Escape from Zoom: EFF's 6th Annual Tech Trivia Night Returns to Meatspace!

1 month ago

The Cybertiger has escaped his Zoom meetings, yes! YES! The Cybertiger is out!

After over two years of virtual meetings, EFF's Cooper "Cybertiger" Quintin returned to the stage, live and in-person! Friends reunited, suspicions that all our coworkers were actually holograms were assuaged (for now), and the tacos were delicious. So, so, delicious.

After some much-needed camaraderie, the competition was on! Five teams put their tech know-how to the test, all vying for the chance to win an EFF prize pack, the new championship trophies, and, perhaps most importantly, the bragging rights.

Last year it was mugs, now it's rainbows!

Tech Trivia Night began as a spin-off of EFF's Cyberlaw Trivia and is now in its sixth year (they grow up so fast) of testing players' knowledge of the fascinating, obscure, and trivial minutiae of digital security, online rights, and Internet culture.

With the awards gleaming in all their rainbow glory, Quintin introduced the highly esteemed judges: Andrés Arrieta, Jon Callas, and Syd Young. As with any fair competition, judges could be bribed with Burger King, KFC, fungible tokens, and answer sheet doodles!

Doodles to bribe the judges.

After a challenging first three rounds, team "And In First" lived up to their name and gained the lead early. Team "Masters of Disaster" were hot on their heels, but ultimately finished just 2 points behind, with team "Anonymous Lorises" taking 3rd place.

The winning team, "And In First"!

In second place, "Masters of Disaster"!

In third place, "Anonymous Lorises"!

Many thanks to this year's sponsors Bishop Fox and Gandi.net! If you or your company are interested in supporting a future EFF event, please contact Nicole Puller.

EFF's sincere appreciation goes out to all of the participants who joined us for a great quiz over tacos and drinks while never losing sight of our mission to drive the online rights movement forward. We salute the digital freedom supporters around the world who have helped ensure that EFF can continue working in the courts and with policymakers, activists, technologists, and the public to protect online privacy and free expression.

Learn about upcoming EFF events when you sign up for our email list, or just check out our event calendar. We hope to see you soon!

Hannah Diaz

DOJ’s New CFAA Policy is a Good Start But Does Not Go Far Enough to Protect Security Researchers

1 month 1 week ago

The Computer Fraud and Abuse Act (CFAA), the notoriously vague anti-hacking law, is long overdue for major reform. Among many problems, the CFAA has been used to target security researchers whose work uncovering software vulnerabilities frequently irritates corporations (and U.S. Attorneys). The Department of Justice (DOJ) today announced a new policy under which it will not bring CFAA prosecutions against those engaged “solely” in “good faith” security research.

It's an important step forward that the DOJ recognizes the invaluable role security research plays in strengthening the security of messaging and social media applications, financial systems, and other digital systems used by hundreds of millions of people every day. But its new policy, which is only an agreement by the DOJ to exercise restraint, falls far short of protecting security researchers from overzealous threats, prosecutions, and the CFAA's disproportionately harsh prison sentences. We still need comprehensive legislative reform to address the harms of this dangerous law.

In part, DOJ’s policy change is forced by the Supreme Court’s ruling last year in Van Buren v. U.S., which provided clarification of the meaning of “exceeding authorized access” under the CFAA. The law makes it a crime to “intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] . . . information from any protected computer,” but does not define what authorization means. Previously, the law had been interpreted to allow criminal charges against individuals for violating a website’s terms of service or violating an employer’s computer use policy, leading to criminal charges that have nothing to do with hacking. In Van Buren, the Supreme Court cut back on that interpretation, holding that the defendant did not “exceed authorized access” when he obtained information he was entitled to search for work purposes but used that information for other, nonapproved activities.

The new DOJ policy adopts this interpretation—as it must—but like the Supreme Court, it stops far short of requiring that a defendant defeat a technological restriction in order to exceed authorized access. That would do more to protect security researchers, journalists, and others whose work requires accessing computers in ways that contravene terms of service or go against the wishes of the computer owner.

Instead of this clear line, the new policy explicitly names scenarios in which written policies may give rise to a criminal CFAA charge, such as when an employee violates a contract that puts certain files off limits in all situations, or when an outsider receives a cease-and-desist (C&D) letter informing them that their access is now unauthorized. We've seen companies like Facebook and LinkedIn abuse the CFAA in exactly that way—sending C&Ds to researchers and journalists whose access they don't like. Regardless of the merit of these private disputes, it is unacceptable to give these tech companies discretion to turn their far less powerful adversaries into potential federal criminals.

The new DOJ policy also promises more than it delivers in its exemption from prosecution for security research. It limits the exemption to research conducted “solely” in “good faith,” which could leave out a lot of how security research happens in the real world. That word “solely” leaves open to interpretation whether hackers who discover and disclose a vulnerability so that it can be fixed, but who also get paid, speak at a security conference like DEF CON, or have other secondary motivations, can still be prosecuted.

Moreover, the policy adopts the definition of “good faith security research” put forth by the Copyright Office in its triennial rulemaking about the Digital Millennium Copyright Act (DMCA) Section 1201, which purports to provide an exemption for good faith security testing, including using technological means. But that exemption is both too narrow and too vague. The DMCA prohibits providing technologies, tools, or services to the public that circumvent technological protection measures to access copyrighted software without the permission of the software owner. To avoid violating the DMCA, any tools used must be for the "sole purpose" of security testing, with additional limitations interpreted at the government’s discretion.

Like the DMCA's language, the DOJ policy fails to provide concrete, detailed provisions to prevent the CFAA from being misused to prosecute beneficial and important online activity. The CFAA should protect security researchers and give them incentives to continue their vital work. Security researchers should not have to fear that their work protecting all of us from flaws in computer systems in cars, electronic voting systems, and medical devices like insulin pumps and pacemakers is going to land them in prison. The DOJ's policy simply does not go far enough to prevent this.

As an agency policy, the DOJ's new rules do not bind courts and can be rescinded at any time, such as by a future administration. The policy also does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, and innovators. Nor does it address the threats posed by state anti-hacking laws, some of which are even more overbroad than the CFAA itself. The policy is a good start, but it is no substitute for comprehensive CFAA reform, whether by Congress or by the courts continuing the work of Van Buren to narrow the law's reach.

Related Cases: Van Buren v. United States
Andrew Crocker

Two of Peru's Top ISPs Improve Transparency Practices While Two Competitors Lag Behind, New Hiperderecho Report Shows

1 month 1 week ago

Peru's top two telecom operators, Movistar (Telefónica) and Claro (América Móvil), continued to earn high marks for being transparent about government requests for user data, while competitors Bitel (Viettel) and Entel slightly improved their human rights-related practices but generally lagged behind, according to a new report issued today by digital rights group Hiperderecho.

Hiperderecho's new ¿Quién Defiende Tus Datos? (“Who Defends Your Data”) report, launched today, reveals disparities in data protection and privacy practices among Peru's four leading internet service providers (ISPs). Movistar came out slightly ahead in the new report after tying with Claro for the top position in the report's last edition. Except for the user notification category, Movistar received full credit in all other evaluated parameters. Even though all four companies—Bitel, Claro, Entel, and Movistar—have improved their marks since the first edition in 2015, the disparities in the latest results are evident. In four out of eight evaluated categories, Bitel and Entel received no credit, highlighting their lack of transparency regarding government requests for access to users' personal data.

Only Movistar and Claro received scores  for publishing information about government requests for user data, disclosing guidelines they follow when responding to such requests, explicitly committing to require judicial orders before handing user data to authorities, and disclosing practices for notifying users about such government requests. The report also looked at companies’ privacy policies, digital security practices, and human rights policies. In those categories, all four companies earned at least partial scores.

This report, the fourth evaluating Peru’s major telecom operators,  included a new category: whether telecom companies make available webpages, contracts, and/or privacy policies in native languages, like Quechua and Aymara. As Hiperderecho’s report highlights, “[w]e consider this to be of utmost importance because there is no free and informed consent if the information presented regarding the processing of personal data is not in an understandable language.” 

Main findings

Publishing privacy policies is already a steady practice among evaluated ISPs. All earned full scores in the last two reports. They publish privacy/data protection policies that apply to their telecommunication services (not only to their apps or communication channels), disclosing, in simple and clear language, what  information they collect, for how long, and instances when they share data with third parties. Movistar stands out for a Transparency Center on its website that presents the information in a more helpful and attractive way.

As for publishing more detailed guidelines on how they handle government requests for user data, both Claro and Movistar received full scores. In contrast, Bitel and Entel don’t disclose any guidelines. For the first time, Movistar went beyond publishing its global policies, and published guidelines relating to Peru. Claro had done so already in the last report. Back then and this year, Claro’s published guidelines earned a full star. Claro discloses applicable norms for lifting telecommunications secrecy, competent authorities to issue data requests, requirements they should follow, and the ISP procedure for processing government demands. The guidelines mention norms that include communications content and metadata. 

Both companies also explicitly commit to requiring a judicial order before handing user data to government authorities. With transparent law enforcement guidelines, Claro and Movistar disclose more than vague statements that they may hand user data “to comply with legal requirements.” Those vague statements are all that Hiperderecho could find in Bitel and Entel policies.

Again, only Claro and Movistar publish transparency reports about government requests for user data. Telefónica (Movistar) has been publishing annual transparency reports since 2016, but the company only recently made the reports available on Movistar Peru's website. In turn, Claro improved its practices since the last edition and earned a full star for disclosing more details about the requests received, such as the requesting authorities and the reason for the request (criminal or other matters, and the type of crime under investigation). Claro's transparency report also shows the number of government requests for real-time location data under Legislative Decree 1182, which requires subsequent judicial review instead of a prior judicial order.

Hiperderecho's report notes that in 2021 legislators expanded the cases in which authorities can access user data under LD 1182. Before the legislative change, authorities could access user data under LD 1182 only when a crime was in the process of being committed (“flagrante delicto” cases). Now those cases also include preliminary investigations of a significant range of crimes, such as illegal mining and crimes against public administration. Shedding light on those requests is all the more important given their invasive nature and the lack of a prior judicial order requirement.

As for committing to notify users about data demands, Claro does so for labor, civil, and family cases—a key advance since the last report. However, both Claro and Movistar still refuse to notify users in criminal cases. Claro claims that the Prosecutor’s Office directs the investigation and therefore should determine the proper moment to notify. In turn, Movistar argues that Peru’s Criminal Procedure Code limits companies’ ability to notify. Hiperderecho holds a different understanding, defending user notification as a best practice companies should adopt. In any case, the report grants a partial score when companies publicly explain their practices relating to user notification, even if they explain the reason for not carrying it out.

Claro fell short, however, in the native language category, while Bitel almost received a full star. Bitel provides a service channel in Quechua, Aymara, Ashaninka, and Shipibo-Conibo. In turn, Claro provides contracts and policies in Quechua. Movistar received the best score for having both service channels and contracts in native languages.

Hiperderecho's Peru ¿Quién Defiende Tus Datos? series of reports is part of a region-wide initiative across Latin America and Spain, inspired by EFF's Who Has Your Back project, aimed at encouraging companies to be more transparent and to treat better protection of user privacy as a competitive advantage. Although companies with the largest market share, like Claro and Movistar in Peru, may have more resources to attain a leadership position, other ¿Quién Defiende Tus Datos? reports have shown that smaller operators can work to meet or even outperform the larger players. Peru's Bitel and Entel should follow suit and do better next time.

Veridiana Alimonti

Platform Liability Trends Around the Globe: From Safe Harbors to Increased Responsibility

1 month 1 week ago

This is the first installment in a four-part blog series surveying global intermediary liability laws. You can read additional posts here: 

The vast majority of internet users around the world interact with online intermediaries—including internet service providers (ISPs), search engines, and social media platforms—on a regular basis. These companies play an essential role in enabling access to information and connecting people across the globe, and are major drivers of economic growth and innovation. 

Therefore, the policies that intermediaries adopt to govern online marketplaces and platforms significantly shape users’ social, economic, and political lives. Such policies have major implications for users’ fundamental rights, including freedom of expression, freedom of association, and the right to privacy. 

The increasingly powerful role of intermediaries in modern society has prompted a host of policy concerns. One key policy challenge is defining online intermediaries’ legal liability for harms caused by content generated or shared by—or activities carried out by—their users or other third parties. 

We are concerned by the growing number of governments around the world that are embracing heavy-handed approaches to intermediary regulation. Policymakers today not only expect platforms to detect and remove illegal content, but are increasingly calling on platforms to take down legal but undesirable or “harmful” content as well.  

Recent government proposals to address “harmful” content are dangerously misguided and will inevitably result in the censorship of all kinds of lawful and valuable expression.  Harsher liability laws for online intermediaries encourage platforms to affirmatively monitor how users behave; filter and check users’ content; and remove or locally filter anything that is controversial, objectionable, or potentially illegal to avoid legal responsibility. Examples of such proposals will be discussed in part three of this blog series.

Faced with expansive and vague moderation obligations, little time for analysis, and major legal consequences if they guess wrong, companies inevitably overcensor. Stricter regulation of and moderation by platforms also results in self-censorship, as users try to avoid negative repercussions for their artistic and political expression. And, without legal protection, service providers easily become targets for governments, corporations, and bad actors who want to target and silence users.

The next few years will be decisive for the core rules that govern much of today’s internet. In this light, we offer up this four-part blog series, entitled Platform Liability Trends around the Globe, to help navigate the jungle that is global intermediary liability regulation. 

We begin by providing some background information and exploring global shifts in approaches to intermediary liability laws. In Part Two we’ll unpack different approaches to intermediary liability, as well as explore some regulatory “dials and knobs” that are available to policymakers. Part Three will take a look at some new developments taking place around the world. Finally, in Part Four, we’ll dig into EFF’s perspective and provide some recommendations as we consider the future of global intermediary liability policy.

A Brief History of Intermediary Liability Rules

Let’s start with a brief outline of intermediary liability laws, the political context that gave rise to them, as well as today’s changing political discourses surrounding them.

Generally, intermediary liability laws deal with the legal responsibility of online service providers for harms caused by content created or shared by users or other third parties.

Most intermediary liability regulations share one core function: to shield intermediaries from legal liability arising from content posted by users (the exact scope of this immunity or safe harbor varies across jurisdictions, as will be discussed later in this series). These laws acknowledge the important role online service providers play in the exercise of fundamental rights in today’s society. 

The need to create specific liability rules became apparent in the 1990s, as internet platforms were increasingly sued for harms caused by their users’ actions and speech. This trend of targeting internet intermediaries led to a host of problems, from increasing the risks associated with investing in the fledgling internet economy to legal uncertainty for users and businesses, and the fragmentation of legal regimes across countries and regions. 

Trying to counterbalance this trend, lawmakers around the globe introduced safe harbors and other liability limitations for internet intermediaries. In protecting intermediaries from liability, safe harbor laws pursue three goals: (1) to encourage economic activity and innovation, (2) to protect internet users’ freedom of speech, and (3) to encourage intermediaries to tackle illegal content and to take actions to prevent harm.

A Shift in Tone—from Liability Exemptions to Responsibility 

These goals are still highly relevant even though today's online environment is different from the one for which the early regulations were enacted. Today, a handful of companies are dominant global players on the internet and have become ecosystems unto themselves.

There are many potential responses to the dominance of "big tech.” At EFF, we have long advocated for interoperability and data portability as part of the answer to outsized market power. Liability exemptions are not a “gift to big tech”; rather they ensure that users can share speech and content over the internet using a variety of services. Nevertheless, some consider liability exemptions as giving an unfair advantage to the dominant platforms. 

Political discourse has also moved on in important ways. Internet intermediaries—and especially social media networks—are spaces where a considerable amount of public discourse occurs and often play a role in shaping discourse themselves. In recent years, major global events have catapulted social media platforms into the limelight of the public’s attention including: foreign interference in the 2016 US Presidential Election; the Cambridge Analytica scandal; the ethnic cleansing of Rohingyas in Myanmar; the 2018 Christchurch mosque shootings; and the spread of misinformation threatening the integrity of elections in countries like Brazil, India, and the United States.

As a result of the widespread perception by both the public and policymakers that companies’ responses to recurring problems like misinformation, cyberbullying and online hate speech have been insufficient, online intermediaries are under increased scrutiny. This “techlash” has thus given rise to calls for new and harsher rules for online intermediaries. 

Recent accountability debates have shifted the focus towards platforms’ assumed obligations based on moral or ethical arguments concerning the public role of online intermediaries in a democratic society. Rather than focusing on a utility or welfare-based approach to liability limitations, policymakers are increasingly moving towards a discourse of responsibility. Because so many people rely on them to communicate with each other, and because they appear so powerful, online platforms—and in particular social media services—are increasingly viewed as gatekeepers who have a responsibility towards the public good.

The expectation that intermediaries respond to current cultural or social norms has led to two related policy responses, both centering on the need for platforms to take on more “responsibility”: an increasing reliance on corporate social responsibility and other forms of self-intervention by intermediaries, and a greater push to legally require platforms to establish proper governance structures and effectively tackle user misconduct. Some suggestions center on the need for platforms to take more effective voluntary actions against harmful content and adopt moderation frameworks that are consistent with human rights. Still more aggressive and dangerous policy responses consider upload filters and proactive monitoring obligations as a solution.

EFF has long worked to provide guidance in response to shifting norms around this topic. In 2015, we, as part of an international coalition, helped launch the “Manila Principles on Intermediary Liability,” a framework of baseline safeguards and best practices based on international human rights instruments and other international legal frameworks. In 2018, EFF and partners then launched the Santa Clara Principles on Transparency and Accountability in Content Moderation, which call on intermediaries to voluntarily adopt better practices. In 2021, a new version of the principles was developed, with a focus on adequately addressing fundamental inequities in platforms' due process and transparency practices for different communities and in different markets. For this revision, the Santa Clara Principles coalition initiated an open call for comments from a broad range of global stakeholders. Feedback was received from allies in over forty countries, and the second iteration of the Santa Clara Principles was launched in December 2021.

The current political climate toward intermediary regulation and changing market conditions could lead to a shift in the basic ideas on which current safe harbor regimes are based. We at EFF believe this may turn out to be a slippery slope. We fear the consequence of stricter liability regimes could be the loss of safe harbors for internet intermediaries, reshaping intermediaries’ behavior in ways that ultimately harm freedom of expression and other rights for internet users around the world. 

These themes will be explored in more detail in subsequent posts in this four-part series, Platform Liability Trends Around the Globe. Many thanks to former EFF Mercator Fellow Svea Windwehr, who conducted a first analysis of platform regulatory trends, and former EFF intern Sasha Mathew, who assisted in writing the blog post series.

Christoph Schmon

We Finally Have a Federal Fiber Broadband Plan

1 month 1 week ago

There is a lot to appreciate in the recently published “Notice of Funding Opportunity” (NOFO) by the Department of Commerce's National Telecommunications and Information Administration (NTIA). It is arguably the first federal government proposal that seeks to promote infrastructure policies focused on the future, rather than subsidizing the usual “good enough for now” access. That means that the American government, or at least part of it, finally recognizes what appears obvious: that the future of internet access is in fiber.

The NOFO contains a strong emphasis on the deployment of open-access infrastructure designed to facilitate competition and meet the growing needs of communities. It also promotes affordability as a key priority outcome for the many projects that will be financed with federal tax dollars. Let's dive into the details.

Infrastructure That Will Last Decades

Congress was explicit in the bipartisan infrastructure law that it did not want the NTIA to implement a program that built broadband access solutions that would only be good enough for today and unprepared for tomorrow. Learning from past federal policy failures that squandered billions of federal dollars on outdated broadband infrastructure that will need to be replaced entirely, Congress emphasized a priority on projects that can “easily scale speeds over time” while meeting “evolving connectivity needs” and supporting the “deployment of 5G” and “other advanced services,” under Section 60102(a)(1)(I) of the bill:

(I) Priority Broadband Project - The term "priority broadband project" means a project designed to - 

(i) provide broadband service that meets speed, latency, reliability, consistency in quality of service, and related criteria as the Assistant Secretary shall determine; and

(ii) ensure that the network built by the project can easily scale speeds over time to -

        (I) meet the evolving connectivity needs of households and businesses; and

        (II) support the deployment of 5G, successor wireless technologies, and other advanced services.

In our filing to the NTIA, EFF provided technical analysis explaining how fiber-optic wires meet these objectives laid out by Congress and where alternatives fall short in one or more of the above categories. This wasn't because of any favoritism towards one last-mile transmission medium over another; it was just plain old physics driving these results. In its explanation of the “priority broadband project,” the NTIA agreed and acknowledged that “only end-to-end fiber” (on page 42 of the NOFO) will meet these policy objectives.

As a result, states will need to draft plans with the understanding that pushing fiber deep into communities seeking access should be the overall objective of state broadband plans, with rare exception. That exception, defined by an “extremely high cost per location threshold” (page 13 of the NOFO), will allow non-fiber alternatives to be considered in areas determined to be cost-prohibitive for fiber optics. However, states should understand that a lot of data now shows we can deploy fiber to the home basically anywhere we have been able to deploy electricity. In fact, because people now value broadband as highly as water and electricity, that demand allows local communities to finance deployment over the long term, much the same way rural electrification was financed in the past.

It may shock a number of state policymakers that 21st-century fiber can actually be a reality for so many people. For years they were told by lobbyists working for the big ISPs, such as AT&T and Comcast, that getting nearly everyone connected to fast multi-gigabit fiber was impossible. What they actually meant is that it's impossible only for big ISPs that aren't willing to make long-term commitments to communities over short-term profit. In other words, they refused to spend money to make money, choosing instead to exhaust their infrastructure and consumer choice.

But policymakers have to make a decision here on whether the Wall Street-driven, three-to-five-year return on investment formula is worth more than long term infrastructure solutions that will actually cost the taxpayer much less money in the end. People will always need access to the internet going forward, and that need will continue to grow without slowing down.

Open Access to Promote Competition and Maximum Value for Public Investment

EFF funded and published a study on how to get everyone connected to fiber infrastructure in the most efficient way possible, and found that open-access fiber infrastructure was key. Specifically, entities that just build the infrastructure and provide access to broadband providers (and other users), as opposed to selling broadband themselves, were better suited to reaching more Americans with lower subsidies than the traditional method of subsidizing broadband companies. This is because fiber allows the aggregation of data needs in ways other methods of broadband access lack, and that flexibility to meet many different kinds of needs makes the infrastructure better able to capture local revenues. The added benefit is that once those wires are laid and opened for multiple uses, anyone with enough technical knowledge and a small amount of resources could open a small local ISP and sell quality services.

EFF's research also found that pure infrastructure providers were more willing to adopt longer-term profit strategies in recognition of the value of fiber as an asset, which allows them to assess risk differently than a traditional vertically integrated broadband provider. That is why private market actors are willing to deploy a lot more fiber than the traditional ISPs, and why rural local government entities are fully committing to fibering up all of their residents with open access infrastructure. They can look at the wires in isolation from services, see their capacity to meet infrastructure needs for decades (potentially as long as 70 years), and rationally rely on very long-term financing vehicles, much in the same way people purchase houses with mortgages.

The NTIA appears to agree with these efficiencies and has asked states to seek out ways to bring open access infrastructure providers into the program as a means of maximizing the impact of the federal investment. Consider what is happening in Utah, where an open-access infrastructure provider delivering access to a dozen ISPs keeps growing because local demand more than pays for the network, steadily extending fiber until everyone is connected. If every state can replicate that model, infrastructure policy will have not only closed the digital divide but vastly improved the competitive landscape for broadband.

Affordability Sits at the Heart of NTIA’s Guidance

In many areas, these infrastructure dollars are going to provide broadband access for the first time, which means the new network will be a monopoly simply due to the lack of alternatives. Recognizing the value of that access point and the potential for exploitation, the NTIA details (on page 66 of the NOFO) that it expects states to adopt strong affordability provisions for all users, not just low-income users. Given that the taxpayer is a major payer for the infrastructure being deployed, it is logical for the government to set rules in place to protect the public.

There is also something to be said about how much internet users can trust some broadband companies when the current market has given Americans some of the most expensive broadband access in the world, and sadly some of the slowest infrastructure, as advanced Asian countries and the EU transition toward multi-gigabit, all-fiber access well ahead of the United States. California has already embarked on establishing low-cost access as a priority for its infrastructure program and, much like the NTIA's proposal, has prioritized applicants who will commit to offering affordable access to broadband.

As states develop their own plans, the level of subsidization being provided should factor significantly into how low the price of access should be. The biggest price tag is the one-time sunk cost of constructing the network itself, whereas the cost of actually operating the network is relatively low, particularly with fiber. If the taxpayer is taking on the most expensive portion of deployment, the pressure on paying for the network is alleviated in a significant way. Balancing these factors, and determining how they should shape the deliverable outcomes of an NTIA/state infrastructure plan, will require a lot of work, as cost-model experts such as Paul de Sa, former Chief of the FCC's Office of Strategic Planning, detailed in a recent white paper. But it is absolutely necessary in order to avoid unjustly enriching a recipient of this once-in-a-generation investment in internet access.
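To make that tradeoff concrete, here is a minimal back-of-the-envelope sketch in Python. Every figure in it (the per-home construction cost, monthly operating cost, take rate, and financing horizon) is a hypothetical assumption chosen purely for illustration; none of them come from the NOFO, the white paper, or any real cost model, and the calculation ignores financing interest.

```python
# Hypothetical, illustrative numbers only -- not drawn from the NOFO or any real cost model.

def breakeven_monthly_price(capex_per_home, subsidy_share, opex_per_home_month,
                            horizon_years=30, take_rate=0.5):
    """Rough monthly price per subscriber needed to recover a fiber build.

    capex_per_home: one-time construction cost per home passed (dollars)
    subsidy_share: fraction of construction covered by public funds (0.0 to 1.0)
    opex_per_home_month: ongoing operating cost per home passed, per month
    horizon_years: financing horizon (fiber assets can last decades)
    take_rate: fraction of homes passed that actually subscribe
    """
    months = horizon_years * 12
    unsubsidized_capex = capex_per_home * (1 - subsidy_share)
    # Spread the unsubsidized construction cost over the financing horizon,
    # then divide both capex and opex by the share of homes that subscribe.
    capex_per_subscriber_month = unsubsidized_capex / months / take_rate
    opex_per_subscriber_month = opex_per_home_month / take_rate
    return capex_per_subscriber_month + opex_per_subscriber_month

# As the public subsidy covers more of the one-time construction cost,
# the price needed to sustain the network drops sharply.
for share in (0.0, 0.5, 0.9):
    price = breakeven_monthly_price(capex_per_home=4000, subsidy_share=share,
                                    opex_per_home_month=5)
    print(f"subsidy {share:.0%}: roughly ${price:.2f}/month to break even")
```

Even this toy calculation illustrates the point above: the subsidized share of the one-time construction cost, far more than ongoing operations, determines how low a sustainable price can go.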

What Happens Next?

The ball now moves mostly to the states and territories, which have to signal an intention to apply for funding and develop five-year action plans. Given the emphasis on fiber infrastructure, states will need to update their local policies to maximize their capability to deliver 21st-century access to all people. That will include removing barriers to public-sector infrastructure providers, who can tackle the areas that are most difficult to serve, as well as exploring ways to promote efficiencies, as Alabama did by merging the fiber-deployment interests of electric utilities and ISPs through joint ventures. Every state will undoubtedly seek its own path that fits its needs, but now they have a partner in the NTIA that can provide technical assistance and resources in ways that were absent in the past.

For years, EFF has said that the United States desperately needs a “fiber for all” plan, citing data showing increased monopolization by cable, a lack of preparedness to meet future needs, and the general trend of international competitors such as China pulling ahead. The NTIA has delivered a thoughtful, detailed proposal to the states and territories that charts the course to connect everyone to fiber. Now you must go to your local elected officials and push them to see this vision through.

Ernesto Falcon

New Surveillance Transparency Report Documents an Urgent Need for Change

1 month 1 week ago

The U.S. Intelligence Community (IC) has released its Annual Statistical Transparency Report disclosing the use of national security surveillance laws for the year 2021—and to no one's surprise, it documents the wide-ranging overreach of intelligence agencies and the continued misuse of surveillance authorities to spy on millions of Americans. The report chronicles how Section 702, an amendment to the Foreign Intelligence Surveillance Act (FISA) that authorizes the U.S. government to engage in mass surveillance of foreign targets' communications, is still being abused by the Federal Bureau of Investigation (FBI) to spy on Americans without a warrant.

Specifically, the report reveals that between December 2020 and November 2021, the FBI queried the data of potentially more than 3,000,000 “U.S. persons” without a warrant. 

Although Section 702 is intended to facilitate the surveillance of foreign people who are the targets of national security investigations, the collection of all of that data from U.S. telecommunications and internet providers results in the  “incidental” capture of conversations  involving a huge number of people in the United States. 

But this data isn't “incidental” to the program's operation at all. As the transparency report shows, each agency's “targeting” and “minimization” rules allow access to Americans' communications caught in the 702 dragnet. And based on the staggering number of times the FBI searches the 702 database using queries related to individual Americans, 702 has become a routine part of the Bureau's “law enforcement mission.” The IC lobbied for Section 702 as a tool for national security outside the borders of the U.S., but at its core is the ability to conduct domestic, warrantless surveillance of Americans, including for run-of-the-mill crimes. This is the government's favorite feature of Section 702—it's not a bug.

The good news is that Congress will again have the opportunity to address this massive warrantless surveillance program. The authorities for Section 702 are scheduled to sunset if they are not legislatively renewed by the end of 2023. This means lawmakers have a chance to end the many years of overreach by the intelligence community and close warrantless “backdoor” access to our data. 

The FBI has a wide range of investigatory tools. The Bureau and other members of the IC will try to scare lawmakers by giving a rundown of all of the crises that could be averted by maintaining its backdoor, but they have never been required to adequately demonstrate for the public record that 702 fills a gap that could not be filled through other investigatory tools. In 2020, Congress let Section 215 of the PATRIOT Act expire for similar reasons—the tools it provided were invasive, illegal, and did not produce information that could not be acquired with other investigative tools.

This new surveillance transparency report should only serve to remind us that these programs have existed and flourished far too long in the shadows of the IC's secrecy. With the potential renewal of Section 702 on the horizon, it's time lawmakers stepped up to close law enforcement's backdoor access to our data once and for all.

Matthew Guariglia

EFF to Supreme Court: Put Texas Social Media Law Back on Hold

1 month 1 week ago
Users Should Be Able to Choose Among Platforms With Different Moderation Policies

WASHINGTON, D.C.—The Electronic Frontier Foundation (EFF) today urged the U.S. Supreme Court to halt enforcement of Texas’ constitutionally questionable social media law, which allows the state to dictate what speech platforms must publish and may lead to more, not less, censorship of user expression as platforms face a storm of lawsuits.

EFF,  joined by the Center for Democracy and Technology, the National Coalition Against Censorship, R Street Institute, the Wikimedia Foundation, and the Woodhull Freedom Foundation, said in an amicus brief filed today that the U.S. Court of Appeals for the Fifth Circuit erred last week when it lifted, without explanation, an injunction barring enforcement of the law. The order was put in place by a district court that found the law violated platforms’ First Amendment rights to curate content on their sites as they see fit.

Texas HB 20 prohibits Twitter, Facebook, and other big social media platforms from “censor[ing] a user, a user's expression, or a user's ability to receive the expression of another person” based on the speaker's viewpoint, whether expressed on or off the site, which covers nearly all common content moderation practices. It allows Texas residents or the state attorney general to sue platforms over any kind of negative treatment of a user or a post, including taking down and down-ranking posts, and suspending, shadowbanning, or canceling accounts.

The Supreme Court must consider whether the district court's order was in the public interest and whether it correctly applied accepted standards. EFF argues that the Fifth Circuit's ruling is wrong because what the Texas law defines as censorship are well-established practices designed to serve users' interests. Users are best served when they can choose among social media platforms with different editorial policies. While content moderation at scale is difficult to get right, it blocks content that some users don't want to see, like personal abuse and harassment, hateful speech, promotion of suicide and self-harm, and glorification of Nazi ideology.

Content moderation practices that can be construed as viewpoint-based, which is virtually all of them, are barred under HB 20, so platforms will have to drop or alter them in ways that harm users’ interests.

“Almost any decision they make is going to be perceived as a response to someone’s viewpoint,” said EFF Civil Liberties Director David Greene. “This will lead to a flood of lawsuits before the court has even ruled on the law’s constitutionality.”

“Some platforms may stop moderating and allow abusive speech back on their sites. And others may take down even more speech to try to defeat the impression that they are being biased. Either way, internet users, and particularly vulnerable and marginalized speakers, will suffer,” Greene said.

Tech industry groups NetChoice  and the Computer and Communications Industry Association (CCIA) sued Texas last year to block the law. The plaintiffs today filed an emergency application with the Supreme Court asking justices to overturn the appeals court ruling. 

For the brief:
https://www.eff.org/document/effcdt-motion-amicus-netchoice

SCOTUS Docket for NetChoice v. Paxton

Contact: David Greene, Civil Liberties Director, davidg@eff.org
Karen Gullo

Podcast Episode: An AI Hammer in Search of a Nail

1 month 1 week ago

It often feels like machine learning experts are running around with a hammer, looking at everything as a potential nail - they have a system that does cool things and is fun to work on, and they go in search of things to use it for. But what if we flip that around and start by working with people in various fields - education, health, or economics, for example - to clearly define societal problems, and then design algorithms providing useful steps to solve them?

Rediet Abebe, a researcher and professor of computer science at UC Berkeley, spends a lot of time thinking about how machine learning functions in the real world, and working to make the results of machine learning processes more actionable and more equitable.

Abebe joins EFF's Cindy Cohn and Danny O’Brien to discuss how we redefine the machine learning pipeline - from creating a more diverse pool of computer scientists to rethinking how we apply this tech for the betterment of society’s most marginalized and vulnerable - to make real, positive change in people’s lives.

[Embedded audio player: https://player.simplecast.com/291e8f4c-ac54-45c0-bf18-65c65641803a] Privacy info. This embed will serve content from simplecast.com


This episode is also available on the Internet Archive.

In this episode you’ll learn about:

  • The historical problems with the official U.S. poverty measurement 
  • How machine learning can (and can’t) lead to more just verdicts in our criminal courts
  • How equitable data sharing practices could help nations and cultures around the world
  • Reconsidering machine learning’s variables to maximize for goals other than commercial profit

Rediet Abebe is an Assistant Professor of Computer Science at the University of California, Berkeley, a Junior Fellow at the Harvard Society of Fellows, and a 2022 Andrew Carnegie Fellow who conducts research in the fields of algorithms and artificial intelligence with a focus on inequality and distributive justice concerns. She serves on the Executive Committee for the ACM Conference on Equity and Access in Algorithms, Mechanisms, and Optimization and was a Program Co-Chair for the inaugural conference. She also co-founded and co-organized the related MD4SG (Mechanism Design for Social Good) research initiative as well as the non-profit organization Black in AI, where she sits on the Board of Directors and co-leads the Academic Program. She earned a Bachelor’s degree in Mathematics and a Master’s degree in Computer Science from Harvard University, a Master of Advanced Studies in Mathematics from the University of Cambridge, and a Ph.D. in Computer Science from Cornell University.

Music:

Music for How to Fix the Internet was created for us by Reed Mathis and Nat Keefe of BeatMower. 

This podcast is licensed Creative Commons Attribution 4.0 International, and includes the following music licensed Creative Commons Attribution 3.0 Unported by their creators: 

Resources:

Machine Learning and AI:

Transparency and Inclusivity in AI:

Probabilistic Genome Cases:

Personal Ownership of Your Data:

Transcript:

Rediet: It's about how we build these tools, it's about how we conceptualize our role within society and within these different types of spaces, like the criminal legal space, and saying, what do we think is the thing that we would like to  see? What should our society look like? What would a just system look like? What would a more equitable community look like, in anything, in academic spaces and research spaces and just broadly, and say, what will we need to do to get there? And sometimes what we need to do is to step back and say, I think that I'm not going to be helpful, and so I'm going to not try to center myself. Sometimes it's building things that will challenge things that we've already built, or that will challenge other communities. And other times it's just being good community members and just showing up. It could literally save lives.

Cindy: That's our guest, Rediet Abebe. Rediet is a researcher and professor of computer science at UC Berkeley, where she's working on how to make the results of machine learning processes more actionable and more equitable.

Danny: She's also the co-founder of Black in AI and MD4SG, that's Mechanism Design for Social Good. She's going to shine a light on the way forward.

Cindy: I'm Cindy Cohn, EFF's Executive Director.

Danny: And I'm Danny O'Brien. Welcome to How to Fix the Internet. A podcast of the Electronic Frontier Foundation.

Cindy: Welcome Rediet.

Rediet: Thank you for having me.

Cindy: Rediet, you spent a lot of time thinking about how machine learning works in the real world and how we can make sure that we're using it for good purposes and not bad. Could you give us some examples of the good uses of machine learning that you've identified, and then we can unpack what goes into them?

Rediet: Decisions that you make, as let's say, a researcher in how you understand social problems, and how you choose to formulate them as machine learning problems or algorithm problems, and how you then choose to work on it, and whatever outcome you have, how you choose to deploy that.

And so, the same set of techniques could be used to do a lot of good or a lot of harm. A lot of my research these days is now really focused on taking the machine learning pipeline that we traditionally have within this community and expanding it, also taking responsibility for stages of that pipeline that are considered often outside of our scope of responsibility, which include translating social problems into the types of research problems that we would typically work with, machine learning problems. But then also taking the output, and thinking critically about how that gets translated into practice, into some intervention, what impact it might have on communities. And so, a lot of the work that I'm doing is critically examining that from both a technical perspective, but just also from a practice perspective, and saying that we should be expanding the pipeline.

Cindy: We're fixing the internet now, so we can certainly talk about the problems, but I'd like to start with the places where things go right. If we did it right, or where have we done it right?

Rediet: We have this large scale project that involves examining the use of machine learning in education. So, rather than diving into build tools, which of course, we're also working on, we also wanted to do a survey, a holistic survey and analysis of how machine learning is used in education. And we identified education experts, and we sat with them and we talked through the papers with them. We were like, "This paper's goal is to let's say, predict student dropout. And the goal there would be not just to predict it, but also to hopefully do something about it so that students are not dropping out of schools."

And so, that's an admirable goal, that's a goal that all of us can get behind, but that problem has to be concretely formulated into some machine learning problem, and then you have to find the right data set and all that, and then now you have this prediction that you're doing around which students are going to drop out, and hopefully you get to translate that into some real world intervention. 

So, just taking this student dropout risk example, we had this interview with someone at a large state university that also struggles a lot with student dropout. One of the things that they mentioned was "Okay, this paper is predicting which students are likely to drop out "What can we do with that? You tell me that some student is at high risk of dropping out, that's terrible. But in some sense, the deed is done." At that point you tell a student, "Hey, you're at high risk of dropping out." That's not necessarily useful to the student.

And you tell the schools, the student's dropping out, it doesn't necessarily tell them what can you do about it? And so, what he said was something subtle, but I really appreciated. He said, "Instead of predicting what students are going to drop out, why don't you predict, for instance which students are likely to miss class, they were already missed some number of classes, and maybe they're about to miss a third class or something.” We know that if students are missing several classes, that's a sign that they might be at risk of dropping out. But missing classes is a more actionable thing. We can tell students, 'Hey I've noticed that you've been missing a lot of  classes. I'm worried that you're going to miss more classes. What can we do here to support you to attend class.’ 

The point here is more subtle. It's saying you have your target variable, that target variable could be dropout, or it could be something actionable, like missing classes. And the second thing is something that they can more easily do something about the latter, not as clear.

Danny: The giant machine comes up with its bleeps and says, this person is more likely to drop out, but it doesn't give you strong clues about how it came to that decision. And in many ways, I mean, this is an obvious example, I guess, but if kids are missing school, and that's something the system has learned is an early indicator of dropping out, it's better to know what it's learned than to have it as this opaque machine that just claims that these people are doomed.

Rediet: If I tell you, for instance, that students' race is a partial explainer for dropout, there's nothing you can do about that. That's a fixed thing. Whereas a student missing classes being an issue, maybe there is something you can do about it. It showed me in some sense that if we were working on these problems in a more bottom-up way, you go to a university that has a lot of dropout issues, you talk to educators there and other staff supporting students, and you get a sense of what it is that they notice in the students. In some sense, they can just give you the problem, or you can collaboratively and in a participatory way form the problem, rather than, as machine learning people, deciding what we want to solve and then, after we've solved it, hoping that's what they wanted us to solve.

Danny: To what degree do you think that this is a problem that's located in machine learning and the nature of, I know, computer science or this part of computer science, and how much is it just related to the societal fact that people doing research or building these systems are often quite distant and quite uninvolved with people 

Rediet: A lot of research communities with this gap that exists, for instance, you can take health. This is one space where we've made a lot of advances in improving health outcomes for people, but not for everyone. So, we've made very few advances for health issues that impact black people, trans individuals, you name it. Like marginalized communities. And so, this gap definitely exists in other spaces.

But there is also something special to the machine learning AI space as well. It is a powerful set of technologies that are being built. There are a lot of resources that we have in machine learning and AI that is in some ways really unprecedented. There's a lot of organizations that are invested in it. And the other thing is also, the field is one of the least diverse fields out there.

I mean, that's just the fact. You can look at graduation patterns in undergraduate degrees, in graduate degrees. You can look at the faculty composition. We have, I think in computer science, in the U.S, among the PhD granting institutions, there's something like over 5,000 faculty, and of those fewer than a hundred of them are black, and something like fewer than 20 of them are black women. That's just one example. You look at native American, it's like in the single digits.

And so, it is a very homogenous community. As it stands right now, things are slightly improving. There's a really, really long way to go. And so, as long as our field, our research field continues to not be representative of the society that we're trying to impact, you're going to continue to have these gaps and these gaps are going to show up in our papers. And sometimes they show up in more subtle ways and other times they show up in not so subtle ways. And so, I think these issues around thinking about the community culture and who gets to be part of the community is really tightly integrated and intertwined with our research itself.

Cindy: I love this example, I’m wondering is there another one? Are there other places where you see how we could do it better in ways that are actually either happening or within the pipeline?

Rediet: Yes. Right now we're actually focused a lot on understanding policy, public policy, and where things might be going wrong. So, just to give you one concrete example right now, a lot of decisions around which services are going to be allocated to what individuals are made based off of measurements like the official poverty measurement in the U.S. And this official poverty measurement was something that was originally proposed by an economist, Mollie Orshansky, back in the sixties. So, this was over 50 years ago. It was really meant to be almost a proof of concept, a placeholder, not meant to be something that generally applied. And she even explicitly says, we should not be generally applying it.  And we're using it almost unchanged, outside of maybe inflation 50 years later.

Danny: Wow. 

Rediet: As time has gone on things are getting harder and harder for a lot of communities. And so, there are many people who are by any reasonable definition, struggling, but this official poverty measurement might not necessarily pick up. So, you end up in situations where someone is really in need of services and you use this very coarse, extremely outdated measurement, and you can't necessarily detect it in that way. One of the things that we are looking at is that, there's a lot of evidence that predicting bad life outcomes, like let's say poverty, is hard. And we're seeing that, okay, part of the reason might be that the way that we measure poverty itself is very ill defined. It's extremely outdated.

If you have an official poverty measurement that is so low, that it can't actually even reliably detect a lot of people were struggling, then does it actually matter what you're predicting here? And so, in some ways we're using these machine learning techniques and these kinds of results, like predicting life outcomes is hard, to really challenge public policy, and to say, Hey, the way that we're measuring this thing is actually not good, we think. 

Danny: In situations like that, how do you know that you are doing better? Do you anticipate a way that people could learn to change that and challenge that in the way you are challenging these earlier measurements?

Rediet: We are all feeding values into these systems; there's no neutral value. And so, in some sense what we're doing here is to say, the knee-jerk machine learning researcher reaction here may have been: you get some data, you're excited about the data, you're like, what can I predict here? And one of the things that you can predict is poverty. You're like, great, I'm going to try to predict poverty. And of course that assumes a lot of things. Like, as I mentioned, that the way we're measuring poverty is accurate or reasonable or useful. And that's a huge, huge assumption that you're making there. And so, what we did here is to challenge that in many ways. So, the first thing is rather than just taking things as given, we were like, okay, why is this a measure of poverty? Let's go back to the literature in the public policy and sociology and economics space and understand what conversations are happening there.

And there, you notice that there is actually very robust conversation happening around how we should be measuring poverty. There's alternatives that have been proposed, like the Supplemental Poverty Measurement, which captures a whole host of other things, like material hardship that you might be facing; are you able to pay your utilities? Are you able to pay your rent, that stuff. This is not something that you can necessarily always capture using people's income. 

And so, these are conversations that, if you stayed within the more traditional machine learning space, you might not necessarily be exposed to unless you happen to be dealing with it as a person yourself. And so, we're challenging that by saying, hey, listen, we don't have to take things as given. We can go back and see what the debates are that are happening out there, out in other fields, out in communities, out in policy spaces, and see how we can potentially contribute to that.

Cindy: It does feel sometimes like people who love machine learning are running around with this hammer, trying to make everything into a nail. "I've got this cool system, it's great, it can do stuff that feels like magic. Plus it's fun for me to work on. So, let me start looking around for things that I can use it for." And what I hear you saying is we really need to flip that around. We need to start with the people who are on the ground, what their problems are, and then make sure that the things that we're doing are actually giving them actionable steps. 

Cindy: In addition to making sure that the things we're using machine learning and algorithmic training techniques on are the good things, I think that there's also a strain of concern that there are things that we shouldn't be using these systems on at all. I know you've thought about that as well.

Rediet: We have this large scale project we're working on, focused on statistical software used in the criminal legal system. It's used at pretrial, investigation, prosecution, post-trial. And we've been especially interested in machine learning and statistical software used as evidence. So, these are cases where you could have something like a Probabilistic Genotyping Software that could be used on samples that are found at crime scenes and used to convict people. We really need to have a serious conversation on the machine learning side, about what tools should even be used as evidence, because that's a really high bar.

Danny: How does that happen?   What's the process by which a machine learning approach or a system is put in place, and that leads to the wrongful conviction of a person?

Rediet: It could happen in several ways. So, one is just, even before you're brought to trial, you're not brought to trial just randomly. You don't pick up a random person off the street and say, "You're on trial today." There's a lot of things that happen, and a lot of statistical and machine learning tools are used up until that point to "identify the person", I'm putting that in quotations, and to make all sorts of decisions. There's also just the fact that in the U.S., we have incredible inequality and discrimination that surfaces in many different ways, including in what we criminalize. So, I think that's also important context to keep in mind. But what we're focused on in this project is specifically software used as evidence.

So, this is: someone's on trial for something, and there's a set of evidence that I now get to present as a prosecution team and say this is why I think this person may have committed this crime, and that's used in discussions, and to make a decision around whether you think they committed the crime or not. And sometimes that can be a person. I could say, "Oh, I know I totally saw Danny walking down the street at this hour" or something, and you get to question me, cross examine me. And say, "Is your eyesight good? Have you updated your prescription?" Any number of things.

And so, what happens is that I, as a prosecutor, get to just use some software that has not been properly validated, that's now spitting out some number, and we have to use that as evidence. And the defense might not necessarily have the ability to cross examine that. And I get to bring witnesses, like the CEO of the organization, to say, "Oh, the software is actually awesome. Let me tell you a bunch of things."

Danny: It has the force of some scientific fact. So, someone will stand up and say, this shows that there's a one in a million chance that this isn't the defendant, and people believe that, but they can't challenge it. And the defense doesn't have the technical expertise to say, "Yes, but if his sister also touched it, wouldn't that change the thing?" I see.

Danny: “How to Fix the Internet” is supported by The Alfred P. Sloan Foundation’s Program in Public Understanding of Science. Enriching people’s lives through a keener appreciation of our increasingly technological world and portraying the complex humanity of scientists, engineers, and mathematicians.

Cindy: EFF has done a bunch of these probabilistic genotyping cases, working with people in this space. And so, there's a threshold-level problem: often the company will claim a trade secret in how the technology works, which means that the defense doesn't have access to it at all. The second thing is that they will often point to papers about how great their system is that were written just by them. We've managed in a couple of cases to get access to the actual systems and have found horrific problems in them, that they're not actually very good, and that there's a finger on the scale on things. And sometimes it's just that it's poorly designed, not that anybody has evil intent. There's supposed to be a standard in the law called the Daubert Standard that makes sure that technologies that are introduced in cases have been vetted. And honestly, it's not being followed at the level of rigor that is needed right now.

Rediet: This is precisely what we're working on. And this is a joint project with a lot of amazing people, including Angela Zhen and John Miller who are graduate students here at Berkeley, and Rebecca Wexler, who was an intern at EFF, and is a close collaborator of mine, and Ludwig Schmidt, and Moritz Hart also. So, what we're working on here is precisely what you mentioned. You have this Daubert Standard that would be followed in a lot of different cases, but with statistical software used as evidence, I think right now it's just not happening. And in the same way that, if someone is a witness and goes up to the stand and says a bunch of things, you're able to cross examine them, you should also have that ability with the statistical software. And currently, we don't actually have a framework for doing that.

The legal system in the U.S. is meant to have these two sides, one of which is meant to prove innocence and the other is meant to prove guilt. And the idea is that, in a situation where these two sides are equally resourced and all that stuff, then maybe you're able to go about this truth seeking process in a more reliable way. But that's not what we have right now. There's a massive, massive imbalance. You have defense counsel who don't have time, who don't have resources, who don't have the energy to be able to challenge whatever the prosecution puts on the table. And then what next? This is completely unjust. And you end up having a lot of people wrongfully convicted for crimes they didn't commit, and we're not doing anything about it.

Cindy: I think it's tremendously important. And I think it's also helpful to judges. I think judges often feel like-

Rediet: Absolutely.

Cindy: ... they are skeptical, or at least they want to be sure that they're relying on good evidence, but they don't have the tools to know what they don't know.

Rediet: Absolutely.

Cindy: So, I think that this is great for the defense, but it's also, I think, going to be helpful to the courts in general-

Rediet: Absolutely.

Cindy: ... to be able to have a way to think about: I'm being presented this information, how much should I rely on it, how should I-

Rediet: Reason.

Cindy:  Yeah.

Rediet: There's just a lot of different ways we could be involved. So, one of the things that is happening in this organization called PD Query, it's by Dana Yow, who's a law student here at Berkeley. I think she's graduated now. So, PD Query  matches public defenders with graduate students with technical training to do work that's maybe even more straightforward for us, but could be really, really useful.

But you could really imagine scaling this up and doing something even bigger. So, one of the things that we could do now is to write cross-examining questions that help the defense side. You could write affidavits. You could maybe even write more generic affidavits that could be signed by experts in their respective areas. So, for the Probabilistic Genotyping Software, you could have a computer science professor and someone in population genetics saying, "Hey, this is what we understand about the tools, and these are the concerns that we have about them. Please proceed with caution if you use it in these types of situations." I think there's just so much the machine learning community could do, even just as community members saying we have expertise, so we can try to help people. These are things that will literally save lives. I mean, people are put on death row for this. They will literally save communities and families and avoid wrongful convictions and challenge our unjust system as it exists.

Cindy: It hurts a lot of people, it hurts the defendants, but it also hurts the other people who might be hurt by the person who really needed to go to jail, who didn't go to jail. So, the whole endeavor of criminal justice is aided by truth, and that's what these interventions are.

Rediet: And may I add one more thing? Can I just add one more thing? I think one other common misconception, I'm just assuming I have the ears of some people and I'm like really trying to pitch something. But one more thing I want to mention is, I think an unspoken, sometimes I guess it is spoken assumption, is that when you're working in this area, that it's technically less challenging. And let me tell you, I have never been more challenged than I have been in the past two years technically, honestly. When I started graduate school and I was doing stuff that was a lot more standard because I was like, "I want to get an academic job. So, I'm just not going to rock the boat." So, when I was doing stuff that was more standard, it was just, I mean, it was fun, but it was a lot more simple. This is a space that is challenging in so many different ways.

Danny: I can see that the way you're getting involved in connecting these dots is through creating your own institutions and organizations. And so, let's talk a little bit about Black in AI and also mechanism design for social good.

Rediet: Mechanism design for social good was started as a graduate student reading group in 2016. It was eight of us. There was a very small group of people. And we were just trying to read stuff and understand where we could be useful with the set of techniques that we had. And now, fast forward, I won't tell you the whole story, but fast forward to now, it's this much broader community. It's thousands of people in hundreds of different countries and institutions, and the scope is also broader. 

Danny: Has the organization or your perceptions of the problems changed as it's become more global?

Rediet: There are so many instances of this. So, one of the things that came out of this community is this larger project we have on data practices, primarily in Africa. Here in the U.S., there are obvious issues in data sharing, but we've gotten a lot of things under control.

If you're thinking in the, let's say, Ethiopian context where I'm from, I've seen situations where data has been shared that really should not be shared. There was no data sharing agreement. It included people's personally identifying information and it just got passed around. A lot of data generated on the continent ends up benefiting those based outside of the continent, and especially those with no connections to the continent. And so, you have situations where literally those who collected the data and whose data is being collected don't have ownership rights over the data, and are not even able to buy it like everyone else would. You have situations like right now we're focused on open data, and of course open software, but data, this is stuff that we get excited about, but there's some irony here. When you make something open, that's not necessarily equitable. It favors people like myself, who have the ability to go and work with that data, to work with the complexities of the data, who have a lot of compute power. And so, that's not actually equitable either. So you could still end up in a situation where open data from communities that are not given the resources could continue to just shut them out. So, it's not necessarily open in the sense that we would like to think that it is. So, there are lots of things that you could miss here that really shape how I understand the data economy in various parts of the world.

Danny: This is something that I spent some time tracking at EFF, because it was a huge concern. What I felt was that essentially there were some countries and some regions that were being used as guinea pigs for both data collection and data application.

Rediet: It's very disappointing and super common. I mean, it's incredibly common. And the common pattern that you observe here is that it's, again, this gap that I mentioned to you, between those who are building something, doing research, whatever it is, and the people actually affected by it. Because if you just talk to people, and you talk to people in such a way that they feel empowered, they'll let you know what's going to work and what's not going to work. And there's just so many things that you could get wrong. It's not even just the data collection. Even if we were to agree on the data set, there are concepts like privacy, for instance, that mean different things in different parts of the world.

Cindy: Give us a picture: what if we got this all right?

Rediet: Shut off the internet for a bit, let's all take a break and just come back in a year.

Cindy: We need to reboot it.

Danny: Just close it down for repairs.

Cindy: Let's say that. I mean, because I think that you've identified so many important pieces of a better world. Like looking at the whole pipeline of things, talking to the people who are impacted, making sure the people who are impacted get told what's happening. And so, let's say we got all those things right, what values would we be embracing? What would be different about the world?

Rediet: So, I don't have the answers, which is good. I don't think anyone has the answers, but I have some things that I would start with. So, one of the things is that right now, a lot of what happens on the internet is profit driven. In many ways you can see this primary goal of profit maximization being at the root of a lot of things that are going wrong. And so, that's one thing that's going wrong. And that of course brings up questions around monopolies, it brings up questions around what kinds of regulations we should be putting in place.

These are not technical questions, but these are incredibly important questions that, if you don't resolve, there's nothing that we can do here that will create a long lasting impact. So, that's one thing. And then instead, you have to decide, okay, what are the other values that we should be putting in? What are the things that we should be potentially maximizing for? And there, again, I don't think there's going to be a universal answer. I think that we have to embrace that different communities will need different things. And so, you have to figure out a way to move to a more decentralized framework, where one single entity does not get to impact billions of people in the way that it does now.

Unless we are able to figure out a way in which people are empowered, everyone is empowered, and especially those who are marginalized. Because when you're marginalized, it's not like we're all starting from the same place. It's that, for the marginalized person, more things have gone wrong for them. That is what that means. And so, we really have to focus on those communities and ways to empower those communities. And so, we really need to think about how we can create that first. And then from there, good things will happen.

Cindy: It's important to note when things are getting better, but I don't think you have to say that things are getting better in order to try to envision a place where they are better. Too many people who I talk to really think that there's no better vision at all. And so, we want to give that better vision, because I don't think you can build a better world unless you can envision a better world. And we can be frank and brutal that we're not even headed toward that in some ways. We're headed against it in some places. And I think that's absolutely true: while we celebrate our victories, we have to recognize that not everything is headed in the right direction.

Rediet: And I appreciate what you're saying here about just being able to articulate our vision for what a better world might be to ourselves, I think. And also, and to do so precisely, to be as precise as we can. And then also to one another, so we can have a conversation about it as well. So, I appreciate that.

Cindy: Thank you so much for coming. There’s such a rich conversation about how do we really rethink how we do machine learning and algorithmic decision making. And I thank you so much for taking the time to talk to us.

Rediet: Thank you so much, Cindy and Danny.

Cindy: Well, that was a fascinating conversation. I really appreciate how she thinks about making sure machine learning gives actionable information. That we go beyond just the, can we predict something? And I think she's right that sometimes we actually can't predict something when we think we can, but more importantly, that our predictions need to move into actionable information. There's a difference between just telling an educator that a student's at risk of dropping out versus telling the educator you need to watch for how many times they miss class. Those are two different inquiries. And recognizing the difference between the two of them is really important.

Danny: These are challenges that have already existed about applying new academic or computer science techniques in the real world. I love the story about how, as she was doing the investigation into how people measure poverty, she realized that she had found the embers of a 1960s research project that has been taken far too seriously. And even the researchers then were trying to signal that this was tentative and not perfect. And again, it spreads out. I think that sometimes it's not the sin of machine learning, but the things that it reifies, or the data it sucks in. The story of the hunger for data, meaning that people stop considering the privacy of the data or the communities that they're drawing from, is an important lesson.

Cindy: She's deep into developing tools to help us get it right. Using machine learning in some instances to try to help alleviate the problems that machine learning is causing. And I think of the paper that they're writing about how to evaluate DNA evidence, developing the systems to help the courts and advocates figure out whether that thing is working well. So, in some ways we've got machine learning interrogating other machine learning. And I think that's fabulous, that's how we end up at the balance where we think we're getting things more right.

Danny: Rediet is, I think, a key figure making this pitch to the machine learning community itself to do the work to make things better. It was flattering that she thought we are one of the podcasts they listen to, but also nice to know that this isn't the boring work.

Cindy: It's not just the coding. It's not the time when you're training up the model or the model is spitting out the results. It's actually looking all the way from what problems are you trying to solve? Are you defining the problems in a way that is actionable? And then what happens on the other side? What data are you feeding in? But then what happens on the other side of the actionable things being spit out?

Are they able to be implemented? And then how does it fit into the whole story? I think that one of the things that she's helping do is break machine learning out of this silo where it's just about the tech, and also break the pattern where the people doing machine learning don't look like all of the people who are impacted by their doing. Black in AI and the other organizations that she's building are really trying to make sure that we grow the number of people who are using and developing these systems, to better match the way that they're being used in the rest of the world.

Danny: Well, thanks again to Rediet Abebe. Thank you for joining us on How to Fix the Internet. If you want to let us know what you think about this or any other episode, do please write to us at podcast@eff.org. We do read every email. Music for How to Fix the Internet was created for us by Reed Mathis and Nat Keefe of Beat Mower. 

This podcast is licensed Creative Commons Attribution 4.0 International, and includes music licensed under the Creative Commons Attribution 3.0 Unported license by their creators. You can find those creators' names and links to their music in our episode notes or on our website at eff.org/podcast.

How to Fix the Internet is supported by the Alfred P. Sloan Foundation's Program in Public Understanding of Science and Technology. I'm Danny O'Brien.

Cindy: And I'm Cindy Cohn.

Josh Richman

British Citizen Alaa Abd El Fattah Demands An End to Mistreatment in Egyptian Prison

1 month 1 week ago

Egyptian blogger, coder, and free speech activist Alaa Abd El Fattah is on day 45 of a hunger strike in protest of his mistreatment in an Egyptian prison. Alaa was sentenced, without due process, late last year, after spending two years at a maximum-security prison in Tora, 12 miles south of Cairo, in pre-trial detention. He was granted British citizenship in April, and civil society groups—including Access Now, Reporters Without Borders, Amnesty UK, English PEN, and EFF—are joining the call for the British government to assist him. 

If you are a British citizen, FreeAlaa.net has an action you can take. Be aware that it’s an external link, not an EFF link:

Urge Parliament to call for Alaa’s release

In the UK? Take action now!

Fattah and his family have reported dangerous conditions in the prison in the past. Speaking out against injustice is not new to Alaa: he has repeatedly been targeted and jailed for his vocal advocacy. He has spent much of the past eight years imprisoned. Currently, Alaa has reported that he is beaten whenever he asks for rights that he should be given under the law. He has been unable to access books or exercise and, despite the British embassy requesting consular access since December, he has been denied consular visits.

Fattah’s most recent sentence was handed down for "spreading false news undermining national security" by the court. The trial was rife with due process violations, according to reports: defense lawyers were denied access to case files and not given a chance to present arguments. He has submitted numerous reports about mistreatment in the prison, which the Egyptian authorities have either ignored or used against him. Now that he is a British citizen, Alaa and his family hope that the country's government will be permitted to meet with him.

Some government officials are listening: Zarah Sultana, a member of Parliament since 2019, has urged Britain’s Secretary of State for Foreign, Commonwealth and Development Affairs to secure consular access for Alaa and to ask the Egyptian Ambassador to demand his release. If you’re in the UK, you can urge your Member of Parliament to call for Alaa’s release. 

Jason Kelley

EFF, Al Sur Launch Guide to Raise Awareness About Deficiencies in Cross-Border Surveillance Treaty and Strategies to Mitigate Human Rights Risks

1 month 1 week ago


Download the report

Latin American countries have a choice to make in the coming months—whether to accede to a new set of rules for coordinating and cooperating with each other and nations around the world on criminal investigations. Opened for signature on May 12, the Protocol already has more than 20 signatory States, pending ratification. Chile and Colombia are part of the list.

The 10,000-word Second Additional Protocol to the Budapest Cybercrime Convention aims to make cross-border exchanges of electronic evidence, including personal data, faster and more efficient, but it’s heavier on mandates increasing law enforcement powers and lighter on mandatory human rights protections.

To help countries in the region better understand the Protocol, EFF, with the collaboration of Al Sur, today released a guide providing an overview of the new treaty. The guide examines how the Protocol was drafted and highlights some of its weaknesses, which include bypassing independent vetting of foreign police orders for personal data, failing to recognize that subscriber data can be highly revealing of people's lives and habits, and mandating law enforcement powers while making most human rights protections optional.

Importantly, the guide makes solid recommendations for steps countries can take to assess the Protocol and mitigate its human rights deficiencies if they choose accession—from reserving certain articles and bolstering existing privacy laws to assessing the legal and human rights impacts the Protocol will have on their privacy and data protection regimes.

We are launching the guide along with a handy outline of key issues civil society organizations can raise in urging governments to carefully consider the implications of acceding to the treaty.

EFF and its partners spent months analyzing the Protocol’s text and pushing its drafters to add greater human rights safeguards. Among the Protocol’s 25 Articles, the guide especially focuses on Article 7, which deals with direct disclosure of subscriber information, Article 13, about general human rights protections, and Article 14, about protection of personal data. The guide also points out how the Protocol's provisions allowing direct foreign requests to service providers can be a negative influence for Latin American communications privacy frameworks, acting to establish a lower level of protection for accessing subscriber data and unveiling a user's identity.

Latin American countries that have ratified the 2001 Budapest Cybercrime Convention are eligible to accede to the Protocol. As the first set of international rules for cybercrime investigations, the Budapest Convention has influenced many related laws across the region. Given the desire by international law enforcement agencies for greater powers in cross-border criminal investigations, many countries may also ratify the new treaty despite, or even because of, its weaknesses.

Our advice is: countries should think twice about ratifying the Protocol. But for those that choose to accede, the guide is an important tool for ensuring countries do their best to protect the privacy and human rights of those who will be subject to the new treaty. We hope our recommendations shape national discussions on the Protocol so new surveillance powers don’t come without detailed legal safeguards.

Karen Gullo

Geofence Warrants and Reverse Keyword Warrants are So Invasive, Even Big Tech Wants to Ban Them

1 month 1 week ago

Geofence and reverse keyword warrants are some of the most dangerous, civil-liberties-infringing, and reviled tools in law enforcement agencies’ digital toolbox. It turns out that these warrants are so invasive of user privacy that big tech companies like Google, Microsoft, and Yahoo are willing to support banning them. The three tech giants have issued a public statement through a trade organization, “Reform Government Surveillance,” saying that they will support a bill before the New York State legislature. That bill, the Reverse Location Search Prohibition Act (A. 84/S. 296), would prohibit government use of geofence warrants and reverse keyword warrants; EFF also supports it. Their support is welcome, especially since we’ve been calling on companies like Google, which have a lot of resources and a lot of lawyers, to do more to resist these kinds of government requests.

Under the Fourth Amendment, if police can demonstrate probable cause that searching a particular person or place will reveal evidence of a crime, they can obtain a warrant from a court authorizing a limited search for this evidence. In cases involving digital evidence stored with a tech company, this typically involves sending the warrant to the company and demanding they turn over the suspect’s digital data.

Geofence and reverse keyword warrants completely circumvent the limits set by the Fourth Amendment. If police are investigating a crime–anything from vandalism to arson–they instead submit requests that do not identify a single suspect or particular user account. Instead, with geofence warrants, they draw a box on a map, and compel the company to identify every digital device within that drawn boundary during a given time period. Similarly, with a “keyword” warrant, police compel the company to hand over the identities of anyone who may have searched for a specific term, such as a victim’s name or a particular address where a crime has occurred.

These reverse warrants have serious implications for civil liberties. Their increasingly common use means that anyone whose commute takes them by the scene of a crime might suddenly become vulnerable to suspicion, surveillance, and harassment by police. It means that an idle Google search for an address that corresponds to the scene of a robbery could make you a suspect. It also means that with one document, companies would be compelled to turn over identifying information on every phone that appeared in the vicinity of a protest, as happened in Kenosha, Wisconsin during a protest against police violence. And, as EFF has argued in amicus briefs, it violates the Fourth Amendment because it results in an overbroad fishing expedition against unspecified targets, the majority of whom have no connection to any crime.


In the statement released by the companies, they write that “This bill, if passed into law, would be the first of its kind to address the increasing use of law enforcement requests that, instead of relying on individual suspicion, request data pertaining to individuals who may have been in a specific vicinity or used a certain search term.” This is an undoubtedly positive step for companies that have a checkered history of being cavalier with users' data and enabling large-scale government surveillance. But they can do even more than support legislation in one state. Companies can still resist complying with geofence warrants across the country, be much more transparent about the geofence warrants they receive, provide all affected users with notice, and give users meaningful choice and control over their private data.

Matthew Guariglia

California Law Enforcement Now Needs Approval for Military-Grade Surveillance Equipment. We'll Be Watching.

1 month 2 weeks ago

California residents finally have a law designed to dismantle some of the secrecy around domestic acquisitions of warzone surveillance equipment.

The weapons of the United States military—drones, mobile command centers, sound cannons, and more—have been handed off to local law enforcement for years. The transfers have equipped police departments with the ability to redirect surveillance tools and the weapons of war designed for foreign adversaries toward often-faultless targets on U.S. soil. For police departments getting the gear, the process is often secretive. If you don’t think your local law enforcement really needs an aerial surveillance system, or for that matter an MRAP (Mine-Resistant Ambush Protected vehicle), there hasn’t been too much you can do to stop these from joining the arsenal at your neighborhood police department. 

A.B. 481, a new California state law, went into effect at the beginning of May 2022 for equipment already in agencies’ possession and at the beginning of this year for new technologies. It requires democratic control of whether California state or local law enforcement agencies can obtain or use military-grade tools, whether they are received from the federal government, purchased, or utilized via some other channel. Through their elected officials, the public can say “no” to military surveillance and other technology, and it won’t be allowed to come to town.

These democratic control measures include the creation of draft use policies that must be publicly posted, an opportunity for residents to organize and be heard, and a vote by the governing body at a public meeting. If the proposal is approved, the police then must provide regular reports on how the equipment has been used, and the public body must perform annual compliance reviews. The bill also mandates that agencies already in possession of military equipment obtain approval from the governing body by the end of 2022, or else stop using them. 

A.B. 481 is modeled on Community Control of Police Surveillance (CCOPS) laws adopted in 18 communities across the country. It was sponsored by The Women's Foundation of California, Women’s Policy Institute, Alliance for Boys and Men of Color, and The Stop Terror and Oppression by Police (STOP) Coalition. Where CCOPS ensures democratic control over local acquisition and use of all manner of surveillance technologies, A.B. 481 ensures democratic control over local acquisition and use of military technologies (including military surveillance technologies).

In California, there are more than 500 local law enforcement agencies, and the state is one of the biggest recipients of military transfers. In all, the federal program to transfer surplus military wares has moved more than $7.5 billion worth of equipment to local law enforcement since the program’s inception in 1990. 

Military equipment, for the purposes of the new law, encompasses a broad range of weapons and surveillance tools: 

  • Drones and unmanned vehicles of both the land and sky; 
  • Command & Control Vehicles (trucks equipped with computers and other equipment to collect and transmit various video and information feeds);
  • Tanks, MRAPs (mine-resistant ambush-protected vehicles), and Humvees;
  • Weaponized vehicles of any kind; 
  • Firearms of greater than .50 caliber;
  • Taser Shockwaves and LRADs (long-range acoustic devices, also known as sound cannons); and
  • Projectile launchers.

It is important for there to be more transparency into law enforcement practices, and for communities to have democratic control of surplus military transfers, particularly for high-tech surveillance equipment. The enactment of A.B. 481 is an important step forward. 

The proposed “military equipment use policy” is now the first step of the process for agencies trying to get military gear. This is a publicly available, written document that would govern the state or local agency’s use of this military equipment. It needs to do a few things: 

  • address the legal rules governing the use of the equipment;
  • outline the training required; and
  • describe the procedure by which the public can make complaints. 

A law enforcement agency then needs to get the approval of the jurisdiction’s governing body, like the City Council, at a public meeting. The policy and other relevant materials need to be made available to the public on the agency's website at least 30 days in advance. Residents who oppose the military equipment can use that month to organize in opposition.

Once approval is granted, the agency isn’t just free to use the equipment indefinitely. There will be an annual review for compliance with the use policy, based on an annual military equipment report. That report needs to contain: 

  • The quantity possessed for each type of military equipment;
  • A summary of how and for what purpose the military equipment was used;
  • A summary of any complaints or concerns received concerning the military equipment;
  • The results of any internal audits; 
  • Any information about violations of the use policy and the consequences;
  • The total annual cost for each type of military equipment, including acquisition, personnel, training, transportation, maintenance, storage, upgrade, and other ongoing costs, and from what source funds will be drawn the following year; and
  • The quantity sought for each type of additional military equipment the law enforcement agency intends to acquire in the next year.

Agencies have started posting their materials online, like these from Milpitas and the California Department of Corrections and Rehabilitation. Unfortunately, there have been rumblings from some in law enforcement against the need to disclose whether they have war-grade equipment. As we’ve seen in our compliance review of S.B. 978, which requires California police departments to post their policies online, adherence to new accountability measures can’t be taken for granted. Still, whether they like it or not, A.B. 481 makes hiding military-grade tools against the law for law enforcement. 

Beryl Lipton

In a Blow to Free Speech, Texas’ Social Media Law Allowed to Proceed Pending Appeal

1 month 2 weeks ago

A constitutionally problematic Texas law limiting social media companies from exercising their First Amendment rights to curate the content they carry can go into effect after a federal appeals court lifted a lower court’s injunction blocking it.

A three-judge panel of the U.S. Court of Appeals for the Fifth Circuit, in a 2-1 decision, lifted the injunction in a one-sentence order without giving a reason. The law, Texas HB 20, which prohibits large social media platforms from removing or moderating content based on the viewpoint of the user, can now be enforced while the court continues to consider the appeal.

This decision to allow the law to be enforced before the court has ruled on its legality is wrong. It creates great uncertainty, will likely spawn numerous lawsuits, and will chill protected speech, all to the detriment of users of large social media sites in the US and everywhere.

The lower court blocked the law for violating the First Amendment and Texas appealed. We filed amicus briefs in both the trial and appeals courts, arguing that the government cannot regulate editorial decisions made by online platforms about what content they host. We told the Fifth Circuit that, while the content moderation decisions of social media companies can be frustrating, internet users nevertheless are best served when the First Amendment protects companies' right to edit their platforms as they see fit.

Those protections ensure that social media sites can curate content free from governmental mandates, giving users a diverse array of forums to read and contribute to. Under HB 20 social media platforms “may not censor a user, a user’s expression, or a user’s ability to receive the expression of another person based on . . . the viewpoint of the user or another person.” Users and the Texas Attorney General can sue companies they believe violated the law.

HB 20 is clearly a retaliatory measure aimed at punishing platforms for an alleged anti-conservative bias. As EFF’s brief explained, the government can’t retaliate against disfavored speakers and promote favored ones. Moreover, HB 20 would destroy or prevent the emergence of even larger conservative platforms, as they would have to accept user speech from across the political spectrum.

The lawsuit was filed by tech industry groups NetChoice  and the Computer and Communications Industry Association (CCIA); NetChoice plans to appeal the ruling. In the meantime, it’s unclear how and whether it will be possible for the companies bound by the law to comply with it.

Karen Gullo

The EU Commission’s New Proposal Would Undermine Encryption And Scan Our Messages

1 month 2 weeks ago

The executive body of the European Union today published a legislative proposal (text) that, if it became law, would be a disaster for online privacy in the EU and throughout the world. In the name of fighting crimes against children, the EU Commission has suggested new rules that would compel a broad range of internet services, including hosting and messaging services, to search for, and report, child abuse material. 

The Commission’s new demands would require regular plain-text access to users’ private messages, from email to texting to social media. Private companies would be tasked not just with finding and stopping distribution of known child abuse images, but could also be required to take action to prevent “grooming,” or suspected future child abuse. This would be a massive new surveillance system, because it would require the infrastructure for detailed analysis of user messages.

The new proposal is overbroad, not proportionate, and hurts everyone’s privacy and safety. By damaging encryption, it could actually make the problem of child safety worse, not better, for some minors. Abused minors, as much as anyone, need private channels to report what is happening to them. The scanning requirements are subject to safeguards, but they aren’t strong enough to prevent the privacy-intrusive actions that platforms will be required to undertake. 

Unfortunately, this new attempt to mandate a backdoor into encrypted communications is part of a global pattern. In 2018, the Five Eyes—an alliance of the intelligence services of Canada, New Zealand, Australia, the United Kingdom, and the United States—warned that they will “pursue technological, enforcement, legislative or other measures to achieve lawful access solutions” if the companies didn’t voluntarily provide access to encrypted messages. With the urging of the Department of Justice, U.S. Congress tried to create backdoors to encryption through the EARN IT Act, in 2020 and again earlier this year. Last fall, government agencies pressured Apple to propose a system of software scanners on every device, constantly checking for child abuse images and reporting back to authorities. Fortunately, the Apple program appears to have been shelved for now, and EARN IT is still not law in the U.S. 

The European Union prides itself on high standards for data protection and privacy, as demonstrated by the adoption of the General Data Protection Regulation, or GDPR. This new proposal suggests the EU may head in a dramatically different direction, giving up on privacy and instead seeking state-controlled scanning of all messages. 

European civil society groups that deal with digital freedoms, including European Digital Rights (EDRi), Germany’s Society for Civil Rights, the Netherlands’ Bits of Freedom, and Austria’s epicenter.works have expressed grave concerns about this proposal as well. 

Fortunately, the misguided proposal published today is far from the final word on this matter. The European Commission cannot make law on its own. We don’t think the EU wants to cancel everyday people’s privacy and security, and we are ready to work together with Members of the European Parliament and EU member states’ representatives to defend privacy and encryption. 

Joe Mullin

EFF to Court: Fair Use is a Right Congress Cannot Cast Aside

1 month 2 weeks ago

Copyright law and free expression have always been in tension, with the courts protecting speech from overzealous copyright claims using legal doctrines such as fair use. But in 1998, Congress passed the Digital Millennium Copyright Act, and since then courts have interpreted its “anti-circumvention” provision to give rightsholders the unprecedented power to block even fair uses of their works, whenever that use requires bypassing an access control like encryption or DRM.

This has harmed independent filmmakers when they try to include clips from other works in their own. It’s harmed people with visual disabilities who need to run text-to-speech software on their e-books in order to enjoy them, and people with hearing disabilities who rely on captioning to enjoy videos they purchase. It’s prevented educators from teaching media literacy and it’s prevented security and safety researchers from understanding electronic devices to keep us all safer. It keeps people from reading the code in the things they buy, from cars to tractors to home appliances, preventing us from understanding how these devices work and harming the market for independent repair and follow-on innovation.

Fair users can sometimes get temporary and partial relief through the rulemaking process run by the Copyright Office, but that only underscores the fundamental problem: Section 1201(a) of the DMCA turned the right to make fair uses into a contingent privilege that you have to beg for in advance – with no binding legal standards to protect your right to speak.

That’s why we sued the government on behalf of security researcher Matthew Green and technologist bunnie Huang, working with law firm Wilson Sonsini Goodrich & Rosati. The case is now on appeal, and we’ve just concluded the briefing, with amicus support from law professors, disability rights advocates, filmmakers, and more.

The government defends the law by arguing that it only burdens conduct, not speech. Nonsense: the law is a direct ban on accessing information so that it can be communicated and adapted. It also directly bans providing instructions on how to do this in the form of software or a service. It restricts a wide range of legitimate speech, without adding much if anything to the government’s arsenal of tools to combat actual copyright infringement. Since someone circumventing in order to infringe is already an infringer, the law primarily impacts people who are circumventing for a non-infringing purpose, such as research, education, or just to enjoy the e-book they bought.

This disastrous law has interfered with creativity, research, and innovation for far too long. We hope the Court of Appeals for the D.C. Circuit agrees and restores the traditional balance between rightsholders and subsequent speakers.

Related Cases: Green v. U.S. Department of Justice
Kit Walsh

How to Disable Ad ID Tracking on iOS and Android, and Why You Should Do It Now

1 month 2 weeks ago

The ad identifier - aka “IDFA” on iOS, or “AAID” on Android - is the key that enables most third-party tracking on mobile devices. Disabling it will make it substantially harder for advertisers and data brokers to track and profile you, and will limit the amount of your personal information up for sale.

This post explains the history of device ad identifiers and how they have enabled persistent tracking, identification, and other privacy invasions. 

But first things first. Here’s how to revoke tracker access to your ad ID right now:

On Android 

Open the Settings app, and navigate to Privacy > Ads. Tap “Delete advertising ID,” then tap it again on the next page to confirm. This will prevent any app on your phone from accessing it in the future.
  

The Android opt out is available on Android 12, but may not be available on older versions. Instead, you can reset your ad ID and ask apps not to track you.


On iOS 

Apple requires apps to ask permission before they can access your IDFA. When you install a new app, it may ask you for permission to track you.


Select “Ask App Not to Track” to deny it IDFA access.

To see which apps you have previously granted access to, go to Settings > Privacy > Tracking.

Here you can disable tracking for individual apps that have previously received permission. Only apps that have permission to track you will be able to access your IDFA.

You can set the “Allow apps to Request to Track” switch to the “off” position (the slider is to the left and the background is gray). This will prevent apps from asking to track in the future. If you have granted apps permission to track you in the past, this will prompt you to ask those apps to stop tracking as well. You also have the option to grant or revoke tracking access on a per-app basis.

Apple has its own targeted advertising system, separate from the third-party tracking it enables with IDFA. To disable it, navigate to Settings > Privacy > Apple Advertising:


Set the “Personalized Ads” switch to the “off” position to disable Apple’s ad targeting.

History

In the early days of smartphones, trackers used static device identifiers - the “Unique Device Identifier” (UDID) on iOS, and the “Android ID” on Android - to track users across apps. These identifiers were unique, permanent, and were frequently accessed by third parties without user knowledge or consent. 

This was rightfully considered a problem for user privacy. A 2010 investigation by the Wall Street Journal exposed the extent of the issue, and in 2011, after a series of probing questions from US members of Congress, Apple began restricting access to the UDID.

The industry had already begun to rely on data collection tied to UDID, and trackers scrambled to adapt to the change. Then, in 2012, Apple quietly introduced the Identifier for Advertisers (IDFA). IDFA was almost identical to the UDID it replaced: it was a globally unique identifier that was available to all apps by default. The biggest difference was that IDFA could be reset -- though this was only possible if users knew what to look for. Apple also allowed users to enable a setting called “Limit Ad Tracking.” This sent a signal to apps asking them not to track, but it did not actually affect the apps’ ability to access IDFA.

Android followed suit in 2013, introducing the Android Advertising Identifier (AAID). Like Apple, Google made its identifier available to all apps by default, without any special permission. It also allowed users to reset their ad identifier, but not restrict access to it or delete it.

In 2016, Apple updated Limit Ad Tracking to set the IDFA to a string of zeroes - effectively deleting it. This meant that for the first time, users had an effective, technical opt-out of IDFA tracking.

In 2021, Apple introduced App Tracking Transparency (ATT), which requires apps to get affirmative consent before they can track users with IDFA or any other identifier. This had an enormous impact on the tracking industry. While previously, about 20% of users chose to opt out of tracking (meaning 4 out of 5 were “opted in”), after the change, the vast majority of users have chosen not to allow tracking. Defaults matter.

Meanwhile, Android finally started rolling out a way for users to disable their ad ID. As of April 1, 2022, Android also requires developers to request a separate permission in order to access the ad ID. However, this is treated as a “normal” permission, meaning users don’t see any pop-up asking for their consent. Despite the ad ID’s central role in enabling third-party tracking, the developer documents explain that this kind of permission is for data that presents “very little risk to the user's privacy.” In other words, Android’s ad ID is still exposed on an opt-out basis, and users have to go out of their way to defend their privacy on the platform.
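
For app developers, the mechanics look roughly like the sketch below. This is an illustrative sketch only, not code taken from the Android documentation: it assumes the Google Play Services ads-identifier library and Kotlin coroutines are available, and the manifest line shown in the comment is the AD_ID "normal" permission described above, which never triggers a user-facing prompt.

    // Illustrative sketch: reading the ad ID once the app declares the AD_ID
    // "normal" permission in its manifest (no consent prompt is shown):
    //
    //   <uses-permission android:name="com.google.android.gms.permission.AD_ID" />

    import android.content.Context
    import com.google.android.gms.ads.identifier.AdvertisingIdClient
    import kotlinx.coroutines.Dispatchers
    import kotlinx.coroutines.withContext

    suspend fun readAdId(context: Context): String? = withContext(Dispatchers.IO) {
        // getAdvertisingIdInfo() is a blocking Play Services call, so keep it
        // off the main thread.
        val info = AdvertisingIdClient.getAdvertisingIdInfo(context)
        // If the user has deleted or limited their advertising ID, a
        // well-behaved app should treat it as unavailable.
        if (info.isLimitAdTrackingEnabled) null else info.id
    }

The asymmetry is the point: for a developer, access is one manifest line and one call; for a user, opting out is a multi-step Settings flow they have to find on their own.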

In February, Google also indicated that it may eventually phase out the ad ID altogether. It plans to bring a version of the Privacy Sandbox framework to mobile devices to support behavioral advertising “without reliance on cross-app identifiers.” But Google assured developers that it won’t change anything substantial about the ad ID for “at least two years.”

Why It Matters

The ad identifier is a string of letters and numbers that uniquely identifies your phone, tablet, or other smart device. It exists for one purpose: to help companies track you. 

Third-party trackers collect data via the apps on your device. The ad ID lets them link data from different sources to one identity: you. In addition, since every app and tracker sees the same ID, it lets data brokers compare notes about you. Broker A can buy data from broker B, then use the ad identifier to link those two datasets together. Simply put, the ad ID is the key that enables a whole range of privacy harms: invasive 3rd-party profiling by Facebook and Google, pseudoscientific psychographic targeting by political consultants like Cambridge Analytica, and location tracking by the U.S. military.
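
To make the "compare notes" step concrete, here is a toy sketch in Kotlin; the record types and broker datasets are entirely invented for illustration. The only thing the two datasets share is the ad ID, and that is enough to merge them into a single profile with an ordinary join.

    // Toy example of broker-to-broker linking: the ad ID is the join key that
    // turns two nominally "anonymous" datasets into one identified profile.
    data class LocationPing(val adId: String, val lat: Double, val lon: Double)

    data class IdentityRecord(val adId: String, val email: String)

    fun linkBrokers(
        brokerA: List<LocationPing>,    // e.g. location data harvested via app SDKs
        brokerB: List<IdentityRecord>   // e.g. an "identity resolution" dataset
    ): Map<String, Pair<IdentityRecord, List<LocationPing>>> {
        val identities = brokerB.associateBy { it.adId }
        return brokerA.groupBy { it.adId }
            .filterKeys { it in identities }
            .mapValues { (adId, pings) -> identities.getValue(adId) to pings }
    }

Nothing here is sophisticated, which is exactly the point: once a stable, shared identifier exists, linking datasets is trivial.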

Sometimes, participants in the data pipeline will argue that the ad ID is anonymous or pseudo-anonymous, not “personally identifying” information, and imply that it does not pose a serious privacy threat. This is not true in practice. First, the ad ID is commonly used to help collect data that is obviously personally identifiable, like granular location data. If you can see where a person works, sleeps, studies, socializes, worships, and seeks medical care, you don’t need their email address to help identify them. And second, an entire industry exists to help trackers link ad IDs to more directly identifying information, like email addresses and phone numbers. In a vacuum, the ad ID may be anonymous, but in the context of the tracking industry, it is a ubiquitous and effective identifier.

Disabling this ID makes it substantially harder for most advertisers and data brokers to track you. These industries process data from millions or billions of users every day, and they rely on convenient technologies like the ad ID to make that kind of scale possible. Removing this tool from their toolbox will result in substantially less data that can be associated with you in the wild. It is not only beneficial to your privacy, it also makes the surveillance advertising industry less profitable. And don’t take our word for it: Facebook has said that Apple’s App Tracking Transparency feature would decrease the company’s 2022 sales by about $10 billion.

But although it’s a good first step, removing your ad ID won’t stop all tracking. If you are concerned about a specific privacy-related threat to yourself or someone you know, see our other resources, including Digital Security and Privacy Tips for Those Involved in Abortion Access. You can also check out EFF’s guides to surveillance self-defense, including personal security plans, attending a protest, and privacy on mobile phones. These resources are organized into playlists such as this one for reproductive healthcare providers, seekers, and advocates.

Bennett Cyphers

What Companies Can Do Now to Protect Digital Rights In A Post-Roe World

1 month 2 weeks ago

The increasing risk that the Supreme Court will overturn federal constitutional abortion protections has refocused attention on the role digital service providers of all kinds play in facilitating access to health information, education, and care—and the data they collect in return.

In a post-Roe world, service providers can expect a raft of subpoenas and warrants seeking user data that could be employed to prosecute abortion seekers, providers, and helpers. They can also expect pressure to aggressively police the use of their services to provide information that may be classified in many states as facilitating a crime.

Whatever your position on reproductive rights, this is a frightening prospect for data privacy and online expression. That’s the bad news.

The good news is there is a lot companies—from ISPs to app developers to platforms and beyond—can do right now to prepare for that future, and those steps will benefit all users. If your product or service might be used to target people seeking, offering, or facilitating abortion access, now is the time to minimize the harm that can be done.

Here are some ideas to get you started.

If You Build it, They Will Come—So Don’t Build It, Don’t Keep It, Dismantle What You Can, and Keep It Secure

Many users don't truly realize how much data is collected about them, by multiple entities, as they go about their daily business. Search engines, ISPs, apps, and social media platforms collect all kinds of data, including highly sensitive information. Sometimes, they need that data to provide the service the user wants. Too often, however, they use it for other purposes, like ad sales, and/or for selling to third parties. Sometimes they'll claim the data is anonymized. But often that's not possible. For example, there's no such thing as "anonymous" location data. Data points like where a person sleeps at night or spends their days are an easy way to find a person's home address or job. A malicious observer can easily connect these movements to identify a person and anticipate their routines and movements. Another piece of the puzzle is the ad ID, another so-called "anonymous" label that identifies a device. Apps share ad IDs with third parties, and an entire industry of "identity resolution" companies can readily link ad IDs to real people at scale.

Governments and private actors know that intermediaries and apps can be a treasure trove of information. Good data practices can help you avoid being on the wrong side of history and legal hassles to boot—after all, if you don’t have it, you can’t produce it.

1. Allow pseudonymous access

Give your users the freedom to access your service pseudonymously, that is, so that even you do not know their identities. As we've previously written, “real-name” policies and their ilk are especially harmful to vulnerable populations, including pro-democracy activists, the LGBT community—and people seeking or providing abortion access. Recognize that authentication or verification schemes that require users to submit identification may also put them at risk.

2. Stop behavioral tracking

Don’t do it. If you must, make sure users affirmatively opt in first. If that’s not possible, ensure users know about it and know they can opt out. This includes letting users modify data that's been collected about them so far, as well as giving them the option to not have your service collect this information about them at all. When users opt out, delete their data and stop collecting it moving forward. Offering an opt-out of targeting but not out of tracking is unacceptable.
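The details depend entirely on your stack, but the shape of opt-in gating is simple: no consent, no collection, and an opt-out that deletes retroactively. The class and storage methods in this sketch are hypothetical, not any particular SDK:

```python
# Hypothetical sketch of consent-gated analytics: nothing is collected unless
# the user has affirmatively opted in, and opting out deletes what exists.
class AnalyticsGate:
    def __init__(self, storage):
        self.storage = storage          # your datastore abstraction (hypothetical)
        self.opted_in_users = set()     # in practice, persisted consent records

    def record_opt_in(self, user_id):
        self.opted_in_users.add(user_id)

    def record_opt_out(self, user_id):
        self.opted_in_users.discard(user_id)
        self.storage.delete_all(user_id)   # honor the opt-out retroactively

    def track(self, user_id, event):
        if user_id not in self.opted_in_users:
            return                         # default: do not collect
        self.storage.append(user_id, event)
```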

3. Check your retention policy

Do you really need to keep all of that data you’ve been collecting? Now is the time to clean up the logs. If you need them to check for abuse or for debugging, think carefully about which precise pieces of data you really need. And then delete them regularly—say, every week for the most sensitive data. IP addresses are especially risky to keep. Avoid logging them, or if you must log them for anti-abuse or statistics, do so in separate files that you can aggregate and delete frequently. Reject user-hostile measures like browser fingerprinting.
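One minimal way to approach this is sketched below in Python; the path, the weekly window, and the salted-hash scrubbing are illustrative choices you would tune to your own threat model:

```python
# Minimal sketch: keep coarse abuse statistics without storing raw IPs, and
# routinely delete sensitive log files older than a short retention window.
import hashlib
import time
from pathlib import Path

SENSITIVE_LOG_DIR = Path("/var/log/myapp/sensitive")   # placeholder path
RETENTION_SECONDS = 7 * 24 * 3600                      # e.g. one week

def scrub_ip(ip: str, daily_salt: str) -> str:
    """Replace a raw IP with a salted hash that rotates daily, so logs can
    still group repeat abusers without recording the IP address itself."""
    return hashlib.sha256((daily_salt + ip).encode()).hexdigest()[:16]

def purge_old_logs() -> None:
    cutoff = time.time() - RETENTION_SECONDS
    for log_file in SENSITIVE_LOG_DIR.glob("*.log"):
        if log_file.stat().st_mtime < cutoff:
            log_file.unlink()   # run from a daily cron job or scheduler
```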

4. Encrypt data in transit.

Seriously, encrypt data in transit. Why are you not already encrypting data in transit? Does the ISP and the entire internet need to know about the information your users are reading, the things they're buying, and the places they're going?
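For a typical web service, this means refusing to serve plaintext at all. Here is a minimal sketch using Flask purely as an example framework; the HSTS value is illustrative, and most reverse proxies can enforce the same behavior in configuration:

```python
# Minimal sketch: redirect plaintext HTTP to HTTPS and tell browsers to insist
# on HTTPS in the future via an HSTS header. If you run behind a reverse proxy,
# you will also need to trust its forwarded-protocol headers for is_secure.
from flask import Flask, redirect, request

app = Flask(__name__)

@app.before_request
def force_https():
    if not request.is_secure:
        return redirect(request.url.replace("http://", "https://", 1), code=301)

@app.after_request
def set_hsts(response):
    response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    return response

@app.route("/")
def index():
    return "hello over TLS"
```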

5. Enable end-to-end encryption by default.

If your service includes messages, enable end-to-end encryption by default. Are you offering a high-value service—like AI-powered recommendations or search—that doesn’t work on encrypted data? It’s time to re-evaluate that tradeoff.
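Here is a sketch of the core idea, using the PyNaCl library purely as an illustration; a real product should use an audited protocol (such as the Signal protocol) with key verification and forward secrecy rather than anything hand-rolled. The point is who can decrypt what: only the endpoints hold private keys, so a server relaying the ciphertext cannot read it.

```python
# Sketch of end-to-end encryption with PyNaCl (pip install pynacl).
# Only Alice and Bob hold private keys; the relaying service sees ciphertext.
from nacl.public import PrivateKey, Box

alice_key = PrivateKey.generate()
bob_key = PrivateKey.generate()

# Alice encrypts to Bob's public key.
sending_box = Box(alice_key, bob_key.public_key)
ciphertext = sending_box.encrypt(b"a sensitive message only Bob can read")

# Bob decrypts with his private key and Alice's public key.
receiving_box = Box(bob_key, alice_key.public_key)
plaintext = receiving_box.decrypt(ciphertext)
assert plaintext == b"a sensitive message only Bob can read"
```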

6. Don’t allow your app to become a location mine

There is an entire industry devoted to collecting and selling location data—and it’s got a well-documented history of privacy violations. Some location data brokers collect that data by getting ordinary app developers to install tracking software into their apps. Don’t do that.

7. Don’t share the data you collect more than necessary, and only with trusted/vetted partners

This one is beyond obvious: don't share the data you collect except as necessary to provide the service you are offering. Even then, make sure you vet those third parties' own data practices. Of course, this requires actually knowing where your data is going. Finally, avoid unnecessary third-party connections: every embedded SDK, analytics script, or tracking pixel is another party that can receive your users' data.

8. Where possible, make it interoperable

There may be a third party that can do a better job protecting your privacy-conscious users than you can alone. If so, allow them to interoperate with you so they can offer that service.

Push Back Against Improper Demands—and Be Transparent About Them

Demands for user data can take many forms. For example, law enforcement may ask a search engine to provide information about all users who searched for a particular term, such as "abortion." Law enforcement may also seek unconstitutional "geofence warrants" demanding data on every device in a given geographic area. Law enforcement might use that information to draw a line around an abortion clinic in a neighboring state, get a list of every phone that's been there, and use that information to track people as they drive back home across state lines. Private parties, meanwhile, may leverage the power of the courts to issue subpoenas to try to unmask people who provide information online anonymously.

1. Stand up for your users

Challenge unlawful subpoenas for user information in court. If a warrant or subpoena is improper, push back. For example, federal courts have ruled that geofence warrants are unconstitutional. And there are strong protections in the U.S. for anonymous speech. Does the court have jurisdiction to require compliance? Some companies have been willing to stand up for their users. Join them. If your company can’t afford legal counsel, EFF may be able to help.

2. At minimum, provide notice to affected users 

Your users should never find out that you disclosed their information only after it's too late for them to do anything about it. If you get a data request, and there is no legal restriction forbidding you from doing so, notify the subject of the request as soon as possible.

3. Implement strong transparency practices

Issue transparency reports on a regular basis, including a state-by-state breakdown of data requests and information related to reproductive rights bans and restrictions. Facebook's transparency report, for example, is only searchable by country, not by state. And while the report mentions removing information based on reports from state attorneys general, it does not name the states or the reasons for the requests. Endorse the Santa Clara Principles on Transparency and Accountability – and implement them.

If You Market Surveillance Technology to Governments, Know Your Customer

This should also be obvious.

Review and Revise Your Community Standards Policy to Discourage Abuse

Social media platforms regularly engage in “content moderation”—the depublication, downranking, and sometimes outright censorship of information and/or user accounts from social media and other digital platforms, usually based on an alleged violation of a platform’s “community standards” policy. Such moderation, however well-intentioned, is often deeply flawed, confusing and inconsistent, particularly when it comes to material related to sexuality and sexual health. Take, for example, the attempt by companies to eradicate homophobic and transphobic speech. While that sounds like a worthy goal, these policies have resulted in LGBTQ users being censored for engaging in counterspeech or for using reclaimed terms like “dyke.”

Facebook bans ads it deems “overly suggestive or sexually provocative,” a practice that has had a chilling effect on women’s health startups, bra companies, a book whose title contains the word “uterus,” and even the National Campaign to Prevent Teen and Unwanted Pregnancy.

In addition, government and private actors can weaponize community standards policies, flagging speech they don’t like as violating community standards. Too often, the speaker won’t fight back, either because they don’t know how, or because they are intimidated.

Platforms should take another look at their speech policies, and consider carefully how they might be abused. For example, almost every major internet platform—Facebook, Google (owner of Blogger and YouTube), Twitter, and reddit—has some prohibition on “illegal” material, but their policies do not explain much further. Furthermore, most have some policy related to “local laws”—but they mean laws by country, not by state. This language leaves a large hole for individuals and governments to claim a user has violated the policy and get life-saving information removed.

Furthermore, as noted, Facebook has a terrible track record with its policy related to sex and sexual health. The company should review how its policy of labeling images associated with “birth-giving and after-birth giving moments, including both natural vaginal delivery and caesarean section,” might lead to confusion.


Many groups share information through Google docs—posting links either within a network or even publicly. In a post-Roe world, that might include information about activities that are illegal in some states. However, while Google permits users to share educational information about illegal activities, it prohibits use of the service to engage in such activities or promote them.

Blogger uses similar language, and adds that “we will take appropriate action if we are notified of unlawful activities, which may include reporting you to the relevant authorities.” This language may discourage many from using the service to share information that, again, might be legal in some states and illegal in others.

In general, many sites have language outlawing material that may lead to “serious physical or emotional harm.” Depending on how “harm” is construed, and by whom, this language too could be an excuse to excise important tools and information. 

Worse, companies have set some unfortunate recent precedent. For example, Facebook’s transparency report mentions, in response to COVID-related concerns, that it blocked access to 27 items in response to reports from state attorneys general and the US Attorney General. All 27 were ultimately reinstated, as they did not actually violate Facebook’s “community standards or other applicable policies.” This shows a willingness on Facebook’s part to act first and ask questions later when contacted by state authorities. Even if eventually reinstated, the harm to people looking for information in a critical, time-sensitive situation could be incalculable.

Most of these ideas aren’t new – we’ve been calling for companies to take these steps for years. With a new threat model on the horizon, it’s past time for them to act. Our digital rights depend on it.

Corynne McSherry

Reproductive Privacy Requires Data Privacy

1 month 2 weeks ago

EFF supports data privacy for all, and that includes people seeking reproductive health care. Even before the Supreme Court draft decision regarding Roe v. Wade leaked, EFF was engaged with reproductive justice advocates on how to better protect data privacy for people seeking care, providing it, and funding it. We’ve provided digital privacy and security tips for patients seeking care and people involved in abortion access. But more is needed.

That's why EFF supports California's A.B. 2091, authored by Asm. Mia Bonta and sponsored by Planned Parenthood Affiliates of California. This bill seeks to stop information about people seeking abortions in California from flowing across state lines and being used by prosecutors or private actors under other states' anti-abortion laws.

Specifically, it prohibits health care providers and service plans from releasing medical information related to people seeking or obtaining an abortion, in response to a subpoena or request based on another state’s law that interferes with reproductive freedom protected by California law. The bill also prohibits a person from being compelled to provide information that would identify someone who has sought or obtained an abortion, if it is being requested in this scenario. While EFF is not a reproductive rights advocacy group, our history of work on digital privacy—particularly health privacy—compels us to support this bill.

This issue also falls squarely within our organization's work on limiting the collection and use of government data for purposes other than those for which it was collected. Governments collect information for many reasons. But, all too often, data collected by the state is misused and weaponized for other purposes. The ones who suffer most are often vulnerable minority groups. This sad legacy of data misuse stretches from census data being used for Japanese-American internment during World War II, to license plate data being weaponized against immigrants today.

EFF likewise has supported legislation to protect data in the state of California from being misused to enforce federal immigration policies. California should be a digital sanctuary state for both immigrants and people seeking reproductive health procedures.

As the bill's sponsors told the California legislature, "No one should be able to manipulate California’s legal system to target and punish people who seek care and refuge here."

We urge California's legislators to pass A.B. 2091 as a crucial step to building such a sanctuary.

Hayley Tsukayama

A Token of Thanks for a Brighter Future

1 month 2 weeks ago

UPDATE: All Sustaining Donor Challenge Coins have been claimed! But there’s plenty of other member gear, and EFF can sure use your help.

EFF members have joined forces to fight for civil liberties and human rights online for over 30 years. Our movement has never been an easy one, but the future of technology depends on our determination. EFF members power EFF's attorneys, activists, and technologists every day. Together, we can make a difference for every tech user's right to privacy, free speech, and digital access. Will you sustain the cause with a modest recurring donation?

COUNT ME IN

Become an EFF Sustaining Donor

If you become a Sustaining Donor today, you can receive an individually-numbered EFF 30th Anniversary Challenge Coin as a token of our thanks! To be eligible, just set up an automated donation of at least $5 per month or $25 per year. We'll send a challenge coin to the address you provide. Fewer than 200 of these 30th anniversary tokens are left, so get yours now.

Challenge coins follow a long tradition of offering a symbol of kinship and respect for great achievements—and EFF owes its strength to tech users around the world like you. With your sustaining contribution, EFF is here to stay.

When you sign up to support EFF, you can get a number of EFF member perks including conversation-starting gear each year (like the recent Stay Golden t-shirt seen above!), a membership card, an EFF bumper sticker, discounts on EFF events, and invitations to local and virtual Speakeasy meetups and programs. Even if you choose to skip those benefits, know that your support makes a difference for people around the world. Take a stand for internet freedom today!

Support Online Rights

Start a Monthly or Annual Sustaining Donation

Reach out with any questions at membership@eff.org. EFF is a U.S. 501(c)(3) nonprofit, tax ID #04-3091431, and your gift is tax-deductible as allowed by law.

Aaron Jue

Podcast Episode: The Philosopher King

1 month 2 weeks ago

Computer scientists often build algorithms with a keen focus on “solving the problem,” without considering the larger implications and potential misuses of the technology they’re creating. That’s how we wind up with machine learning that prevents qualified job applicants from advancing, or blocks mortgage applicants from buying homes, or creates miscarriages of justice in parole and other aspects of the criminal justice system.

James Mickens—a lifelong hacker, perennial wisecracker, and would-be philosopher-king who also happens to be a Harvard University professor of computer science—says we must educate computer scientists to consider the bigger picture early in their creative process. In a world where much of what we do each day involves computers of one sort or another, the process of creating technology must take into account the society it’s meant to serve, including the most vulnerable.

Mickens speaks with EFF's Cindy Cohn and Danny O’Brien about some of the problems inherent in educating computer scientists, and how fixing those problems might help us fix the internet.

[Embedded audio player. Privacy info: this embed will serve content from simplecast.com.]
This episode is also available on the Internet Archive.

In this episode you’ll learn about:

  • Why it’s important to include non-engineering voices, from historians and sociologists to people from marginalized communities, in the engineering process
  • The need to balance paying down our "tech debt"—cleaning up the messy, haphazard systems of yesteryear—with innovating new technologies
  • How to embed ethics education within computer engineering curricula so students can identify and overcome challenges before they’re encoded into new systems
  • Fostering transparency about how and by whom your data is used, and for whose profit
  • What we can learn from Søren Kierkegaard and Stan Lee about personal responsibility in technology
Music:

Music for How to Fix the Internet was created for us by Reed Mathis and Nat Keefe of BeatMower.

This podcast is licensed Creative Commons Attribution 4.0 International, and includes the following music licensed Creative Commons Attribution 3.0 Unported by their creators: 

Resources:

Machine Learning Ethics:

Algorithmic Bias in Policing, Healthcare, and More:

Adversarial Interoperability and Data Fiduciaries:


Transcript: 

James: One of the fun things about being a computer scientist, as opposed to, let's say a roboticist, someone who actually builds physical things. I'm never going to get my eye poked out, because my algorithm went wrong. Like I'm never going to lose an arm or just be ruined physically because my algorithm didn't work at least on paper. Right? And so I think computer science does tend to draw people who like some of these very stark sort of contrasts, like either my algorithm worked or it didn't. But I think that what's ended up happening is that in the infancy of the field, you could kind of sort of take that approach and nothing too bad would happen.

But now when you think about everything we do in a day, there's a computer involved in almost all of that. And so as a result, you can no longer afford to say, I'm not going to think about the bigger implications of this thing, because I'm just a hobbyist, I'm just working on some little toy that's not going to be used by thousands or millions of people.

Cindy: That's James Mickens. He's a professor of computer science at Harvard School of Engineering and Applied Sciences and a director at the Berkman Klein Center for Internet and Society. He's also a lifelong hacker.

Danny: 

James is going to tell us about some of the problems in educating ethical computer scientists and we're going to talk about how fixing those problems might help us fix the internet.

Cindy: I'm Cindy Cohn, EFF's executive director.

Danny: And I'm Danny O'Brien special advisor to EFF. Welcome to How to Fix the Internet, a podcast of the Electronic Frontier Foundation.

Cindy: 
James thank you so much for joining us. It’s really exciting to talk to you about how computer scientists and other technically minded people will help us move toward a better future and what that future looks like when we get there. 

James: Well, hello. Thank you for that great introduction and thank you for inviting me to have a chat.

Cindy: So let's wallow in the bad for a minute before we get to the good. What's broken in our internet society now, or at least the specific pieces that are most concerning to you?

James: Well, there are just so many things. I mean, I could just give you a wood cut, like from the medieval period, people are on fire. They're weird people with bird masks running around. It's a scene. But if I had to just pick a couple things, here are a couple things that I think are bad. I think that at a high level, one of the big challenges with technology right now is the careless application of various techniques or various pieces of software in a way that doesn't really think about what the collateral damage might be and in a way that doesn't really think about, should we be deploying this software in the first place. At this point, sort of a classic example is machine learning, right? So machine learning seems pretty neat.   But when you look at machine learning being applied to things like determining which job applications get forwarded up to the next level, determining who gets mortgages and who does not, determining who gets sentenced to parole versus a harsher sentence for example. What you end up seeing is that you have these really non-trivial applications of technology that have these real impacts in the actual world. It's not some abstract exercise where we're trying to simulate the thought process of an agent in a video game or something like this.

Danny: Is there something special about computer scientists that makes them like this? Is it hubris? Is it just a feeling like they've got the answer to all of the world's problems?

James: The way that we're sort of trained as computer scientists is to say here's a crisp description of what a problem is and then here are a concrete set of steps which can "fix that problem". And going through that series of steps of identifying the problem, coming up with an algorithm to "solve it" and then testing it, at first glance that seems very clean. And in fact, there are a couple simple problems we could think of that are very clean to solve.

So for example, I give you a bunch of numbers, how do you sort them. It seems like a pretty objective thing to do. We all have a very clear understanding of what numbers are and what order means. But now if I ask you to do something like find the best applicant for a particular job, even if you were to ask different humans what the answer to that question is, they would probably give you a bunch of different answers.

And so this idea that somehow, because computers manipulate binary data, zeros and ones, that somehow we're always going to have clean answers for things, or somehow always be able to take these intractable social problems and represent them in this very clean way in the digital space, it's just absolutely false. And I think machine learning is a particular example of how this goes astray. Because you end up seeing that you get this data, this data has biases in it, you train an algorithm that replicates the biases in the training data, and that just perpetuates the social problem that we see sort of in the pre digital world.

Cindy: When we were first looking at predictive policing, for instance, which is a set of technologies that try to allegedly predict where crime is going to happen, the short answer to this is it actually just predicts what the police are going to do. If you define the problem as well, police know where crime is, then you've missed a whole lot of crime that police never see and don't focus on and don't prioritize. So that was an early example, I think, of that kind of problem.

James: People who live in let's say underprivileged communities or over policed communities, if you asked them what would happen if you were to apply one of these predictive policing algorithms, I bet a lot of them could intuitively tell you from their personal experience, well, the police go where they think the police need to go. And of course, that sets up a feedback circle. And just to be clear, I'm not trying to take out some sort of maximalist anti-police position here, I'm just saying there are experiences in the world that are important to bring to bear when you design technical artifacts, because these technical artifacts have to relate to society. So I think it's really important when you're getting a technical education that you also learn about things involving history or sociology or economics, things like that.

Cindy: I want to switch just a little bit, because we're trying to fix the internet here and I want to hear what's your vision of what it looks like if we get this right. I want to live in that world, what does that world look like from where you sit?

James: Well, a key aspect of that world is that I have been nominated as the philosopher king.

Cindy: Cool.

James: And that's the first thing and really everything sort of follows.

Danny: We'll get right on that.

James: Good to see everyone agrees with it.

Cindy: Yeah.

James: Yeah. Thank you. Thank you. So I think we've sort of hinted at one of the things that needs to change in my opinion, which is the way that "technical education" is carried out. A lot of engineers go through their formal engineering training and they're taught things like calculus and linear algebra. They learn about various programming languages. They learn how to design algorithms that run quickly. These are all obviously very important things, but they oftentimes don't receive in that formal education an understanding of how the artifacts that they build will interact with larger society. And oftentimes they don't receive enough education in what are sort of the historical and social and economic trends independent of technology, that have existed for hundreds or thousands of years that you should really think about if you want to create technology that helps the common good.

Cindy: And the other thing I hear in this is community involvement, right? That the people who are going to be impacted by the artifact you build need to be some of the people you listen to and that you check into that you go to the neighborhoods where this might be applied or you talk to the people who are trying to figure out how to get a mortgage and you begin to understand what the world looks like in shoes that are not yours. 

Are there any places in machine learning where you think that people are starting to get it right or is it still just a wasteland of bad ideas?

Danny: Allegedly.

James: It is. Yeah. The wasteland word is, I still think, generally applicable, but people are starting to awaken. People are starting to look at notions of, can we rigorously define transparency in terms of explaining what these algorithms do? Can we sort of rigorously think about bias and how we might try to address that algorithmically in collaboration with people. The field is starting to get better. I think there is still a lot of pressure to "innovate". There's still pressure to publish a lot of papers, get your cool new ML technology out there, how else am I going to get venture capital, things like this. So I think there's still a lot of pressure towards not being thoughtful, but I do see that changing.

Danny: So one of the things that we've seen in other podcast interviews is that actually we are going to have to go and redo some of the fundamentals because we're building on weak foundations, that we didn't think about computer security when we first started writing operating systems for general use and so forth. Do you think that's part of this as well? Not only do we have to change what we're going to do in the future, but we actually have to go and redo some stuff that engineers made in the past?

James: I think it speaks to these larger issues of tech debt, which is a term that you may have heard before. This idea that we've already built a bunch of stuff and so for us to go back and then fix it, for some definition of fix. So would you prefer us to just tackle that problem and not innovate further or would you prefer... What should we do? I think you're right about that. That is an important thing. If you look at, for example, how a lot of the internet protocols work or like how a lot of banking protocols work or things like this, systems for doing airline reservations, in some cases, this code is COBOL code. It came from the stone age, at least in computer science terms. 

And the code is very creaky. It has security problems. It's not fast in many cases, but would society tolerate no flights for a year, let's say, as we go back and we modernize that stuff? The answer is no obviously. So then as a result, we kind of creak forward. If you think about the basic core internet infrastructure, when it was designed, roughly speaking, it was like a small neighborhood. Most people on the internet knew everybody. Why would Sally ever try to attack my computer? I know her, our kids go to the same school, that would just be outrageous. But now we live in a world where the Internet's pervasive. That's good, but now everyone doesn't know everyone. And now there are bad actors out there. And so we can try to add security incrementally- that's what HTTPS does. The S stands for security, right? So we can try to layer security at top these sort of creaky ships, but it's hard. I think a lot of our software and hardware artifacts are like that. 

It's really getting back, I think, to Cindy's question too, about what would I want to see improved about the future? I always tell this to my students and I wish more people would think about this, it's easier to fix problems early, rather than later. That seems like a very obvious thing that Yoda would say, but it’s actually quite profound.  Because once you get things out in the world and once they get a lot of adoption, for you to change any little thing about it is going to be this huge exercise. And so it's really helpful to be thoughtful at the beginning in the design process.

Cindy: You've thought a little bit of about how we could get more thoughtfulness into the design process. And I'd love for you to talk about some of those ideas.

James: Sure. One thing that I'm really proud of working on is this embedded ethics program that we have at Harvard, and that's starting to be adopted by other institutions. And it gets back to this idea of what does it mean to train an engineer? And so what we're trying to do in this program is ensure that every class that a computer scientist takes, there'll be at least one lecture that talks about ethical considerations, concerns involving people and society and the universe that are specific to that class. Now, I think the specific to that class part is very important, right? Because I think another thing that engineers sometimes get confused about is they might say, oh, well, these ethical concerns are only important for machine learning.

I get it, machine learning interacts of people, but it's not important for people who build data centers. Why should I care about those things? But let's interrogate that for a second. Where do you build data center? Well, data centers require a lot of power. So where is that electricity going to come from? How is that electricity going to be generated? What is the impact on the surrounding community? Things like this. There's also sort of like these interesting geopolitical concerns there. So how many data centers should we have in North America versus Africa? What does the decision that we come to say about how we value different users in different parts of the world? 

As computer scientists, we have to accept this idea: we don't know everything, close to everything, but not everything, right? And so one of the important aspects of this embedded ethics program is that we bring in philosophers and collaborate with them and help use their knowledge to ground our discussions of these philosophical challenges in computer science.   

Cindy: Do you have any success stories yet, or is it just too early?

James: Well, some of the success stories involve students saying I was thinking about going to company X, but now I've actually decided not to go there because I've actually thought about what these companies are doing. I'm not here to name or shame, but suffice it to say that I think that's a really big metric for success  And we're actually trying to look at assessment instruments, talk to people from sociology or whatnot who know how to assess effectiveness and then tweak pedagogical programs to make sure that we're actually having the impact that we want.

Cindy: Well, I hope that means that we're going to have a whole bunch of these students beat a path to EFF's door and want to come and do tech for good with us because we've been doing it longer than anyone.

Danny: “How to Fix the Internet” is supported by The Alfred P. Sloan Foundation’s Program in Public Understanding of Science. Enriching people’s lives through a keener appreciation of our increasingly technological world and portraying the complex humanity of scientists, engineers, and mathematicians.

Cindy: We're landing some societal problems on the shoulders of individual computer scientists and expecting them to kind of incorporate a lot of things that really are kind of built into our society like the venture capital interest in creating new products as quickly as possible, the profit motive or these other things. And I'm just wondering how poor little ethics can do standing up against some of these other forces.

James: I think sort of the high level sort of prompts is late stage capitalism, what do we do about it?

Cindy: Fair enough.

James: You are right there. And alas, I don't have immediate solutions to that problem.

Cindy: But you're supposed to be the philosopher king, my friend.

James: Fair enough. So you're right. I think that there's not like a magic trick we can do where we can say, oh, well, we'll just teach computer scientists and ethics and then all of a sudden the incentives for VCs will be changed because the incentives for VCs are make a lot of money, frequently make a lot money over the short term. They are not incentivized by the larger economy to act differently. But I think that the fact that better trained engineers can't solve all problems shouldn't prevent us from trying to help them to solve some problems. 

I think that there's a lot of good that those types of engineers can do and try to start changing some of these alignments. And there's a responsibility that should come with making products that affect potentially millions of people. So I sometimes hear this from students though. You're exactly right. Sometimes they'll say it's not my job to change sort of the larger macroeconomic incentive structures that make various things happen.

But then I say, well, but what are some of the biggest drivers of those macroeconomic incentive structures? It's tech companies. When you look at sort of stock market valuations and economic influence, it's these companies that you, the student, will be going to, that are helping to shape these narratives. And also too, it's you, the students, you'll go out, you'll vote. You'll think about ballot referendums, things like that. So there are things that we all have the responsibility to think about and to do individually, even though any one of us can't just sort of snap our fingers and make the change be immediate. We have to do that because otherwise society falls apart.

Danny: So some of this discussion assumes that we have like universal ethics that we all agree on, but I think there's always, I mean, part of the challenge in society is that we have room to disagree. Is there a risk that if we inject this sort of precautionary principle into what we are doing, we're actually missing out on some of the benefits of this rapid change? If we hold back and go, well, maybe we shouldn't do this, we're excluding the chance that these things will actually make society much, much better for everyone?

James: As an engineer trying to design a system to be "value neutral", that in and of itself is an ethical decision. You've made the decision to say like not considering social or economic factors X, Y, and Z is the right thing to do. That is an ethical decision. And so I think a lot of engineers though, they fall into that fallacy. They say, well, I'm just going to focus on the code. I'm just going to focus on the thing I'm going to build. And it'll be the users of that software that have to determine how to use it ethically or not.

But that argument is that just doesn't work.  The mere fact that people may disagree over values does not absolve us of the responsibility from thinking about those values nonetheless.

Cindy: To me, especially in a situation in which you're building something that's going to impact people who aren't involved in the building of it, right? I mean, you can build your own machine learning to tell you what you want about your life. And I don't have much to say about that, but a lot of these systems are making decisions for people who have no input whatsoever into how these things are being built, no transparency into how they're working and no ability to really interrogate the conclusions that are made. And to me, that's where it gets the riskiest.

James: I often turn to existential philosophy in cases like this. For the listeners who aren't familiar with philosophy, or think that it's all very obtuse, that's true about some of it. But if you read the existentialists, it's quite beautiful, a lot of the prose. It's just really fun to read, and it has these really impactful observations. And one of my favorite passages is from this guy, Kierkegaard. And Kierkegaard's talking about sort of like this burden of choice that we have. And he has this really beautiful metaphor where he says we are each the captain of our own ship.

And even if we choose not to put our hand on the rudder to point the ship in some direction, the wind will nevertheless push us towards some shore. And so in deciding where you want to go, you make a decision. If you decide not to make an active decision about where to sail your boat, you're basically deciding I will let the wind tell me where to go. The metaphor is telling us that your boat's still going to go in some direction even if you don't actively become the captain of it.

And I think about that a lot, because a lot of engineers want to abdicate themselves with the responsibility for being the captain of their own boat. And they say, I'm just going to focus on the boat and that's it. But in this metaphor sort of society and built in biases and things like that, those are the winds. Those are the currents. And they're going to push your product. They're going to push your software towards some shore and that's going to happen regardless of whether you think that's going to happen or not. So we really have this responsibility to choose and decide.

Danny: I hate to follow Kierkegaard with Stan Lee, but is that with great power comes great responsibility. And I wonder if part of these ethical discussions is whether that's not the problem. That you are asking engineers and the creators of this technology to make ethical decisions sort of that will affect the rest of society. And the problem is that actually it should be the rest of society that makes those decisions and not the engineers   maybe the harder work is to spread that power more equally and give everyone a little element of being an engineer like that they can change the technology in front of them. 

James: I think that what you're talking about sort of at a broad level is governance. How do we do governance of online systems? And it's a mess right now. It's a combination of internal company policies, which are not made public, external, that is to say publicly visible policies regulation, the behavior of individual users on the platform. And it's a big mess. Because I think that right now, a lot of times what happens is a disaster happens and then all of a sudden there's some movement by both the companies and maybe regulators to change something thing, and then that'll be it for a bit. And then things kind of creak along then another disaster happens. So it'd be nice to think about, in a more systemic way, how we should govern these platforms. 

Cindy: As a free speech, fourth amendment lawyer, having governments have more say over the things that we say in our privacy and those kinds of things, well, that hasn't always worked out all that well for individual rights either, right? But we have these gigantic companies. They have a lot of power and it's reasonable to think, well, what else has a lot of power that might be able to be a check on them? Well, there's government. And that's all true, but the devil really is in the details and we worry as much about bad corporate behavior as we do bad governmental behavior. And you have to think about both. 

Cindy: So let's say you're the philosopher king or in your great new world, what does it look like for me as a user in this future world?

James: I think one important aspect is more transparency about how your data is used, who it gets shared with, what is the value that companies are getting from it. And we're moving a little bit in that direction slowly but surely. Laws like GDPR, CCPA, they're trying to slowly nudge us in this direction. It's a very hard problem though, as we all know. I mean, engineers may not fully understand what their systems do. So then how are they going to explain that in a transparent way to users. But in sort of this utopia, that's an important aspect of online services. There's more transparency in how things work. I think there's also more consent in how things work. So these things go hand in hand. So users would have more of an ability to opt into or opt out of various manipulations or sharings of their data.

Once again, we're starting to go a little bit closer towards that. I think we can do much, much more. I think that in terms of content moderation, I think, and this is going to be tricky, it's going to be hard, this speaks to sort of Cindy's observations about, well, we can't fully trust government or the companies. But in my opinion, I mean, I'm the philosopher king in this experiment. So in my opinion, what I want to have is I want to have a floor that defines sort of minimal standards for protections against hate speech, harassment, things like that. Of course, the devil's in the details. But I think that's actually something that we don't really have right now. There's also this important aspect of having, like, educated citizens, right? So having more technical education and technical literacy for laypeople so that they can better understand the consequences of their actions.

Cindy: That we know what choices we're making, we're in charge of these choices and have actual choices, I think are all tremendously important. EFF has worked a lot around adversarial interoperability and other things which are really about being able to leave a place that isn't serving you. And to me, that's got to be a piece of the choice. A choice that doesn't really let you leave is not actually a choice.

James: As you may know, there have been some recent proposals that want to solve this portability issue essentially by saying, let's have users store all their data on user owned machines and then the companies have to come to us for permission to use that data. There's a sort of push and pull there in terms of, on the one hand wanting to give people literal power over their data, such that it's actually their machines that are storing it versus saying, well, if I look at like the computers that are administered by my relatives, for example, who are not computer scientists, these computers are offline all the time. They've got like terrible, ridiculous programs on them. They're not reliable. Now in contrast, you look at a data center, that's administered by paid professionals whose job it is to keep those machines online. So there's an advantage to using that model.

Do we want to still keep our data in centralized places, but then make sure there's plumbing to move stuff between those centralized places or do we want to, in the extreme, go towards this peer to peer decentralized model and then lose some of the performance benefits we get from the data center model?

Cindy: That's a good articulation of some of the trade-offs here. And of course the other way to go is kind of on the lawyer side of things is a duty of care that people who hold your data have a fiduciary or something similar kind of duty to you in the same way that your accountant or lawyer might have. So they have your data, but they don't have the freedom to do with it what they want. In fact, they're very limited in what they can do with it.  I feel very optimistic in a certain way that there are mechanisms on the technical side and the non-technical side to try to get us to this kind of control. Again, none of them are without trade-offs, but they exist all across the board.

James: Yes. And I think an interesting area of research, it's an area that I'm a bit interested in myself, is what are specific technical things that software developers can do to provide obvious compliance with legal regulations. Because these laws, they're just like any human creation. They can be vague or ambiguous in some cases, they can be difficult to implement. 

And I think that part of this gets down to having these different communities talk to each other. One reason it's difficult for computer scientists to write code that complies with legal requirements is that we don't understand some of these legal requirements. The lawyers need to learn a little bit more about code and the computer scientists need to learn a little bit more about the law.

Cindy: It's also the case, of course, that sometimes laws get written without a clear idea of how one might reduce it to ones and zeros. And so that may be a bug if you're a computer scientist, it might be a feature if you're a lawyer, right? Because then we let judges sort out in the context of individual situations what things really mean. 

James: So one of the gifts of the philosopher king to lure people under these semantic morasses 

Cindy: Thank you so much king.

James: No problem of course. It's been great sitting here chatting with you. Let me return back to my kingdom.

Danny: James Mickens, thank you very much.

James: Thank you.

Cindy: Well, James teaches computer science at Harvard, so it's right that his focus is on education and personal ethics and transparency. This is the work of the computer scientists. And I appreciate that he's working and thinking hard about how we build more ethical builders and also that he's recognizing that we need to kind of move beyond the silos that computer science often finds itself in and reach out to people with other kinds of expertise, especially philosophy. But we also heard from him about the importance of the role of the impacted community, which is something we've heard over and over again in this podcast and the need to make sure that the people who are impacted by technology understand how it works and have a voice.

Danny: It wasn't just sort of this literally academic kind of discussion. He had some practical points too, I mean, for instance, that if we do need to improve things and fix things, we found some ways of doing incremental security improvements like HTTPS, but some really have to overcome a lot of tech debt. And I don't think we're going to be in a situation where we can ask people not to book airplane tickets while we fix the fundamentals, which again, points out to what he's saying, which is that we need to get this stuff right earlier rather than later in this process.

Cindy: And I loved hearing about this embedded ethics program that he's working on at Harvard and at other places and the idea that we need to build ethics into every class and every situation, not just something we tack on separately at the end, I think is a very good start. And of course, if it leads to a line of students who want to do ethical tech beating their way to EFFs doors, that would be an extra bonus for us.

Danny: It does make everything a little bit more complicated to think of ethics and the wider impact. I mean, I did take on board his comparison of the ease of building a centralized internet, which might have deleterious effects on society with the obvious solution, which is to decentralize things. But you have to make that just as easy to use for the end user and then somebody who's hacking away trying to build a decentralized web, that's something I definitely took personally and will take on board.

Cindy: There's trade-offs everywhere you go. And I think in that way, James is just a true educator, right? He's requiring us all to look at the complexities in all directions so that we can really bring all those complexities into thinking about the solutions we embrace. After this conversation, I kind of want to live in the world where James is our philosopher king.

Danny: Thanks to you, James Mickens, our supreme leader, and thank you for listening today. Please visit eff.org/podcast for other episodes, or to become a member. Members are the only reason we can do this work. Plus you can get cool stuff like an EFF hat or an EFF hoodie, or even an EFF camera cover for your laptop. Music for How to Fix the Internet was created for us by Reed Mathis and Nat Keefe of BeatMower. This podcast is licensed Creative Commons Attribution 4.0 International and includes music licensed under the Creative Commons Attribution 3.0 Unported license by their creators. You can find those creators' names and links to their music in our episode notes or on our website at eff.org/podcast. How to Fix the Internet is supported by the Alfred P. Sloan Foundation's Program in Public Understanding of Science and Technology. I'm Danny O'Brien.

Cindy: And I'm Cindy Cohn.

 

 

James Mickens is a professor of computer science at the Harvard School of Engineering and Applied Sciences and a director at the Berkman Klein Center for Internet and Society. He studies how to make distributed systems faster, more robust, and more secure; much of his work focuses on large-scale web services, and how to design principled system interfaces for those services. Before Harvard, he spent seven years as a researcher at Microsoft; he was also a visiting professor at MIT. Mickens received a B.S. from the Georgia Institute of Technology and a Ph.D. from the University of Michigan, both in computer science.

Josh Richman