Last week, the German Constitutional Court issued a much-anticipated decision, striking down its data retention law as violating human rights. It was an important victory for Europe’s Freedom Not Fear movement, which was formed to oppose the EU Data Retention Directive. But it was also a reminder of the political work which remains to be done to defeat it.

When the European Union first passed the Data Retention Directive in 2006, despite a hard-fought campaign by European activists, it seemed like the beginning of the end for Internet privacy. The directive sought to require telecommunications service providers operating in Europe to retain a detailed history of each of their customers' activity for up to 2 years for possible use by law enforcement; including phone calls made, web pages viewed, and emails sent and received.

The response from European citizens was swift and outraged. Under the banner of Freedom Not Fear, mass protests were held in cities all across Europe and beyond. The charge was led by the German Working Group on Data Retention (AK Vorrat), which in 2007 filed a class-action lawsuit of nearly 35,000 people challenging the German law.

The suit's complaints were mostly upheld by last week's German Constitutional Court decision. The court held that the blanket data retention mandated by the EU directive violated Article 10 of the German Constitution, which guarantees the basic right to private life and correspondence. The Court said that an infrastructure of exploratory surveillance results in an exceptional intensity of interference with human rights, which must be proportionately protected with appropriate safeguards. It also significantly narrowed the options for similar EU retention laws on other types of data. The court ordered the immediate deletion of all the data stored since the law went into effect in 2008 and ordered the suspension of data collection until a revised national law is proposed.

However, the court did choose to leave many important questions about the EU directive unanswered. In highlighting the need for increased safeguards, the court failed to recognize that the storage of data itself is what violates human rights. For instance, a survey of German citizens in 2008 found that 1 in 2 people would not have conversations with counselors or therapists by phone or email because of their concern about data retention.

A bolder stance was taken in October 2009 by the Romanian Constitutional Court, which ruled that the EU directive fundamentally violated Article 8 of the European Convention on Human Rights, which guarantees the right to respect for private life and correspondence. Data retention itself, the court wrote, is "likely to overturn the presumption of innocence and to transform a priori all users of electronic communication services or public communication networks into people suspected of committing terrorism crimes or other serious crimes." As a result, all citizens would become "permanent subjects to this intrusion into their exercise of their private rights to correspondence and freedom of expression."

The rulings in Romania and now Germany set the stage for an imminent series of decisions on the status of national data retention laws across Europe. The recent Bulgarian vote on data retention legislation met with sharp criticism and protests. Petitions against the Belgian data retention law are available in both French and Flemish. The constitutional challenge against the Retention of Data Bill brought by Digital Rights Ireland may be referred to the European Court of Human Rights. In the meantime, despite the fact that the European Commission won its lawsuit against the government of Sweden for failing to implement the directive, the minimal penalty turns out to be worth the political risk.

In order to overturn a directive, the European Commission, Parliament, and Council have to agree. Viviane Reding, the incoming European Commissioner for Justice, Fundamental Rights, and Citizenship, declared at her confirmation hearings her dedication to defending the right to privacy. The members of the European Parliament, inaugurating their new term, flexed their political muscle when they recently rejected assenting to the SWIFT agreement that would have enabled the wholesale transfer of Europeans' financial data to the US. The European Council, representing the ministries of the individual Member States, will respond to the political climate in their home countries.

All in all, the threats to privacy and free speech posed by the Data Retention Directive are on their way to being nullified. In Germany, AK Vorrat launched its campaign against the new law being devised and set its sights on ending data retention on the European level. They will need the help of citizens across Europe to raise awareness and speak out for their rights on national levels.

Freedom Not Fear is planning another series of protests later this year – stay tuned to Deeplinks or sign up for FNF's mailing list to find out what is being planned near you.

The Treasury's Office of Foreign Assets Control (OFAC) announced on Monday key amendments to the regulation of United States sanctions against Cuba, Iran and Sudan.

The new provisions give a blanket license for the export of "certain services and software incident to the exchange of personal communications over the Internet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging, provided that such services are publicly available at no cost to the user."

This clarification is just what EFF called for last June, and will go a long way to allay concerns that online service providers based in the U.S. cannot offer their services in those countries. Previously, despite the well-known freedom-enhancing capabilities of services like Twitter and Facebook in repressive regimes like Iran, it was unclear whether those companies could even offer their services there without falling foul of the United State's broad prohibition on the export of goods and services to these regimes.

This was not a hypothetical concern: other services that were useful for dissidents to communicate and organize, like Microsoft, and Google's instant messaging clients had previously been blocked from being used in these very countries -- not by the repressive states, but by companies themselves, cautious of violating sanctions.

While the change in the letter of the law is clearly positive, perhaps just as important is the signal this sends about the administration's new guiding policy on global Internet freedom.

Previously, cautious companies, afraid of running afoul of OFAC, have frequently forbidden or blocked all use in sanctioned countries, even when the letter of the law did not require such draconian steps. You can see this institutionally paranoid language, and its inevitable results, in Bluehost's terms of service, which pre-emptively prohibits all citizens of sanctioned countries from even applying to use their hosting facilities (a policy which lead them to shamefully throwing innocent Zimbabwean activists off their service last year).

Now we are moving (slowly) to a new, and better default, where technologists and their lawyers might assume that free Internet services that facilitate free expression and association need not be blocked pre-emptively for anyone, anywhere.

The Obama administration has shown with these changes that it would prefer to move toward that end. Have we got there yet? Is it what export law now says?

While we wait for export regulation experts to sweat the details, the answer is still far too hazy for comfort.  While the State and Treasury departments have fixed much that was wrong with Iranian, Cuban and Sudanese sanctions, there are still regulations on, for instance, Zimbabwe, Syria and North Korea for techies and their lawyers to worry about, and those sanctions still inhibit making software generally available. We also would like to see more clarity about collaborative software development locations, like Sourceforge.

We hope that this administration backs up these first steps with a continuing review of export rules, and pro-actively works to reassure Internet companies that they are free to build an open Internet for everyone, without expecting a knock on the door from their own government.

The ebb and flow of gas and electricity into your home contains surprisingly detailed information about your daily life. Energy usage data, measured moment by moment, allows the reconstruction of a household's activities: when people wake up, when they come home, when they go on vacation, and maybe even when they take a hot bath.

California's PG&E is currently in the process of installing "smart meters" that will collect this moment by moment data—750 to 3000 data points per month per household—for every energy customer in the state. These meters are aimed at helping consumers monitor and control their energy usage, but right now, the program lacks critical privacy protections.

That's why EFF and other privacy groups filed comments with the California Public Utilities Commission Tuesday, asking for the adoption of strong rules to protect the privacy and security of customers' energy-usage information. Without strong protections, this information can and will be repurposed by interested parties. It's not hard to imagine a divorce lawyer subpoenaing this information, an insurance company interpreting the data in a way that allows it to penalize customers, or criminals intercepting the information to plan a burglary. Marketing companies will also desperately want to access this data to get new intimate new insights into your family's day-to-day routine–not to mention the government, which wants to mine the data for law enforcement and other purposes.

This isn't just a California issue. Many threats to the privacy of the home—where our privacy rights should be strongest—were detailed in a 2009 report for the Colorado Public Utility Commission. The federal government has been promoting the smart grid as part of its economic stimulus package, and last year, EFF and other groups warned the National Institute of Standards and Technology about the privacy and security issues at stake. For example, security researchers worry that today’s smart meters and their communications networks are vulnerable to a variety of attacks. There are also questions of reliability, as PG&E faces criticism from California customers who have seen bills skyrocket after the installation of the new "smart meters." Unsurprisingly, California legislators are questioning the rapid rollout. Texas customers are also complaining.

There are far more questions than answers when it comes to this new technology. While it's potentially beneficial, it could also usher in new intrusions into our home and private life. The states and the federal government should ensure that energy customers get the protection they deserve.

The entire family of devices built on the iPhone OS (iPhone, iPod Touch, iPad) have been designed to run only software that is approved by Apple—a major shift from the norms of the personal computer market. Software developers who want Apple's approval must first agree to the iPhone Developer Program License Agreement.

So today we're posting the "iPhone Developer Program License Agreement"—the contract that every developer who writes software for the iTunes App Store must "sign." Though more than 100,000 app developers have clicked "I agree," public copies of the agreement are scarce, perhaps thanks to the prohibition on making any "public statements regarding this Agreement, its terms and conditions, or the relationship of the parties without Apple's express prior written approval." But when we saw the NASA App for iPhone, we used the Freedom of Information Act (FOIA) to ask NASA for a copy, so that the general public could see what rules controlled the technology they could use with their phones. NASA responded with the Rev. 3-17-09 version of the agreement.

UPDATED: we are now also posting the most recent version of the agreement, dated January 2010.

This "license agreement" is particularly relevant right now, given the imminent launch of the iPad and anytime-now issuance of the U.S. Copyright Office's ruling regarding jailbreaking of the iPhone.

So what's in the Agreement? Here are a few troubling highlights:

Ban on Public Statements: As mentioned above, Section 10.4 prohibits developers, including government agencies such as NASA, from making any "public statements" about the terms of the Agreement. This is particularly strange, since the Agreement itself is not "Apple Confidential Information" as defined in Section 10.1. So the terms are not confidential, but developers are contractually forbidden from speaking "publicly" about them.

App Store Only: Section 7.2 makes it clear that any applications developed using Apple's SDK may only be publicly distributed through the App Store, and that Apple can reject an app for any reason, even if it meets all the formal requirements disclosed by Apple. So if you use the SDK and your app is rejected by Apple, you're prohibited from distributing it through competing app stores like Cydia or Rock Your Phone.

Ban on Reverse Engineering: Section 2.6 prohibits any reverse engineering (including the kinds of reverse engineering for interoperability that courts have recognized as a fair use under copyright law), as well as anything that would "enable others" to reverse engineer, the SDK or iPhone OS.

No Tinkering with Any Apple Products: Section 3.2(e) is the "ban on jailbreaking" provision that received some attention when it was introduced last year. Surprisingly, however, it appears to prohibit developers from tinkering with any Apple software or technology, not just the iPhone, or "enabling others to do so." For example, this could mean that iPhone app developers are forbidden from making iPods interoperate with open source software, for example.

You will not, through use of the Apple Software, services or otherwise create any Application or other program that would disable, hack, or otherwise interfere with the Security Solution, or any security, digital signing, digital rights management, verification or authentication mechanisms implemented in or by the iPhone operating system software, iPod Touch operating system software, this Apple Software, any services or other Apple software or technology, or enable others to do so

Kill Your App Any Time: Section 8 makes it clear that Apple can "revoke the digital certificate of any of Your Applications at any time." Steve Jobs has confirmed that Apple can remotely disable apps, even after they have been installed by users. This contract provision would appear to allow that.

We Never Owe You More than Fifty Bucks: Section 14 states that, no matter what, Apple will never be liable to any developer for more than $50 in damages. That's pretty remarkable, considering that Apple holds a developer's reputational and commercial value in its hands—it's not as though the developer can reach its existing customers anywhere else. So if Apple botches an update, accidentally kills your app, or leaks your entire customer list to a competitor, the Agreement tries to cap you at the cost of a nice dinner for one in Cupertino.

Overall, the Agreement is a very one-sided contract, favoring Apple at every turn. That's not unusual where end-user license agreements are concerned (and not all the terms may ultimately be enforceable), but it's a bit of a surprise as applied to the more than 100,000 developers for the iPhone, including many large public companies. How can Apple get away with it? Because it is the sole gateway to the more than 40 million iPhones that have been sold. In other words, it's only because Apple still "owns" the customer, long after each iPhone (and soon, iPad) is sold, that it is able to push these contractual terms on the entire universe of software developers for the platform.

In short, no competition among app stores means no competition for the license terms that apply to iPhone developers.

If Apple's mobile devices are the future of computing, you can expect that future to be one with more limits on innovation and competition (or "generativity," in the words of Prof. Jonathan Zittrain) than the PC era that came before. It's frustrating to see Apple, the original pioneer in generative computing, putting shackles on the market it (for now) leads. If Apple wants to be a real leader, it should be fostering innovation and competition, rather than acting as a jealous and arbitrary feudal lord. Developers should demand better terms and customers who love their iPhones should back them.

San Francisco - The Electronic Frontier Foundation (EFF) filed a friend-of-the-court brief today urging a federal court judge to block two criminal statutes that unconstitutionally limit the free expression of millions of adults who use the Internet and other electronic forms of communication, bringing the threat of criminal sanctions for private, lawful speech.

At issue are provisions of federal law that require anyone who produces a visual depiction of sexually explicit expression to maintain extensive records -- including copies of drivers' licenses, the dates and times images were taken, and all URLs where images were posted -- and often force public disclosure of a creator's home address. Even more troubling, the regulations allow law enforcement warrantless entry into homes or offices in order to inspect the records that are supposed to be kept. While these statutes regulate the commercial pornography industry, they also likely apply to a staggering number of Americans who create and share images of themselves over social networks, online dating services, personal erotic websites, and text messaging.

"The plain language of the statute subjects ordinary Americans, who are using emerging communications technologies at an ever-increasing rate, to onerous record-keeping and inspection requirements for lawful speech. They could face up to five years in prison if they don't follow the statutory requirements to the letter," said EFF Senior Staff Attorney Matt Zimmerman. "Speakers who engage in private, expressive activity protected by the First Amendment should not be at risk of criminal sanctions for violating an overbroad statute that they likely know nothing about."

A coalition of artists, producers, distributors, and educators filed suit against the provisions last year, arguing that the law censored their artistic and educational work. In its amicus brief in support of the coalition filed today, EFF asked the judge to throw out the record-keeping regulations as an unconstitutional chill on adult free expression in the digital age.

"Digital cameras, camcorders, and the Internet make it easy to create and share lawful adult material in a wide variety of ways. Thousands of ordinary Americans are doing just that, only to find themselves subject to these record-keeping and inspection requirements," said EFF Civil Liberties Director Jennifer Granick. "This just doesn't square with the Constitution."

For the full amicus brief:
http://www.eff.org/files/filenode/fsc_v_holder/EFF%20Amicus%20Brief.pdf

For more on Free Speech Coalition v. Holder:
http://www.eff.org/cases/free-speech-coalition-v-holder

Contacts:

Matt Zimmerman
Senior Staff Attorney
Electronic Frontier Foundation
mattz@eff.org

Jennifer Stisa Granick
Civil Liberties Director
Electronic Frontier Foundation
jennifer@eff.org

The Obama Administration has been slowly ramping up its attention to intellectual property issues. Over the past few months, we've seen an IP "summit" at the White House. We've seen the successful nomination of a new cabinet-level "IP Czar" position. We've seen the announcement of a new DOJ task force for IP issues. What does it all portend?

Unfortunately, many signs suggest that the administration is paying far more attention to the interests of the entertainment industry than to the public good. At the same time, there are a few positive efforts and indications, so we're holding out hope that things could improve.

The first bad omen came last December, when Vice President Biden invited the RIAA, MPAA and other representatives of the mainstream entertainment industry to a closed-door "Piracy Summit" at the White House. Although Biden's office sold the summit as "bringing together all the stakeholders" in the piracy debate, it failed to invite a single representative of the public interest or the technology industry.

One outcome previewed at the summit was the formation of a new Department Of Justice "Intellectual Property Task Force", which was formally announced in February. Unfortunately, the Department of Justice already has a history of coming down disproportionately hard on victims of the copyright conflict. And while the task force's announcement stressed that IP crime "threatens not only our public safety but also our economic wellbeing," it didn't even pay lip-service to the harms to privacy, free speech, and innovation in the industry's long war on piracy.

Later in February, the government's new IP Enforcement Coordinator (IPEC), Victoria Espinel, announced that "the Federal Government is currently undertaking a landmark effort to develop an intellectual property enforcement strategy" and asked for public input into what this strategy should look like. A major component of the request seeks information about "the costs to the
U.S. economy resulting from intellectual property violations," which in the past has mainly been expressed through skewed, erroneous accounts of the supposed effects of piracy from entertainment industry lobbyists. However, the IPEC is also demanding an unprecedented level of rigor from these studies:

Submissions directed to the economic costs of violations of intellectual property rights must clearly identify the methodology used in calculating the estimated costs and any critical assumptions relied upon, identify the source of the data on which the cost estimates are based, and provide a copy of or a citation to each such source. [Emphasis mine.]

Since some of these poorly executed studies have appeared to successfully persuade members of Congress to change copyright law only in ways that favor the entertainment industry, it's refreshing to see the IPEC pushing for greater validity. To that end, we look forward to seeing the Obama Administration publicly debunk the empty rhetoric that circulates around questions of unauthorized file sharing and its economic effects.

There are other bright points. Late last year, the Administration supported looser international copyright protections for reading materials for the blind. Limitations and exceptions to copyright are a critical "safety valve" in copyright that helps preserve free expression, access to knowledge, and other human rights, and we hope to see them defended by the Administration in other contexts as well.

While IP enforcement appears to have center stage, there are other double-standards and unintended consequences in copyright and trademark law, all of which could benefit from some attention from the White House. The orphan works conundrum remains unsolved. Copyright term and licensing issues stymie creators and archivists. The anti-circumvention provisions of the DMCA still obstruct innovators.

But will the Obama Administration and Congress choose to face these tough, important issues? At the next IP summit, will advocates for questions like these have a seat at the table? Or will the public interest side of intellectual property law and policy continue to languish unaddressed? Time will tell.

Last month, we celebrated the 20th anniversary of the founding of EFF at the DNA Lounge in San Francisco, joined by Adam Savage, the founders of EFF and dozens of other Internet luminaries. For non-local EFF supporters, we've put the gorgeous photos that John Adams and Johnny Grace captured at the event up on our Flickr page.

Don't forget to check out EFF's 20th Anniversary commemorative t-shirt and poster designed by EFF senior designer Hugh D'Andrade! These are still available in our shop and through our donation page. You can also download hi-res versions and wallpaper from our flickr page here.

(photo by John Adams)

(photo by Johnny Grace)

(photo by John Adams)

(Photo by John Adams)

(Photo by Johnny Grace)

Thanks to everyone who joined us or donated — and here's to another 20 years!

We often criticize DMCA takedown abuse here at EFF, but last week's Cryptome snafu highlights another facet of the problem: how a DMCA takedown for one item can result in the removal of lots of lawful material.

To recap, Cryptome posted Microsoft’s global criminal compliance manual. Microsoft sent a DMCA takedown notice to Cryptome’s domain name registrar and web hosting provider, Network Solutions, alleging that the post infringed copyright. Under the DMCA, a web hosting provider is protected from copyright infringement liability if, among other things, it “expeditiously” disables access to material properly identified in a DMCA takedown notice. Network Solutions asked Cryptome to remove the Microsoft compliance manual. Cryptome refused explaining that the document was posted in order to help the public better understand Microsoft's practices, and followed up with a DMCA counternotice. Network Solutions promptly shut down the entire Cryptome website. Thus, a complaint about a single document caused significant collateral damage to the perfectly legal material on Cryptome.

This illustrates a basic problem built into the DMCA safe harbors. Microsoft’s notice targeted just one document. Network Solutions, however, couldn’t take down that single document, so opted to take down the entire site. Thus, although Cryptome's beef was with Microsoft, Cryptome also had to persuade Network Solutions to take a chance of losing safe harbor protection (although not much of a chance, because Cryptome’s posting was protected by the fair use doctrine). Because Network Solutions wasn't willing to take that small risk, a whole lot of speech was temporarily disappeared.

We’ve recently seen the same scenario with music bloggers, who may have their entire sites taken down as a result of complaints about a few links to music they’re reviewing.

And sometimes it's not even enough to find a courageous hosting provider. Last year a takedown notice targeting a single site parodying the U.S. Chamber of Commerce resulted in a takedown of the websites of over 300 activist organizations hosted by MayFirst/PeopleLink. The Chamber of Commerce went "upstream," targeting one of MayFirst's upstream service providers, Hurricane Electric. When MayFirst pushed back, Hurricane shut off service, thus pulling the plug on unrelated websites, email and other online tools.

In all of these cases, copyright owners reach out to a "weak link," the service provider with the least incentive to resist the takedown notice. Unless it has a free lawyer, the cost of doing a fair use analysis and defending a lawsuit—even if the service provider knows it will win—is almost certainly more than a service provider is charging any individual customer, or even a whole bunch of "innocent bystander" customers.

This unfortunate outcome is particularly ironic because Congress gave service providers protections in the DMCA. Service providers who care about free speech have better options:

• Remember, if your only relationship to the material targeted is that you provide connectivity to a downstream service, you should qualify for the 512(a) safe harbor, and, therefore don’t have an obligation to take the material down.
• Remember also that you don’t need the safe harbor if the material is a non-infringing fair use. In clear cases, you can bypass DMCA procedures.
• If thinking about fair use doesn’t make business sense, or you’re not sure, keep in mind that the DMCA requires only that you act “expeditiously” to respond to a takedown notice. Courts have found that providers should take down material within a few days of receiving a notice. So if you realize complying with a takedown notice will result in taking down much more material than the notice identifies, take the time to notify the person who sent the notice about the collateral damage it may cause. They may elect to withdraw it, especially where they are likely to face public criticism for causing an overbroad takedown.
• Give your customer a chance to re-jigger their service to avoid such collateral damage.
• Be sure to offer customers a clear counter-notice procedure—the DMCA provides protection for service providers that restore content in response to counter-notices.

Customers who also care about free speech should vote with their wallets and look for providers who will commit to following these suggestions. The safe harbors were supposed to help protect free speech, and they often do—but only if copyright owners, service providers, and internet users follow their common sense as well their business sense.

San Francisco - The Electronic Frontier Foundation (EFF) submitted a petition signed by more than 7000 people to the Federal Communications Commission (FCC) today demanding that the agency close a loophole for copyright enforcement in its proposed regulations for network neutrality.

The petition is part of EFF's reply comments in the FCC's net neutrality rulemaking. The FCC's proposed rules generally prohibit ISPs from discriminating or blocking lawful content, but include a loophole for 'reasonable network management' by ISPs. The proposed rules then define 'reasonable network management" to include measures taken by ISPs to block unlawful content or transmissions. This exception would effectively permit ISPs to violate net neutrality rules and block lawful activities in the name of copyright enforcement.

"We can't afford to let lawful speech become collateral damage in Hollywood's war on copyright infringement," said EFF Senior Staff Attorney Fred von Lohmann. "Net neutrality regulations should not excuse ISPs that interfere with lawful content just because they claim they were acting as copyright cops."

EFF's original comments to the FCC, submitted in January, also question whether the FCC has the legal authority or political independence necessary to properly regulate the Internet. Additionally, EFF has called on the FCC to protect the interests of individuals who offer open WiFi Internet access to their neighbors or local communities.

"Before the ink is dry on net neutrality regulations, we already see corporate lobbyists and 'public decency' advocates pushing for loopholes," said EFF Civil Liberties Director Jennifer Granick. "A loophole like this could swallow network neutrality, with ISPs claiming copyright enforcement as a pretext for all sorts of discriminatory behavior."

For EFF's full reply comments to the FCC:
http://www.eff.org/files/filenode/nn/EFF%20NN%20reply%20comments2b.pdf

For more on net neutrality:
http://www.eff.org/issues/net-neutrality

Contacts:

Jennifer Stisa Granick
Civil Liberties Director
Electronic Frontier Foundation
jennifer@eff.org

Fred von Lohmann
Senior Staff Attorney
Electronic Frontier Foundation
fred@eff.org

EFF today released Unintended Consequences: 12 Years Under the DMCA. This is the sixth update to the report, which aims to catalog all the reported instances where the DMCA's ban on tampering with DRM have been abused to stymie fair use, free speech, and competition, rather than to attack "piracy."

Congress enacted the DMCA's ban on bypassing DRM at the urging of entertainment industry lobbyists who argued that DRM backed by law would quell digital copyright infringement. Of course, 12 years later, that exactly hasn't worked out. Nor is it likely to ever work out. But lots of industries have recognized that these provisions of the DMCA are good for other things—like impeding scientific research and legitimate competition. The Unintended Consequences report collects these stories, including oldies like Lexmark's effort to block toner cartridge refilling and new cases like the lawsuit against RealDVD.

Other new additions to the report include Apple's use of the DMCA to lock iPhone owners to Apple's own App Store for software, Apple's DMCA threats against Bluwiki for hosting discussions about iPod interoperability, and Texas Instruments' use of the DMCA to threaten calculator hobbyists trying to write their own operating systems.

Although in many cases the DMCA abuser backs down or is beaten in court, the abuses and resulting chilling effect on legitimate activities continues. And even though the U.S. Copyright Office is considering proposed exemptions to the DMCA, that proceeding won't prevent more abuses in the future.