Communities from around the world have been demonstrating that they are not only capable of building solutions for the digital divide, they can also do it while seeding important social changes. Welcome to the 53rd monthly round-up of developments impacting your local access networks and community-based initiatives.Language English
International Coalition of Rights Groups Call on Internet Infrastructure Providers to Avoid Content Policing
San Francisco—Internet infrastructure services—the heart of a secure and resilient internet where free speech and expression flows—should continue to focus their energy on making the web an essential resource for users and, with rare exceptions, avoid content policing. Such intervention often causes more harm than good, EFF and its partners said today.
EFF and an international coalition of 56 human and digital rights organizations from around the world are calling on technology companies to “Protect the Stack.” This is a global effort to educate users, lawmakers, regulators, companies, and activists about why companies that constitute basic internet infrastructure—such as internet service providers (ISPs), certificate authorities, domain name registrars, hosting providers, and more—and other critical services, such as payment processors, can harm users, especially less powerful groups, and put human rights at risk when they intervene to take down speech and other content. The same is true for many other critical internet services.
EFF today launched the Protect the Stack website at the Internet Governance Forum in Addis Ababa, Ethiopia. The website introduces readers to “the stack,” and explains how content policing practices can and have caused risks to the human rights. It is currently available in English, Spanish, Arabic, French, German, Portuguese, Hebrew, and Hindi.
"Internet infrastructure companies help make the web a safe and robust space for free speech and expression," said EFF Legal Director Corynne McSherry. "Content-based interventions at the infrastructure level often cause collateral damage that disproportionately harms less powerful groups. So, except in rare cases, stack services should stay out of content policing."
“We have seen a number of cases where content moderation applied at the internet’s infrastructural level has threatened the ability of artists to share their work with audiences,” said Elizabeth Larison, Director of the Arts and Culture Advocacy Program at the National Coalition Against Censorship. “The inconsistency of those decisions and the opaque application of vague terms of service have made it clear that infrastructure companies have neither the expertise nor the resources to make decisions on content.”
Infrastructure companies are key to online expression, privacy, and security. Because of the vital role they play in keeping the internet and websites up and running, they are increasingly under pressure to play a greater role in policing online content and participation, especially when harmful and hateful speech targets individuals and groups.
But doing so can have far-reaching effects and lead to unintended consequences that harm users. For example, when governments force ISPs to disrupt the internet for an entire country, people can no longer message their loved ones, get news about what’s happening around them, or speak out.
Another example is domain name system (DNS) abuse, where the suspension and deregistration of domain names is used as a means to stifle dissent. ARTICLE 19 has documented multiple instances of “DNS abuse” in Kenya and Tanzania.
Moreover, at the platform level, companies that engage in content moderation consistently reflect and reinforce bias against marginalized communities. Examples abound: Facebook decided, in the midst of the #MeToo movement’s rise, that the statement “men are trash” constitutes hateful speech. In addition, efforts to police “extremist” content by social media platforms have caused journalists’ and human rights defenders’ work documenting terrorism and other atrocities to be blocked or erased. There’s no reason to expect that things will be any different at other levels of the stack, and every reason to expect they will be worse.
A safe and secure internet helps billions of people around the world communicate, learn, organize, buy and sell, and speak out. Stack companies are the building blocks behind the web, and have helped keep the internet buzzing for businesses, families, and students during the COVID-19 and for Ukrainians and Russians during the war in Ukraine. We need infrastructure providers to stay focused on their core mission: supporting a robust and resilient internet.
For more information: https://protectthestack.org/Contact: CorynneMcSherryLegal Directorcorynne@eff.org
The Hidden Codes that Shape Our Expression: Understanding How Social Media Algorithms Obstruct Feminist Expression and How Malaysian Women Navigate the Challenges
This research intends to better understand the barriers and biases resulting from algorithms in women’s access to freedom of opinion and expression, and to examine how they navigate these algorithms to create the much-needed space to speak out, to be heard, and to occupy digital spaces.
A company harvested your personal data, but failed to take basic steps to secure it. So thieves stole it. Now you’ve lost control of your data, and you’re at greater risk of identity theft. But when you sue the negligent company, they say you haven’t really been injured, so you don’t belong in court – not unless you can prove a specific economic harm on top of the obvious privacy harm.
We say “no way.” Along with our friends at EPIC, and with assistance from Morgan & Morgan, EFF recently filed an amicus brief arguing that negligent data breaches inflict grievous privacy harms in and of themselves, and so the victims have “standing” to sue in federal court – without the need to prove more. The case, In re Marriott Customer Data Breach, arises from the 2018 breach of more than 130 million records from the hotel company’s reservation system. This included guests’ names, phone numbers, payment card information, travel destinations, and more. We filed our brief in the federal appeals court for the Fourth Circuit, which will decide whether the plaintiff class certified by the lower court shares a class-wide injury.
Our brief explains that once personal data is stolen, it can be used against the breach victims for identity theft, ransomware attacks, and to send unwanted spam. The risk of these attacks causes psychological injury, including anxiety, depression, and PTSD. To avoid these attacks, breach victims must spend time and money to freeze and unfreeze their credit reports, to monitor their credit reports, and to obtain identity theft prevention services.
Courts have long granted standing to sue over harms like these. Intrusion upon seclusion and other privacy torts are more than a century old. As the U.S. Supreme Court has recognized: “both the common law and literal understanding of privacy encompass the individual’s control of information concerning [their] person.”
Further, the harms from a single data breach must be understood in the context of the larger data broker ecology. As we explain in our amicus brief:
Data breaches like the Marriott data breach cannot be considered individually. Once data has been disclosed from databases such as Marriott’s, it is often pooled with other information, some gathered consensually and legally and some gathered from other data breaches or through other illicit means. That pooled information is then used to create inferences about the affected individuals for purposes of targeted advertising, various kinds of risk evaluation, identity theft, and more. Thus, once individuals lose control over personal data that they have entrusted to entities like Marriott, the kinds of harms can grow and change in ways that are difficult to predict. Also, it can be onerous, if not impossible, for an ordinary individual to trace these harms and find appropriate redress.Standing doctrine gone wrong
Under the current standing doctrine, your privacy is violated – and so you have standing to sue – when your data leaves the custody of a company that is supposed to protect it. So In re Marriott is an easy case for the Fourth Circuit.
But make no mistake, the U.S. Supreme Court has wrongly narrowed the standing doctrine in recent data privacy cases, and it should reverse course. These cases are Spokeo v. Robins (2016) and TransUnion v. Ramirez (2021). They hold that to have standing, a person seeking to enforce a data privacy law must show a “concrete” injury. This includes “intangible harms” that have “a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,” such as “reputational harms, disclosure of private information, and intrusion upon seclusion.”
In TransUnion, the credit reporting company violated the Fair Credit Reporting Act by negligently and falsely labeling some 8,000 people as potential terrorists. The Court held that some 2,000 of them suffered concrete injury, and thus had standing, because the company disclosed this dangerous information to others. Unfortunately, the Court also held that the remaining people lacked standing, because the company unlawfully made this dangerous information available to employers and other businesses, but did not actually disclose it to them.
We disagree. As we argued in amicus briefs in TransUnion and Spokeo (and have argued elsewhere), we need broader standing for private enforcement of data protection laws, not narrower. Our personal data, and the ways private companies harvest and monetize it, play an increasingly powerful role in modern life. Corporate databases are vast, interconnected, and opaque. The movement and use of our data is difficult to understand, let alone trace. Yet companies use it to reach inferences about us, leading to lost employment, credit, and other opportunities. In this data ecosystem, all of us are increasingly at risk from wrong, outdated, or incomplete information, yet it is increasingly hard to trace the causation from bad data to bad outcomes.
Congress made a sound judgment in the Fair Credit Reporting Act that a person should be able to sue a data broker that negligently compiled a dossier about them containing dangerously false information, and then made that dossier available to others. Four Justices in TransUnion would have deferred to Congress, but the majority thought it knew better.
So, even though TransUnion provides standing to the many millions of people harmed by data breaches, including Marriott’s, the Court still must revisit and overrule TransUnion.
You can read our In re Marriott amicus brief here.
東京都若者ワクチン接種センター、開設初日の混乱を受けて 2 日目から抽選方式に変更 2021年08月28日