Whitepapers
Our whitepapers reflect the results of EFF's clear thinking on issues at the cutting-edge of law and technology.
When EFF launched the Certbot tool in 2016, our goal was to help website administrators secure their sites with HTTPS certificates. Since then, our technology and design teams have received feedback from users about their barriers to using Certbot, how they find it, what makes it useful, and what a more usable Cerbot might look like for different people. Here, we’ll give a behind-the-scenes look at how EFF is thinking about making it easier for everyone to secure their websites with free HTTPS certificates. This case study covers a year of internal user research and design strategy sessions with the goal of redesigning our Certbot website. Beyond securing the web, we hope this design case study will be helpful to other nonprofit organizations and independent groups who are also figuring out how to do smaller scale user research for their own technology projects.
The debate over the best infrastructure to deliver fixed last-mile broadband service in the 21st century is settled, and fiber is the undisputed winner. Fiber-to-the-home deployments are a better option for consumers today, and they are the only option that will allow expansive, efficient upgrades to America’s networks for a generation.
Drawing on rights recognized by the American Convention of Human Rights, and examples from North and South American jurisprudence, this document seeks to connect the work of security research with the fundamental rights of its practitioners.
We are at a critical moment for free expression online and for the role of Internet intermediaries in the fabric of democratic societies. In particular, governments around the world have been pushing companies to take down more speech than ever before. What responsibilities do the platforms that directly host our speech have to protect—or take down—certain types of expression when the government comes knocking?
Face recognition is poised to become one of the most pervasive surveillance technologies, and law enforcement’s use of it is increasing rapidly. This white paper takes a broad look at the problems with law enforcement use of face recognition technology in the United States, finishing with concrete and specific technical and legal recommendations for future legislation.
In the Internet’s early days, those wishing to register their own domain name had only a few choices of top-level domain to choose from, such as .com, .net, or .org. Today, users, innovators, and companies can get creative and choose from more than a thousand top-level domains, such as .cool, .deals, and .fun. But should they?
It turns out that not every top-level domain is created equal when it comes to protecting the domain holder’s rights. Depending on where you register your domain, a rival, troll, or officious regulator who doesn’t like what you’re doing with it could wrongly take it away, or could unmask your identity as its owner—even if they are from overseas.
To help make it easier to sort the .best top-level domains from the .rest, EFF and Public Knowledge have gotten together to provide this guide to inform you about your choices. There’s no one best choice, since not every domain faces the same challenges. But with the right information in hand, you’ll be able to make the choice that makes sense for you.
Women’s health is big business. There are a staggering number of applications for Android and iOS which claim to help people keep track of their monthly cycle, know when they may be fertile, or track the status of their pregnancy. These apps entice the user to input the most intimate details of their lives, such as their mood, sexual activity, physical activity, physical symptoms, height, weight, and more. But how private are these apps, and how secure are they in fact? After all, if an app has such intimate details about our private lives, it would make sense to ensure that it is not sharing those details with anyone, such as another company or an abusive family member. To this end, EFF and Gizmodo reporter Kashmir Hill have taken a look at some of the privacy and security properties of nearly twenty different fertility and pregnancy tracking applications. While this is not a comprehensive investigation of these applications by any means, we did uncover several privacy issues, some notable security flaws, and a few interesting security features in the applications we examined. We conclude that while these applications may be fun to use, and in some cases useful to the people who need them, women should carefully consider the privacy and security tradeoffs before deciding to use any of these applications.
Freedom of expression is a universal right, but the specific threats to it vary widely from country to country and region to region. As activists fighting for free speech worldwide, it is essential that we better understand the specific legal and procedural mechanisms that governments use to silence it. When you begin to untangle the array of laws that are used to prosecute speech in a given country, you get a much clearer picture of the state of digital rights in that country.
Which companies will stand by users, insisting on transparency and strong legal standards around government access to user data? And which companies make those policies public, letting the world—and their own users—judge their stances on standing up for privacy rights?
Every year, the United States publishes a report on countries that, in the opinion of the U.S. Trade Representative (USTR), fail to give “adequate and effective” protection to U.S. holders of intellectual property rights. This Special 301 Report names and shames nations that do not meet a vague and impossibly high standard of IP enforcement, and implies that the U.S. and its trade partners should punish them for failing to enact more draconian copyright, patent, and trademark restrictions. The Special 301 Report is the result of an opaque process that directly manifests the desires of private industry, like Hollywood studios. It is used as a bullying tactic to push countries into adopting stronger IP laws, regardless of whether such laws are in the best interests of the citizens of that country.
The "Defend Innovation" whitepaper is the culmination of two-and-a-half years worth of research, drawing from the stories, expertise, and ideas of more than 16,500 people who agree that the current patent system is broken.
When somebody wants to silence speech, they often use the quickest method available. When the speech is hosted on a major online platform, that method is usually a copyright or trademark complaint. For many years, EFF has worked with people whose lawful speech has been unfairly targeted by these sorts of complaints. We've observed that some approaches tend to work better than others in preventing that sort of deliberate abuse, as well as the casual censorship that comes from haphazard and dragnet approaches to policing online infringement.
The “anti-circumvention” provisions of the Digital Millennium Copyright Act (“DMCA”), codified in section 1201 of the Copyright Act, have not been used as Congress envisioned. The law was ostensibly intended to stop copyright infringers from defeating anti-piracy protections added to copyrighted works. In practice, the anti-circumvention provisions have been used to stifle a wide array of legitimate activities. As a result, the DMCA has become a serious threat to several important public policy priorities.
This whitepaper explains U.S. copyright law’s civil penalty regime. It describes the two major problems with this regime: excessive penalties and unpredictability. It discusses the harms that flow from this broken law. Finally, it suggests some measured changes Congress can make to fix these problems.
We entrust our most sensitive, private, and important information to technology companies like Google, Facebook, and Verizon. Collectively, these companies are privy to the conversations, photos, social connections, and location data of almost everyone online. The choices these companies make affect the privacy of every one of their users. So which companies stand with their users, embracing transparency around government data requests? Which companies have resisted improper government demands by fighting for user privacy in the courts and on Capitol Hill? In short, which companies have your back?
When you use the Internet, you entrust your conversations, thoughts, experiences, locations, photos, and more to companies like Google, AT&T and Facebook. But what do these companies do when the government demands your private information? Do they stand with you? Do they let you know what’s going on?
In this annual report, the Electronic Frontier Foundation examined the policies of major Internet companies — including ISPs, email providers, cloud storage providers, location-based services, blogging platforms, and social networking sites — to assess whether they publicly commit to standing with users when the government seeks access to user data. The purpose of this report is to incentivize companies to be transparent about how data flows to the government and encourage them to take a stand for user privacy whenever it is possible to do so.
When you use the Internet, you entrust your online conversations, thoughts, experiences, locations, photos, and more to companies like Google, AT&T and Facebook. But what happens when the government demands that these companies to hand over your private information? Will the company stand with you? Will it tell you that the government is looking for your data so that you can take steps to protect yourself?
The Electronic Frontier Foundation examined the policies of 18 major Internet companies — including email providers, ISPs, cloud storage providers, and social networking sites — to assess whether they publicly commit to standing with users when the government seeks access to user data. We looked at their terms of service, privacy policies, and published law enforcement guides, if any. We also examined their track record of fighting for user privacy in the courts and whether they’re members of the Digital Due Process coalition, which works to improve outdated communications law. Finally, we contacted each of the companies with our conclusions and gave them an opportunity to respond and provide us evidence of improved policies and practices. These categories are not the only ways that a company can stand up for users, of course, but they are important and publicly verifiable.
The collection of biometric data in the United States--whether by law enforcement or at the nation's borders--has expanded drastically in the years since September 11, 2001, and immigrant communities are increasingly affected by this expansion. What does this mean for the privacy and security of citizens and non-citizens alike? You can view or download the entire paper at this link: https://www.eff.org/document/fingerprints-dna-biometric-data-collection-us-immigrant-communities-and-beyond For more information see By the Numbers or the Executive Summary.
Our lives are on our laptops – family photos, medical documents, banking information, details about what websites we visit, and so much more. Thanks to protections enshrined in the U.S. Constitution, the government generally can’t snoop through your laptop for no reason. But those privacy protections don’t safeguard travelers at the U.S. border, where the U.S. government can take an electronic device, search through all the files, and keep it for a while for further scrutiny – without any suspicion of wrongdoing whatsoever.
The Fourth Amendment to the Constitution protects you from unreasonable government searches and seizures, and this protection extends to your computer and portable devices. But how does this work in the real world? What should you do if the police or other law enforcement officers show up at your door and want to search your computer? EFF has designed this guide to help you understand your rights if officers try to search the data stored on your computer or portable electronic device, or seize it for further examination somewhere else.
In a review of nearly 2,500 pages of documents released by the Federal Bureau of Investigation as a result of litigation under the Freedom of Information Act, EFF uncovered alarming trends in the Bureau’s intelligence investigation practices. The documents consist of reports made by the FBI to the Intelligence Oversight Board of violations committed during intelligence investigations from 2001 to 2008. The documents suggest that FBI intelligence investigations have compromised the civil liberties of American citizens far more frequently, and to a greater extent, than was previously assumed.
Since they were enacted in 1998, the "anti-circumvention" provisions of the Digital Millennium Copyright Act ("DMCA"), codified in section 1201 of the Copyright Act, have not been used as Congress envisioned. Congress meant to stop copyright infringers from defeating anti-piracy protections added to copyrighted works and to ban the "black box" devices intended for that purpose. In practice, the anti-circumvention provisions have been used to stifle a wide array of legitimate activities, rather than to stop copyright infringement.
After several years of false starts, the universe of digital books seems at last poised to expand dramatically. Readers should view this expansion with both excitement and wariness. Excitement because digital books could revolutionize reading, making more books more findable and more accessible to more people in more ways than ever before. Wariness because the various entities that will help make this digital books revolution possible may not always respect the rights and expectations that readers, authors, booksellers and librarians built up, and defended, over generations of experience with physical books.
We have all seen them while online. Whether placed in front of our faces in the form of an "I Agree" box or found in a notice lingering at the bottom of a web page, we all will eventually be asked to agree a listed set of "Terms of Service" (TOS). But the fundamental question remains: when do these ubiquitous TOS agreements actually become binding contracts with the online service provider? As it turns out, not all expressions of agreement are created equal.
On January 30th, 2009, Kristina Clair of Philadelphia, PA — one of the system administrators of the server that hosts the indymedia.us site — received in the mail a grand jury subpoena from the Southern District of Indiana federal court. The FBI had sent an email to Ms. Clair a couple of weeks earlier asking where a subpoena directed at the indymedia.us site should be sent. So, we at EFF were ready and waiting to evaluate the subpoena as soon as it arrived. Yet even we were surprised at what we saw.
Over the next decade, systems which create and store digital records of people's movements through public space will be woven inextricably into the fabric of everyday life. We are already starting to see such systems now, and there will be many more in the near future.
The Internet remains one of the most powerful means ever created to give voice to repressed people around the world. Unfortunately, new technologies have also given authoritarian regimes new means to identify and retaliate against those who speak out despite censorship and surveillance. Below are six basic ideas for those attempting to speak without falling victim to authoritarian surveillance and censorship, and four ideas for the rest of us who want to help support them.
Here's a story we hear a lot at EFF: You think BadCo, Inc. is a bad actor and you've developed a really cool site to tell the world why. Maybe just by griping about them or maybe through a bit of parody. Fast forward two weeks: you're basking in the pleasure of calling BadCo out when bam! You find out your site's been shut down. You call your internet service provider to find out what's going on. After way too much time climbing phone trees and sitting on hold you get an answer — BadCo has claimed that your site violates its intellectual property rights.
On March 10-12, 2008, the World Intellectual Property Organization’s Standing Committee on Copyright and Related Rights met in Geneva to begin talking about exceptions to, and limitations on, rights granted to copyright holders by international instruments, a topic which is of vital importance to developing countries. As a result, copyright exceptions and limitations will be an ongoing focus of the work of WIPO’s Copyright Committee in the next year.
This document collects reported cases where the anti-circumvention provisions of the DMCA have been invoked not against pirates, but against consumers, scientists, and legitimate competitors. It will be updated from time to time as additional cases come to light. The latest version can always be obtained at EFF.org.
On September 8, 2003, the recording industry sued 261 American music fans for sharing songs on peer-to-peer (P2P) file sharing networks, kicking off an unprecedented legal campaign against the people that should be the recording industry’s best customers: music fans. Five years later, the recording industry has filed, settled, or threatened legal actions against at least 30,000 individuals. These individuals have included children, grandparents, unemployed single mothers, college professors—a random selection from the millions of Americans who have used P2P networks. And there’s no end in sight; new lawsuits are filed monthly, and now they are supplemented by a flood of "pre-litigation" settlement letters designed to extract settlements without any need to enter a courtroom.
Online service providers (OSPs) are vital links between their users and the Internet, offering bandwidth, email, web, and other Internet services. Because of their centrality, however, OSPs face legal pressures from all sides: from users, industry, and government. Here we offer information for people who run and use OSPs in order to help them make sound, ethical decisions about how to safeguard private data and preserve freedom of expression online.
Many issued patents upon a new review turn out to lack novelty and obviousness in light of previously undisclosed references. This report examines this policy problem and suggests the following recommendations to improve patent quality during and after issuance.
The current battles surrounding peer-to-peer file sharing are a losing proposition for everyone. The record labels continue to face lackluster sales, while the tens of millions of American file sharers—American music fans—are made to feel like criminals. Every day the collateral damage mounts—privacy at risk, innovation stymied, economic growth suppressed, and a few unlucky individuals singled out for legal action by the recording industry. And the litigation campaign against music fans has not put a penny into the pockets of artists. We need a better way forward.
Comcast is the second largest Internet Service Provider (ISP) in the United States.
Some time around May 2007, Comcast installed new software or equipment on its networks that began selectively interfering with some of Comcast's customers' TCP/IP connections.
Certain Internet service providers have begun to interfere with their users' communications by injecting forged or spoofed packets - data that appears to come from the other end but was actually generated by an Internet service provider (ISP) in the middle. This spoofing is one means (although not the only means) of blocking, jamming, or degrading users' ability to use particular applications, services, or protocols.
Google, MSN Search, Yahoo!, AOL, and most other search engines collect and store records of your search queries. If these records are revealed to others, they can be embarrassing or even cause great harm. Would you want strangers to see searches that reference your online reading habits, medical history, finances, sexual orientation, or political affiliation?
As of July 2006, the RIAA has sued over 20,000 music fans for file sharing in just under three years. In 2004, the Motion Picture Association of America (MPAA) joined< this misguided, anti-consumer crusade. Filing lawsuits against anonymous "Doe" defendants, the RIAA and MPAA seek to uncover the identities of P2P users and force them to pay thousands of dollars in settlements. Many innocent individuals are being caught in the crossfire. While there is no way to know exactly what the RIAA and MPAA are going to do or who they are going to sue, users of publicly-accessible P2P networks can take the following steps to reduce their chances of being sued:
This document collects a number of reported cases where the anti-circumvention provisions of the DMCA have been invoked not against pirates, but against consumers, scientists, and legitimate competitors. It will be updated from time to time as additional cases come to light. The latest version can always be obtained at www.eff.org.
This piece is meant as a general explanation of the U.S. copyright law principles most relevant to P2P file-sharing technologies.
At the request of the United States Secret Service, manufacturers developed mechanisms that print in an encoded form the serial number and the manufacturer's name as indiscernible markings on color documents. This paper investigates these codes in detail.
For years, university administrators have faced a growing challenge: fighting copyright infringement on campus networks. Confronting this challenge has not been easy and neither has choosing the right tool for the job.
Here we offer a few simple precautions to help you maintain control of your personal privacy so that you can express yourself without facing unjust retaliation. If followed correctly, these protections can save you from embarrassment or just plain weirdness in front of your friends and coworkers.
This paper discusses the failure of DRM in the developed world, where it has been in wide deployment for a decade with no benefit to artists and with substantial cost to the public and to due process, free speech and other civil society fundamentals.
As of July 2006, the RIAA has sued over 20,000 music fans for file sharing in just under three years. In 2004, the Motion Picture Association of America (MPAA) joined< this misguided, anti-consumer crusade. Filing lawsuits against anonymous "Doe" defendants, the RIAA and MPAA seek to uncover the identities of P2P users and force them to pay thousands of dollars in settlements. Many innocent individuals are being caught in the crossfire. While there is no way to know exactly what the RIAA and MPAA are going to do or who they are going to sue, users of publicly-accessible P2P networks can take the following steps to reduce their chances of being sued.
We've all seen them – windows that pop up before you install a new piece of software, full of legalese. To complete the install, you have to scroll through 60 screens of dense text and then click an "I Agree" button. Sometimes you don't even have to scroll through to click the button. Other times, there is no button because merely opening your new gadget means that you've "agreed" to the chunk of legalese.
In their zeal to stop spam, many organizations and companies are blocking the delivery of wanted messages, especially those sent through email lists. This problem is exacerbated by the fact that most blocking processes are not transparent to the email sender or recipient, and email users are generally given little or no control over which emails are blocked.
In 1641, in his Meditations on First Philosophy, mathematician and philosopher Rene Descartes asked how it is that we can trust our senses. What if, he asked, everything we experience is actually part of a delusion created by an omnipotent demon bent on deceiving us? It turns out that a similar question has been weighing on the minds of Microsoft, Intel, and a number of other computer companies.
Nearly one-third of American voters – over 50 million people – live in districts that will use electronic voting terminals to elect the next president.1 However, widespread reports of voting terminal failures,2 and growing concern about the security of these machines, are fueling fierce debate over how to ensure the integrity of our elections.
Computer security is undeniably important, and as new
vulnerabilities are discovered and exploited, the perceived need for
new security solutions grows. "Trusted computing" initiatives propose
to solve some of today's security problems through hardware changes
to the personal computer.
The DMCA has been used to invade the privacy
of Internet users, harass Internet service providers, and chill online speech.
The subpoena and takedown powers of Section 512 are not limited to cases
of proven copyright infringement, and are exercised without a judge's review. The
following is a small sampling of abuse, overreaching, and mistakes in the
use of Section 512(h) subpoenas, Section 512(c)(3)(A) notices, and equivalents.
Judicial oversight could curb these abuses without interfering with copyright
enforcement.
Among the many reactions to the September 11 tragedy has been a renewed attention to biometrics. The federal government has led the way with its new concern about border control. Other proposals include the use of biometrics with ID cards and in airports, e.g. video surveillance enhanced by facial-recognition technology. The purpose of this document is to sketch out EFF's concerns about biometrics.
A wide variety of technologies travel under the banner of "digital rights management" (DRM). In appropriate circumstances, these technologies can solve real problems for users, technology vendors, and content owners. Some, however, have made more ambitious claims for DRM, suggesting that these technologies represent the best hope for the entertainment industries as they struggle to evolve in a networked economy. But DRM is not without costs.
Since they were enacted in 1998, the "anti-circumvention" provisions
of the Digital Millennium Copyright Act ("DMCA"), codified in section 1201
of the Copyright Act, have not been used as Congress envisioned. Congress
meant to stop copyright pirates from defeating anti-piracy protections added
to copyrighted works, and to ban "black box" devices intended for that purpose. In practice, the anti-circumvention provisions have been used
to stifle a wide array of legitimate activities, rather than to stop copyright
piracy.
12 steps you can take to help protect your privacy on the Web.