship council” that Ethos claims will prevent them from harming the nonprofit community. Among other problems, PIR has reserved for itself the ability to ignore the council, making its existence basically moot.
The deal loses even on PIR’s preferred home court of the security, reliability, and stability of the .ORG domain registry. Ethos Capital and PIR claim that the benefit of converting PIR from a nonprofit to a for-profit is that it will allow them to take “risks” and develop new “products and services.” The members of Congress point out that in a webinar held last month neither PIR’s CEO nor Ethos’s CEO could give “a single, clear example of a useful new product or service that would be offered in exchange for the private equity-funded takeover of the .ORG domain, or an explanation of how .ORG being operated by a company that is ‘in the business of taking risks’ would be in the public interest.”
Based on EFF’s and Americans for Financial Reform Education Fund’s analysis of what is publicly known about this deal, it seems like the outcome can only be a PIR burdened with debt that will likely be paid off by reducing investments in technical upkeep, which could hurt reliability, security, and stability of the domains; charging nonprofits higher fees, under a new rule that allows PIR to raise prices up to 10% every year; allowing PIR and Ethos Capital to double the registration fee within seven years; and offering unspecified “new products and services” that could harm the interests of nonprofits in .ORG.
Ethos Capital and PIR have tried to use Public Interest Commitments (PICs), in order to make the square peg of this deal fit in the round hole of what is wanted and needed by the .ORG community. One PIC concerns registration fees, but doesn’t address any other burden PIR could place on .ORG registrants, many of whom rely on their .ORG address and have spent years making it a safe and reliable site for people seeking information and help from a nonprofit to go and therefore are incredibly reluctant to give up the address. As the letter from the members of Congress states, “we remain concerned that, if the sale is approved, Ethos can and will impose unlimited additional fees on registrants or registrars, which would not be addressed by the PIC’s price limit on registration fees.”
It’s incredibly important that people looking for help from nonprofits are able to go to the established, stable website to ask for it. In emergencies, people looking for help or reliable information are under extreme stress and need to get to the exact organization they are seeking, without interruption. And if someone is looking to donate to nonprofits providing vital services, it’s equally important they give their money or other gift to the right place.
The important work of the .ORG community should not be interrupted by anything, and certainly not a sale which will wring money out of that community while risking the reliability and stability it needs.
COVID-19 has trapped many of us in our homes, isolating us from family and friends and limiting our movements. But there are few people who feel the isolating impacts of COVID-19 more acutely than those who are actually incarcerated in jails and prisons across the country. As Jerry Metcalf, an inmate in Michigan, wrote for the Marshall Project’s “Life on the Inside” series:
For those of you reading this who feel trapped or are going stir-crazy due to your coronavirus-induced confinement, the best advice I can give you—as someone used to suffering in long-term confinement—is to take a pause, inhale a few deep breaths, then look around at all the things you have to be grateful for.
Metcalf’s is an important perspective to have, but, unfortunately, it is increasingly difficult to hear from inmates like him. That's because prison systems are making it harder for the public to hear from incarcerated people through excessive restrictions on the ways prisoners can express themselves over the Internet.
It’s especially important to hear from Metcalf, and others like him, in this moment—given the heightened risk COVID-19 poses to inmates. The virus has already demonstrated an ability to move swiftly through closed spaces, like cruise ships and nursing homes—and it’s already made its way into several prison systems, the consequences of which we’ll sadly see unfold over the next several weeks. As Metcalf described it, COVID-19 has turned his prison into a “death trap.” Given the potential humanitarian crisis many prisoners now face, it’s critically important to receive unvarnished reports from them about life inside prison walls.
For those outside of prison, social media has been an important tool during the pandemic—helping us connect with family and friends, to share updates and news, and to stay informed.
But, overwhelmingly, the incarcerated cannot connect to the outside world in this way.
At EFF, we’ve long been concerned with government attempts to unduly limit prisoners’ speech—especially by limiting access to technology that would allow the incarcerated to lift their voices beyond the prison walls. These restrictions come in a variety of forms, but one type we’ve paid particular attention to in the past is limitations on access to social media.
Many states prohibit inmates from accessing or posting information to social media in any manner. Some states, like Alabama and Iowa (pdf), go so far as to limit the ability of third-parties outside of prison—like a friend or relative—to post information to social media on an inmate’s behalf. Some of these policies can even extend beyond what we typically think of as social media, prohibiting access to email or even any online publication of prisoners’ speech (including, as a potential example, stories like Metcalf’s published by the Marshall Project). Violations can carry extreme and disproportionate consequences. For example, some inmates in South Carolina received years in solitary confinement for posting on Facebook while in prison.
Even in calmer times, draconian limitations on social media access are dangerous and raise serious First Amendment concerns. Prisoners, and those who support them, use social media to raise awareness about prison conditions; to garner support for court cases or clemency proceedings; and to otherwise advocate for important social and political issues.
Inmates may lose many liberties when they enter the correction system, but the ability to participate in debate online should not be one of them. Censorship of prisoners is also censorship of society at large because it deprives the public of the freedom to read the long letters, consider the long thoughts, and hear the long prayers of people who have lost their freedom.
The need to hear these voices now is particularly important—as prisons begin to close to outside visitors, and further isolate, in an attempt to stave off COVID-19. Jerry Metcalf’s perspective—from inside a prison in Michigan in the midst of a global pandemic—is equally important if it’s published by the Marshall Project or if it’s shared by a relative in a Facebook post. What’s important is that the world is able to hear his story, and those like him, right now.
As the pandemic unfolds, state agencies should take a flexible approach to enforcement of restrictions on inmates’ ability to connect with the outside world, including curbing the enforcement of overly restrictive social media policies. We’ll be carefully watching to make sure any restrictions that are applied are done so consistent with the First Amendment rights of inmates and those who support them.
EFF, ACLU & CDT Argue Five Months of Warrantless Covert 24/7 Video Surveillance Violates Fourth Amendment
Should the fact that your neighbors can see the outside of your house mean the police can use a camera to record everything that happens there for more than five months? We don’t think so either. That’s why we joined ACLU, ACLU of Massachusetts, and the Center for Democracy & Technology in filing an amicus brief last week in the Massachusetts Supreme Judicial Court arguing the Fourth Amendment and Massachusetts’s state equivalent protect us from warrantless video surveillance of our homes.
In Commonwealth v. Mora, Massachusetts State Police secretly installed several cameras high up on utility poles in front of Nelson Mora and Randy Suarez’s homes. These “pole cameras” allowed officers to watch video feeds of the two homes (and by extension everyone going in and out of the homes) in real time, remotely control angle and zoom functions, and zoom in close enough to read license plates. Officers recorded the footage over a period of several months, which allowed them to go back, search through, and review footage at their convenience. They never got a warrant to install the cameras, and the extended surveillance was not subject to any court oversight.
Mora and Suarez moved to suppress the video surveillance, arguing the use of the cameras violated the Fourth Amendment and article 14 of Massachusetts’s Declaration of Rights, which prohibit unreasonable searches.
In our amicus brief, we asked the court to recognize, as the Supreme Court did in U.S. v Carpenter, that, just as collecting cell phone location data over time reveals sensitive information about people, using stationary video surveillance to record all activity in front of a person’s home for months implicitly reveals so much more private, sensitive, and intimate information than the public sees merely walking by the house from time to time. Using this invasive surveillance, the police could learn or infer private relationships, medical information, and political or religious beliefs. And, as with the collection of location data, technological advances make video surveillance cheap and easy for law enforcement to implement, removing the practical privacy protections that existed when the police had to rely on physical surveillance such as covertly positioning actual officers in front of a house (and paying those officers their full salaries).
Our brief also informed the court about recent advances in camera technology and digital storage and search. Cameras can now hone in on small details with startling accuracy. For example, one company has released a camera small enough to fit on a drone that can identify a face from 1,000 feet and read serial numbers on appliances from 100 feet. Casinos are using cameras that can read text messages off phones. And Logan Airport has a camera that can see any object a centimeter and a half wide from a distance of more than one and a half football fields. Digital storage and search capabilities also now make it possible for police departments to hold on to surveillance footage for a long time and to search through footage easily using keyword searches for categories like gender, age, and “appearance similarity.” Even though the cameras that focused on Mora and Suarez’s homes did not have all of these capabilities, the U.S. Supreme Court has instructed that courts should take into consideration technology that is currently in use or in development in conducting their Fourth Amendment analysis.
Finally, we noted that secret video surveillance like this disproportionately impacts minority and poorer communities. The prosecutors in this case argued that Mora and Suarez did nothing to hide their homes from public view, so they couldn’t expect privacy from government surveillance that would in essence “see” the same thing that a worker on the top of a utility pole could see. However, utility poles commonly rise 20-40 feet in the air. Only the very wealthy can live in communities where their properties are either set back so far from these poles as to be hidden from view or the utilities are buried underground. Without the financial resources to live in neighborhoods and homes like this, under the government’s arguments, those with less means would face forced diminishment of their privacy expectations and disproportionate surveillance in direct proportion to their income level.
The Massachusetts Supreme Judicial Court planned to hear this case on April 7, 2020, but that date has been extended, given the current COVID-19 crisis. We will update this post when the court issues its opinion.
Related Cases: United States v. Vargas
EFF and a number of other organizations that advocate for government transparency have signed onto a letter written by the First Amendment Coalition asking the California state judiciary to ensure public access to court proceedings and records.
Many clerk’s offices are restricting entry and many operations of the state court system have moved online in direct response to actions taken by Gov. Gavin Newsom, including the Statewide Order of March 23, 2020, which in effect restricted physical access to and the activities of California’s courts. In the letter, addressed to Chief Justice Tani Cantil-Sakauye, coalition groups urge that while extraordinary measures are needed in the time of a public health emergency:
“we need to recognize that important civil liberties and constitutional rights should not be unduly restricted. While courts are closing buildings, halting proceedings and holding some hearings telephonically, we are concerned members of the press and public will face insurmountable barriers to access judicial records and proceedings.”
Especially in times of crisis as governments make big decisions that could impact the safety and liberty of millions, it is more important than ever that government remain transparent and accessible when it comes to decision making. With so much to be decided, secrecy breeds distrust, panic, and conspiracy theories at a time when people need their government most.
To that end, the letter requests:
- Telephonic hearings must be conducted on conference lines that make allowance for free public usage and dial-in information be made public ahead of the hearing.
- Criminal proceedings must be conducted in a way that the public and press can still safely observe.
- Court records must remain publicly available, and fees for online access waived, until normal operations resume.
These requests echo those EFF has made in other venues to preserve government transparency during the COVID-19 crisis.
EFF recently signed onto a letter urging local and state governments not to give in to panic and secrecy by cutting people off from their right to know what the government is doing and what decisions they are making. “At all times,” the letter said, “but most especially during times of national crisis, trust and credibility are the government’s most precious assets. As people are asked to make increasing sacrifices in their daily lives for the greater good of public health, the legitimacy of government decision-making requires a renewed commitment to transparency.” This included a rejection of the Federal Bureau of Investigation’s decision to totally suspend accepting Freedom of Information Act requests.
EFF has also pushed for digital access to the arguments and processes of the U.S. Supreme Court as a way to make sure the American people are not shut off from the nation’s highest court. Although the Court has suspended oral arguments, once it begins hearing them again, it must allow the public access by broadcasting or releasing same-day video recordings of its proceedings. The Supreme Court recognized the need for this transparency more than 40 years ago, writing that “People in an open society do not demand infallibility from their institutions, but it is difficult for them to accept what they are prohibited from observing.”
Whether it concerns actions dedicated to stop the spread of COVID-19, or just the general everyday operations of government, people have the right to know what their government is up to. In the era of social-distancing, this might require getting creative, but if we’re all moving online to contend with the public health crisis, government transparency can too.
It’s unthinkable that bad actors could take advantage of patent law and keep the public from getting access to COVID-19 tests and treatment, but they can and will—it already happened this month. Fortunately, an often-overlooked section of U.S. patent law allows the government to do something about it.
Patent troll Labrador Diagnostics LLC recently used a portfolio of old patents to sue a company that makes and distributes COVID-19 tests. The story gets weirder: those patents were originally issued to Theranos, the notoriously fraudulent blood-testing company that closed up shop in 2018. It’s a particularly outrageous example of an all-too-common story: a company fails, yet its patents live on as fodder for legal bullying against practicing companies in the same field.
We’re relieved that Labrador has now agreed to grant royalty-free licenses for COVID-19 testing, but this case shows how high the stakes become once a U.S. patent issues and grants its owner the right to stop others from engaging in productive—and here, potentially life-saving—activities. It also shows that these stakes are high because of the power that patents convey—not because patent owners necessarily provide any benefit to the public.
At its core, the patent system exists to enhance the public’s access to innovation, not to compensate individual rightsholders. The patent grant isn’t a paycheck; it represents a trade between an inventor and society. Inventors agree to disclose certain information to the public about how an invention works; in return, they get the right to stop others from making, using, or selling the patented invention without permission for 20 years. In principle, this period of exclusivity allows inventors to recover the costs of research and development and make a profit.
The most vocal defenders of a rigid patent system believe that innovation simply would not happen without that period of exclusivity—in other words, that innovation is simply impossible without government-backed restrictions on access. But the Labrador Diagnostics case is a clear example of a time when the incentives don’t line up right: in this case, exclusivity is standing in the way of innovation. Nonprofit researchers have developed low-cost tests for COVID-19—truly life-saving innovation—that companies like Labrador could block by asserting their patents and thus invoking their right to exclude.
Fortunately, the U.S. government can do something about it. 28 U.S.C. § 1498 allows the government to use or authorize others to use any invention “described in and covered by a patent of the United States.” If such authorization is granted, patent owners can sue the United States, but only for reasonable compensation. That means they cannot seek injunctions against private entities working for the United States government. Nor can they engage in protracted litigation in patent-friendly jurisdictions like the Eastern District of Texas; they must sue the government in a bench trial in the Court of Federal Claims in Washington, D.C.
To stop Labrador and any bad actors that might follow, the government could invoke Section 1498, and thereby make itself—rather than private entities—the defendant in a patent infringement lawsuit. That would save the public from the risk of an injunction that would cut off the public’s access to desperately-needed tests. Long before the current crisis, scholars in the pharmaceutical field have advocated for the government to use Section 1498 to enhance access and reduce drug prices.
As Labrador’s patents on methods of testing show, the effects of patents on access to medical care go beyond the accessibility and affordability of pharmaceuticals. That is especially true as software-based tools and services become more and more integral to our health care system. We already have evidence showing that software patents generally serve to transfer resources from more to less innovative companies. And we have seen patent trolls go after innovative health care companies, as a patent assertion company called “My Health” did, when it sued numerous remote healthcare monitoring services despite the fact that it wasn’t offering any services to the public. Patent abuse could stop software-based healthcare solutions from getting to people who need them.
During the current crisis, we hope the United States government will use its statutory authority under 28 U.S.C. § 1498 to issue compulsory licenses on patents that stand in the way of access to existing technologies and the space to develop new technologies to benefit public health. Whether those technologies are rooted in biochemistry or computer science, the government has the power to mitigate the damage done by opportunists using the patent system to stop practicing companies from bringing needed services to the public. Owners of valid patents would still be entitled to reasonable compensation for the use of their inventions, but they wouldn’t be entitled to stop private companies and nonprofits from doing important work that benefits us all.
One week after Alphabet’s Verily launched its COVID-19 screening website, several unanswered questions remain about how exactly the project will collect, use, and retain people’s medical information.
Verily, a healthcare data subsidiary of Google's parent company Alphabet, has until now operated its Project Baseline as a way to connect potential participants with clinical research. Now, after a confused roll-out, Verily’s Baseline COVID-19 Pilot Program screening and testing website allows users to fill out a multi-question survey about their symptoms and, if they are eligible, directs them to testing locations in a few counties in California.
After a letter from Congress and multiple blog posts, press statements, and not one but two FAQs from Verily, users still do not have enough information about how using this service will affect their medical privacy. So, we have a few questions of our own.
While the United States is in dire need of more testing, individuals’ access to this critical health service should not hinge on whether or not they have created an account and shared information with the world’s biggest advertising company.
But you can’t use the Verily screening website without a Google account: users must either log into their existing Google account, or create a new one, before filling out the screening survey. Verily representatives have claimed this is necessary to authenticate users and contact them during the screening and testing process. However, Verily has not explained why a Google account is uniquely suited to identifying patients, or why the project cannot use other less invasive forms of identification.
Verily assures users that the medical information they input as part of the screening service will not be linked with their Google account data without “separate or explicit” consent. However, the screening website’s FAQ page says that information may be shared with “certain service providers engaged to perform services on behalf of Verily,” which includes—you guessed it—Google.
The information you choose to provide during the screening process or testing process may also be shared with the healthcare professionals at the specimen collection sites, the clinical laboratory that processes specimens, the California Department of Public Health, and potentially other federal, state, and local health authorities, as requested or mandated for public health purposes.
While Verily has been clearer about the healthcare professionals and labs it partners with, it does not detail what “other federal, state, and local health authorities” include. What is Verily’s relationship with the U.S. government? Would ICE, for example, have access to user data under any circumstances? The only thing that's clear here is that Verily is lumping federal, state, and local public health agencies into one undifferentiated mass, and that is unacceptable.
Verily also fails to provide more information about its relationship with the California Department of Public Health. Is there a written Memorandum of Understanding that lays out how data will flow between Verily and state health authorities?
In addition to Project Baseline, where the COVID-19 screening site is hosted, Verily has its Baseline Platform, Baseline Registry, and Baseline Community.
After completing the screening survey on the website, users are asked if they would like to participate in Verily’s Baseline Community, which spokespeople have told the press will “enable you to participate in creating new knowledge that is critically important to the health of all of us in the face of the COVID-19 pandemic.” Statements go on to say that participation in Baseline Community is “completely voluntary,” and imply that users’ information is shared with California public health authorities regardless.
It’s unclear how these various Verily services intersect with the screening website, and how those relationships may or may not change in the future. Concerns about such internal relationships are especially critical given Google’s healthcare ambitions and previous scrutiny in this area.
Cristian León, based in Buenos Aires, works for Asuntos del Sur, a “think/do tank” that works to strengthen democracy and participation. Originally from Bolivia, Cristian works on open government and democracy across several countries in Latin America, including conducting digital security trainings. He is also one of the founders and current advisors to the Internet Bolivia Foundation.
Over Zoom a couple of months ago, we discussed the current threats to free expression in Latin America, the connection between digital security and expression, and the increasing culture of surveillance he sees in the region.
Jillian C. York: What does free expression mean to you?
For me, it’s the ability for someone to express their mind, their thoughts as they are, without pressure. It’s the ability to say anything you want.
York: I love hearing the different answers to this! And what brought you to your work?
I’ve had many cases where I felt like I didn’t have free expression. Much of my professional life has been related to equality, and defense of human rights, so I’ve seen many cases where I suffer myself, or where other people’s [ability to express themselves] was cut off.
Some examples I can mention: Feminist cases, I have many feminist colleagues, who can’t use the green scarf [editor’s note: a symbol of the abortion rights movement in Argentina] in some government buildings, because some people from the government don’t like it because they don’t want to hear demands related to abortion. So when they go to a meeting with someone from the government, they have to stop wearing the scarf.
Another case, from Bolivia—you know, recently we had a situation where our last president, Evo Morales ... the army told him to resign, and another party took control over the government. The transitional government wasn’t legal. I wrote about it on Twitter, and many people that I know, relatives or friends, actually wrote me private messages to shut up because, even though they thought it was bad, they didn’t want me to express anything about it because they know I have relationships to international organizations. Some people even threatened to harm my parents. For that reason, I couldn’t express myself freely on Twitter. That was [a couple months] ago.
York: Do you feel safe now?
Yes, I’m safe, my parents are safe, but I cannot express anything about that topic on Twitter. I can talk about many issues, but not about whether that was a coup or not.
York: Wow, I’m glad you’re safe, but that’s intense. Are you observing or working on other issues in Latin America?
Yes. I’ve been working in Nicaragua, in Colombia, Bolivia, and Argentina.
York: I think it would be really interesting for readers to know what you see, in the next decade, as some of the threats to free expression in Latin America.
What I see is that fear is growing, and because of that many people are afraid to express themselves. For example, I know several cases from Colombia where people believe their phones were tapped. They’re afraid to say things on calls because they thought the government might hear them. They asked me how to know if your phone is being [spied on.]
The same issue happened in Nicaragua, but the difference is that the government there doesn’t have as much capacity, technology, to do that. But in Colombia, we believe that they do.
Because of the movies, because of the Snowden story, people believe—and I think in some ways they’re right—that they’re being monitored all day long and because of that, they can’t spread ideas. It’s surveillance culture. Somehow, this is positive because people are more aware of data, and how technology can be used in meaningful ways. But it’s really bad for our democracies because free expression is under threat.
In Bolivia as well, even though we know that the Bolivian government doesn’t have this kind of technology, they don’t have this capacity … what we saw—and we have documentation of this—is that people in the streets have [had their phones taken by policemen] who make them open their phones to read their WhatsApp or other messages. There’s a belief that people might be conspiring against the new government. Many journalists, many activists, are being more careful with their phones because of that.
York: As a person who does digital security training, how would you describe the connection between security and expression?
I think that if you don’t have the conditions to know that the channel you’re using is secure, you might not be expressing yourself freely. For people to express themselves, to say whatever they want, they need to have secure channels: Secure phones, encrypted apps. That’s the connection.
York: Yes, I completely agree. Okay, let me take this in a different direction: Do you have a free expression hero?
York: It could be someone from history, someone you know, whatever you like!
For me, I don’t have an individual hero, but I feel like the hero here, at least in Argentina, are the Madres de Mayo—it’s a movement that … there was a dictator in the 1970s, and the Madres de Mayo went out to express themselves and defend their rights, because they were looking for their sons that were lost during this period. They went against the dictatorship. Even now, they are a very powerful and respected movement. And, you know these feminist groups that tried to make abortion legal last year...they are modeled on the Madres de Mayo. To me, they are champions of free expression and democracy in general, because in spite of all the bad conditions and hostility, they went out to defend their rights and expose themselves—because you know that the government here was extremely violent, and most of them could’ve been assassinated, but they went out anyway. You can say that because of this, the democracy here in Argentina is now very strong.
York: That’s a great answer...I’ve really enjoyed everyone’s answer to this question so far.
What we’re experiencing now in Latin America, in most countries, is moving backwards. Usually we say that the direction of human rights is going forward, improving to have more rights. But what I feel now in Latin America, especially after having to give advice to many activists and hear [their stories], there is a sensation now that human rights in general are less respected, and people are afraid of what is coming...especially in countries like Brazil, Venezuela, Nicaragua, Bolivia. I think this is really bad, and it has an impact on how people feel. People no longer feel that they can express what they want anymore. For example, if you go into a meeting and you don’t know the people you’re meeting, you stay quiet because you don’t want to expose yourself. Others could take the information out of the meeting and do something to harm you.
York: Thank you again Cris.
“There are myriad reasons why individuals may wish to use a name other than the one they were born with. They may be concerned about threats to their lives or livelihoods, or they may risk political or economic retribution. They may wish to prevent discrimination or they may use a name that’s easier to pronounce or spell in a given culture.”
These words, from a blog post we published nine years ago during my first year at EFF, remain as true as ever. Whether we’re talking about whistleblowers, victims of domestic violence, queer and trans youth who aren’t out to their local communities, or human rights workers, secure anonymity is critical for these individuals, even life-saving.
And yet, our right to anonymity online remains at risk. Just last month, British television presenter Caroline Flack’s death by suicide prompted calls for more regulation of social media, with some pundits suggesting platforms require ID. In India, a similar proposal is expected to be released by the country’s IT Ministry, although reports indicate that verification would be optional.
Proponents of such proposals believe that when people use their “real” name, they behave more civilly toward one another. Facebook has long maintained that their policy requiring “authentic identity” keeps users safe. But the evidence just isn’t there. One report, from the Coral Project, breaks down the fallacy of why people believe anonymity makes people less civil, while another—from commenting platform Disqus—suggests that people are at their kindest when using a pseudonym.
But most importantly, there are myriad reasons why anonymity and pseudonymity remain vital tools for free expression and safety. Take, for instance, our recent case involving Darkspilver, a member of the Jehovah’s Witness community who posted comments—including a copy of an advertisement from the organization’s Watchtower magazine—to Reddit. The Watchtower Bible and Tract Society pursued a copyright claim against Darkspilver over the advertisement. A magistrate judge ruled that the organization should be able to pursue its claim, and ordered the disclosure of Darkspilver’s identity.
Darkspilver had serious concerns about being “disfellowshipped” from their community, having seen others cut off from their families and communities. EFF was able to successfully appeal in District Court, however, and Darkspilver’s anonymity remains protected.
Today, as we’re seeing many of our digital rights impacted by governments’ handling of COVID-19, the right to anonymity remains vital. We’ve already seen important medical information being shared with the press by anonymous health experts in Wuhan. We’ve also already heard stories of vital information being suppressed, and arrests of those who speak out against their governments.
In times of turmoil, authorities might scapegoat anonymous speakers, blaming them for societal challenges. But anonymous speech is often how the public finds out the depth and severity of those challenges, be it an abuse of political power or the severity of a global pandemic. Without anonymous speech, some lies powerful people tell would go unchecked.
Social distancing, work from home, shelter in place—these are all strategies employed in response to the COVID-19 epidemic. Americans who have jobs allowing them to engage in social distancing are very dependent on their Internet connection. That dependence is only going to grow as time goes on. As parents depend on the Internet for homeschooling, as businesses depend on employees being able to work from home, and as everyone depends on the Internet for public safety information, we need to recognize that our current Internet ecosystem is failing many Americans. And any infrastructure recovery effort that comes out of this situation should address the digital divide at its source: policy decisions that have left us at the mercy of a few, giant companies whose business concerns don’t include all Americans.
For however long this emergency lasts, an untold number of us will be forced to deal with the failure of our telecom policies to produce universally available, affordable, and competitive high-speed broadband options. Families with children who must simultaneously handle school closures and remote education while also working through video conferencing and cloud computing will reside in one of two different Americas for broadband access: American households who reap the benefits of competition, with ever-increasing speeds and lowering prices, and Americans who are forced to rely on obsolete infrastructure built in a bygone era or, worse yet, have no broadband options at all. That those two Americas are still split by what we call the "digital divide" in 2020 is a clear sign of failure in our current approach to broadband. It is imperative that we take it upon ourselves to forcefully bring an end to the inequality of access as part of any infrastructure recovery effort.
We Are Seeing the Digital Divide at Work, and Its Lines Are Drawn Where Fiber Access Exists
It could not be more clear: where there are upgraded networks—meaning networks that can deliver gigabit connections—those homes are able to handle the increase in Internet usage that social distancing requires. Where those networks do not exist—where Americans do not have choices for high-capacity services—social distancing is much harder on people, if not outright impossible.
Upgraded networks generally have had fiber infrastructure built by new, local, independent ISPs from both private and public providers. This new competition forced the old ISPs—often the usual suspects of AT&T, Verizon, and so on—to improve their own networks to keep pace. Not only did competition improve the quality of Internet service, it also improved the price.
But there are many Americans who don’t have meaningful access to choice for high-speed broadband. Some have no choice at all. Communities that rely on decades-old Internet infrastructure lack access to an Internet connection that can handle the demands of social distancing. And the fault of this will lie with the ISPs who used record profits and tax cuts on everything but upgrading their services. The fault will also lie with our federal and state governments, which failed to promote fiber through laws pushing universality or funding to simply have someone besides the large incumbents build it.
Those relying on older networks are those who can least afford to: low-income and/or rural Americans. The most expensive part of starting an ISP is the initial construction cost. The legacy ISPs serving low-income and/or rural populations with older infrastructure have long since paid off that cost, but they still charge through the nose because their customers don’t have alternative choices. And the number one reason people do not subscribe to broadband at all is excessive price. Because no one is offering better service, at a better price, there is no reason for these companies to upgrade their networks, leaving many Americans without the high-speed, reliable, competitively priced Internet service that we absolutely need, especially now.
The differences between competitive markets in the United States and noncompetitive ones are stark. Aside from higher prices and inferior infrastructure, even the COVID-19 oriented relief packages are dramatically different. For example, AT&T is waiving overage fees (a fraction of the excessive bill most people pay) and Comcast is offering 25 Mbps/3 Mbps for free for two months to low-income users, but a fiber competitor called Sonic in San Francisco (a city with a fairly decent amount of competition) is offering free gigabit service for three months to families and seniors regardless of their income status.
High-Speed Affordable Broadband Is Essential for Everyone—and That Makes It a Sound Investment
What is tragic about the digital divide is that there are no good reasons for it to exist, let alone continue. It is profitable to serve all Americans, no matter what major incumbents like AT&T and Verizon may say. If the major ISPs universally converted their older networks over to fiber to the home, they would be net profitable in the long run. Contrary to assertions that smartphones and wireless plans alone are sufficient, nothing can truly substitute for a high-capacity connection in the home. As we are seeing right now, the more and more we do online, the less and less our phones and our outside-the-home options will be compelling replacements.
Our own analysis of the world’s fastest ISP demonstrates how the financials work for fiber networks. That ISP is located in the United States, built and run by the local government of Chattanooga, Tennessee. Once a portion of their network had subscribers, their revenue from $70 a month for gigabit service outpaced their costs for the entire network. In other words, after they reached a certain number of customers, their profits grew faster than their costs. That profit allowed them to stretch the network further and further. In fact, because of the unique nature of fiber wires, they were able to upgrade to a 10 gigabit network with only a tiny additional investment. Unfortunately—and predictably—the old ISPs stepped in and got states to ban local government broadband, crushing further expansion by this successful competitor. Extending fiber networks is perfectly doable, blocked only by the refusal of the big ISPs to do it themselves and their successful campaign to erect legal barriers to stymie alternatives.
But even that hasn’t worked entirely. Because we need the Internet. And in a reversal of the classic movie quote, we’re already there, so we will build it. In the state of Utah, where residents had been left behind by incumbent ISPs, and where the state law banning community broadband remains, a handful of cities collectively started building universal open access fiber as a workaround. To butcher another movie quote, we will not be ignored.
Rather than build broadband, they built fiber infrastructure, and allowed small private broadband companies to sell services off the network. Demand is so high for the services from these neglected communities, that more than enough money is being made. In fact, they’ve made enough to pay for the entire construction effort. This is allowing the network (called Utopia Fiber) to rapidly expand and complete universal fiber deployments on schedule, all while giving people nearly a dozen broadband options at competitive prices.
In response to COVID-19, they are currently experiencing a record number of new subscriptions from the people of Utah who need more capacity to stay home for long periods of time. Everywhere in the country we continue to see pockets of success, from the 7,000-member People’s Rural Telephone Cooperative in Kentucky to nearly 100+ other small rural cooperatives deploying fiber to the home.
All of this shows not only that building fiber networks could have been done everywhere, for everyone, years ago, but also that it would have been profitable. So why have our big ISPs failed us?
The answer lies in their investor expectations and the companies' lack of willingness to engage in long-term investments versus faster short-term profits. Fiber networks are big investments that generally need 10 years or more to fully pay down the construction costs. Similar to when you buy a car, it comes with a big down payment, but eventually you have paid it off and just have maintenance costs. The difference here is that unlike your car, which depreciates after you buy it with higher maintenance costs over time, a fiber network will grow in value and usefulness because advancements in technology will allow it to get faster without any new down payments for construction. It is also expected to be useful for around 70 years after it is built. It’s a future-proof investment—the old ISPs just lack an interest in the future.
Since the old ISPs have proven unwilling to invest in what we need, no relief package or infrastructure package should defer to them on what to do. We should conclude that, after billions in tax breaks and federal deregulation by the FCC, they are content with leaving people using decades-old infrastructure forever. After all, it is not like companies like AT&T are afraid of spending money when it comes to buying other companies, as their merger debt is an eye-popping $171 billion (which is less than it would cost to give every single American a fiber connection).
Ending the Digital Divide Depends on Federal and State Infrastructure Plans That Deliver High-Speed Internet to Everyone
The unnecessary hardships many Americans face to maintain their daily lives are the inevitable result of relentlessly low expectations pushed by the big, old ISPs. They’ve set the bar so low in hopes that the public and the government would just accept a fraction of what Americans deserve from the broadband carrier industry. This has resulted in too many policymakers engaging in rhetoric about the importance of broadband, rather than putting forth policies that would give every American affordable 21st century-ready Internet access as a matter of law. It is time for policymakers to back up their rhetoric with action.
EFF supports universal deployment of fiber optics and open access policies that would promote competition and affordability not as a pipe dream, but because we’ve seen the proof. Other countries are further along, giving us proof of concept.
So here’s what we know: we need to be willing to invest, both with dollars and with our laws, in the goal of connecting everyone by a specific date. We also need to refocus our laws on remedying the lack of competition in the broadband access market. Our own engineering analysis shows that a broadband access network that is all fiber will be more than ready for advances in applications and services for decades to come, including massive increases in usage needs. Countries like South Korea that long ago completed their universal fiber build did so because the government’s telecom policy drove that result.
As we noted in comments to the federal government and in our home state of California, the absence of a policy effort from government to push for guaranteed universality of fiber will continue the digital divide problem and worse yet replace it with a "speed chasm" of broadband choices. That means allowing the current state of affairs in the United States to continue is a choice. Let the hard lessons we are learning in real time today be the reason we finally commit to getting everyone connected in the aftermath.
The absence of universal access to high-speed, affordable Internet has made social distancing, working from home, remote education for children, and connecting with loved ones unnecessarily difficult. As Congress, the state governments, and local governments work to provide relief to Americans and the economy, any Internet infrastructure spending needs to remember this lesson.
EFF is proud to announce that independent researcher and technologist Ashkan Soltani has joined our advisory board, where he will share his expertise in privacy and security. Ashkan is a long-time EFF friend and collaborator whose research has informed our efforts to protect users from NSA backdoors, shine a light on third-party tracking, and hold the government accountable for unconstitutional mass surveillance.
Ashkan is a career advocate for user rights in the digital world, and his commitment to protecting consumer privacy will be vital to the work we do at EFF. Ashkan is one of the architects of the California Consumer Privacy Act, the nation’s strongest digital privacy law protecting private information and providing users more control over their data. His work looking under the hood of tracking technology and practices used by companies to collect user data—years before the Cambridge Analytica scandal—has been critical to the public’s understanding of how personal data is being mined and monetized.
Ashkan’s research was the basis for the Wall Street Journal’s award-winning series “What They Know,” a ground-breaking report on tracking technologies and how they work. He also co-authored a Washington Post series on NSA spying programs that was awarded a 2014 Pulitzer Prize. Ashkan was one of the first staff technologists at the Federal Trade Commission’s Division of Privacy and Identity Protection, where he helped lead investigations of Google, Twitter, and Facebook for misleading user privacy practices. Later, he was appointed Chief Technologist at the FTC, advising on technology policy and helping create a new Office of Technology Research and Investigation.
In 2016 Ashkan was recruited by the White House to serve as Senior Advisor to the U.S. Chief Technology Officer, consulting on consumer privacy and the ethics of big data. The engagement ended after the White House denied Ashkan a security clearance, which many in the tech community speculated was a result of his work on the NSA spying series at the Washington Post.
In 2018 Ashkan became an expert witness in EFF’s landmark Jewel v. NSA lawsuit challenging the constitutionality of NSA mass surveillance. In an affidavit, he testified that the communications of EFF’s plaintiffs were likely subjected to collection as part of NSA’s surveillance network.
We’re thrilled to have Ashkan on our advisory board.
As Californians shelter-at-home up and down the state, the journalists and citizen watchdogs who file California Public Records Act (CPRA) requests know that trade-offs must be made. We know that local agencies may be understaffed at this time and that they may be slow to respond to our letters. They may need to restrict our ability to inspect records in person at City Hall, and public records lawsuits may stall as courts restrict hearing dates.
But where we draw the line is when government agencies announce they will suspend the public records request process altogether, a move telegraphed by several agencies in a recent Los Angeles Times story.
The right to access information is enshrined in the California Constitution, and this right is never more important than during an international crisis. That’s why EFF has joined the First Amendment Coalition and other public records advocacy groups in signing a statement supporting government transparency, even amid the most challenging circumstances.
“While we acknowledge the extraordinary stresses that government agencies face right now, we urge all government agencies to comply with the California Public Records Act and the California Constitution and take all reasonable measures to continue to provide information to the public and the press during these exceptionally difficult times,” the groups write.
The letter notes that COVID-19 is hardly California’s first major crisis. The legislature has never authorized the suspension of CPRA, nor do Gov. Gavin Newsom’s emergency orders waive agencies’ responsibilities under CPRA.
The California Supreme Court has found that “openness in government is essential to the functioning of a democracy.” While COVID-19 will certainly interrupt some of our normal expectations, it is essential that our democracy continue to function through these hard times. That means ensuring that the public can understand and hold officials accountable for the decisions they make in the halls of power while we’re all stuck at home.
EFF and its members work to ensure that technology supports freedom, justice, and innovation for all the people of the world. The COVID-19 pandemic has made obvious how important the Internet and digital tools are to our lives and how vital it is that we maintain an open and secure approach to them.
Online Creativity Is A Bright Spot In The Darkness
For those of us living under quarantine, shelter in place orders, or just staying home to voluntarily help protect our communities, we now rely on the Internet and digital tools more than ever to share information and advice, create art and memes, listen to our favorite musicians perform “live,” or just to feel less alone. We see how technology is helping us cope, hopefully temporarily, with the loss of in-person contact. Many others are using digital tools and services to organize mutual aid for their neighborhoods and communities in this time of crisis.
Thanks to open access science, scientific and medical teams are able to instantly share their work and build on efforts to track the virus, study its effect on people, and develop vaccines. Others are developing ways to create and repair vital medical equipment using open tools, including reportedly 3D printing. We are coming together online and offline in new and creative ways, and ensuring that security, privacy, and openness are baked into the tools and services we use will only support our efforts.
In some ways, the explosion of open creativity online to keep us connected and sane during these scary times is one of the bright spots in the darkness. But in the United States, it also shows how this crisis disproportionately impacts those of us who are marginalized in society already—the unsheltered, those who cannot afford or access reliable broadband service to continue school or work, the consultants and retail workers who have little reserves, and all of those falling through our frayed social safety net. Innovation is needed here too—like ensuring that robust broadband access works for everyone, not just the wealthy, and is not dependent on temporary largess of some giant providers.
We Must Be Extra Vigilant In Defending Our Rights In This Moment
We also know that times of great public fear come with great risk. Public fear has driven some of the worst human rights atrocities, and given opportunities for those who would seize power from us and reduce or even erase our hard-won human rights and civil liberties. Already we see efforts to use this public health crisis as an excuse to place irrational blame on our Asian communities and direct even more pressure and discrimination against refugees and immigrants. We already see calls from companies seeking to cash in on this crisis for unchecked face surveillance, social media monitoring, and other efforts far beyond what medicine or epidemiology require.
When fear threatens to undermine our rights and pervert justice, that’s where EFF—and you—come in.
We know that this virus requires us to take steps that would be unthinkable in normal times. Staying inside, limiting public gatherings, and cooperating with medically needed attempts to track the virus are, when approached properly, reasonable and responsible things to do. But we must be as vigilant as we are thoughtful. We must be sure that measures taken in the name of responding to COVID-19 are, in the language of international human rights law, “necessary and proportionate” to the needs of society in fighting the virus. Above all, we must make sure that these measures end and that the data collected for these purposes is not re-purposed for either governmental or commercial ends.
We Can Take Advantage Of Technology, and Emerge Stronger
As we head further into these difficult times, EFF is standing strong to make sure that we both take advantage of how technology can help us now and, equally importantly, that we emerge from this time with our freedom and democracy as strong, if not stronger, than when we went in. Because we at EFF have a committed membership as our primary support – over half of our annual budget comes from individuals – we are able to pivot our attention to these issues even as we continue our ongoing fights. Our lawyers are scrutinizing the proposed laws and regulations and corporate privacy moves, especially the growing and concerning raft of corporate/government surveillance efforts. Our technologists are digging into the digital tools we all rely on during this crisis to make sure that your privacy is protected. We’re pushing to lower artificial barriers to information sharing, and working to make sure that access to knowledge is one of the things we keep as we emerge from these times. And more.
We have created an issue page dedicated to our COVID-19 focused work and will continue to highlight our efforts there, as well as publish needed practical information about how to fight COVID-19 phishing attempts and how to show your EFF support as we head into our 30th year of standing strong for your rights.
Right now, when real science is so often under attack, those of us who care about truth, health, and each other need to take seriously the things that science and medicine are telling us about how to keep this virus from spreading. And we also need to be vigilant so that we come out the other side of this crisis with a society we want to live in and hand down to our kids. We can—and must—do both.
EFF is proven, ready, and strong. With the support of our members, new and old, we’ll be there with you every step of the way.
At a time when government officials are justifiably limiting in-person gatherings to slow the spread of COVID-19, the public should have access to essential government activities. The Supreme Court is no exception, which is why it must finally allow cameras in its courtroom.
Responding to the health and safety concerns raised by the spread of COVID-19, the Supreme Court announced on March 12 that it would close its building to the public until further notice. Four days later, the Court postponed its March oral arguments altogether.
Once the Supreme Court begins hearing oral arguments again, it must allow the public to access them by broadcasting or releasing same-day video recordings of its proceedings. Just as every other facet of life is moving to telecommunications platforms in response to COVID-19, if the Court remains shut to an in-person audience, it should make videos of its arguments available to the public instead.
The public’s right to access court proceedings like oral arguments is one of the most basic tenets of our justice system, rooted in both the Constitution and common law. Access to courts safeguards the foundation of our democracy by ensuring the public can see how courts operate, understand how they apply the law, and hold our justice system accountable so that the public’s trust in it can be maintained. The Supreme Court recognized this principle more than 40 years ago, writing that “People in an open society do not demand infallibility from their institutions, but it is difficult for them to accept what they are prohibited from observing.”
In light of this longstanding mandate, Supreme Court arguments are open to the public and press. That means members of the public can travel to the Supreme Court building in Washington, D.C., to watch oral arguments in person (although courtroom capacity is limited). Additionally, the Court makes argument transcripts available day-of and releases audio at the end of the week.
Such access is important, but far from sufficient. The courtroom is fairly small, and those wishing to attend argument—even attorneys who are members of the Supreme Court bar—are typically required to line up early in the morning. Argument transcripts and audio recordings are not a perfect substitute for those who cannot travel to Washington D.C. or otherwise get into the courtroom. Non-verbal signals—an eye roll or disbelieving glare—can illuminate the justices’ reasoning and provide valuable insight into the Court’s ultimate decision.
While cameras are widely allowed in courtrooms at the trial and appellate levels, the Supreme Court has long resisted allowing cameras at argument.
This isn’t because the Court hasn’t considered it. Justice Kennedy has stated that videos in the Supreme Court are “inevitable.” And in 1988, the Supreme Court secretly tested cameras in the courtroom. Three Justices asked questions to Judge Timothy B. Dyk of the Court of Appeals for the Federal Circuit, who was, at that time, a media lawyer, and recorded the session to replicate a real oral argument.
But the Court didn’t decide to allow cameras to access its courtroom then, and now, more than 30 years later, almost every Justice has publicly opposed doing so. Why?
Some Justices have expressed concern about how cameras would affect the lawyers arguing, perhaps by causing them to grandstand for the television.
But this hasn’t proven to be the case in other courts that allow cameras. In a study by the Federal Judicial Center, judges and attorneys in such courtrooms agreed that cameras had little effect on trial participants. Canada’s highest court has allowed cameras in the courtroom for over 30 years, and hasn’t looked back. According to the former Canadian Chief Justice Beverley McLachlin, who served on the Canadian Supreme Court for over 28 years until retiring in 2017, the Canadian court originally had the same concerns about cameras—but it turns out that “nobody is out there trying to put on a performance.” She said that she could only recall a single time where someone gave a “barnstorming kind of speech” in court that could have been directed at the cameras. And she “just told him to sit down.”
Other Justices worry about the effect that cameras would have on them—perhaps by causing the Justices to self-censor at oral argument for fear that they might say something “ridiculous” or have their words taken out of context.
But any self-consciousness about the cameras likely wouldn’t last long. Chief Justice McLachlin said that the Canadian Justices are “just oblivious” to the cameras. “I don’t think I ever think about them in the course of a hearing . . . They’re unobtrusive.” And the Court already releases audio and written transcripts of arguments, so any gaffes are hardly a secret. To the extent that the Justices worry about their words being decontextualized or manipulated, the best remedy is to release accurate video in its entirety.
Even in normal times, when individuals can watch Supreme Court arguments in person, videos would allow the greater public to form opinions about the participants, the arguments presented, and the fairness of the procedures. Given the affordability and accessibility of video technology today, there is no justification for depriving the public of access to oral argument videos any longer.
Recognizing that the public’s right of access includes the right to see what happens in the courtroom—on video if not in person—is all the more urgent with the Supreme Court now barring the press and public from attending in person.
Governments around the world are demanding new dragnet location surveillance powers to contain the COVID-19 outbreak. But before the public allows their governments to implement such systems, governments must explain to the public how these systems would be effective in stopping the spread of COVID-19. There’s no questioning the need for far-reaching public health measures to meet this urgent challenge, but those measures must be scientifically rigorous, and based on the expertise of public health professionals.
Governments have not yet met that standard, nor even shown that extraordinary location surveillance powers would make a significant contribution to containing COVID-19. Unless they can, there’s no justification for their intrusions on privacy and free speech, or the disparate impact these intrusions would have on vulnerable groups. Indeed, governments have not even been transparent about their plans and rationales.
The Costs of Location Surveillance
EFF has long opposed location surveillance programs that can turn our lives into open books for scrutiny by police, surveillance-based advertisers, identity thieves, and stalkers. Many sensitive inferences can be drawn from a visit to a health center, a criminal defense lawyer, an immigration clinic, or a protest planning meeting.
Moreover, fear of surveillance chills and deters free speech and association. And all too often, surveillance disparately burdens people of color. What’s more, whatever personal data is collected by government can be misused by its employees, stolen by criminals and foreign governments, and unpredictably redirected by agency leaders to harmful new uses.
Emerging Dragnet Location Surveillance
China reportedly responded to the COVID-19 crisis by building new infrastructures to track the movements of massive numbers of identifiable people. Israel tapped into a vast trove of cellphone location data to identify people who came into close contact with known virus carriers. That nation has sent quarantine orders based on this surveillance. About a dozen countries are reportedly testing a spy tool built by NSO Group that uses huge volumes of cellphone location data to match the location of infected people to other people in their vicinity (NSO’s plan is to not share a match with the government absent such a person’s consent).
In the United States, the federal government is reportedly seeking, from mobile app companies like Facebook and Google, large volumes of location data that is de-identified (that is, after removal of information that identifies particular people) and aggregated (that is, after combining data about multiple people). According to industry executives, such data might be used to predict the next virus hotspot. Facebook has previously made data like this available to track population movements during natural disasters.
But re-identification of de-identified data is a constant infosec threat. De-identification of location data is especially hard, since location data points serve as identification of their own. Also, re-identification can be achieved by correlating de-identified data with other publicly available data like voter rolls, and with the oceans of information about identifiable people that are sold by data brokers. While de-identification might in some cases reduce privacy risks, this depends on many factors that have not yet been publicly addressed, such as careful selection of what data to aggregate, and the minimum thresholds for aggregation. In the words of Prof. Matt Blaze, a specialist in computer science and privacy:
One of the things we have learned over time is that something that seems anonymous, more often than not, is not anonymous, even if it’s designed with the best intentions.
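The two risks named above, that location points identify people on their own and that aggregation only helps above a minimum threshold, can be measured before any release. This is an added example, not code from EFF or any agency; the sample pings, grid cells, hour buckets and function names are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: (pseudonym, hour_of_day, grid_cell). Names are already
# stripped, which is what "de-identified" usually means in practice.
SAMPLE_PINGS = [
    ("u1", 2, "A1"), ("u1", 3, "A1"), ("u1", 10, "C3"), ("u1", 14, "C3"),
    ("u2", 1, "A1"), ("u2", 4, "A1"), ("u2", 11, "C3"), ("u2", 15, "C3"),
    ("u3", 2, "A1"), ("u3", 9, "D4"), ("u3", 13, "D4"),
    ("u4", 3, "B2"), ("u4", 23, "B2"), ("u4", 10, "C3"),
    ("u5", 0, "B2"), ("u5", 12, "E5"), ("u5", 16, "E5"),
]

# Assumption: pings in these hours approximate where someone sleeps.
NIGHT_HOURS = set(range(0, 6)) | {22, 23}


def signature(pings):
    """Map each pseudonym to (most frequent night cell, most frequent day cell)."""
    night, day = defaultdict(Counter), defaultdict(Counter)
    for user, hour, cell in pings:
        (night if hour in NIGHT_HOURS else day)[user][cell] += 1
    sig = {}
    for user in set(night) | set(day):
        n = night[user].most_common(1)
        d = day[user].most_common(1)
        sig[user] = (n[0][0] if n else None, d[0][0] if d else None)
    return sig


def unique_fraction(pings, k=2):
    """Share of pseudonyms whose night/day signature is held by fewer than k users.

    These records are distinguishable from every other record in the release
    even though no name or phone number is present.
    """
    sig = signature(pings)
    sizes = Counter(sig.values())
    exposed = sorted(u for u, s in sig.items() if sizes[s] < k)
    return len(exposed) / len(sig), exposed


def aggregate(pings, min_count):
    """Count distinct users per (cell, day/night) and suppress small counts."""
    seen = defaultdict(set)
    for user, hour, cell in pings:
        bucket = "night" if hour in NIGHT_HOURS else "day"
        seen[(cell, bucket)].add(user)
    released, suppressed = {}, []
    for key, users in sorted(seen.items()):
        if len(users) >= min_count:
            released[key] = len(users)
        else:
            suppressed.append(key)  # a count this small describes individuals
    return released, suppressed


if __name__ == "__main__":
    frac, exposed = unique_fraction(SAMPLE_PINGS, k=2)
    print(f"{frac:.0%} of pseudonyms are unique on night/day cells: {exposed}")
    for threshold in (1, 3):
        released, suppressed = aggregate(SAMPLE_PINGS, threshold)
        print(f"min_count={threshold}: released={released} suppressed={suppressed}")
```

With no threshold, the released table contains cells with a count of one, each of which is a single person's location; raising the threshold removes those cells at the cost of coverage.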
Disturbingly, most of the public information about government’s emerging location surveillance programs comes from anonymous sources, and not official explanations. Transparency is a cornerstone of democratic governance, especially now, in the midst of a public health crisis. If the government is considering such new surveillance programs, it must publicly explain exactly what it is planning, why this would help, and what rules would apply. History shows that when government builds new surveillance programs in secret, these programs quickly lead to unjustified privacy abuses. That's one reason EFF has long demanded transparent democratic control over whether government agencies may deploy new surveillance technology.
Governments Must Show Their Work
Because new government dragnet location surveillance powers are such a menace to our digital rights, governments should not be granted these powers unless they can show the public how these powers would actually help, in a significant manner, to contain COVID-19. Even if governments could show such efficacy, we would still need to balance the benefit of the government’s use of these powers against the substantial cost to our privacy, speech, and equality of opportunity. And even if this balancing justified government’s use of these powers, we would still need safeguards, limits, auditing, and accountability measures. In short, new surveillance powers must always be necessary and proportionate.
But today, we can’t balance those interests or enumerate necessary safeguards, because governments have not shown how the proposed new dragnet location surveillance powers could help contain COVID-19. The following are some of the points we have not seen the government publicly address.
1. Are the location records sought sufficiently granular to show whether two people were within transmittal distance of each other? In many cases, we question whether such data will actually be useful to healthcare professionals.
This may seem paradoxical. After all, location data is sufficiently precise for law enforcement to place suspects at the scene of a crime, and for juries to convict largely on the basis of that evidence. But when it comes to tracking the spread of a disease that requires close personal contact, data generated by current technology generally can’t reliably tell us whether two people were closer than the CDC-recommended radius of six feet for social distancing.
For example, cell site location information (CSLI)—the records generated by mobile carriers based on which cell towers a phone connects to and when—is often only able to place a phone within a zone of half a mile to two miles in urban areas. The area is even wider in areas with less dense tower placement. GPS sensors built directly into phones can do much better, but even GPS is only accurate to a 16-foot radius. These and other technologies like Bluetooth can be combined for better accuracy, but there’s no guarantee that a given phone can be located with six-foot precision at a given time.
2. Do the cellphone location records identify a sufficiently large and representative portion of the overall population? Even today, not everyone has a cellphone, and some people do not regularly carry their phones or connect them to a cellular network. The population that carries a networked phone at all times is not representative of the overall population; for example, people without phones skew towards lower-income people and older people.
3. Has the virus already spread so broadly that contact tracing is no longer a significant way to reduce transmission? If community transmission is commonplace, contact tracing may become impractical or divert resources from more effective containment methods.
There might be scenarios other than precise, person-to-person contact tracing where location data could be useful. We’ve heard it suggested, for example, that this data could be used to track future flare-ups of the virus by observing general patterns of people’s movements in a given area. But even when transmission is less common, widespread testing may be more effective at containment, as may be happening in South Korea.
4. Will health-based surveillance deter people from seeking health care? Already, there are reports that people subject to COVID-based location tracking are altering their movements to avoid embarrassing revelations. If a positive test result will lead to enhanced location surveillance, some people may avoid testing.
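Point 1 above can be checked numerically. The following added example (not from the original post) treats each location fix as a point with a hard error radius, which is a simplifying assumption, and asks whether two fixes can confirm or rule out contact within six feet. It uses the accuracy figures quoted above, reading the half-mile CSLI zone as a radius; the coordinates are constructed.

```python
import math

FEET_PER_METER = 3.28084
EARTH_RADIUS_M = 6371000.0
GPS_ERROR_FT = 16.0      # figure quoted in the text
CSLI_ERROR_FT = 2640.0   # half a mile, treated here as a radius (assumption)


def distance_ft(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two reported fixes, in feet."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) * FEET_PER_METER


def separation_bounds(fix_a, fix_b):
    """Each fix is (lat, lon, error_radius_ft).

    The true positions lie somewhere inside each error circle, so the true
    separation is bounded by the reported distance minus/plus both radii.
    """
    d = distance_ft(fix_a[0], fix_a[1], fix_b[0], fix_b[1])
    slack = fix_a[2] + fix_b[2]
    return max(0.0, d - slack), d + slack


def contact_verdict(fix_a, fix_b, threshold_ft=6.0):
    """'within' only if every possible true position is inside the threshold,
    'apart' only if none is, otherwise 'indeterminate'."""
    lo, hi = separation_bounds(fix_a, fix_b)
    if hi <= threshold_ft:
        return "within"
    if lo > threshold_ft:
        return "apart"
    return "indeterminate"


def scenarios():
    """Constructed fixes; 0.0003 degrees of latitude is roughly 109 feet."""
    base = (40.0, -75.0)
    near = (40.0003, -75.0)   # ~109 ft north of base
    far = (40.00274, -75.0)   # ~1,000 ft north of base
    return {
        "gps_same_point": contact_verdict((*base, GPS_ERROR_FT), (*base, GPS_ERROR_FT)),
        "gps_109ft_apart": contact_verdict((*base, GPS_ERROR_FT), (*near, GPS_ERROR_FT)),
        "csli_1000ft_apart": contact_verdict((*base, CSLI_ERROR_FT), (*far, CSLI_ERROR_FT)),
        "3ft_error_same_point": contact_verdict((*base, 3.0), (*base, 3.0)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

Under these assumptions GPS can rule out contact between phones that are far apart, but it can never confirm it: two fixes at the same reported point may still be up to 32 feet apart, and confirmation requires the two error radii to sum to no more than six feet.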
As our society struggles with COVID-19, far narrower “big data” surveillance proposals may emerge. Perhaps public health professionals will show that such proposals are necessary and proportionate. If so, EFF would seek safeguards, including mandatory expiration when the health crisis ends, independent supervision, strict anti-discrimination rules, auditing for efficacy and misuse, and due process for affected people.
But for now, government has not shown that new dragnet location surveillance powers would significantly help to contain COVID-19. It is the government’s job to show the public why this would work.
Responding to the threat of COVID-19, science advisers from twelve countries have signed on to an open letter urging scientific publishers to make all COVID-19 research freely available to the public through PubMed Central or the World Health Organization's COVID Database.
This is an emergency call for open science, the movement to make tools, data, and publications resulting from publicly funded research available to the public. Among the signers of this open letter was the Director of the United States Office of Science and Technology Policy, Kelvin Droegemeier, who is reportedly shaping an executive order to require similar availability for all federally funded research starting on the first day of publication.
Thankfully, major commercial publishers such as Elsevier and Springer have already announced that they will drop their paywalls on coronavirus research for the duration of the crisis. In doing so, a growing number of publishers are helping scientists work together to combat COVID-19 by embracing open access, the idea that research publications should be freely available for anyone to read.
That’s a great start. Open access ensures scientists are operating transparently and have access to the most current information available. This allows research efforts to move more quickly and eliminates barriers among researchers across the globe. The current crisis demonstrates how open access is a human rights issue. Potentially life-saving medical knowledge should not be restricted to those connected to institutions that can afford expensive journal subscriptions.
In the last month, researchers have embraced libre and open source research tools such as Nextstrain and open data platforms like Gisaid. The combined efforts of scientific researchers and free software programmers have accelerated research on coronavirus to unprecedented speeds. Medical professionals are even working together to share information about how to repair vital equipment while others build open hardware alternatives to proprietary devices. When interpreting the findings of these efforts, readers should keep in mind that they can often be shared before undergoing peer review.
In the past decade we’ve come a long way in bringing scientific research to the public, but we’re still far from realizing its full potential. Between a 2013 executive order and a 2018 California law, publishers are generally only required to make research freely available after a one-year embargo, and even then only if they receive federal or California state funding. While both are steps in the right direction, the current moment highlights why we need to go further. For fast-moving health research, a one-year embargo period severely reduces the value of an open access law for the public. A growing list of foundations have made that point clearly by requiring the research they fund to be open access on the day it’s published.
In Europe, today's emergency support of open science is poised to become the status quo next year when the Plan S policy will require open access on the first day of publication. This means researchers will be in a better position to respond to future crises, and even more important discoveries will be made available through open access.
Researchers and publishers have made heroic strides this month, and we cannot forget the impact we are seeing in improving public access to knowledge. It will become increasingly important to push for the full benefit of research by changing more state and federal laws to make open science the default, and go beyond reading access to grant greater re-use freedoms. Let’s work together to help make the public better prepared for future crises.
As government officials at all levels move quickly to respond to COVID-19 and protect the public’s health, it is vital that they also safeguard the public’s ability to participate in and access information about those decisions, EFF and a coalition of more than 100 organizations wrote in a letter on Friday.
Transparency and public access during this crisis are a necessary and important way to give those affected clarity into government decision-making. It’s neither normal nor healthy for democracy to hide or classify public health-related decisions or deliberations. At a time when whistleblowers and others have contributed to the public awareness of how agencies and government actors, in the U.S. and abroad, have responded to this crisis, it’s crucial that we see exactly how decisions with potentially life-altering ramifications are made. From the letter:
“At all times, but most especially during times of national crisis, trust and credibility are the government’s most precious assets. As people are asked to make increasing sacrifices in their daily lives for the greater good of public health, the legitimacy of government decision-making requires a renewed commitment to transparency.”
While some government functions move away from normal channels due to safety measures such as quarantines—for example, using private email accounts instead of government email accounts—every effort must be made to ensure those channels allow for messages to be publicly accessible. Agencies may struggle to respond quickly to public records requests and other requests for information at this time, which is why the default must be a commitment to transparency from the beginning, rather than obfuscation. For example, agencies should not follow the lead of the FBI, which has stopped accepting FOIA requests via email.
The letter also encourages governments to postpone important decisions that can be made after the current crisis, as officials should not exploit the public’s inability to participate in person in the short term:
“Just as citizens are being asked to defer nonessential travel and errands, so should government agencies defer noncritical policy-making decisions until full and meaningful public involvement can be guaranteed. Where postponement is not realistic, every available measure should be taken to (1) notify the public of meetings of government bodies and how to participate in those meetings remotely, (2) use widely available technologies to maximize real-time public engagement, and (3) preserve a viewable record of proceedings that is promptly made accessible online.”
Transparency is among the principles EFF has laid out for government to take into consideration and commit to during this crisis. Knowing “what the government is up to” is often the first step in ensuring that the government respects the civil liberties of its citizens, and during a crisis, this knowledge takes on extraordinary importance. Though this may take additional effort due to the severity of the pandemic, it is essential that government actions be clearly and quickly explained to the public. Moreover, transparency is particularly important so the public can scrutinize fast-moving efforts to have private companies work with the government to respond to COVID-19, such as the reported Google effort to help broaden access to screening for the virus.
EFF is a fierce defender of government transparency, which is especially important given reports of secretive talks between government agencies and corporations hoping to deploy technologies such as cell-phone location tracking, advanced video analytics, and biometric surveillance.
The rallying cry of these difficult times is that we’re all in this together. We agree, and that includes keeping everyone in the loop when it comes to technology that could cause long-lasting damage to our rights after the crisis has passed.
In the current moment, governments may be tempted to funnel scarce public health resources into the use of face recognition to curtail the spread of COVID-19. Public health crises, especially a global pandemic, may require extraordinary measures in favor of the public good—but invasive face surveillance is not in the public’s interest.
This approach could involve building new infrastructure to conduct more face surveillance and large government contracts with some of the most nefarious surveillance technology vendors in the world. Companies like Clearview AI, which uses over two billion face images scraped from social media to track individuals and identify them with real-time face surveillance, are already in talks with agencies to provide assistance. Even as civil liberties groups call for a national ban on government use of face recognition, U.S. Customs and Border Protection is currently touting face recognition at airport check-ins as supposedly more hygienic than other screening.
The massive infrastructure required to run face recognition (such as cameras, software, and open-ended contracts with vendors) cannot be easily dismantled when the public health crisis is over. We cannot allow law enforcement and other government officials to normalize this invasive tactic. We know the truth about this spy tech: face recognition may seem convenient and useful, but is actually a deeply flawed technology that exposes people to constant scrutiny by the government, and has the potential to chill free speech and movement by identifying and tracking people as they visit their doctors, lawyers, houses of worship, or political demonstrations. It also can generate inaccurate reports.
It is all too likely that any new use of face surveillance to contain COVID-19 would long outlive the public health emergency. In a year, systems that were put in place to track infected individuals as they moved through a city could be re-deployed to track people as they walk away from a political demonstration or their immigration attorney’s office. Face recognition software that is able to identify people even when they’re wearing surgical masks, as the company Hanwang has developed, could also be used to identify people who obscure their face at political protests out of fear of retribution from the government. We have to consider the afterlives of these technologies and the way their use can creep into everyday life after the emergency is over.
This is why EFF and concerned citizens continue to call on Congress to ban the government use of face recognition. You can take action here by telling your elected officials that this technology, today and in the future, erodes our civil liberties and undermines our participation in a free society.
You can also take EFF’s new quiz to see what government agencies use or share your photograph for the purpose of conducting face recognition.
Entropy isn't just a word, it’s the (second) law (of thermodynamics): the idea that things tend towards chaos and brokenness. That’s why the Right to Repair is so close to our heart: fixing things is nothing less than the embodiment of the ancient struggle to wring order from chaos, to stave off deterioration and collapse.
It’s no coincidence that farmers are the vanguard for Right to Repair. People who live in rural, low-population zones have to fend for themselves when entropy is visited upon their tools. Farmers can’t wait for days or weeks for a part or a service technician: they literally have to make hay while the sun shines. Since the dawn of agriculture, farmers have been making and adapting their tools, and workshops and even forges are mainstays of agricultural life.
Coronavirus has given us all a taste of what life is like for farmers and other people far from repair and parts. With global supply chains in chaos and whole cities on lockdown, broken things might not get fixed unless you can fix them.
Lucky for us, we still have the Internet, which is full of repair instructions (including iFixit’s massive repository of "repair guides for every thing") and we have more access to tools than at any time in history, including—for some of us—futuristic tools-that-make-tools, like laser-cutters, CNC mills, and 3D printers.
These have already begun to play a key role in the pandemic. A hospital in Brescia, Italy reportedly rehabilitated a broken, urgently needed Venturi oxygen mask for the hospital’s ventilator with help from local 3D printing entrepreneurs who brought their printer to the hospital, designed a replacement part on the spot, and printed it out, successfully repairing the respirator so that it could be used to save lives.
The story is a heartwarming mix of modern miracle and solidarity in a crisis, but there’s more going on under the surface.
It turns out that the reason that the part had to be designed from scratch is that the manufacturer refused to help with the project. One of the people involved says that he was threatened with patent litigation if he tried; his colleagues differ on the matter, but they agree that the company refused to share design files. And sending threats or not, the part’s designer still says he will not distribute the plans for a replacement.
All around the world, there is a shortage of ventilators and ventilator parts—and at the same time, the country that does the lion’s share of high-tech manufacturing, China, is running at extremely reduced capacity. While online communities are crowdsourcing multiple plans for open source hardware ventilators and other pandemic-related technology, the most important thing they and companies can do is work in concert to keep existing, tested tech functional.
Getting this kind of med-tech project right is important, and it’s hard. The global supply-chain shutdown has revealed the fragility of long distance, complex manufacturing systems that are organized around central hubs that represent points of critical failure. The surge in open source hardware designs and parts for medical equipment during the emergency represents a distributed, urgently needed decentralization of our world’s critical manufacturing capacity. Even as these distributed efforts reduce the hazards of failing health systems, they have the potential to create their own hazards. The best way to ensure that emergency repairs and modifications are safe is for original manufacturers to cooperate with community technicians. Indeed, that’s the only way—we can’t simply leave our hospitals undersupplied or sitting on broken hardware until the emergency has passed.
The very nature of emergency medicine means that front-line professionals must make decisions about how to keep their equipment running when it is not fully functional. Even under normal circumstances, there aren't always timely, reliable sources of parts and skilled service. The right people to decide whether a field repair should be attempted, and whether the repair is solid enough to rely upon, are medical professionals, not the shareholders of med-tech companies or the lawyers who write their terms of service and patent applications.
We are all like farmers now—isolated, with machinery that we can’t afford to let sit idle until a distant company can help us repair it. Today, we need those companies to step up by providing repair instructions, specifications, and technical aid to the global volunteer corps of makers and fixers who have given themselves over to helping us all weather this calamity.
A greater portion of the world’s work, organizing, and care-giving is moving onto digital platforms and tools that facilitate connection and productivity: video conferencing, messaging apps, healthcare and educational platforms, and more. It’s important to be aware of the ways these tools may impact your digital privacy and security during the COVID-19 crisis.
Here are a few things you should know in order to make informed decisions about what works best for you and your communities, and ways you can use security and privacy best practices to protect yourself and others.
Free Slacks
EFF has written a lot about Slack’s data retention issues when it comes to free versions of the software. With so many mutual aid networks and organizing groups coalescing on Slack to support our communities, it’s important that users are aware that the company retains their messages if they're using a free plan—and they can't automatically delete them. By default, Slack retains all the messages in a workspace or channel (including direct messages) for as long as the workspace exists.
If you are using a paid workspace, you can change how many messages are retained in Slack’s databases by setting shorter retention periods. If you’re using the free version though, that option is not available to you. Additionally, free workspace users only have the ability to search through the most recent 10,000 messages. And while users can’t see messages sent prior to the 10,000 message mark, they are still available to Slack, law enforcement, and any third-party hackers through a data breach. Leaking or sharing of this data could prove catastrophic, especially for groups who are working to provide aid and support for our most at-risk communities.
Zoom conferencing
The best way to stave off the effects of isolation is to maintain contact with friends, family, and coworkers. Zoom has quickly become a popular option to work and keep in touch with others in the midst of social distancing and shelter-in-place protocols. There are a few things to keep in mind when using Zoom, particularly in instances where users are relying on the conferencing tool for their studies, or for work-related activities.
Attendee attention-tracking
The host of a Zoom call has the capacity to monitor the activities of attendees while screen-sharing. This functionality is available in Zoom version 4.0 and higher. If attendees of a meeting do not have the Zoom video window in focus during a call where the host is screen-sharing, after 30 seconds the host can see indicators next to each participant’s name indicating that the Zoom window is not active.
Administrators and user tracking
Zoom allows administrators to see detailed views on how, when, and where users are using Zoom, with detailed dashboards in real-time of user activity. Zoom also provides a ranking system of users based on total number of meeting minutes. If a user records any calls via Zoom, administrators can access the contents of that recorded call, including video, audio, transcript, and chat files, as well as access to sharing, analytics, and cloud management privileges.
For any meeting that has occurred or is in-process, Zoom allows administrators to see the operating system, IP address, location data, and device information of each participant. This device information includes the type of machine (PC/Mac/Linux/mobile/etc), specs on the make/model of your peripheral audiovisual devices like cameras or speakers, and names for those devices (for example, the user-configurable names given to AirPods). Administrators also have the ability to join any call at any time on their organization’s instance of Zoom, without in-the-moment consent or warning for the attendees of the call.
Schools moving to online learning
Surveillance shouldn’t be a prerequisite for getting an education. But even before more school districts started moving their classes and coursework to digital forums for purposes of social distancing, surveillance has become more and more common in schools. With the advent of COVID-19 and the associated uptick in distributed digital learning, the potential for this surveillance to ramp up is alarming.
This is true from kindergarten all the way through graduate school, though it is most prevalent and insidious in K-12 schools. School administrators are choosing to use tools and tactics that encroach on students’ privacy in ways that can break down trust amongst students and their peers, teachers, families, and administrators. Many K-12 schools offer or mandate the use of school-issued devices, and those devices come with pre-installed spyware that monitors all student activities and reports them to school administrators.
Many schools are already experimenting with mass surveillance technologies with no evidence, and no way for concerned parents and students to opt out. If your school is using or is considering using technologies like Bark, GoGuardian, Gaggle, Securly, or Social Sentinel, check out our guide to Privacy for Students. It covers many of the privacy and surveillance concerns that these technologies raise, with ways to minimize the data being tracked, risk mitigation strategies, and advocacy tactics.
Telehealth and non-HIPAA platforms
The HHS has altered HIPAA rules during the COVID-19 crisis, allowing health care providers to use applications such as FaceTime, Facebook Messenger, Hangouts, Skype, Zoom, etc., so they are able to provide care to patients remotely:
During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules.
If your healthcare provider is using an application or platform that is not covered under HIPAA, check with them on what safeguards they have in place to ensure your privacy is protected, and what their plans and timelines are for moving to platforms that do fall under HIPAA compliance.
Tools for assessing risk and staying safe online
One of the best things you can do to keep yourself and others safe during this crisis is to learn how to minimize risk. Many of the problems presented in this post can be mitigated or circumvented with careful consideration of the risks, employing “privacy as a team sport” tactics, and minimizing the data that corporations, employers, and others can track. Our resource site, Surveillance Self-Defense, is full of practical tips, tools, how-to’s, and explainers for communicating safely online. Here’s a list of useful guides with concrete steps you can take to get started:
- Evaluate and choose the tools you use to make sure they work for you.
- Learn about best practices for communicating with others and incorporate them into your routines and tools.
- Use a password manager to create strong passwords.
- Ensure that you have two-factor authentication (also known as 2FA) enabled for as many accounts as possible.
- Consider your needs and choose the VPN that’s right for you.
And lastly, remember—we’re all in this together. Take care of each other by safeguarding each other’s physical and digital health.