Luis,
During the SOPA blackout, National Public Radio offered a free back-up
service on Twitter for people who needed research questions answered.
I'm not sure what their success rate was compared to Wikipedia's
Reference Desks, but can we return the favor? Journalism is actually
under direct assault by the government now:
http://fair.org/take-action/media-advisories/the-accelerating-assault-on-jo…
Do you still think it is reasonable to conflate protecting readers and
editors with frustrating intelligence agencies? Wouldn't actions to
cause them to come into compliance with the Bill of Rights make them
less frustrated over time, even if it temporarily makes them more
frustrated?
What is the status of my request to ask the Foundation's cloud
providers to produce peer-to-peer versions of their applications
capable of end-to-end encryption?
What actions have been taken to institute policies in response to
receipt of government orders by the Foundation to make sure that they
are in compliance with superior law before being acted on?
What actions can the Foundation take to protect those of our readers
and editors who are or act as journalists?
Sincerely,
James Salsman
hey folks,
I'm curious to know if anyone on this list knows much/anything about
changes to the Marco Civil da Internet resulting from the NSA leaks?
I've just been reading this Washington Post story interviewing Ronaldo
Lemos, and it's pretty interesting -- I'm curious to know if anyone knows
more. Note I'm *not* asking the WMF legal team (or anyone else) to put time
into researching this -- I'd just like links or basic info if anyone has
that. I've read the enWP article -- it's pretty thin.
Thanks,
Sue
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/22/glenn-greenwal…
"This whole story is causing a backlash in terms of Internet regulation in
Brazil. There’s a frenzy, people trying to regulate the Internet as quick
as they can. The Marco Civil project [legislation guaranteeing civil rights
in the use of the Internet] became a top priority for the government.
The government is now introducing changes in the project that are quite
problematic. One of them mandates that companies that store any type of
Brazilian data have their servers physically located in Brazil. The idea of
the government is that having the servers here will make them available for
the Brazilian courts. But this is a bad idea because it will create huge
costs for companies.
Imagine if Brazil required every company that has Brazilian data in storage
to have a server located physically here. That breaks the Internet because
you remove from companies the ability to make these decisions based on
efficiency. When you’re deciding where to have your servers, you’re doing
it in a way that’s cost-effective. Imagine if other countries reciprocate,
if [every country says] you have a Brazilian Internet company, they have to
have servers in my country. The potential for balkanization is very high.
What other regulations have been proposed in the wake of the Snowden
revelations?
Other provisions that were introduced in the bill have to do with expanding
Brazilian jurisdiction to Internet companies that have subsidiaries in
Brazil. If Google opens an office, their parent company will be on the hook
for the Brazilian jurisdiction. Critics are saying this will actually be an
incentive for companies not to have an office in the country. Why open an
office and then you have this expanded idea of jurisdiction.
Regulatory agencies like the National Telecommunications Agency, Brazil’s
equivalent of the Federal Communications Commission, are stepping into the
picture and trying to fill the regulatory void with regulation without this
[legislation] being discussed in Congress. The agency is feeling empowered
and legitimated by the Snowden case and saying, “We have jurisdiction and
we’re going to regulate them ourselves.”
The way I see it, there are some dark clouds on the horizon in terms of
regulation. Huge backlash because of the Snowden case. We will see some
not very well thought-out forms of regulation coming from Brazil and a
change in the way Brazil positions itself in terms of Internet freedom or
regulation."
I agree with JP Béland: computer security obviously affects the
Wikimedia users, but imho we shouldn't do more than we can and should leave
the responsibility for their own security to the users -- although we should
contribute to decent security.
For the specific topic you brought up about 0-days, I'm not personally
surprised; this type of market was revealed some time ago, see for
instance
<http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days…>.
~ Seb35
On Tue, 20 Aug 2013 07:30:09 +0200, JP Béland <lebo.beland(a)gmail.com>
wrote:
> I'm not sure what your point is here. How exactly are readers of Wikimedia
> projects at risk here because of that story? Are you trying to say it
> is the Foundation's responsibility to protect the readers from the
> vulnerabilities of their operating systems?
>
> JP Béland
>
>
>
> 2013/8/19 James Salsman <jsalsman(a)gmail.com>
>
>> While the trickling release of Edward Snowden's revelations from bad to
>> worse in weekly incremental steps has been enormously effective in
>> swaying
>> public opinion, it has made formulating a meaningful response very
>> difficult.
>>
>> A few weeks ago we learned that the FBI has been purchasing personal
>> computer operating system vulnerabilities from gray and black-hat
>> hackers
>> on the black market, often for several tens of thousands of dollars
>> each,
>> and leaving them unreported and thereby unpatched for use in future
>> surveillance operations:
>> http://blogs.wsj.com/digits/2013/08/01/how-the-fbi-hacks-criminal-suspects/
>>
>> Unfortunately, this means that the vulnerabilities remain available to
>> the
>> criminal computer crime underground, affecting everyone including
>> Foundation project readers and contributors alike.
>>
>> Very recently a well respected group of researchers characterized this
>> state of affairs as "preferable" to the complexity of additional
>> surveillance network and systems infrastructure:
>> http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2312107
>>
>> This is a false dichotomy which directly places Foundation project
>> readers
>> and editors at risk, but does so along with virtually everyone else who
>> uses personal computer or smartphone equipment. However, I think it is
>> an
>> important aspect to address because none of the other recent
>> eavesdropping
>> revelations put people at risk of organized computer crime, blackmail,
>> and
>> extortion in the same way.
>>
>> Is there any reason to exclude action on a particular issue just
>> because it
>> affects everyone else along with our users?
>> _______________________________________________
>> Wikimedia-l mailing list
>> Wikimedia-l(a)lists.wikimedia.org
>> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
>> <mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>
Does this mean that block circumvention by users by changing/masking
their IP addresses would now be a violation of the law?
---
Changing IP address to access public website ruled violation of US law
http://arstechnica.com/tech-policy/2013/08/changing-ip-address-to-access-pu…
Changing your IP address or using proxy servers to access public
websites you've been forbidden to visit is a violation of the Computer
Fraud and Abuse Act (CFAA), a judge ruled Friday in a case involving
Craigslist and 3taps.
The legal issue is similar to one in the Aaron Swartz case, in which
there was debate over whether Swartz "had committed an unauthorized
access under the CFAA when he changed his IP address to circumvent IP
address blocking imposed by system administrators trying to keep
Swartz off the network," law professor Orin Kerr wrote yesterday on
the Volokh Conspiracy blog.
The ruling in Craigslist v. 3taps (PDF) is the first "directly
addressing the issue," Kerr wrote. 3taps drew Craigslist's ire by
aggregating and republishing its ads, so Craigslist sent a
cease-and-desist letter telling the company not to do that. Craigslist
also blocked IP addresses associated with 3taps' systems.
"3taps bypassed that technological barrier by using different IP
addresses and proxy servers to conceal its identity and continued
scraping data," wrote Judge Charles Breyer of US District Court in
Northern California. Craigslist subsequently accused 3Taps of
violating the CFAA, which "imposes criminal penalties on any person
who, among other prohibitions, 'intentionally accesses a computer
without authorization or exceeds authorized access, and thereby
obtains... information from any protected computer.'”
3taps asked the court to "hold that an owner of a publicly accessible
website has no power to revoke the authorization of a specific user to
access that website" and argued that criminalizing its activity under
the CFAA would create a slippery slope that could harm ordinary
Internet users and allow Web companies to use anti-competitive
practices.
Breyer denied the company's motion, saying 3taps did not prove that
Craigslist's actions were illegal. Under the "plain language" of the
CFAA, 3taps did not have authorization to visit Craigslist:
3taps’ argument starts out on firm statutory ground: “[B]y making the
classified ads on its website publicly available, Craigslist has
‘authorized’ the world, including 3taps, to access craigslist.org.
But it does not answer the question here, which is whether Craigslist
had the power to revoke, on a case-by-case basis, the general
permission it granted to the public to access the information on its
website. Craigslist certainly thought it had such authority and sought
to exercise it through its cease-and-desist letter and IP blocking
measures. 3taps says that Craigslist had no power to “de-authorize”
anyone, but it cannot point to any language in the statute supporting
that conclusion.
In fact, the statutory context and the Ninth Circuit’s interpretation
of the phrase “without authorization” both cut against 3taps’
argument. One way to accomplish the result that 3taps
urges—prohibiting computer owners from revoking “authorization” to
access public websites—would be to restrict the kind of information
protected by the CFAA. For example, Congress might have written §
1030(a)(2) to protect only “nonpublic” information. A neighboring
provision in the CFAA includes that very modifier and prohibits access
without authorization to “nonpublic” government computers. Another
adjacent provision applies only to certain kinds of financial
information. Congress apparently knew how to restrict the reach of the
CFAA to only certain kinds of information, and it appreciated the
public vs. nonpublic distinction—but § 1030(a)(2)(c) contains no such
restrictions or modifiers.
Breyer also tore down 3taps' slippery slope arguments. The average
person does not use an anonymous proxy to bypass IP blocking enforced
through a cease-and-desist letter addressed specifically to that
person, the judge wrote:
Without any language in the statute to support its arguments, 3taps
lets the cat out of the bag in the concluding section of its brief and
urges consideration of “serious policy concerns” raised by
straightforward application of the CFAA’s broad language. There, and
sprinkled throughout its earlier, ostensibly text-based, arguments,
3taps posits outlandish scenarios where, for example, someone is
criminally prosecuted for visiting a hypothetical website
www.dontvisitme.com after a “friend”—apparently not a very good
one—says the site has beautiful pictures but the homepage says that no
one is allowed to click on the links to view the pictures. Needless to
say, the Court’s decision [regarding 3taps' actions]... does not speak
to whether the CFAA would apply to other sets of facts where an
unsuspecting individual somehow stumbles on to an unauthorized site.
3taps also invites this Court to make all manner of legislative
judgments turning on, for example, the “culture” of the Internet, the
Court’s view of whether accessing a website is more like window
shopping from a public sidewalk or actually entering a store and
whether “a permission-based regime for public websites could implode
the basic functioning of the internet itself.” 3taps opines that “the
‘socially prudent’ benefits of finding an implied license [to access
public website data] far outweigh any social utility derived from
allowing a website owner to selectively block access to publicly
available information, including by competitors.”
Maybe, or maybe not—but it is certainly not for this Court to impose
its views on those matters on unambiguous statutory language.
IP blocking hardly much of a “technological barrier”
Kerr, a professor of law at George Washington University and a former
trial attorney in the Computer Crime and Intellectual Property Section
at the US Department of Justice, wrote that Breyer's decision is
consistent with his view that "circumventing some kind of
technological barrier is required to violate the CFAA." However, Kerr
is disappointed that Breyer takes it as a given that changing one's IP
address or using a proxy counts as the circumvention of a
technological barrier.
Whether Craigslist sent a cease-and-desist letter to 3taps is only
necessary to prove 3taps' intent in accessing the website despite
being told not to, Kerr wrote. The "circumvention of a technological
barrier" question is a separate one that isn't addressed in the ruling
in any depth, he wrote.
"The counterargument runs like this," Kerr wrote. "IP addresses are
very easily changed, and most people use the Internet from different
IP addresses every day. As a result, attempting to block someone based
on an IP address doesn’t 'block' them except in a very temporary
sense. It pauses them for a few seconds more than actually blocks
them. It’s a technological barrier in the very short term but not in
the long term. Is that enough to constitute a technological barrier?"
Kerr wrote by way of disclosure that "I have discussed this case with
the defendant’s side but my analysis here remains my independent
opinion."
The CFAA itself could get an overhaul in Congress due to a bill
introduced in response to the prosecution of Swartz, who committed
suicide before his trial.
The bill's text "deletes the vague phrase 'exceeds authorized access
and clarifies the definition of 'access without authorization,' key
fixes in a law that has for years been misinterpreted because of its
vague definitions," according to the Electronic Frontier Foundation.
"Without this change, the government could've prosecuted everyday
Americans for violating low-level terms of service violations... In
short, everyone would be a criminal, leaving it up to the government
to decide when and where to bring down the hammer."
While the trickling release of Edward Snowden's revelations from bad to
worse in weekly incremental steps has been enormously effective in swaying
public opinion, it has made formulating a meaningful response very
difficult.
A few weeks ago we learned that the FBI has been purchasing personal
computer operating system vulnerabilities from gray and black-hat hackers
on the black market, often for several tens of thousands of dollars each,
and leaving them unreported and thereby unpatched for use in future
surveillance operations:
http://blogs.wsj.com/digits/2013/08/01/how-the-fbi-hacks-criminal-suspects/
Unfortunately, this means that the vulnerabilities remain available to the
criminal computer crime underground, affecting everyone including
Foundation project readers and contributors alike.
Very recently a well respected group of researchers characterized this
state of affairs as "preferable" to the complexity of additional
surveillance network and systems infrastructure:
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2312107
This is a false dichotomy which directly places Foundation project readers
and editors at risk, but does so along with virtually everyone else who
uses personal computer or smartphone equipment. However, I think it is an
important aspect to address because none of the other recent eavesdropping
revelations put people at risk of organized computer crime, blackmail, and
extortion in the same way.
Is there any reason to exclude action on a particular issue just because it
affects everyone else along with our users?
Hello, Wikimedians!
As expected, lots of busy bees have been flying around Brussels in July
trying to finish off things before the summer break. This made it a rather
long read, but I am sure there are worse things to have on your tablet on
the beach :). Anyway, enjoy the summer (or winter if you’re way south) and
see you in Hong Kong or back here in a month!
Dimi
EU Policy on Meta: http://meta.wikimedia.org/wiki/EU_policy
tl;dr
From a Wikimedian's perspective, the most significant events were the
signing of two open letters as a reaction to PRISM (by WMF and WMDE) and
the Committee vote on the Collective Rights Management Directive. This is
the Directive that will decide whether it will be legal for musicians to
donate single pieces of music to our projects.
ToC
1. Prism and Data Protection - Reactions and Wikimedia actions
2. Collective Rights Management Directive - Committee vote passes
3. Licences for Europe - Inside the work groups
4. Net Neutrality - Leaked draft
5. Notice and Takedown - And now what?
6. Meet us in Hong Kong!
-----------------
-----------------
#PRISM #EUdataP
1. Prism and Data Protection - Reactions and Wikimedia actions
Why is this relevant?
As stated elsewhere, rights of privacy are necessary for intellectual
freedom [1]. As a major global information provider we are part of the
“bigger” picture.
What happened?
As announced, the Wikimedia Foundation has signed a letter urging the US
government for more transparency as a reaction to recent surveillance
debates. [2] Other signatories include Mozilla, Reporters Without Borders
and companies like Google, Facebook and Microsoft. Wikimedia Deutschland
has signed an open letter too, to “ensure respect for the fundamental right
to privacy and informational self-determination”. [3] Other signatories are
the Electronic Frontier Foundation, Creative Commons Deutschland,
Transparency International and Greenpeace. Meanwhile, there is considerable
debate in Brussels on whether Snowden could and should be nominated for the
Sakharov (freedom of thought award by European Parliament) and Nobel
prizes.
What comes next?
The Snowden case has significantly changed the landscape for the current
and future data protection and internet privacy regulations. It would be
wise to think about whether we (the Wikimedia movement) have or should have
clear positions on these topics in the future, or whether it would be
wiser to stay out of it for the most part.
-----------------
-----------------
#CRM
2. Collective Rights Management Directive - European Parliament Committee
Vote Passes
Why is this relevant?
A new Directive aiming to harmonise the rules on collective rights
management in the EU is in the making (Full name: Collective management of
copyright and related rights and multi-territorial licensing of rights in
musical works for online uses in the internal market). Currently, many
artists find it legally impossible to release single pieces of music under
free licenses, as collecting societies have “all or nothing”-clauses.
Additionally, in many Member States collecting societies are state-approved
monopolies, leaving no room for free choice. The current proposal might
make it possible for musicians to release even individual pieces of music
under a free licence.
What happened?
The original Commission proposal did not include the possibility for
authors to release individual works under free licenses. In the European
Parliament, the Rapporteur for the lead Committee (Legal Affairs), Marielle
Gallo (EPP, FR), proposed [4] to include such an option in her draft. This
change was lost in a compromise agreement within the committee before
the vote. However, an amendment by Christian Engström (Greens, SE) was
somewhat surprisingly accepted that will most likely allow free licensing
for individual works. [5]
What comes next?
The Legal Affairs Committee’s version is expected to be voted in the
parliament in a single reading plenary session in October. Then it will
move on to the Council, where it might again be changed. In the meantime,
it would be helpful to canvass the Member States’ (Permanent
Representatives) positions so we get a clearer picture on whether the
Engström amendment is at risk. The first possible review date for the
Permanent Representatives is the 2nd December.
Further links:
Procedure file on the CRM Directive [6]
General review of the Directive [7]
-----------------
-----------------
#L4E
3. Licences for Europe - Inside the work groups
Why is this relevant?
This is a consultation process by the European Commission on licensing of
digital content. It is seen as part of a larger initiative to completely
overhaul copyright, although there have been voices questioning the
seriousness of such an intention. Generally speaking, this dialogue must be
seen in the context of the Commission currently bargaining the agenda for a
future Copyright reform - which aspects will be on the table in the next
few years.
What happened?
At the mid-term plenary session the work done so far in the work groups was
presented. The most relevant group for us - User Generated Content -
has seen the European Consumer Organisation (BEUC) leave the process and
be replaced by a group that claims to represent user-generated projects
but that no one has heard of.
This is currently forcing all remaining civil society organisations in the
work group to consider whether they should stay on board a "pseudo"
discussion. Content-wise, the talk dominated by industry organisations is
going toward creating more licensing for user-generated content, on top of
what we already have.
What comes next?
As Wikimedia's core issue is user-generated content and the Commission is
looking for new civil society partners to join the consultation, it would
be useful to decide by September whether we want to participate or stay
out, given that we can gain (almost) nothing and the
credibility of the process has taken numerous hits.
Further links:
We have a file on Licences for Europe on Meta [8]
The European Commission Page [9]
The European Consumer Organisation’s letter to Commissioner Barnier [10]
-----------------
-----------------
#netneutrality
4. Network Neutrality - Leaked draft
Why is this relevant?
Our mission is to disseminate Free Knowledge globally and we do so through
our projects (internet websites). How people’s access to them is regulated
is fundamental to us.
What happened?
After years upon years of flip-flopping on the issue, Digital Commissioner
Neelie Kroes finally seemed resolute on a coherent protection of the
neutrality of the internet. [11] However, a leaked working draft from the
interservice consultation process [12] goes in a completely different
direction. According to the document it would be possible for website
operators to pay internet service providers to guarantee that their sites
load faster (or that others are throttled).
What comes next?
An official legislative proposal is due to be published by the Commission
by the end of the year.
Further links:
We have a Network Neutrality file on Meta that can use your help! [13]
-----------------
-----------------
#NnT
5. Notice and Takedown - And now what?
Why is this relevant?
Notice and Takedown procedures define legally who is responsible for
(allegedly) unlawful content online and how to handle such cases in
practice. It is very likely that the questions of liability will be
defined or refined if it comes to a Directive.
What happened?
It is presently unclear whether this Commission will go ahead and propose a
Notice and Takedown Directive. Regardless of that development, a
Recommendation (non-binding) is in the making and expected by the end of
the year. Meanwhile, a group of 6 MEPs has released a letter [14] urging
Commissioner Barnier to go ahead and publish a draft Directive and not hide
the obviously heated discussions by shifting focus to a Recommendation.
What comes next?
There is not enough information for the moment to know what will be
proposed and when. However, if a Recommendation is made, there is no way to
change it in Parliament and it is up to each Member State whether they want
to implement it or not.
Further links:
We have a Notice and Takedown file on Meta, which needs your help [15]
A good overview of the topic so far by IPtegrity.com [16]
-----------------
-----------------
#Wikimania
6. Meet us in Hong Kong!
Niko (Nikolas Becker, WMDE Board) and I (Dimi, a.k.a. Dimitar Dimitrov)
will be in Hong Kong to present the EU Policy initiative and the newly
founded Free Knowledge Advocacy Group EU. Meet us during the Pre-Conference
on Thursday (8th) from 12-15 for an introduction and see our presentation
titled "Hacking Brussels" on Sunday (11th) in room TU201 [17]. Also, chat
us up wherever you see us!
-----------------
-----------------
Linkography:
[1]
http://www.ala.org/Template.cfm?Section=interpretations&Template=/ContentMa…
[2] https://www.cdt.org/files/pdfs/weneedtoknow-transparency-letter.pdf
[3] http://www.stopsurveillance.org/
[4]
http://www.europarl.europa.eu/RegData/commissions/juri/projet_rapport/2013/….
amendment 36)
[5]
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML….
amendments 252 and 263)
[6]
http://www.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2012/…
[7]
http://kluwercopyrightblog.com/2012/07/24/proposal-for-a-directive-on-colle…
[8] http://meta.wikimedia.org/wiki/EU_policy/Monitor/L4e
[9] http://ec.europa.eu/licences-for-europe-dialogue/en/content/about-site
[10] http://blog.quintarelli.it/files/2013-00138-01-e.pdf
[11] https://twitter.com/NeelieKroesEU/statuses/340020753510563840
[12] https://netzpolitik.org/wp-upload/CONSOLIDATED-DRAFT-for-ISC-070713.pdf
[13] http://meta.wikimedia.org/wiki/EU_policy/Monitor/NN
[14]
http://ameliaandersdotter.eu/sites/default/files/letter_commissioner_barnie…
[15] http://meta.wikimedia.org/wiki/EU_policy/Monitor/NnT
[16]
http://www.iptegrity.com/index.php/ipred/867-will-the-eu-act-on-notice-and-…
[17] https://wikimania2013.wikimedia.org/wiki/Schedule
Luis,
Would it be legal to adopt a policy that any individual served with a
National Security Letter must immediately request a transfer to a
department headed by a different C-level officer?
If so, is the Foundation willing to adopt such a policy?