If there's something that drives us crazy, it's when patents get in the way of innovation. Unfortunately, we often don't find out about the most dangerous patents until it's too late—once they've been used to assert infringement. That's why we were encouraged by the new provision of the patent law that allows third parties to easily challenge patent applications while those applications are still pending.
But, here's the rub: it's hard to identify those dangerous applications. And, once you do, it's even harder to find the right information to challenge those applications during the window that the law allows. So we partnered with the Cyberlaw Clinic at Harvard’s Berkman Center for Internet and Society and Ask Patents and—most importantly—you.
As of today, we've now challenged six pending patent applications that you helped us identify as applications that, if granted, would particularly threaten the growing field of 3D printing technology. Harvard's Cyberlaw Clinic hand delivered the first two submissions to the Patent Office earlier this year, and we've since sent in four more.
The prior art we’ve submitted so far thanks to your submissions ranges from patents and blog posts to research papers and symposium proceedings. Each prior art document gives the Patent Office tools to reject patent claims for obviousness. That in turn helps protect the diverse, exciting uses of 3D printing that are gaining in popularity each day, from small hobbyist printers to large-scale, high-quality commercial fabrication using materials ranging from titanium to chocolate.
Here are copies of what we submitted to the Patent Office. The good news is that so far, the Patent Office has accepted our submissions (because of that, if you're thinking of making your own preissuance submissions, you might want to use these as a model). Now we wait to see whether our input influences the examiners.
Our work doesn’t stop here. Next we’re going to investigate a number of pending applications that impact mesh networking technology—another area with an extremely active open development community and with tremendous potential. We’ll be asking you to help us again soon. Stay tuned!

Files:
191_ribbon_filament_presub.pdf
217_gas_flow_presub.pdf
424_chocolate_presub.pdf
503_voxel_model_presub.pdf
876_build_material_presub.pdf
996_heide_presub.pdf
In the last three months alone, the House has released three different cybersecurity bills and has held over seven hearings on the issue. In addition, the House Judiciary Committee floated changes to the Computer Fraud and Abuse Act (CFAA)—the draconian anti-hacking statute that came to public prominence after the death of activist and Internet pioneer Aaron Swartz. Politicians tout this legislation as necessary to protect against foreign threats every single time they introduce a bill with “cyber” somewhere in the text. And it comes as no surprise that every hearing has opened up with a recap of computer security attacks faced by the US from China, Iran, and other foreign countries.
For many politicians "cybersecurity" is also synonymous with increasing penalties for computer crimes. The CFAA proposal floated last week expands the already broad scope of the CFAA, increases the prison time for violations, and criminalizes new actions. Politicians from both parties believe—despite research saying otherwise—that increasing penalties will serve as a deterrent to foreign crimes. Just last year, President Obama, Senator Leahy, and House Republicans all proposed expanding the reach of the CFAA by increasing its penalties. With your help these attempts were defeated when we killed the cybersecurity bill in the Senate.

Why Increases Won't Deter Foreign Threats
Increasing penalties in the CFAA won't serve as a deterrent to foreign threats. Many foreign hacks—like the ones revealed in the recently released Mandiant report—are not the work of private individuals, but of state or quasi-state sponsored citizens. In talks, politicians often cite the recent hack of a Saudi oil company called Saudi Aramco. But that hack is thought to be the work of a quasi-state sponsored Iranian group. And the US will find it hard, if not impossible, to extradite Chinese or Iranian state-sponsored computer hackers. In the case of China and Russia, there are strong legal prohibitions that bar the government from handing over a citizen to another country.
The US would also have a hard time prosecuting civilian foreign citizens. In recent memory there have been only a handful of CFAA extradition cases. In one potential case—the infamous "ILOVEYOU" virus—the FBI said that suspects are generally prosecuted in the country they're found. This means that the CFAA wouldn't be used. The larger Department of Justice manual concerning extraditions lists factors leading to an extradition, but warns prosecutors: "appeals and delays are common." In general, there have been very few successful extradition cases based solely on the CFAA.
Just last year, the US tried to extradite Gary McKinnon under the CFAA for allegedly accessing US military computers. The US government labeled McKinnon as one of the "world's most dangerous hackers," yet it was unable to persuade one of its closest allies, England, to extradite him. McKinnon's case is just one recent example of the difficulties the US government faces when trying to prosecute foreign online threats with US domestic law.
In 2011, Michael Chertoff, the former secretary of the Department of Homeland Security, made these same exact points. While discussing the CFAA and foreign cybersecurity threats, Chertoff noted:
The problem is a lot of the activity is overseas, and we are not going to find the people who do this stuff because they are never coming over to the United States. And, frankly, in some countries there is not a lot of interest in cooperating with us.
In addition, former Justice Department prosecutor and CFAA expert Orin Kerr wrote last week that Congress and the Justice Department seem to be pushing these changes despite the fact that sentences are already very tough, and without any evidence that the judges who preside over computer crime cases think they are necessary:
[H]ave there been any cases in which judges maxed out the current sentences, suggesting that if they had the power to do so they might have wanted to sentence a defendant to a greater punishment? Or is Congress considering increasing the allowed penalties under the CFAA with a complete absence of evidence that any federal judge anywhere has ever found the current statutory maximum penalties too low in any actual case?
The facts are clear: Increasing penalties and expanding the scope of the CFAA won't deter foreign threats—the main reason politicians cite for cybersecurity legislation that increases the CFAA's penalties—and it's unclear if it will deter any threats at all.

Where We Need to Go
This year, in the wake of Aaron's death, advocates fighting to change the status quo have even more reason to enact serious reform. Congress should reform the draconian CFAA by narrowing its scope and reducing its penalties. Rep. Zoe Lofgren has proposed Aaron's Law, which seeks to pass language already reflected in judicial decisions and clarifies that violations of terms of service are not a crime. EFF's own proposal goes beyond this. Our changes aim to protect innovation and decrease the penalties found in the law.
Politicians shouldn't misinterpret reforming the CFAA with being "soft on crime" or with facilitating more foreign attacks. Even domestically speaking, prosecutors have a number of laws to choose from. CFAA reform has been long overdue. Courts like the Fourth and Ninth circuits are already narrowing the law. It's time for Congress to follow their lead. Help support CFAA reform by telling your Representative to support reform.
Who would have thought a major oil corporation would have such thin skin?
In the wake of a major pipeline spill in Mayflower, Arkansas, Exxon has launched a dirty tricks campaign to prevent Little Rock television stations from running a political ad titled, “Exxon Hates Your Children.” The ad, which can be viewed at exxonhatesyourchildren.com, makes an obviously over-the-top assertion about the company’s views about children, in order to call attention to the creators' serious concerns about the company’s policies. To try to keep it off the air, Exxon is circulating a memo to television stations claiming that the commercial is “defamatory toward each of ExxonMobil’s 80,000 employees and their families.” Exxon goes on to describe good things the company does for children and the environment.
The ads, which were paid for through crowdfunding, were scheduled to run on local ABC, NBC, and Fox stations this week, but were taken off the schedule when the stations got the memo. In February, Exxon pulled the same stunt when Comcast was set to air the ad during the president's State of the Union address.
With help from EFF, the activists behind the ad, Oil Change International, are fighting back. As we explain in our response, Exxon's humorless memo misses the point entirely. The activists are simply using parody and satire to comment on an issue of public concern. This type of political speech fits well within the protections of the First Amendment. After all, as Supreme Court Justice Felix Frankfurter wrote in a 1944 free-speech case, "One of the prerogatives of American citizenship is the right to criticize public men and measures."
As we also explain, the right way to respond to speech you don't like is to engage in open debate, not censorship, and media outlets should be especially sensitive to that principle. Judge Learned Hand said it best seventy years ago: "[T]he First Amendment . . . presupposes that right conclusions are more likely to be gathered out of a multitude of tongues, than through any kind of authoritative selection. To many this is, and always will be, folly; but we have staked upon it our all."
What Exxon should not do—and what the television stations should not help them do—is use ill-defined and improper legal threats to silence legitimate political speech. The stations should let the ad run and, if Exxon chooses to create its own ad, run that too.

Files:
lttreexxoncampaign.pdf
exxonhatesyour_children_-_cease_and_desist_4.8.13.docx
UPDATE 2013-04-12: Apparently as a result of this blog post, social media attention, and questions from the Australian Greens to the Australian Federal Attorney General's Department, the block has been lifted. But there has not yet been any explanation of why these 1,200 sites were blocked in the first place.
EFF has long opposed Australia's Internet censorship schemes, warning that even the voluntary filtering that has been implemented by Australia's largest ISPs, Telstra and Optus, lacks transparency and accountability, and could lead to collateral damage—accidental censorship of websites that are not violating the law in any way. A dramatic example of such collateral damage appears to be occurring at the moment.
EFF was recently contacted by the organisers of a community group called the Melbourne Free University (MFU) because their site appears to have been blocked or censored by Australian network operators, possibly at the request of the Australian government. Users from some (but not all) Australian ISPs have been unable to reach the Melbourne Free University site since Thursday the 4th of April. An employee of one of the affected ISPs told MFU by email that the site was blocked as a result of an order from the Australian government, but was unable to say more. Research by EFF and MFU, and discussion amongst Australian network operators, confirms that the IP address has been black holed by a number of Australian ISPs, preventing access to more than 1,200 websites including the Melbourne Free University (multiple websites sharing a single IP address is common due to virtual hosting).
The causes for the block are currently unknown. Speculation by the Australian networking community has included criminal investigations, action by ASIC, or DDOS mitigation. Unusually, a representative of one of the blackholing ISPs, AAPT, would only state that "in regard to this issue, this IP address has been blocked". Under conditions where the cause was to protect the functioning of the Internet, such as to combat a denial-of-service attack, one would expect the ISP to clearly describe the reasons for the temporary filter to better assist other network operators. It would be surprising if the cause was Australia's nascent Internet censorship system as that is reported to operate with DNS rather than IP blocks.
Whatever the reason for the IP black hole, it is extremely unlikely that it justifies the reckless censorship of 1,200 sites for Australian Internet users, and very disturbing that the true reasons have not been made public after many days of requests from the affected parties. Decisions that affect the global connectivity of the Internet should be made transparently, whether they are made in the offices of ISPs, or in the courts and corridors of government.
In the meantime, Australian Internet users who are affected by the block can install Tor to access the affected websites.

Some Technical Info on the Black Hole
A typical traceroute from an affected ISP looks like this:

$ traceroute www.melbournefreeuniversity.org
traceroute to melbournefreeuniversity.org (18.104.22.168), 64 hops max, 40 byte packets
 1  XXXXXXXXXXXXX (192.168.1.254)  1 ms  1 ms  1 ms
 2  XXX.XXX.96.58.static.exetel.com.au (58.96.XXX.XXX)  18 ms  19 ms  18 ms
 3  22.214.171.124.static.exetel.com.au (126.96.36.199)  19 ms  18 ms  19 ms
 4  pe-5017370-mburninte01.gw.aapt.com.au (188.8.131.52)  24 ms  20 ms  20 ms
 5  te3-3.mburndist01.aapt.net.au (184.108.40.206) [MPLS: Label 190 Exp 1]  35 ms  35 ms  31 ms
 6  te0-3-4-0.mburncore01.aapt.net.au (220.127.116.11) [MPLS: Label 17412 Exp 1] More labels  31 ms More labels  31 ms More labels  30 ms
 7  bu2.sclarcore01.aapt.net.au (18.104.22.168) [MPLS: Label 16702 Exp 1] More labels  49 ms More labels  32 ms More labels  31 ms
 8  te2-2.sclardist01.aapt.net.au (22.214.171.124) [MPLS: Label 895 Exp 1]  31 ms  32 ms  33 ms
 9  * po6.sclarbrdr01.aapt.net.au (126.96.36.199)  30 ms *
10  * * *
11  * * *
Packets for the MFU website, which is hosted in the US, never make it out of Australian networks. For comparison, a traceroute from an Australian university where censorship is not present looks like this:

$ traceroute www.melbournefreeuniversity.org
traceroute to www.melbournefreeuniversity.org (188.8.131.52), 30 hops max, 60 byte packets
 1  128.250.XXX.XXX (128.250.XXX.XXX)  0.731 ms  0.825 ms *
 2  172.18.XXX.XXX (172.18.XXX.XXX)  0.731 ms  0.713 ms  0.694 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  ge-7-1-0.bb1.a.syd.aarnet.net.au (184.108.40.206)  12.984 ms  13.037 ms  13.030 ms
 9  xe-0-0-0.bb1.b.sea.aarnet.net.au (220.127.116.11)  155.554 ms  155.514 ms  155.491 ms
10  * * *
11  * * *
12  ae-32-52.ebr2.Seattle1.Level3.net (18.104.22.168)  240.518 ms * *
13  * * *
14  * * *
15  ae-2-2.ebr2.Dallas1.Level3.net (22.214.171.124)  238.357 ms  238.176 ms  238.409 ms
16  ae-92-92.csw4.Dallas1.Level3.net (126.96.36.199)  255.044 ms ae-62-62.csw1.Dallas1.Level3.net (188.8.131.52)  242.661 ms ae-82-82.csw3.Dallas1.Level3.net (184.108.40.206)  241.341 ms
17  ae-73-73.ebr3.Dallas1.Level3.net (220.127.116.11)  240.255 ms ae-63-63.ebr3.Dallas1.Level3.net (18.104.22.168)  238.899 ms ae-83-83.ebr3.Dallas1.Level3.net (22.214.171.124)  236.614 ms
18  ae-7-7.ebr3.Atlanta2.Level3.net (126.96.36.199)  240.434 ms  239.945 ms  241.744 ms
19  ae-63-63.ebr1.Atlanta2.Level3.net (188.8.131.52)  241.140 ms  241.238 ms  241.278 ms
20  ae-1-8.bar1.Orlando1.Level3.net (184.108.40.206)  238.578 ms  238.914 ms  238.484 ms
21  ten-7-4.edge1.level3.mco01.hostdime.com (220.127.116.11)  243.929 ms  244.469 ms  243.938 ms
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

$ sudo traceroute -T -p 80 www.melbournefreeuniversity.org
traceroute to www.melbournefreeuniversity.org (18.104.22.168), 30 hops max, 44 byte packets
 1  128.250.XXX.XXX (128.250.XXX.XXX)  0.476 ms  0.585 ms  0.581 ms
 2  172.18.XXX.XXX (172.18.XXX.XXX)  0.729 ms  0.734 ms *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  so-0-1-0.bb1.a.syd.aarnet.net.au (22.214.171.124)  14.958 ms  14.951 ms  14.998 ms
 9  xe-0-0-0.bb1.b.sea.aarnet.net.au (126.96.36.199)  156.501 ms  156.522 ms  156.499 ms
10  * * *
11  * * *
12  * * *
13  ae-2-2.ebr2.Denver1.Level3.net (188.8.131.52)  240.604 ms * *
14  * * ae-1-100.ebr1.Denver1.Level3.net (184.108.40.206)  238.874 ms
15  * ae-2-2.ebr2.Dallas1.Level3.net (220.127.116.11)  239.695 ms  239.757 ms
16  ae-72-72.csw2.Dallas1.Level3.net (18.104.22.168)  238.391 ms ae-62-62.csw1.Dallas1.Level3.net (22.214.171.124)  243.191 ms ae-92-92.csw4.Dallas1.Level3.net (126.96.36.199)  240.982 ms
17  ae-83-83.ebr3.Dallas1.Level3.net (188.8.131.52)  239.423 ms ae-63-63.ebr3.Dallas1.Level3.net (184.108.40.206)  240.658 ms ae-93-93.ebr3.Dallas1.Level3.net (220.127.116.11)  242.555 ms
18  ae-7-7.ebr3.Atlanta2.Level3.net (18.104.22.168)  242.528 ms  242.706 ms  242.316 ms
19  ae-63-63.ebr1.Atlanta2.Level3.net (22.214.171.124)  243.530 ms  243.745 ms  237.970 ms
20  ae-1-8.bar1.Orlando1.Level3.net (126.96.36.199)  243.341 ms  245.715 ms  236.782 ms
21  ten-7-4.edge1.level3.mco01.hostdime.com (188.8.131.52)  239.822 ms  241.864 ms  238.934 ms
22  active.host-care.com (184.108.40.206)  240.094 ms  240.135 ms  240.132 ms
Other websites using the same IP address (including karenleefield.com, moneysaveuk.com, fmachennai.org, smartandfrank.com, and kohchangpoolvillas.com) demonstrate similar behavior.
A BGP query to a looking glass server at an affected Australian backbone ISP shows the black hole as an abnormal route to the destination IP:

Router: Sydney
Command: show ip bgp 220.127.116.11 255.255.255.0 longer

BGP table version is 146982471, local router ID is 18.104.22.168
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network            Next Hop            Metric LocPrf Weight Path
*> 22.214.171.124/32  192.0.2.1                0    101  32768 ?
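As an added example (not EFF's or MFU's code), the following Python script automates the two checks above: it parses traceroute output to find where a path goes silent relative to a working reference path, and parses a looking-glass "show ip bgp" table to flag the signature of a locally originated black-hole route (a /32 with a discard next hop, weight 32768 and incomplete origin). The sample outputs are constructed and use RFC 5737 placeholder addresses; the discard next hop 192.0.2.1 is taken from the page's output and assumed to be the ISP's route to Null0.

```python
"""Triage an IP black hole from traceroute output and a BGP looking-glass query.

Added example, not EFF's or MFU's code. Sample outputs are constructed to resemble
the page's traces and 'show ip bgp' query; all addresses are RFC 5737 placeholders.
"""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
HOST_RE = re.compile(r"([\w.-]+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")
DEST_RE = re.compile(r"^traceroute to \S+ \((\d{1,3}(?:\.\d{1,3}){3})\)", re.M)
BGP_ROW_RE = re.compile(r"^\s*([*>sdhirSmbx]+)\s+(\S+/\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")
# Assumption: the ISP's black-hole static route points at this discard next hop
# (192.0.2.1 is in TEST-NET-1, a common choice for a route to Null0).
DISCARD_NEXT_HOPS = {ipaddress.ip_address("192.0.2.1")}

AFFECTED_TRACE = """\
traceroute to melbournefreeuniversity.org (203.0.113.10), 64 hops max, 40 byte packets
 1  gateway (192.168.1.254)  1 ms  1 ms  1 ms
 2  cust.static.exetel.com.au (198.51.100.2)  18 ms  19 ms  18 ms
 3  te3-3.mburndist01.aapt.net.au (198.51.100.4) [MPLS: Label 190 Exp 1]  35 ms  35 ms  31 ms
 4  * po6.sclarbrdr01.aapt.net.au (198.51.100.5)  30 ms *
 5  * * *
 6  * * *
"""
REFERENCE_TRACE = """\
traceroute to www.melbournefreeuniversity.org (203.0.113.10), 30 hops max, 60 byte packets
 1  198.51.100.20 (198.51.100.20)  0.731 ms  0.825 ms *
 2  * * *
 3  xe-0-0-0.bb1.b.sea.aarnet.net.au (198.51.100.22)  155.554 ms  155.514 ms  155.491 ms
 4  active.host-care.com (203.0.113.10)  240.094 ms  240.135 ms  240.132 ms
"""
LOOKING_GLASS = """\
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 203.0.113.10/32  192.0.2.1                0    101  32768 ?
"""

Hop = namedtuple("Hop", "number hosts")  # hosts: (hostname, ip) pairs; empty for "* * *"
BgpRoute = namedtuple("BgpRoute", "prefix next_hop weight as_path origin")

@dataclass
class Trace:
    dest_ip: str
    hops: list = field(default_factory=list)

    def last_responding_hop(self):
        answered = [h for h in self.hops if h.hosts]
        return answered[-1] if answered else None

    def reached_destination(self):
        return any(ip == self.dest_ip for h in self.hops for _, ip in h.hosts)

def parse_traceroute(text):
    """Parse BSD/Linux traceroute output into a Trace of numbered hops."""
    m = DEST_RE.search(text)
    if not m:
        raise ValueError("no 'traceroute to' header found")
    trace = Trace(m.group(1))
    for line in text.splitlines():
        hop = HOP_RE.match(line)
        if hop:
            trace.hops.append(Hop(int(hop.group(1)), HOST_RE.findall(hop.group(2))))
    return trace

def compare_traces(affected, reference):
    """Where does the affected path go silent, given a reference path that works?"""
    last = affected.last_responding_hop()
    return {
        "reference_reached": reference.reached_destination(),
        "affected_reached": affected.reached_destination(),
        "last_answering_host": last.hosts[-1][0] if last else None,
        "silent_hops_after": len(affected.hops) - (last.number if last else 0),
    }

def parse_bgp_table(text):
    """Parse 'show ip bgp' rows; assumes Metric, LocPrf and Weight are all printed."""
    routes = []
    for line in text.splitlines():
        m = BGP_ROW_RE.match(line)
        if m:
            rest = m.group(4).split()  # metric, locprf, weight, AS path..., origin code
            routes.append(BgpRoute(m.group(2), m.group(3), int(rest[2]), rest[3:-1], rest[-1]))
    return routes

def blackhole_indicators(route):
    """Signs that a route is a locally originated black hole, not a path learned from a peer."""
    reasons = []
    if route.prefix.endswith("/32"):
        reasons.append("host route (/32) for a single address")
    if ipaddress.ip_address(route.next_hop) in DISCARD_NEXT_HOPS:
        reasons.append("next hop is a discard address, so matching traffic is dropped")
    if route.weight == 32768:
        reasons.append("weight 32768: originated on this router, not learned from a peer")
    if route.origin == "?" and not route.as_path:
        reasons.append("origin incomplete with empty AS path: redistributed static route")
    return reasons
```

On the page's real output the same checks fire: the affected trace dies at the AAPT border router while the university trace reaches the hosting provider, and the looking glass shows a /32 to 192.0.2.1 with weight 32768 and origin "?".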
To date, thousands of people have sent messages to Congress demanding reform of the Computer Fraud & Abuse Act through EFF alone, not counting the ones sent through our friends at Demand Progress and elsewhere. But the citizens of the Internet will need to shout even louder if we’re going to drown out the corporate interests that have already dedicated hundreds of thousands of dollars to influence lawmakers to change the CFAA for the worse.
Take, for example, the Software & Information Industry Association (SIIA), which describes itself as “the principal trade association for the software and digital content industry.” The group’s board of directors is made up of the captains of the computing industry, including executives from Oracle, Adobe, IBM, Red Hat and Intuit, each of which pays up to $125,000 a year in dues to the SIIA. In 2012 alone, the SIIA dropped a whopping $880,000 to lobby Congress and federal agencies on digital issues.
In August 2012, before Aaron Swartz’s death, the SIIA provided the federal government’s Intellectual Property Enforcement Coordinator with 19 pages of formal comments on the national policy on cyber affairs. One section is titled, “Preserving and Improving the Computer Fraud and Abuse Act.” Regarding the bi-partisan efforts led by Senators Chuck Grassley, Al Franken and Mike Lee to reform the “exceeding authorized access” part of the law so it doesn’t criminalize terms of service violations, the SIIA wrote:
We, therefore, urge that the IPEC in the Joint Strategic Plan state its opposition to proposals that would limit the definition of “exceeds authorized access” in the CFAA in any way that would prevent its application to violation of contractual obligations or agreements.
Now we expect that some of the companies on SIIA’s membership roster actually are sympathetic to fixing the CFAA, especially in light of Aaron’s death. And of course, many rank-and-file employees are already independently voicing their opposition to the law. Yet, these companies’ dues funded at least three lobbyists who were working on the hill last year to oppose even modest CFAA reform.
As we’ve written before, the CFAA has been expanded and morphed since it originally passed in 1984 so that it now threatens draconian and out-of-proportion punishments for acts that cause little or no economic harm. It has also been used to threaten innovators and security researchers. Worse, since the Justice Department's expansive interpretation would criminalize website terms of service violations, the CFAA threatens to turn virtually everyone online into a criminal. The SIIA is directly opposing reform of this last portion, the one that has broad support among actual users of websites.
After all, many sites alter their terms of service with little or no notification, and these terms are written incredibly broadly to allow websites to refuse service to users for practically any reason. No user could reasonably be expected to understand or even follow the myriad terms they implicitly agree to every day. For example, EFF recently outlined numerous news agencies with terms of service that forbid minors from visiting their sites; even Seventeen magazine’s website until recently barred users under 18.
The Department of Justice’s computer-crimes prosecution manual even encourages U.S. Attorneys to pursue this legal theory, describing it as “relatively easy to prove.”
Thus, at least based upon its statements to IPEC in August 2012, the SIIA opposes even the most common-sense changes to the law. The organization’s main concern was civil litigation, but it also argued that the criminal provisions should remain in place (although it does leave room for compromise).
While we understand that there are concerns that the CFAA is being too broadly enforced in the criminal context we think that there are other, more effective, ways to address this issue than the present legislative proposals which would prevent actions from being brought under the CFAA that are based on a violation of a contractual obligation or agreement. At the very least these, since these concerns only appear in the criminal context, any legislative proposals to limit the CFAA should only apply to criminal cases.
The SIIA is completely wrong when it suggests that CFAA reformers aren’t concerned about how the law is used in civil proceedings. On March 12, 2013, a coalition of online businesses (including Mozilla, Reddit and Vuze) sent a letter to Congress laying out how the CFAA stifles innovation. Among the examples were several cases in which corporations used alleged violations of terms of service to sue and threaten potential competitors.
The organization hasn’t announced any change in its position, though it did warn members in a newsletter that Aaron Swartz’s tragic death “likely increased support among policymakers to reform the CFAA sooner, rather than later.”
The SIIA invests roughly $220,000 per quarter to promote its legislative agenda. But the best way to counter this in a legislator’s ear is with the voice of a constituent. Take a moment to show that citizens trump corporations by sending a message to your member of Congress.
And if you work for a company on the SIIA’s roster, tell the association it's time to get on board with sensible CFAA reform.
In the wake of social justice activist Aaron Swartz's tragic death, EFF and Internet users around the country are in the middle of a week-of-action, asking Congress to reform the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking law. The CFAA has many problems and users can contact their representative to demand reform. In this two-part series, we'll explore the specific problems with federal sentencing under the CFAA. Part 1 explains why maximums matter.
Much of the recent discussion about the problems with the CFAA's tough penalty scheme has revolved around its draconian maximum punishments. While maximums play an important role in criminal sentencing, the actual sentence a defendant will receive depends mostly on the sentencing range recommended in the United States Sentencing Guidelines ("USSG"). The Guidelines are written and updated by the United States Sentencing Commission ("USSC"), an independent agency of the judicial branch created by Congress in 1984, to help judges determine where in the spectrum from no jail time to the maximum a sentence should fall. Once binding on sentencing courts, the Guidelines became only a recommendation the court was free to disregard after a 2005 Supreme Court ruling. Nonetheless, the vast majority of federal criminal sentences fall within the Guideline range recommended by the USSC. And when it comes to looking at how the Guidelines treat CFAA cases, it's clear why the law needs to be reformed.

How the Guidelines Work
The Guideline range hinges on only two things: the characteristics of the crime committed and the defendant’s criminal history. It plots these two factors on a table. On the Y-axis is a scale of 1 to 43 that measures the "offense level," or the seriousness of a crime; 1 is the least serious crime and 43 is the most serious. On the X-axis is a scale of I to VI that measures a defendant's criminal history; I is the least serious criminal history, including first offenders, and VI is the highest.
At sentencing, the court must first calculate the offense level for the specific statute of conviction. Then, it can apply enhancements for aggravating behavior like choosing an "official victim." Once the court calculates the offense level it then determines the defendant's criminal history. Then, once these two factors have been calculated, the court matches the two numbers on the table, leading to the recommended sentencing range for a particular crime. As either of these two axes increases, so does the length of the sentence. The court can impose a sentence within the range—which can be presumed reasonable on appeal—or disregard the range and impose whatever sentence it wants up to the maximum.
While the Supreme Court has noted the Guideline ranges created by the USSC are supposed to be based on "empirical data and national experience," oftentimes they are born out of Congressional directive to the Commission to increase sentencing ranges after Congress increases maximum punishments. That's exactly what Congress did in 2008 (PDF) after it increased the CFAA's maximum penalties and told the USSC it wanted the Guideline ranges for CFAA crimes to be "increased in comparison to those currently provided by such guidelines and policy statements."
The Guideline section that applies to the CFAA is § 2B1.1 which also covers other fraud and theft crimes. The "base offense level," or starting point of the Guideline calculation, depends on the maximum punishment. But unless a defendant is convicted of causing damage to a protected computer that "recklessly causes serious bodily injury" or a repeat violation of some CFAA crimes, the base offense level for CFAA crimes is 6.
At first blush, a CFAA defendant is clearly at the lower end of the sentencing spectrum. For sentencing ranges falling in "Zone A," the Guidelines authorize a court to impose probation without any imprisonment. However, the offense level steadily increases as the Guidelines' myriad adjustments and enhancements start to apply.

"Loss," The Infinite Enhancement
After determining the base offense level, § 2B1.1(b) tells the court to calculate the amount of financial loss caused by the crime. "Loss" means the greater of either "actual loss"—the reasonably foreseeable financial harm caused by the crime—or the "intended loss"—the financial harm the defendant intended to cause if not for some obstacle getting in the way. In a fraud or theft case, that generally is the value of the thing taken. But the Guidelines define "loss" much more broadly for CFAA convictions:
In the case of an offense under 18 U.S.C. § 1030, actual loss includes the following pecuniary harm, regardless of whether such pecuniary harm was reasonably foreseeable: any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other damages incurred because of interruption of service.
Not only does this CFAA-specific definition and the corresponding sentencing increase lead to excessive sentences compared to other forms of fraud; it also gives prosecutors wide discretion to ratchet up potential sentences for defendants who insist on exercising their constitutional right to go to trial.
For example, Andrew "Weev" Auernheimer was sentenced to 41 months in prison for exposing a security hole on AT&T's servers that publicly revealed iPad users' email addresses. The court ruled that the "loss" to AT&T in his case was $73,000. But that wasn't the "value" of the email addresses that were taken or the cost of fixing the computers or servers; rather, that was how much it cost AT&T to mail a letter to its customers notifying them of the email breach. As Professor Orin Kerr has noted, that loss amount is unreasonable because it had nothing to do with fixing the computers and wasn't a reasonable response to the problem by AT&T, since AT&T also sent an email notice of the breach, which had been effective. Yet that $73,000 loss amount resulted in an 8 level increase to the offense level for Auernheimer. For his co-defendant Daniel Spitler, who pleaded guilty and testified against Auernheimer, prosecutors agreed to a loss amount of $30,000, subjecting him to only a 6 level increase.
In the case of Aaron Swartz, the ability of prosecutors to determine loss resulted in an enormous swing in sentencing exposure. Since Swartz didn't "hack" into anything and didn't harm any computers, the sole issue that would determine his possible sentence would be the value of the articles he took from JSTOR. When prosecutors offered Swartz a plea deal that would result in a few months in jail, they were likely calculating the loss to be more than $10,000 but less than $30,000, resulting in only a 4 level increase in the Guidelines. But according to Swartz's lawyer Elliot Peters, prosecutors also threatened Swartz with a much greater sentence if he went to trial, claiming the amount of loss was $2 million. That would result in a 16 level increase in his Guideline range. Others have speculated that if taken to its logical extreme (taking 4.8 million articles that cost $19 apiece to download) the loss could be $91 million, leading to a 24 level increase, bringing his Guideline sentence closer to the maximum punishments bandied about in DOJ's press release.
These wild swings create uncertainty and pressures on defendants to plead guilty. And while that's true in any criminal case, it's amplified with the CFAA since the loss definition is broader than even other federal fraud crimes.

Double (and Triple) Counting Computer Skills
Unfortunately, there's more. Section 2B1.1(b)(10) also calls for a two level increase for using "sophisticated means" to commit the crime. For Auernheimer, that was Spitler's act of running the script that simply modified a number in a public URL. It could easily be the same thing for Swartz, who also allegedly ran a script in order to bulk download the files from JSTOR, despite the fact he actually had permission to access the files, just not with a bulk downloader.
Meanwhile, there's another enhancement that covers the same exact conduct which could also apply. Under § 3B1.3 a defendant who uses a "special skill" to commit a crime faces another two level enhancement, notwithstanding § 2B1.1(b)(10)'s "sophisticated means" increase. A "special skill" is "a skill not possessed by members of the general public and usually requiring substantial education, training or licensing." The examples given by the USSG are a pilot, lawyer or doctor. DOJ claimed Auernheimer—who again did no "hacking" or script writing—had "special" computer skills that justified the increase. So, between the two enhancements, he received an additional 4 level increase.
It's easy to imagine the same enhancement applying to Swartz too, not only for running the script, but also for masking his IP address—a legitimate practice designed to protect anonymity—in order to avoid getting kicked off of MIT's network or JSTOR's servers and to leave no trace of who he was or where he was coming from.
The Guidelines allow the same conduct to result in multiple level increases, ultimately resulting in a higher sentence.
Adding It All Together
Auernheimer also received another two level increase under § 2B1.1(b)(11) for transferring a "means of identification," specifically the email addresses. So here's how the Guidelines ultimately worked out for Weev and Swartz on the CFAA counts. Both are in criminal history category I:
                           Weev                 Swartz
Base Offense Level         6                    6
Loss                       +8 ($73,000)         +16 ($2 million)
"Sophisticated Means"      +2                   +2
"Means of Identification"  +2                   0
"Special Skill"            +2                   +2
Adjusted Offense Level     20                   26
Guideline Range            33-41 months         63-78 months
Weev and Swartz are in "Zone D" of the table, meaning the Guidelines disqualified them from probation and required a prison sentence. Weev received a sentence at the high end of the Guideline range, 41 months, with some noting his past Internet behavior motivated the higher sentence. And in truth, § 1B1.4 of the Guidelines tells the Court it "may consider, without limitation, any information concerning the background, character and conduct of the defendant" when deciding on the appropriate sentence.
Prosecutors took full advantage of this provision, informing the court of Auernheimer's past behavior, and the court took the bait, holding Weev accountable for actions irrelevant to the criminal sentence and imposing a sentence that was not only at the high end of the Guideline range, but more than other defendants convicted of arguably worse behavior.
It's easy to imagine prosecutors doing the same with Swartz, using his prior bulk download of documents from PACER and his "Guerilla Open Access Manifesto" as a reason to justify the tough prosecution and sentence.
Ultimately, the Guidelines are just as much of a problem in CFAA cases as the broad language of the statute and the maximum punishments. We're working hard to reform the CFAA, advocating for the law’s penalties to be proportionate to the wrongdoing they're meant to punish. That means Congress needs to not only change the CFAA's penalty scheme but also must call on the USSC to reexamine how the Guidelines treat the CFAA too. So please join EFF in calling on Congress to fix the CFAA by sending an email to your elected representatives now.
Related Issues: Computer Fraud And Abuse Act Reform
Related Cases: U.S. v Auernheimer
Calling Internet engineers and technologists!
We need you to help fix the Computer Fraud and Abuse Act (CFAA)—the law used to prosecute the late activist and Internet pioneer Aaron Swartz. Specifically, we need you to start a conversation within your company about supporting CFAA reform.
The CFAA broadly criminalizes accessing a computer without or in excess of "authorization"— a vague term that is followed up by extremely harsh penalties. The law threatens technologists, developers, researchers, and others who tinker with software, conduct security research, or engage in many other kinds of innovation. Companies have used the CFAA to seek criminal charges against employees for violating employee contracts. In fact, the Justice Department has argued that anyone who violates a term of service could be committing a crime that can potentially carry many years of prison time.
After the tragic death of Aaron, who was aggressively prosecuted under the law, EFF and a number of organizations put together some proposed fixes to the CFAA that would bring a measure of sanity to computer crime law. But meanwhile, the House Judiciary Committee has floated a backwards proposal that would actually make the law worse.
We need your help. We need people who understand how technology works and how innovation happens to stand up to fix this law. We especially need tech companies and technologists to join us. Unfortunately, many lawyers and policy staffers at tech companies support the currently overbroad CFAA, or see fixing it as unimportant. Some are even working to make it worse. Some companies like the CFAA because it lets them call the cops on employees who disobey workplace policies.
If we're going to fix the CFAA, tech companies need to join in the fight on the right side. To get there, they need to hear from their valued employees about why the CFAA must be reformed. That means you.
If you work for a technology company, here's the challenge: Start the conversation about CFAA reform in your company. Figure out how best to do it—talk to your boss, talk to your CEO, talk to your policy team. Talk to the lawyers. Get the conversation started, and let them know that technologists need hacking laws to be sane, clearly bounded, and narrower than their current sprawling scope.
Urge your company to support CFAA reform that helps, not hurts, technologists, developers, researchers and consumers. Here are some points to bring up:
This law directly affects the programming community. It's time for us to step up in response. Demand that your company support strong CFAA reform that fixes—instead of exacerbates—the problems.
For more information, visit our issue page on the CFAA.
We want to hear from you. Tell us how it went at firstname.lastname@example.org.
Related Issues: Computer Fraud And Abuse Act Reform
San Francisco - The Electronic Frontier Foundation (EFF) urged the Washington State Supreme Court Monday to recognize that text messages are "the 21st Century phone call" and require that law enforcement officers obtain a warrant before reading texts on someone's phone.
"Text messages are a ubiquitous form of communication, and their context can be as private as any telephone conversation," said EFF Staff Attorney Hanni Fakhoury. "We use texts to talk to our wives and husbands, our kids, our co-workers, and more. Police should not be able to sift through these personal exchanges on a whim – they must show probable cause and get a warrant before accessing this information."
In this case, police seized a cell phone during a drug investigation and monitored incoming messages. Officers responded to several texts, setting up meetings that resulted in two arrests, without first getting a warrant. Prosecutors have argued that no warrant was required because there should be no expectation of privacy in text messages, as anyone can pick up someone else's phone and read what's stored there. But in two related amicus briefs filed Monday, EFF argues that searching the phone for the texts without a warrant clearly violates the Constitution.
"The state argues that just because someone can intercept a communication, you should reasonably expect that communication to be intercepted. That's a dangerous way to interpret the Fourth Amendment," said Fakhoury. "The prosecutors' theory would eviscerate any privacy protections in the digital age. We're asking the Washington State Supreme Court here to recognize what's at stake and to require a warrant before allowing officers to read text messages on a cell phone."
Venkat Balasubramani of FOCAL PLLC in Seattle, Washington, served as EFF's local counsel in the cases.
For the full amicus briefs:
Electronic Frontier Foundation
Ever since reintroducing CISPA, the so-called "cybersecurity bill," its supporters promote the bill with craftily worded or just plain misleading claims. Such claims have been lobbed over and over again in op-eds, at hearings, and in press materials. One "fact sheet" by Rep. Rogers and Ruppersberger titled "Myth v. Fact" is so dubious that we felt we had to comment. To stop this type of misinformation—and to stop CISPA—we urge you to tell your members of Congress to stand up for privacy.
Here are some of the statements supporters of CISPA are pushing and why they're false:
Supporters of CISPA say, "There are no broad definitions"
Supporters are keen to note that the bill doesn't have broad definitions. In the "Myth v. Fact" sheet, the authors of CISPA specifically point to the definition of "cyber threat information." Cyber threat information is information about an online threat that companies can share with each other and with any government agency—including the NSA. In hearings, experts have said that they don't need to share personally identifiable information to combat threats. But the definition in the bill allows for any information related to a perceived threat or vulnerability—including sensitive personal information—to be shared. Cyber threat information should be a narrowly defined term.
Another example of a broad (or missing) definition is the term "cybersecurity system." Companies can use a "cybersecurity system" to "identify or obtain" information about a potential threat ("cyber threat information"). The definition is critical to understanding the bill, but is circular. CISPA defines a "cybersecurity system" as "a system designed or employed" for a cybersecurity purpose (i.e. to protect against vulnerabilities or threats). The language is not limited to network security software or intrusion detection systems, and is so broadly written that one wonders if a "system" involving a tangible item—e.g., locks on doors—could be considered a "cybersecurity system." In practical terms, it’s unclear what is exactly covered by such a "system," because the word “system” is never defined.
The best example of a dangerous undefined term in the bill is found within the overly broad legal immunity for companies. The clause grants a company who acts in "good faith" immunity for "any decisions made" based off of the information it learns from the government or other companies. Does this cover decisions to violate other laws, like computer crime laws? Or privacy laws intended to protect users? Companies should not be given carte blanche immunity to violate long-standing computer crime and privacy law. And it is notoriously hard to prove that a company acted in bad faith, in the few circumstances where you would actually find out your privacy had been violated.
Supporters of CISPA say, “The bill is not a government surveillance program”
Supporters are adamant CISPA doesn't create a wide-ranging "government surveillance program." It’s true the bill doesn't create such a surveillance program like the one described in the ongoing warrantless wiretapping lawsuits.
But the trick here is what is meant by “government surveillance.” We think that if the bill aims at having our information flow to the government, it’s tantamount to government surveillance, whether or not the government initially collected the information.
The bill creates a loophole in the privacy laws that prevented companies from disclosing your information to the government and gives companies broad legal immunity for sharing information with the government. As a result, CISPA makes it more likely that companies will surveil their own users and then disclose that information. The sly wording dodges the key issue: that CISPA encourages companies to conduct surveillance on their networks and hand “cyber threat information” to the government. In short, the bill encourages a de facto private spying regime, with the same end result.
Supporters of CISPA say, "The government can't read your private email"
Reps. Rogers and Ruppersberger are adamant CISPA doesn't grant the government access to read private emails. The claim was recently repeated by James Lewis, a fellow at the Center for Strategic and International Studies. But the broad definitions do allow for personal information to be gathered by companies and then sent to the government without any mandatory minimization of personal information. And under the vague definitions an aggressive company could claim that private messages are related to the threat, obtain them, and share them with the government. If Reps. Rogers and Ruppersberger didn't want the content of emails to be disclosed under CISPA, it would be easy enough for them to exclude this content by including language in CISPA.
Supporters say, "CISPA follows advice from privacy and civil liberty advocates"
In his introduction of the bill, Rep. Rogers assured the audience that he has listened to the privacy and civil liberties community.
This year’s CISPA does contain some language added after privacy and civil liberties advocates complained in 2012. But those changes didn’t address some big issues that were raised last year, and this year’s privacy and civil liberties complaints about CISPA remain unaddressed.
Let's Stop CISPA
Reps. Rogers and Ruppersberger are on a strong publicity offensive to make sure the bill passes. The American public deserves full explanations and clear meanings about what CISPA can do and the extent to which it can do it. The public doesn't need carefully worded messaging materials that obfuscate and mislead a discussion on CISPA. The issues at stake—like the broad legal immunity and new spying powers that allow for companies to collect private, and sensitive, user information—are too serious.
This week, EFF and a bipartisan coalition of organizations are calling for a Week of Action to reform the Computer Fraud and Abuse Act—the law used in the aggressive prosecution of Aaron Swartz and that could potentially be used to turn every Internet user into a criminal.
Since Aaron's death, EFF has proposed changes that would reform the CFAA and bring it into the 21st Century. Unfortunately, the House Judiciary Committee has proposed radical changes to the CFAA that would seek to increase penalties, expand the law, and criminalize new actions.
This week, we have a Twitter tool which you can use to express your support for reform and an action center which allows you to easily find your representative and email them. But if you live in one of the following districts, you can have even more impact by calling your representative on the phone.
We've heard from multiple sources in Congress that the most effective action taken during the SOPA protest in January 2012 was the massive numbers of people who called into Congress to express their concern. During that week of action, the phone lines in Congress were temporarily overwhelmed from call volume and had to be shut down. This sent a powerful message to those who were considering voting against Internet freedom.
Here are some talking points for you to mention during the phone call:
Hello, my name is [YOUR NAME] and I am a constituent of the Representative.
I think the recent proposed changes by the House Judiciary committee to the Computer Fraud and Abuse Act are a bad idea, and I hope the representative will stand against them.
Thank you for your consideration.
Find your state in the list below to get the phone numbers for your Representative.
Help us spread the word!
Once you’ve called your Representative, there are still more steps you can take to fight the House Judiciary Committee changes. Tell your friends, in person or on Twitter, and ask them to call their representative. And if you haven’t yet used our action alert, act now to e-mail your legislators.

State-District          Representative        Phone Number
Alabama-6               Spencer Bachus        (202) 225-4921
Arizona-8               Trent Franks          (202) 225-4576
California-37           Karen Bass            (202) 225-7084
California-27           Judy Chu              (202) 225-5464
California-49           Darrell Issa          (202) 225-3906
California-19           Zoe Lofgren           (202) 225-3072
Florida-26              Joe Garcia            (202) 225-2778
Florida-6               Ron DeSantis          (202) 225-2706
Florida-21              Ted Deutch            (202) 225-3001
Georgia-9               Doug Collins          (202) 225-9893
Georgia-4               Hank Johnson          (202) 225-1605
Iowa-4                  Steve King            (202) 225-4426
Idaho-1                 Raul Labrador         (202) 225-6611
Illinois-4              Luis Gutierrez        (202) 225-8203
Louisiana-2             Cedric Richmond       (202) 225-6636
Michigan-13             John Conyers          (202) 225-5126
Nevada-2                Mark Amodei           (202) 225-6155
North Carolina-6        Howard Coble          (202) 225-3065
North Carolina-13       George Holding        (202) 225-3032
North Carolina-12       Mel Watt              (202) 225-1510
New York-10             Jerrold Nadler        (202) 225-5635
New York-8              Hakeem Jeffries       (202) 225-5936
Ohio-1                  Steve Chabot          (202) 225-2216
Ohio-4                  Jim Jordan            (202) 225-2676
Pennsylvania-10         Tom Marino            (202) 225-3731
Pennsylvania-12         Keith Rothfus         (202) 225-2065
Puerto Rico-At Large    Pedro Pierluisi       (202) 225-2615
South Carolina-4        Trey Gowdy            (202) 225-6030
Tennessee-9             Steve Cohen           (202) 225-3265
Texas-27                Blake Farenthold      (202) 225-3265
Texas-1                 Louie Gohmert         (202) 225-7742
Texas-8                 Sheila Jackson-Lee    (202) 225-3816
Texas-2                 Ted Poe               (202) 225-6565
Texas-21                Lamar S. Smith        (202) 225-4236
Utah-3                  Jason Chaffetz        (202) 225-7751
Virginia-4              Randy Forbes          (202) 225-6365
Virginia-6              Bob Goodlatte         (202) 225-5431
Virginia-3              Bobby Scott           (202) 225-8351
Washington-1            Suzan DelBene         (202) 225-6311
Wisconsin-5             Jim Sensenbrenner     (202) 225-5101

Related Issues: Computer Fraud And Abuse Act Reform
Today, EFF and a host of organizations across the political spectrum are launching a week-of-action imploring Congress to reform the Computer Fraud and Abuse Act (CFAA)—the expansive law used to prosecute the late activist and Internet pioneer Aaron Swartz.
The CFAA has been expanded and morphed since it originally passed in 1984 so that it now threatens draconian and out-of-proportion punishments for acts that cause little or no economic harm. It has also been used to threaten innovators and security researchers. Worse, since the Justice Department's expansive interpretation would criminalize website terms of service violations, the CFAA threatens to turn virtually everyone online into a criminal.
We're asking Congress for three specific, common-sense fixes to the CFAA, which will bring the outdated law into the 21st Century:
Unfortunately, some members of the House Judiciary Committee have floated a change to the CFAA that goes in the opposite direction, expanding penalties under the CFAA and largely codifying the DOJ’s position on terms of service violations.
Here's how you can help:
1. Use our Twitter tool to send tweets to House Judiciary members explaining to them that violating website terms of service and employee duties should not be a crime.
2. Email your representative to support a version of Aaron's Law that would make the fixes listed above.
3. Call your representative to reiterate your support for CFAA reform. Remember, during the SOPA/PIPA fight, nothing was more important than jamming up the Congressional phonelines.
4. Change your Twitter and Facebook icons, both in remembrance of Aaron and to spread word about CFAA reform.
You can also take action on a special page made by Demand Progress, the advocacy organization Aaron founded to help fight SOPA and other threats to Internet freedom.
EFF and a host of other organizations and experts are participating in two Reddit AMAs over the next couple of days (one on CISPA, one on the CFAA), so make sure to share them on social media. And please share as much information on the draconian penalties in the CFAA as you can. Many people outside of the tech community may not have heard of the law and how unjust it is.
We'll continue to update you throughout the week on our progress in reforming the CFAA once and for all.
For more history on the CFAA, and for EFF's specific legislative fixes to the law, please visit our CFAA reform page.
Related Issues: Computer Fraud And Abuse Act Reform
EFF filed comments today urging the Federal Trade Commission to take action against patent trolls. We have written often about the rise of the patent troll—entities that don't create products themselves, but instead buy patents and make money from lawsuits—and the serious harm they are causing true innovators.
In our comments, we urge the FTC to produce a detailed report about patent trolls (or, as the FTC more delicately calls them, ‘patent assertion entities’) and the cost they impose on the economy. We explain that trolls are costing billions of dollars every year with the burden falling especially hard on startups. Patent trolls target startups because they know smaller businesses lack the resources to fight back.
We also urge the FTC to use its investigatory and enforcement powers against the most abusive trolls—especially those that use baseless lawsuits to extort settlements. Because shell company patent trolls don’t make anything themselves, they generally have nothing to lose. This gives them a unique incentive to abuse the litigation system. Until now, this abuse has gone largely unchecked.
We welcome the FTC’s interest in patent trolls and hope the agency will follow up with action. A strong response to abusive patent trolls is long overdue.
Files: eff_pae_comments_for_ftc_05-04-13.pdf
Related Issues: Patents, Patent Trolls
Copyright laws that represent the one-sided concerns of Hollywood at the expense of the broader public interest do not belong in trade agreements. Period.
Yet just days after dozens of public interest groups around the world called on the Office of the United States Trade Representative (USTR) to keep copyright and patent regulations out of a new international trade agreement, a Senator with longstanding ties to the entertainment industry introduced a misguided bill that would create a new position for a "Chief Innovation and Intellectual Property Negotiator" — in other words, an Ambassador from Hollywood, paid for by the general public.
This proposal stands in stark opposition to our public petition for the U.S. Trade Rep to stop backroom negotiations in international trade agreements.
Given the utter lack of transparency and absence of public input in almost all other trade agreements, we have no reason to believe that this new position would improve the broken balance in copyright or patent law. Rather, it is an effort to entrench "intellectual property" as a policy matter that should be decided in secret trade meetings that have so far been shrewd in deflecting all democratic oversight.
The bill, S.660, is not Senator Orrin Hatch's first attempt to put Big Content's interests on a pedestal in U.S. trade policy. In fact, it comes directly on the heels of a failed amendment to the much-debated Senate budget proposal approved just the week before.
It's disappointing but not surprising that such an attempt would come as a rider on a much larger bill and without public debate. After all, the position it would have created would have been dedicated to promoting copyright and patent policies that wouldn't pass muster in a setting with more transparency and accountability.
But as troubling as that failed amendment was, this proposal is even worse. The new Chief “Intellectual Property" Negotiator would have to be approved by the Senate Finance Committee — of which Senator Hatch himself is the Ranking Member — and would be required to "be a vigorous advocate on behalf of United States innovation and intellectual property interests." That is to say, this representative wouldn't be there to represent the public interest, or the average Americans who are paying his or her salary.
Worse still, this proposal comes at the precise moment that the legacy content industry's trade agenda has shown itself to be most at odds with the public interest. In particular, opponents of an effective and permanent fix to the Digital Millennium Copyright Act's ban on phone-unlocking have cited language in recent trade agreements as a reason why any such legislation could be impossible — even though it's been described as simple "common sense" by the White House. Regardless of the truth of those opponents' claims, they slow the pace of change, even for extremely popular proposals. In other words, industry interests at the international level are trying to tie the hands of democratically elected legislators and dictate which laws are unacceptable.
This goes beyond even policy laundering, where otherwise indefensible copyright policies are given the patina of legitimacy by being accepted first in an international forum. Here, the copyright lobby is claiming to be able to set profoundly undemocratic limits on the kinds of laws that domestic legislators can pass. It's essential that the public pushes back on that notion — and it's certainly not acceptable to be advancing it further with the creation of a new Ambassador required to listen to an industry group and not the public.
As Upton Sinclair once famously wrote: "It is difficult to get a man to understand something, when his salary depends on his not understanding it." On this point, Hatch's proposal is clear: question the assumption that "vigorous" copyright and patent enforcement may be at odds with innovation, or that the public interest should supersede industry interest, and you're out of a job. Appointing a representative for the industries dedicated to "strong" copyright and patent laws all but guarantees that U.S. trade policy will reflect the industry-friendly regulations that representative is paid to promote, regardless of whether they are in the public interest.
EFF and others have repeatedly called for Congress to not debate copyright in a "reality-free zone," and instead to create evidence-based policies that advance the constitutional purpose of promoting the progress of science and the useful arts. Senator Hatch's proposal represents a tremendous step away from that goal.
And while we hope the Senate rejects Senator Hatch's dangerous proposal, we want to go one step further. In that spirit, we're calling for the next appointed U.S. Trade Rep to commit to stopping the secret copyright agenda, and to pursue policies of real transparency. That transparency would provide sorely needed accountability, and give U.S. Representatives a powerful incentive to not push for policies that go against the general public interest.
We've put together a global petition to tell the next U.S. Trade Rep that the public demands that level of transparency. Please sign, and lend your voice today to make sure that we're heard loud and clear.
Related Issues: Intellectual Property, International
If you are 17 or under, a federal prosecutor could have charged you with computer hacking just for reading Seventeen magazine online—until today.
It’s not because the law got any better. Earlier today, we wrote about news sites that alarmingly prohibit their youth audiences from accessing the news and the potential criminal consequences under the Computer Fraud and Abuse Act. In response, the Hearst Corporation modified the terms of service across its family of publications, including the Hearst Teen Network, which notably includes titles like Seventeen, CosmoGirl, Teen and MisQuince.
Seventeen highlights the absurdity of giving terms of service the force of law under the CFAA. It boasts a readership of almost 4.5 million teen readers with an average age of 16 and a half, and yet, until today, the average reader was legally banned from visiting Seventeen.com. That’s right, for a magazine dedicated to teen fashion, the publisher’s terms explicitly restricted online access to readers 18 and older. What’s worse, the Justice Department could choose to bring the might of the government to enforce this contract against a Seventeen reader who may never have even seen the agreement.
Federal prosecutors have argued in court that accessing a website in violation of terms of service is a crime. If the website’s terms, like Seventeen magazine’s previous version, explicitly state that you must be an adult to visit their sites or participate in their interactive features, then teenagers accessing the site are doing so “without authorization” under the CFAA and could be doing jail time, according to the DOJ.
Hearst removed the following line from the terms for publications ranging from the Houston Chronicle to the San Francisco Chronicle, from Popular Mechanics to Seventeen:
YOU MAY NOT ACCESS OR USE THE COVERED SITES OR ACCEPT THE AGREEMENT IF YOU ARE NOT AT LEAST 18 YEARS OLD.
The revisions are dated “April 23, 2013,” but presumably they meant April 3. Thank you Hearst, we appreciate your prompt response. But the real problem is the CFAA, which allows prosecutors to use these silly terms to manufacture computer crimes. And prosecutors have plenty of opportunities, as ridiculous terms of service abound throughout the Internet.
We also previously reported on a variety of other websites—including the New York Times, Boston Globe, and NPR—that have similar terms of service that restrict people 12-and-under from reading the news. Atlantic Wire expanded on our blog post by pointing to even more news sites that do the same thing. While these terms weren’t as absurd as Hearst’s, Atlantic Wire also highlighted the law’s farcical implications using photos showing which of Shaquille O’Neal’s children were allowed to visit a lengthy list of news sites.
Thankfully, the Ninth and Fourth Circuits have rejected the government’s aggressive interpretation of the CFAA (with amicus help from EFF), but the Justice Department has shown no signs that it has given up on aggressive interpretations. The vague language of the law could turn virtually every Internet user into a potential criminal, allowing the Justice Department to use its discretion to go after any citizen it doesn’t like, rather than only the harmful criminals the bill was intended to stop.
It's been nearly two years since we first reported about Lodsys, the patent troll who targeted app developers. You might remember that Lodsys had actually filed lawsuits against some app developers in Texas; that case was (and is) slowly moving forward. We hadn't heard anything else from Lodsys in the meantime and assumed (foolishly, perhaps) that it was waiting to see what the judge said. This week, that all changed. It appears that Lodsys sued at least ten more app developers—many smaller players along with larger ones such as Walt Disney.
First, a quick refresher on Lodsys: Lodsys claims that typical "click to upgrade" functionality found in apps infringes two patents that it owns. Lodsys started by targeting iOS and Android app developers, sending letters demanding that those developers pay Lodsys a license fee (and providing proposed licenses like this one). Lodsys' claims on their face were troubling, but the story was more complicated. For starters, the technology that Lodsys claimed infringes its patents is provided to the app developers by Apple and Google. That's right, the developers don't even create this technology themselves. In other words, when they use this technology, they are taking on risks that they never could have contemplated. After countless app developers received these threatening letters, Lodsys went ahead and filed a lawsuit against 11 app developers in federal court in Texas. That case is still pending.
Now, to both Apple and Google's credit, each got involved to defend its app developers. Apple filed a Motion to Intervene in the lawsuit, arguing that the law (and its license covering the Lodsys patents) allows it to provide its app developers the technology at issue free from claims of infringement. The Court granted Apple's motion to appear in the case, which is good news, but it could still take years before there is a final ruling on its legal claims. (Note: a ruling in Apple’s favor would also bode well for Android developers, as Google could presumably make the same legal argument.)
Google took action of its own, filing a Request for Inter Partes Reexamination with the Patent and Trademark Office on the two patents Lodsys is asserting against app developers. A reexamination is a proceeding before the PTO, brought by a third party to challenge the validity of a patent. The PTO agreed to consider some of Google’s arguments, but it will likely take some time (though not as long as litigation) to get a decision—and then there is no guarantee that the patents will be fully invalidated. Perhaps more likely, the claims will be narrowed. If that happens, the remaining claims may or may not cover the in-app payment and upgrade functionality that Lodsys claims they currently do.
We've been watching these legal developments closely, and all seemed quiet on the Lodsys front. But, as we said above, this week, that all changed. Lodsys is back at it, and this time, again, it's doing more than merely threatening. It's actually filing lawsuits. These lawsuits against app developers are just part of a dangerous recent trend of patent trolls going after end-users. For example, a shadowy collection of shell companies has been blanketing the nation with letters demanding that companies pay them $1000 per employee for the privilege of using standard office technology like scanners and email. And another patent troll is targeting the podcasting community.
So what do you do if you're an app developer? First, you can check out the FAQs we provided when Lodsys first came on the scene. Second, you can reach out to the Application Developers Alliance (you should email email@example.com), an important group and ally in this fight that's working hard to organize app developers facing the Lodsys threat. Finally, continue watching this space for more updates; we'll continue to post news as it becomes available.
If you'd like help finding a lawyer, you can start by emailing EFF at firstname.lastname@example.org. (If you’re a lawyer who is willing to help out, please email email@example.com with your contact information or the contact information for your firm, and the states in which you are licensed to practice law with the subject line "Lodsys Attorney Addition.")
During his first term, President Barack Obama declared October 2009 to be “National Information Literacy Awareness Month,” emphasizing that, for students, learning to navigate the online world is as important a skill as reading, writing and arithmetic. It was a move that echoed his predecessor's strong support of global literacy—such as reading newspapers—most notably through First Lady Laura Bush's advocacy.
Yet, disturbingly, the Departments of Justice (DOJ) of both the Bush and Obama administrations have embraced an expansive interpretation of the Computer Fraud and Abuse Act (CFAA) that would literally make it a crime for many kids to read the news online. And it’s the main reason why the law must be reformed.
“YOU MAY NOT ACCESS OR USE THE COVERED SITES OR ACCEPT THE AGREEMENT IF YOU ARE NOT AT LEAST 18 YEARS OLD.”
In the DOJ’s world, this means anyone under 18 who reads a Hearst newspaper online could hypothetically face jail time. But Hearst’s publications aren’t the only ones with overly restrictive usage terms. U-T San Diego and the Miami Herald have similar policies. Even NPR is guilty, saying teenagers can’t access their “services” (including the site, NPR podcasts and the media player) without a permission slip:
“If you are between the ages of 13 and 18, you may browse the NPR Services or register for email newsletters or other features of the NPR Services (excluding the NPR Community) with the consent of your parent(s) or guardian(s), so long as you do not submit any User Materials.”
Some sites must have recognized the problem and crafted their policies to only forbid users under the age of 13. These include the New York Times, the Boston Globe, and the Arizona Republic. NBCNews.com uses this wording:
“By using or attempting to use the Site or Services, you certify that you are at least 13 years of age or other required greater age for certain features and meet any other eligibility and residency requirements of the Site.”
This means that inquisitive 12-year-olds who visit NBCNews.com to learn about current events would be, by default, misrepresenting their ages. Again, this could be criminal under the DOJ's interpretation of the CFAA.
We’d like to say that we’re being facetious, but, unfortunately, the Justice Department has already demonstrated its willingness to pursue the CFAA to absurd extremes. Luckily, the Ninth Circuit rejected the government’s arguments, concluding that, under such a ruling, millions of unsuspecting citizens would suddenly find themselves on the wrong side of the law. As Judge Alex Kozinski so aptly wrote: "Under the government’s proposed interpretation of the CFAA...describing yourself as 'tall, dark and handsome,' when you’re actually short and homely, will earn you a handsome orange jumpsuit."
And it’s no excuse to say that the vast majority of these cases will never be prosecuted. As the Ninth Circuit explained, “Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.” Instead of pursuing only suspects of actual crimes, it opens the door for prosecutors to go after people because the government doesn’t like them.
Unfortunately, there’s no sign the Justice Department has given up on this interpretation outside the Ninth and Fourth Circuits, which is why Professor Tim Wu in the New Yorker recently called the CFAA “the most outrageous criminal law you’ve never heard of.”
The potential criminalization of terms of service is a prime reason that Congress needs to overhaul CFAA and it’s certainly why the House Judiciary Committee should abandon the seemingly DOJ-drafted bill it floated recently and instead sit down with Rep. Zoe Lofgren, Rep. Darrell Issa, and others to negotiate real reform.
Are you a minor with a thirst for information? You, and your parents who vote, should together tell Congress to fix the CFAA.
Let’s face it: most of us have no idea how companies are gathering and sharing our personal data. Colossal data brokers are sucking up personal facts about Americans from sources they refuse to disclose. Digital giants like Facebook are teaming up with data brokers in unsettling new ways. Privacy policies for companies are difficult to read at best and can change in a heartbeat. And even savvy users are unlikely to fend off the snooping eyes of online trackers working to build profiles of our interests and web histories.
So what can we do about it? A new proposal in California, supported by a diverse coalition including EFF and the ACLU of Northern California, is fighting to bring transparency and access to the seedy underbelly of digital data exchanges. The Right to Know Act (AB 1291) would require a company to give users access to the personal data the company has stored on them—as well as a list of all the other companies with whom that original company has shared the users' personal data—when a user requests it. It would cover California residents and would apply to both offline and online companies. If you live in California, click here to support this bill.
Under current California law, customers can contact companies and ask for an accounting of disclosures for direct marketing purposes—basically, a list of what companies got your personal data for them to send you junk mail, spam, or call you on the phone—and general facts about what types of data were disclosed. For example, if you went to PetSilly and bought dog bones, and then PetSilly sold your data to 17 companies that were using it for direct marketing, you could ask PetSilly for an accounting of disclosures. PetSilly would have to provide you with the names of those 17 companies as well as what categories of information were disclosed (name, address, phone number, etc).
The new proposal brings California's outdated transparency law into the digital age, making it possible for California consumers to request an accounting of all the ways their personal information is being trafficked—including with online advertisers, data brokers, and third-party apps. So while current law provides information about data exchanged for direct marketing, the Right to Know Act would update existing transparency law to ensure that users could track the flow of their data from online interactions. It also updates the definitions in the law in important ways, including adding location data—a sensitive data set not adequately protected by current law.
It's not just about knowing what a company is sharing, it’s about knowing what a company is storing. The new proposal would require companies to make available, free of charge, access to or a copy of the customer's personal information. That means you the consumer will really know what information a company has about you.
Lots of people around the world already enjoy these rights. This law mimics the rights of data access already available to users in Europe, which means that most of the big tech companies should already have systems in place to facilitate user access.
This law is about transparency and access, not new restrictions on data sharing. The proposed law wouldn't limit or restrict sales of data, and it wouldn't provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers, and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy.
The Right to Know Act is written specifically to ensure that companies big and small will be able to tell Californians how they’re collecting and sharing your personal data. You ask and they tell you what they have collected, the list of companies they gave your data to, and general facts about what kind of data was handed over (like “sexual information” and “address”). However, the law has three important safeguards to make sure that even little startups with limited resources will be able to comply:
California’s Right to Know Act is supported by a diverse coalition of civil liberties groups, domestic violence advocates, consumer protection groups, sexual health, and women’s rights groups. And EFF recently sent a letter (PDF) to Assemblymember Bonnie Lowenthal, the bill’s author, to affirm our strong support of this bill.
Please help us pass this important transparency law. If you are a California resident, click here. If you are not a California resident, send this article to friends of yours who are.

Files: ab1201-support.eff_.pdf
The federal appeals court in New York affirmed yesterday that Internet streaming service Aereo is not infringing copyright when it enables users to stream broadcast TV to Internet devices. The Court of Appeals for the Second Circuit upheld the trial court's decision not to shut down Aereo while the case is pending. This decision is a win for Aereo, its customers, and for future innovators with the audacity to improve the TV-watching experience without permission from copyright owners.
Aereo placed hundreds of tiny antennas on a Brooklyn rooftop. For a fee, New Yorkers can rent an antenna and receive local television on any Internet-connected device. The major American TV networks sued Aereo, claiming that it was making "public performances" of their broadcasts, something that copyright law reserves to copyright holders. The case quickly became a battle of metaphors: the networks argued that Aereo was acting like a cable system, which must have a license from copyright holders, while Aereo argued that its system was more like a personal "rabbit ears" antenna, which requires no permission from broadcasters. The trial court declined to shut Aereo down before trial, and the networks appealed that decision. EFF, together with Public Knowledge, filed amicus briefs in both courts supporting Aereo's right to innovate in the personal TV technology space.
The appeals court came down firmly on the side of the "rabbit ears" metaphor:
It is beyond dispute that the transmission of a broadcast TV program received by an individual’s rooftop antenna to the TV in his living room is private, because only that individual can receive the transmission from that antenna, ensuring that the potential audience of that transmission is only one person. Plaintiffs have presented no reason why the result should be any different when that rooftop antenna is rented from Aereo and its signals transmitted over the internet.
The court also rejected the networks' argument that Aereo's individual transmissions over the Internet to each subscriber should be "aggregated" together into a single public performance. "If the potential audience of the transmission is only one subscriber," said the court, "the transmission is not a public performance." The court concluded that because each Aereo user receives TV signals using a unique antenna, and because the signal from that antenna goes only to one subscriber, Aereo was not making public performances, and copyright law simply doesn't touch Aereo's system.
The decision is a positive step because it repudiates the "permission culture" worldview of the TV networks and their allies. The networks, joined by ASCAP, sports leagues, and a former Register of Copyrights, argued essentially that anyone who profits from copyrighted works must be made to pay, and that if a company like Aereo builds a business that copyright law doesn't touch, the court should try to rewrite the law. Courts can't do that, of course. Copyright law has never regulated all possible uses of creative works. Many uses are free for everyone, without payment or permission, and private, personal transmission of free TV is one of them.
This is also a great decision because it gives companies like Aereo an incentive to put TV technology firmly under the viewer's control. The same features that put Aereo's system beyond the reach of copyright law also mean that the viewer can record what she wants to record, rewind and fast-forward at will, watch on any Internet-connected device, and retain all of the control that old-fashioned rabbit ears and a VCR allowed - and still get all the flexibility of an Internet-based service. If Aereo had built a system resembling video-on-demand or pay-per-view, with customer choices strictly controlled from above, the court likely would have shut them down as infringing. By helping themselves, Aereo also put customers in control of their TV experience. That's an example of what good law should do.
A beloved star of one of the networks seeking Aereo's demise - PBS's Fred Rogers - testified in 1979 about the importance of video technology that empowers the individual:
Some public stations, as well as commercial stations, program the "Neighborhood" at hours when some children cannot use it ... I have always felt that with the advent of all of this new technology that allows people to tape the "Neighborhood" off-the-air, and I'm speaking for the "Neighborhood" because that's what I produce, that they then become much more active in the programming of their family's television life. Very frankly, I am opposed to people being programmed by others. My whole approach in broadcasting has always been "You are an important person just the way you are. You can make healthy decisions." Maybe I'm going on too long, but I just feel that anything that allows a person to be more active in the control of his or her life, in a healthy way, is important.
Aereo, and other innovators that will surely follow, also allow people to be more active in the control of their lives. Yesterday, besides upholding the law as Congress wrote it, the appeals court followed Mister Rogers' wise approach.
Alaa Abd El Fattah is under threat again. The Egyptian blogger, who spent more than a month in prison in 2011, missing the birth of his first child, has found himself the target of a new case. Last week, Abd El Fattah went voluntarily to the office of the prosecutor after hearing from the media that there was a warrant for his arrest for inciting “aggression” against members of the Muslim Brotherhood.
According to his own tweets, Abd El Fattah is being investigated for a mention on Twitter made by a user who goes by the handle “Princess Joumana.” According to the Committee to Protect Journalists, “the naïve members of the Muslim Brotherhood who filed the complaint against Abdel Fattah apparently thought the interaction on social media was a conspiracy involving a real princess—possibly from a hostile government such as that of the United Arab Emirates, where Brotherhood members are being put on trial.” Abd El Fattah denounced the investigation, calling for an independent judge—rather than the public prosecutor—to handle the case.
EFF spoke to Abd El Fattah, who asked that the case against Hassan Mustafa—an activist from Alexandria recently sentenced to two years in prison—be given more attention. Mustafa was sentenced on March 12 to two years in prison for allegedly attacking a prosecutor, a charge he denies. Mustafa’s appeal is scheduled for April 13. Front Line Defenders is running a campaign in support of Mustafa.
EFF calls for the spurious charges against Abd El Fattah to be immediately dropped and for the Muslim Brotherhood to immediately end its crackdown on expression.
Today a wide range of organizations and legal experts from across the political spectrum—including EFF—sent a letter to the House Judiciary Committee protesting their proposed draft of draconian changes to the Computer Fraud and Abuse Act.
Rep. Zoe Lofgren has been working hard on crafting reform and EFF has already published its own proposed fixes to the CFAA. We urge the House Judiciary committee to drop this draconian draft and work with Rep. Lofgren and outside groups to reform the CFAA. The CFAA should not engulf security researchers, innovators, and everyday Internet users. It should instead be used for its original, intended purpose: to go after malicious criminals who could cause real harm and economic damage.
You can read the full text of the letter and download a copy of the PDF version below.
Dear Representatives Goodlatte, Conyers, Sensenbrenner and Scott:
We, the undersigned organizations and individuals, oppose draft legislation reportedly slated for consideration this month to amend the Computer Fraud and Abuse Act by increasing penalties and expanding the scope of conduct punishable under the statute.
Ensuring the security of U.S. computer systems and protecting user privacy require strong federal laws to deter and punish those who maliciously attack U.S. networks. However, the CFAA does far more than this important task: the law endangers ordinary Internet users, academics, researchers and entrepreneurs.
As currently written, the CFAA imposes criminal and civil liability for accessing a protected computer without or “in excess of authorization.” “Exceeds authorized access” is vague, and the government and civil litigants have pressed courts to find CFAA violations whenever someone uses computers in a fashion that the system owner doesn’t like. This means private companies write federal criminal law when they draft their computer use policies. As a result, CFAA cases have been brought against users who violate websites’ terms of service (TOS), employees who violate their employers’ policies, and customers who breach software licenses.
A talented and promising young man, Aaron Swartz, recently took his own life while awaiting trial under the CFAA. Aaron’s death has prompted an outcry for CFAA reform from legislators, law professors and Internet users across the political spectrum—including many who thought Aaron should have been prosecuted, but not under the CFAA and not under threat of such harsh penalties.
Unfortunately, the draft under discussion is a significant expansion of the CFAA at a time when public opinion is demanding the law be narrowed. This language would, among other things:
On its face, the bill might appear to limit the application of CFAA section (a)(2)’s “exceeds authorized access” crime by specifying categories of information protected from such access. To the contrary, the change expands the statute’s reach by criminalizing activities “involving” broad categories of information. As a result, the bill would make it a felony to lie about your age on an online dating profile if you intend to contact someone online and ask them personal questions. It would make it a felony for anyone to violate the TOS on a government website. It would also make it a felony to violate TOS in the course of committing a very minor state misdemeanor.
It is unreasonable to expand CFAA penalties when the statute already makes illegal so much of what Americans do with computers every day. Expanding the scope of the CFAA to cover even more conduct is even more dangerous. This bill would give prosecutors and civil litigants a free hand to go after employees, social networking users, academics, researchers and other computer users for common online activities.
We therefore urge the Committee to reject the proposed draft language, including increased penalties. Instead, this Committee should adopt amendments that would bring the CFAA into the 21st century, with sensible fixes that will protect the ordinary Internet user, while addressing the serious problem of malicious computer attacks.
Laura W. Murphy, Director, Washington Legislative Office
American Civil Liberties Union
Jessica McGilvray, Assistant Director
American Library Association
Katie McAuliffe, Executive Director
Americans for Tax Reform’s Digital Liberty
Leslie Harris, President and CEO
Center for Democracy & Technology
Fred L. Smith, Founder and Chairman
Competitive Enterprise Institute
Beck Bond, Political Director
David Segal, Executive Director
Cindy Cohn, Legal Director
Electronic Frontier Foundation
Holmes Wilson, Co-Director
Fight for the Future
Matt Wood, Policy Director
Free Press Action Fund
Wayne T. Brough, Ph.D., Chief Economist and Vice President, Research
Orin S. Kerr, Professor of Law
George Washington University*
Paul Rosenzweig, Visiting Fellow
The Heritage Foundation*
Kyle O’Dowd, Associate Executive Director for Policy,
National Association of Criminal Defense Lawyers
Jennifer Granick, Director of Civil Liberties
Stanford Center for Internet and Society*
Berin Szoka, President
*(Affiliation listed for identification purposes only)

Files: cfaa_letter_to_judiciary.pdf