Law

Internet Service Providers Plan to Subvert Net Neutrality. Don’t Let Them

In the absence of strong net neutrality protections, internet service providers (ISPs) have made all sorts of plans that would allow them to capitalize on something called "network slicing." While this technology has all sorts of promise, what the ISPs have planned would subvert net neutrality—the principle that all data be treated equally by your service provider—by allowing them to recreate the kinds of “fast lanes” we've already agreed should not be allowed. If their plans succeed, then the new proposed net neutrality protections will end up doing far less for consumers than the old rules did.

The FCC released draft rules to reinstate net neutrality, with a vote on adopting the rules to come on the 25th of April. Overall, the order is a great step for net neutrality. However, to be truly effective the rules must not preempt states from protecting their residents with stronger laws, and they must clearly find that the creation of “fast lanes” via positive discrimination and unpaid prioritization of specific applications or services is a violation of net neutrality.

Fast Lanes and How They Could Harm Competition

Since “fast lanes” aren’t a technical term, what do we mean when we are talking about a fast lane? To understand, it is helpful to think about data traffic and internet networking infrastructure like car traffic and public road systems. As roads connect people, goods, and services across distances, so does network infrastructure allow for data traffic to flow from one place to another. And just as a road with more capacity in the way of more lanes theoretically means the road can support more traffic moving at speed [1], internet infrastructure with more “lanes” (i.e. bandwidth) should mean that a network can better support applications like streaming services and online gaming.

Individual ISPs have a maximum network capacity, and speed, of internet traffic they can handle. To continue the analogy, the road leading to your neighborhood has a set number of lanes. This is why the speed of your internet may change throughout the day. At peak hours your internet service may slow down because too much requested traffic is clogging up the lanes.

It’s not inherently a bad thing to have specific lanes for certain types of traffic. Actual fast lanes on freeways can ease congestion by not making faster moving vehicles compete for space with slower moving traffic, and having exit and entry lanes on freeways also allows cars to perform specialized tasks without impeding other traffic. A lane only for buses isn’t a bad thing as long as every bus gets equal access to that lane and everyone has equal access to riding those buses. Where this becomes a problem is if there is a special lane only for Google buses, or for consuming entertainment content instead of participating in video calls. In these scenarios you would be increasing the quality of certain bus rides at the expense of degraded service for everyone else on the road.

An internet “fast lane” would be the designation of part of the network with more bandwidth and/or lower latency to only be used for certain services. On a technical level, the physical network infrastructure would be split amongst several different software defined networks with different use cases using network slicing. One network might be optimized for high bandwidth applications such as video streaming, another might be optimized for applications needing low latency (e.g. a short distance between the client and the server), and another might be optimized for IoT devices. The maximum physical network capacity is split among these slices. To continue our tortured metaphor, your original six lane general road is now a four lane general road with two lanes reserved for, say, a select list of streaming services. Think dedicated high speed lanes for Disney+, HBO, and Netflix, but those services only. In a network neutral construction of the infrastructure, all internet traffic shares all lanes, and no specific app or service is unfairly sped up or slowed down. This isn’t to say that we are inherently against network management techniques like quality of service or network slicing. But it’s important that quality of service efforts be undertaken, as much as possible, in an application agnostic manner.

The fast lanes metaphor isn’t ideal. On the road, having fast lanes is a good thing: it can protect slower and more cautious drivers from dangerous driving and improve the flow of traffic. Bike lanes are a good thing because they make cyclists safer and allow cars to drive more quickly without having to navigate around them. But with traffic lanes it’s the driver, not the road, that decides which lane they belong in (with penalties for doing obviously bad faith things such as driving in the bike lane).

Internet service providers (ISPs) are already testing their ability to create these network slices. They already have plans to create market offerings where certain applications and services, chosen by them, are given exclusive reserved fast lanes while the rest of the internet must shoulder its way through what is left. This kind of network slicing is a violation of net neutrality. We aren’t against network slicing as a technology; it could be useful for things like remote surgery or vehicle to vehicle communication, which require low latency connections and are in the public interest, and which are separate offerings and not part of the broadband services covered in the draft order. We are against network slicing being used as a loophole to circumvent principles of net neutrality.

Fast Lanes Are a Clear Violation of Net Neutrality

Where net neutrality is the principle that all ISPs should treat all legitimate traffic coming over their networks equally, discriminating between certain applications or types of traffic is a clear violation of that principle. When fast lanes speed up certain applications or certain classes of applications, they cannot do so without having a negative impact on other internet traffic, even if it’s just by comparison. This is throttling, plain and simple.

Further, because ISPs choose which applications or types of services get to be in the fast lane, they choose winners and losers within the internet, which has clear harms to both speech and competition. Whether your access to Disney+ is faster than your access to Indieflix because Disney+ is sped up or because Indieflix is slowed down doesn’t matter because the end result is the same: Disney+ is faster than Indieflix and so you are incentivized to use Disney+ over Indieflix.

ISPs should not be able to harm competition even by deciding to prioritize incumbent services over new ones, or that one political party’s website is faster than another’s. It is the consumer who should be in charge of what they do online. Fast lanes have no place in a network neutral internet.

[1] Urban studies research shows that this isn’t actually the case; still, it remains the popular wisdom among politicians and urban planners.

Categories: Transparency, Privacy, Law

EFF, Human Rights Organizations Call for Urgent Action in Case of Alaa Abd El Fattah

Following an urgent appeal filed to the United Nations Working Group on Arbitrary Detention (UNWGAD) on behalf of blogger and activist Alaa Abd El Fattah, EFF has joined 26 free expression and human rights organizations calling for immediate action.

The appeal to the UNWGAD was initially filed in November 2023 just weeks after Alaa’s tenth birthday in prison. The British-Egyptian citizen is one of the most high-profile prisoners in Egypt and has spent much of the past decade behind bars for his pro-democracy writing and activism following Egypt’s revolution in 2011.

EFF and Media Legal Defence Initiative submitted a similar petition to the UNWGAD on behalf of Alaa in 2014. This led to the Working Group issuing an opinion that Alaa’s detention was arbitrary and calling for his release. In 2016, the UNWGAD declared Alaa's detention (and the law under which he was arrested) a violation of international law, and again called for his release.

We once again urge the UN Working Group to urgently consider the recent petition and conclude that Alaa’s detention is arbitrary and contrary to international law. We also call for the Working Group to find that the appropriate remedy is a recommendation for Alaa’s immediate release.

Read our full letter to the UNWGAD and follow Free Alaa for campaign updates.

Categories: Transparency, Privacy, Law

Congress: Don't Let Anyone Own The Law

We should all have the freedom to read, share, and comment on the laws we must live by. But yesterday, the House Judiciary Committee voted 19-4 to move forward the PRO Codes Act (H.R. 1631), a bill that would limit those rights in a critical area. 

A few well-resourced private organizations have made a business of charging money for access to building and safety codes, even when those codes have been incorporated into law. 

These organizations convene volunteers to develop model standards, encourage regulators to make those standards into mandatory laws, and then sell copies of those laws to the people (and city and state governments) that have to follow and enforce them.

They’ve claimed it’s their copyrighted material. But court after court has said that you can’t use copyright in this way—no one “owns” the law. The Pro Codes Act undermines that rule and the public interest, changing the law to state that the standards organizations that write these rules “shall retain” a copyright in it, as long as the rules are made “publicly accessible” online. 

That’s not nearly good enough. These organizations already have so-called online reading rooms that aren’t searchable, aren’t accessible to print-disabled people, and condition your ability to read mandated codes on agreeing to onerous terms of use, among many other problems. That’s why the Association of Research Libraries sent a letter to Congress last week (supported by EFF, disability rights groups, and many others) explaining how the Pro Codes Act would trade away our right to truly understand and educate our communities about the law for cramped public access to it. Congress must not let well-positioned industry associations abuse copyright to control how you access, use, and share the law. Now that this bill has passed committee, we urgently need your help—tell Congress to reject the Pro Codes Act.

Categories: Transparency, Privacy, Law

WODC to Study the Right to Demonstrate

Mr. Online (legal news) - 19 April 2024 - 4:09pm

The study will be carried out by the Wetenschappelijk Onderzoek- en Datacentrum (WODC), the outgoing ministers De Jonge (Interior) and Yeşilgöz (Justice and Security) have informed the House of Representatives (Tweede Kamer).

Sufficient alignment

The study will examine whether the current rules and conditions are still sufficiently aligned with current developments. The bodies involved in making demonstrations possible and in ensuring that they proceed safely will take part in the study: mayors, the Public Prosecution Service and the police.
The study focuses on two kinds of situations: actions in which demonstrators deliberately push or even cross the limits of the law, and demonstrations in which other fundamental rights or national security may be at stake.

Blocking motorways

Certain groups of demonstrators deliberately break the law, often with the aim of attracting as much attention as possible and thereby influencing policy. Examples include blocking a motorway, occupying parts of airports, or causing dangerous traffic situations by starting fires on or alongside motorways. Such demonstrations can lead to dangerous situations and require a large police deployment.
Because demonstrations of this kind are also on the rise in other countries, the researchers will look at how such demonstrations are dealt with elsewhere.

Fundamental rights

There are also actions in which demonstrators do not directly break any rules, but which can nevertheless be at odds with the fundamental rights of others, for example protests at the homes of politicians or at an abortion clinic. The right to demonstrate can then come into tension with the right to protection of private life. The local authorities can restrict a demonstration if that is necessary for road safety or public health, or to combat or prevent disorder. Other fundamental rights can be taken into account only to a limited extent. The study is to map out how other countries deal with demonstrations of this kind.

National security

Sometimes demonstrations can have consequences for national security. Recently a Quran burning was banned by Arnhem's mayor Marcouch for fear of disorder. Reference was also made to the possible impact on national security. The researchers will therefore also examine how other countries deal with national security as a ground for possible restrictions on demonstrations. The Constitution and the European Convention on Human Rights form the starting point for this study.

The post "WODC gaat onderzoek doen naar het demonstratierecht" first appeared on Mr. Online.

Categories: Law

The Rapping Counsel Is Back

Mr. Online (legal news) - 19 April 2024 - 9:00am

“One for the knowledge, two for the fun, three for bravado, four pour l’amour” – MC Prak$ still knows better than anyone how to cultivate yuppiedom with the necessary irony. But alongside the chest-beating inherent to the genre, the new work also leaves plenty of room for self-mockery. “Five for the passion, my little laptop bag. I'm just a clown too; like Bassie”, is how the lawyer at Loyens & Loeff describes his unpretentious self.

No longer single

Behold the natural sequel to his debut album Rappende Raadsman from 2023. In the new single ‘Bassie’, the no-longer-bachelor reflects on the onset of the nesting urge. He recently moved in with his partner and is discovering more and more of a soft side in himself. Still “cool as a pear, sharp as a spear and as strong as a bear, but preferring to be as cozy as can be.” The rap of the smooth-talking Randstad native embraces everything that used to seem deadly dull. “You get me?! Throw those hiking boots at me.” Prakke wants his potatoes on the table by six o'clock.

Butterflies in the stomach

And yet old habits sometimes die hard. In the twilight phase between extended student days and settled life, the 29-year-old still occasionally longs for nocturnal escapades. On the B-side ‘Gut Feeling’ he describes the recurring urge to paint the town red. “Brakes off, blowing off steam, leaving paradoxes behind – status quo can't be maintained.” And so fans can still run into him in Amsterdam's nightlife: “There are quite a few loopholes in how this heute Abend develops, because this heute Abend is still im Frage.”

Raising the roof

Fortunately, there is no shortage of festivities. “During the Album Release Party in June last year, the figurative roof was blown off a packed Akhnaton in Amsterdam”, a proud Prakke tells Mr. After a sunny kick-off with a glass of bubbly, the party went on into the small hours and there were several performances. Naturally by MC Prak$ and his producer Robijntje themselves, but also by fellow rappers Jong Louis and Meester Hidde (not in law, but geography at the Lumion in Amsterdam-West).

This autumn, Prak$’s second record Rappende Raadsman II will also be launched in grand style, he announces in advance.

The post "De rappende raadsman is terug" first appeared on Mr. Online.

Categories: Law

There's a backdoor in my NAS, can I get my money back?

IusMentis - 19 April 2024 - 8:15am

A reader asked me: I'm dealing with the following. I have a D-Link NAS that contains a backdoor account. Now, I understand perfectly well that software and other products contain security vulnerabilities. But a backdoor account is really something you add yourself as a manufacturer. Can I hold a party like D-Link (and plenty of others, unfortunately) liable for this? Ideally I just want my money back or a product without a backdoor. There was indeed a recent warning about this: “It concerns a command injection vulnerability and the use of hardcoded credentials, or a ‘backdoor account’ as D-Link calls it. Through the vulnerabilities, an attacker can execute arbitrary commands on the NAS system without authentication, which can lead to access to sensitive information, modification of the system configuration or a denial of service.”

The hardcoded credentials were not a deliberate feature but a piece of sloppiness: behind them is a typical Unix construct that simply was not implemented properly. But ultimately it does not matter whether it was intent, recklessness, carelessness or something else. The backdoor is there and the product is therefore not secure, so what can you do about it as a consumer?

The simple answer is of course: you may expect a product to meet reasonable expectations. That does not mean it is always 100% free of errors and backdoors; you have to look at how the product is marketed, how easy the flaw is to exploit and to what extent D-Link should have foreseen this. Not every flaw is a lack of conformity.

Still, I think that with an enormous impact like the one here, you do have a good case that the product does not meet reasonable expectations. Getting in that easily should not be possible with such an important product. But this quickly becomes a difficult technical discussion, one you will not easily resolve when the other party is paid to disagree with you.

In the near future, laws such as the Cyber Resilience Act will make this a good deal easier to tackle. They make updates and a quality security process mandatory. There is then little nuance left if a security flaw slips through anyway.

Finally, you are of course left with the age-old problem in consumer law that the shop (which is the party you have to approach and which is legally obliged to refund your money, now that repair is no longer an option because the NASes are end-of-life) simply refuses to do so, usually with an excuse such as “it only has a 2-year warranty” or “the light comes on so it isn't broken”. And after that, security comes to remove you, because raising your voice triggers Protocol Difficult Customer. So it can be quite a job to get your rights as a consumer, and the question is always whether that is worth it given the price of the thing.

Arnoud

The post "Er zit een backdoor in mijn NAS, mag ik mijn geld terug?" first appeared on Ius Mentis.

Two Years Post-Roe: A Better Understanding of Digital Threats

It’s been a long two years since the Dobbs decision to overturn Roe v. Wade. Between May 2022 when the Supreme Court accidentally leaked the draft memo and the following June when the case was decided, there was a mad scramble to figure out what the impacts would be. Besides the obvious perils of stripping away half the country’s right to reproductive healthcare, digital surveillance and mass data collection caused a flurry of concerns.

Although many activists fighting for reproductive justice had been operating under assumptions of little to no legal protections for some time, the Dobbs decision was for most a sudden and scary revelation. Everyone implicated in that moment somewhat understood the stark difference between pre-Roe 1973 and post-Roe 2022; living under the most sophisticated surveillance apparatus in human history presents a vastly different landscape of threats. Since 2022, some suspicions have been confirmed, new threats have emerged, and overall our risk assessment has grown smarter. Below, we cover the most pressing digital dangers facing people seeking reproductive care, and ways to combat them.

Digital Evidence in Abortion-Related Court Cases: Some Examples

Social Media Message Logs

A case in Nebraska resulted in a woman, Jessica Burgess, being sentenced to two years in prison for obtaining abortion pills for her teenage daughter. Prosecutors used a Facebook Messenger chat log between Jessica and her daughter as key evidence, bolstering the concerns many had raised about using such privacy-invasive tech products for sensitive communications. At the time, Facebook Messenger did not have end-to-end encryption.

In response to criticisms about Facebook’s cooperation with law enforcement that landed a mother in prison, a Meta spokesperson issued a frustratingly laconic tweet stating that “[n]othing in the valid warrants we received from local law enforcement in early June, prior to the Supreme Court decision, mentioned abortion.” They followed this up with a short statement reiterating that the warrants did not mention abortion at all. The lesson is clear: although companies do sometimes push back against data warrants, we have to prepare for the likelihood that they won’t.

Google: Search History & Warrants

Well before the Dobbs decision, prosecutors had already used Google Search history to indict a woman for her pregnancy outcome. In this case, it was keyword searches for misoprostol (a safe and effective abortion medication) that clinched the prosecutor’s evidence against her. Google acquiesced, as it so often has, to the warrant request.

Related to this is the ongoing and extremely complicated territory of reverse keyword and geolocation warrants. Google has promised that it would remove from user profiles all location data history related to abortion clinic sites. Researchers tested this claim and it was shown to be false, twice. Late in 2023, Google made a bigger promise: it would soon change how it stores location data to make it much more difficult–if not impossible–for Google to provide mass location data in response to a geofence warrant, a change we’ve been asking Google to implement for years. This would be a genuinely helpful measure, but we’ve been conditioned to approach such claims with caution. We’ll believe it when we see it (and refer to external testing for proof).

Other Dangers to Consider

Doxxing

Sites propped up for doxxing healthcare professionals that offer abortion services are about as old as the internet itself. Doxxing comes in a variety of forms, but a quick and loose definition of it is the weaponization of open source intelligence with the intention of escalating to other harms. There’s been a massive increase in hate groups abusing public records requests and data broker collections to publish personal information about healthcare workers. Doxxing websites hosting such material are updated frequently. Doxxing has led to steadily rising material dangers (targeted harassment, gun violence, arson, just to name a few) for the past few years.

There are some piecemeal attempts at data protection for healthcare workers in more protective states like California (one which we’ve covered). Other states may offer some form of an address confidentiality program that provides people with proxy addresses. Though these can be effective, they are not comprehensive. Since doxxing campaigns are typically coordinated through a combination of open source intelligence tactics, they present a particularly difficult threat to protect against. This is especially true for government and medical industry workers whose information may be subjected to exposure through public records requests.

Data Brokers

Recently, Senator Wyden’s office released a statement about a long investigation into Near Intelligence, a data broker company that sold geolocation data to The Veritas Society, an anti-choice think tank. The Veritas Society then used the geolocation data to target individuals who had traveled near healthcare clinics that offered abortion services and delivered pro-life advertisements to their devices.

That alone is a stark example of the dangers of commercial surveillance, but it’s still unclear what other ways this type of dataset could be abused. Near Intelligence has filed for bankruptcy, but they are far from the only, or the most pernicious, data broker company out there. This situation bolsters what we’ve been saying for years: the data broker industry is a dangerously unregulated mess of privacy threats that needs to be addressed. It not only contributes to the doxxing campaigns described above, but essentially creates a backdoor for warrantless surveillance.

Domestic Terrorist Threat Designation by Federal Agencies

Midway through 2023, The Intercept published an article about a tenfold increase in federal designation of abortion-rights activist groups as domestic terrorist threats. This projects a massive shadow of risk for organizers and activists at work in the struggle for reproductive justice. The digital surveillance capabilities of federal law enforcement are more sophisticated than those of typical anti-choice zealots. Most people in the abortion access movement may not have to worry about being labeled a domestic terrorist threat, though for some that is a reality, and strategizing against it is vital.

Looming Threats

Legal Threats to Medication Abortion

Last month, the Supreme Court heard oral arguments challenging the FDA’s approval of and regulations governing mifepristone, a widely available and safe abortion pill. If the anti-abortion advocates who brought this case succeed, access to the most common medication abortion regimen used in the U.S. would end across the country—even in those states where abortion rights are protected.

Access to abortion medication might also be threatened by a 150 year old obscenity law. Many people now recognize the long dormant Comstock Act as a potential avenue to criminalize procurement of the abortion pill.

Although the outcomes of these legal challenges are yet-to-be determined, it’s reasonable to prepare for the worst: if there is no longer a way to access medication abortion legally, there will be even more surveillance of the digital footprints prescribers and patients leave behind. 

Electronic Health Records Systems

Electronic Health Records (EHRs) are digital transcripts of medical information meant to be easily stored and shared between medical facilities and providers. Since abortion restrictions are now dictated on a state-by-state basis, the sharing of these records across state lines presents a serious matrix of concerns.

As some academics and privacy advocates have outlined, the interoperability of EHRs can jeopardize the safety of patients when reproductive healthcare data is shared across state lines. Although the Department of Health and Human Services has proposed a new rule to help protect sensitive EHR data, it’s currently possible that data shared between EHRs can lead to the prosecution of reproductive healthcare.

The Good Stuff: Protections You Can Take

Perhaps the most frustrating aspect of what we’ve covered thus far is how much is beyond individual control. It’s completely understandable to feel powerless against these monumental threats. That said, you aren’t powerless. Much can be done to protect your digital footprint, and thus, your safety. We don’t propose reinventing the wheel when it comes to digital security and data privacy. Instead, rely on the resources that already exist and re-tool them to fit your particular needs. Here are some good places to start:

Create a Security Plan

It’s impossible, and generally unnecessary, to implement every privacy and security tactic or tool out there. What’s more important is figuring out the specific risks you face and finding the right ways to protect against them. This process takes some brainstorming around potentially scary topics, so it’s best done well before you are in any kind of crisis. Pen and paper works best. Here's a handy guide.

After you’ve answered those questions and figured out your risks, it’s time to locate the best ways to protect against them. Don’t sweat it if you’re not a highly technical person; many of the strategies we recommend can be applied in non-tech ways.

Careful Communications

Secure communication is as much a frame of mind as it is a type of tech product. When you are able to identify which aspects of your life need to be spoken about more carefully, you can then make informed decisions about who to trust with what information, and when. It’s as much about creating ground rules with others about types of communication as it is about normalizing the use of privacy technologies.

Assuming you’ve already created a security plan and identified some risks you want to protect against, begin thinking about the communication you have with others involving those things. Set some rules for how you broach those topics, where they can be discussed, and with whom. Sometimes this might look like the careful development of codewords. Sometimes it’s as easy as saying “let’s move this conversation to Signal.” Now that Signal supports usernames (so you can keep your phone number private), as well as disappearing messages, it’s an obvious tech choice for secure communication.

Compartmentalize Your Digital Activity

As mentioned above, it’s important to know when to compartmentalize sensitive communications to more secure environments. You can expand this idea to other parts of your life. For example, you can designate different web browsers for different use cases, choosing those browsers for the privacy they offer. One might offer significant convenience for day-to-day casual activities (like Chrome), whereas another is best suited for activities that require utmost privacy (like Tor).

Now apply this thought process towards what payment processors you use, what registration information you give to social media sites, what profiles you keep public versus private, how you organize your data backups, and so on. The possibilities are endless, so it’s important that you prioritize only the aspects of your life that most need protection.

Security Culture and Community Care

Both tactics mentioned above incorporate a sense of community when it comes to our privacy and security. We’ve said it before and we’ll say it again: privacy is a team sport. People live in communities built on trust and care for one another; your digital life is imbricated with others in the same way.

If a node on a network is compromised, it will likely implicate others on the same network. This principle of computer network security is just as applicable to social networks. Although traditional information security often builds from a paradigm of “zero trust,” we are social creatures and must work against that idea. It’s more about incorporating elements of shared trust and pushing for a culture of security.

Sometimes this looks like setting standards for how information is articulated and shared within a trusted group. Sometimes it looks like choosing privacy-focused technologies to serve a community’s computing needs. The point is to normalize these types of conversations, to let others know that you’re caring for them by attending to your own digital hygiene. For example, when you ask for consent to share images that include others from a protest, you are not only pushing for a culture of security, but normalizing the process of asking for consent. This relationship of community care through data privacy hygiene is reciprocal.

Help Prevent Doxxing

As touched on above in the “Other Dangers to Consider” section, doxxing can be a frustratingly difficult thing to protect against, especially when it’s public records that are being used against you. It’s worth looking into your state level voter registration records, whether that information is public, and how you can request that it be redacted (success may vary by state).

Similarly, although business registration records are publicly available, you can appeal to websites that mirror that information (like Bizapedia) to have your personal information taken down. This is of course only a concern if you have a business registration tied to your personal address.

If you work for a business that is susceptible to public records requests revealing sensitive personal information about you, there’s little to be done to prevent it. You can, however, apply for an address confidentiality program if your state has one. You can also do the somewhat tedious work of scrubbing your personal information from other places online (since doxxing often combines several information sources). Consider subscribing to a service like DeleteMe (or follow a free DIY guide) for a more thorough process of minimizing your digital footprint. Collaborating with trusted allies to monitor hate forums is a smart way to unburden yourself from having to look up your own information alone. Sharing that responsibility with others makes it easier to do, as does planning as a group for prevention and incident response.

Take a Deep Breath

It’s natural to feel bogged down by all the thought that has to be put towards privacy and security. Again, don’t beat yourself up for feeling powerless in the face of mass surveillance. You aren’t powerless. You can protect yourself, but it’s reasonable to feel frustrated when there is no comprehensive federal data privacy legislation that would alleviate so many of these concerns.

Take a deep breath. You’re not alone in this fight. There are guides for you to learn more about stepping up your privacy and security. We've even curated a special list of them. And there is Digital Defense Fund, a digital security organization for the abortion access movement, who we are grateful and proud to boost. And though it can often feel like privacy is getting harder to protect, in many ways it’s actually improving. With all that information, as well as continuing to trust your communities, and pushing for a culture of security within them, safety is much easier to attain. With a bit of privacy, you can go back to focusing on what matters, like healthcare.

Categories: Openness, Privacy, Rights

Fourth Amendment is Not For Sale Act Passed the House, Now it Should Pass the Senate

The Fourth Amendment is Not For Sale Act, H.R.4639, originally introduced in the Senate by Senator Ron Wyden in 2021, has now made the important and historic step of passing the U.S. House of Representatives. In an era when it often seems like Congress cannot pass much-needed privacy protections, this is a victory for vulnerable populations, people who want to make sure their location data is private, and the hard-working activists and organizers who have pushed for the passage of this bill.

Every day, your personal information is being harvested by your smartphone applications, sold to data brokers, and used by advertisers hoping to sell you things. But what safeguards prevent the government from shopping in that same data marketplace? Mobile data regularly bought and sold, like your geolocation, is information that law enforcement or intelligence agencies would normally have to get a warrant to acquire. But it does not require a warrant for law enforcement agencies to just buy the data. The U.S. government has been using its purchase of this information as a loophole for acquiring personal information on individuals without a warrant.

Now is the time to close that loophole.

At EFF, we’ve been talking about the need to close the data broker loophole for years. We even launched a massive investigation into the data broker industry which revealed Fog Data Science, a company that has claimed in marketing materials that it has “billions” of data points about “over 250 million” devices and that its data can be used to learn where its subjects work and live, and who their associates are. We found close to 20 law enforcement agents used or were offered this tool.

It’s time for the Senate to close this incredibly dangerous and invasive loophole. If police want a person’s—or a whole community’s—location data, they should have to get a warrant to see it.

Categories: Openness, Privacy, Rights

Inez Weski writes book about arrest, detention and duty of confidentiality

Mr. Online (legal news) - 18 April 2024 - 3:29pm

The book will be published on 19 April, two days short of a year after Weski was arrested. She was held in custody for a month and a half.

Traumatic events

According to publisher Uitgeverij Lux, the 280-page book is about “how a lawyer’s duty of confidentiality works and what consequences are attached to it.” Weski describes her arrest and detention and “the traumatic but sometimes also absurd events that followed.” The book is not only about Weski’s personal experiences, but is also an argument for the importance of the rule of law.

Suspended

Weski was arrested on suspicion of participating in a criminal organisation engaged in international drug trafficking and money laundering, and of breaching confidentiality. She is alleged to have shared information from her client Ridouan Taghi, held in the EBI (the maximum-security prison) in Vught, with his contacts in the outside world. The court case on this has not yet taken place.
Inez Weski no longer works as a lawyer; following her arrest she was provisionally suspended as a lawyer at the request of the Rotterdam dean of the bar.

The post “Inez Weski writes book about arrest, detention and duty of confidentiality” first appeared on Mr. Online.

Categories: Rights

Council of State: ‘Maintain, strengthen and renew the dikes of the rule of law’

Mr. Online (legal news) - 18 April 2024 - 1:04pm

The democratic constitutional state is functioning, but it is under pressure, both internally and externally from geopolitical threats, the Council of State (Raad van State) observes in the general reflection accompanying its annual report. “Our country is confronted with major societal challenges. The government has been running on empty for some time, is being overstretched and, partly as a result, makes mistakes. Dysfunction of the rule of law looms if the fragile relationships of trust between government and citizens, and among citizens themselves, do not improve.” And that is why maintenance and strengthening of the dikes of the rule of law are badly needed.

Access to the courts

According to the Council of State, important conditions apply to that maintenance, such as the existence of stable institutions that function well under all circumstances. These institutions must be accessible to citizens, and access to the courts must also be guaranteed for citizens of lesser means. “There must be no skimping on the quality of the institutions of the rule of law,” says the Council. “That means that financial provisions for a well-functioning rule of law take precedence over regular trade-offs within the national budget.”

Recommendations

The Council of State makes three recommendations for maintenance, strengthening and, where necessary, renewal. ‘Further development’ of the rule of law can take place in the area of digital technologies, in the societal function of the Constitution and in a stronger rule-of-law culture.

Digital technologies

For instance, the Council considers regulation and oversight of AI and other digital technologies desirable. Citizens must be able to see the data the government holds about them; they must be able to correct it and have unnecessary data removed from government systems. A right to information is also recommended: a decision must state whether an algorithm was used in reaching it. Furthermore, it would be good to include provisions on algorithmic decision-making in the General Administrative Law Act (Algemene wet bestuursrecht).

Fundamental rights

The second recommendation concerns the Constitution. The Council of State believes that the societal function of the Constitution deserves attention and therefore advises an exploration of how fundamental rights function “in an era of digital developments and major changes in areas including climate”. Furthermore, parliament must pay more attention to the constitutional aspects of legislation and regulations.

Citizenship education

The last recommendation concerns ensuring a strong rule-of-law culture. In the Council of State’s view, government and parliament should give this explicit priority. A political debate on the constitutional and rule-of-law aspects of bills can contribute to that. In addition to careful treatment of, respect for and understanding of the rule of law by institutional players, structural attention and knowledge in public sectors and among citizens are also important. One example is good citizenship education, which according to the Council of State can teach future generations to understand and value the rule of law.

The post “Council of State: ‘Maintain, strengthen and renew the dikes of the rule of law’” first appeared on Mr. Online.

Categories: Rights

The new Mr. is out!

Mr. Online (legal news) - 18 April 2024 - 12:03pm

A selection of the topics:

  • Interview with Iris van Domselaar, professor of Legal Philosophy and Professional Ethics for Lawyers at the University of Amsterdam. In her inaugural lecture she argued, with the harsh decisions of legal professionals in the childcare benefits scandal (Toeslagenaffaire) and the Groningen earthquake case in mind, for a citizen-oriented legal professional ethics. “Having an eye for citizens’ basic needs is crucial,” Van Domselaar tells Mr.
  • Legal professionals can play an important role in protecting the environment. Attorney Danny Hoekzema, in-house counsel Katja Out-Maassen and professor Steven Bartels talk about various green legal initiatives. “Legal professionals who want to contribute to the climate do not have to glue themselves to the A12; take the role that suits you.”
  • Domestic violence, and femicide in particular, have recently been put more firmly on the map. Legal professionals too, such as public prosecutor Berte van Heemst, professor Sanne Struijk and attorney Ine Avontuur, are increasingly dealing with it in their work. “Many professionals still lack the specialist knowledge. Legal professionals must learn to recognise ‘red flags’.”
  • In the column ‘Groeten uit…’ (‘Greetings from…’), public prosecutor Jeroen Kuipers writes about his experiences as liaison magistrate in Rome and Tirana. “Success in Dutch courtrooms has become more dependent than ever on international judicial cooperation.”

View the April issue of Mr. here.

Receive the digital Mr. (as well)
By far the most subscribers receive the paper edition of Mr. Yet more and more subscribers are switching to the digital version of the magazine. If you want to do so too, you must first cancel your paper subscription. You need your subscriber number for this; it is on the plastic wrapper in which you receive Mr. Go to Mr. Online with that number, click Abonneren, wijzigen en opzeggen (Subscribe, change and cancel) and choose Opzeggen (Cancel). Then, via Abonneren (Subscribe), choose the option Abonneren op het digitale magazine (Subscribe to the digital magazine).
You can of course also keep your existing paper Mr. and take the digital version alongside it. That too can be done via our website, under Abonneren (Subscribe).

The post “The new Mr. is out!” first appeared on Mr. Online.

Categories: Rights

‘Dutch people may reclaim gambling debts’

IusMentis - 18 April 2024 - 8:10am

The Overijssel District Court has ruled that Unibet must repay a Dutchman his gambling debts of approximately 8,600 euros. Emerce reported this last week. The judgment itself cannot be found directly: there is only a press release from the lucky gambler’s lawyer. So it seems a tad premature to say that everyone can now get their money back from an illegal gambling site, but there is more behind it.

The lawyer involved does this more often, and with success. All the cases come down to more or less the same thing: a Dutch consumer entered into a gambling agreement with a party that has no licence in the Netherlands. Under Dutch law, such an agreement is then null and void/voidable (conflict with public order, 3:40 BW). The money was then paid without legal basis and must be returned.

In all those cases (read this one or this one as an example) you see that judges actively stand up for the consumer. It is always abundantly clear that those sites are (also) aimed at the Netherlands, the choice-of-forum clauses go straight into the bin, and I even see “litigation bullying” as a reproach to the gambling sites when they take too many procedural steps.

Most judgments are interlocutory judgments to settle points such as jurisdiction or being bound to the Netherlands. There are also a few rulings that are final judgments, such as this one with €128,415.76 as the amount to be repaid, that is, the net debt the consumer still had once you deduct his winnings from his stakes. In this case the amount was €93,210.71, and those are substantial amounts.

And yes, this is recoverable: the casino is in Curaçao, which is simply part of the same Kingdom as the Netherlands. With a casino in, say, Malta (where many online ones are based) that is also possible, because of European rules on enforcement. The only question is whether the bailiff can find a bank account with the money in it.

Arnoud

The post “‘Dutch people may reclaim gambling debts’” first appeared on Ius Mentis.

About Face (Recognition) | EFFector 36.5

There are a lot of updates in the fight for our freedoms online, from a last-minute reauthorization bill to expand Section 702 (tell your senators to vote NO on the bill here!), a new federal consumer data privacy law (we deserve better!), and a recent draft from the FCC to reinstate net neutrality (you can help clean it up!).

It can feel overwhelming to stay up to date, but we've got you covered with our EFFector newsletter! You can read the full issue here, or subscribe to get the next one in your inbox automatically! You can also listen to the audio version of the newsletter on the Internet Archive or on YouTube.

Since 1990 EFF has published EFFector to help keep readers on the bleeding edge of their digital rights. We know that the intersection of technology, civil liberties, human rights, and the law can be complicated, so EFFector is a great way to stay on top of things. The newsletter is chock full of links to updates, announcements, blog posts, and other stories to help keep readers—and listeners—up to date on the movement to protect online privacy and free expression. 

Thank you to the supporters around the world who make our work possible! If you're not a member yet, join EFF today to help us fight for a brighter digital future.

Categories: Openness, Privacy, Rights

SCCR/45: COMMUNIA Statement on Limitations and Exceptions

International Communia Association - 17 April 2024 - 12:34pm

In our capacity as accredited observers of the WIPO Standing Committee on Copyright and Related Rights (SCCR), we are attending the 45th session of the Committee, which is currently taking place in Geneva (April 15-19, 2024).

We made the following statement regarding limitations and exceptions for educational and research institutions and for persons with other disabilities (Agenda Item 6):

Dear Delegates,

Many of us here today will remind you that knowledge institutions face many challenges when it comes to fulfilling their public interest missions in the digital environment. These hurdles range from lack of harmonisation of copyright exceptions to legal uncertainty and fear of litigation.

In the words of Marcin, a researcher from Poland researching ancient Chinese literature and contemporary culture, and I quote “a considerable part of the work is thinking about what I can do and what I can’t do, what is legal, what is illegal”.

These obstacles are particularly problematic in a cross-border environment, where a fragmented legal framework negatively affects these activities, forcing for instance researchers to limit or abandon collaborative projects, or to select research partners according to their national copyright laws. The 2nd edition of our publication “Nobody puts research in a cage”, where we interview researchers engaged in joint and cross-border projects, shows this very clearly.

If you want case studies to understand what are the kinds of problems that you should be fixing right now, this is a good start. From researchers stuck in cages in Sweden, to researchers flying across continents to be able to research Chinese movies from the TVs of their hotel rooms, it’s unsettling to read about the obstacles they face to conduct their research projects. But it’s also fascinating to see the solutions that they propose to tackle these problems.

Sure enough, they all want more copyright exceptions, more legislation granting them rights to use copyrighted works, particularly in an international environment. And this Committee knows that there are various binding and non-binding ways of getting close to that place. With all due respect, toolkits published on an obscure corner of the WIPO website, where there are about 6000 entries for the word “toolkits”, are just not it.

We understand why this would be a priority for the Secretariat, but if this Committee is truly committed to implement their work program on L&Es, the way forward are the working groups foreseen there. And again, with all due respect, we are appalled to see that, one year after the approval of the work program, you have not been able to agree on the scope and modalities of such working groups. We thus urge you to not leave this meeting without an implementation agreement in place.

The post SCCR/45: COMMUNIA Statement on Limitations and Exceptions appeared first on COMMUNIA Association.

SCCR/45: COMMUNIA Statement on Broadcasting Organizations

International Communia Association - 17 April 2024 - 11:07am

In our capacity as accredited observers of the WIPO Standing Committee on Copyright and Related Rights (SCCR), we are attending the 45th session of the Committee, which is currently taking place in Geneva (April 15-19, 2024).

We made the following statement regarding the protection of Broadcasting Organizations (Agenda Item 4):

Dear Delegates,

The proposed broadcast treaty, in its current version, remains a threat to the Public Domain and usage rights, particularly when legal protection of broadcasters is shaped in the form of exclusive rights, on top of rights that apply to content.

The rights-based model suggests that broadcasters will benefit from secondary rights for exploitation and control following fixation of the broadcast signal, without sufficient consideration for the public interest needs related to access to knowledge and information of signal content. In the current text, none of the exceptions are mandatory and there is no Public Domain safeguard.

Broadcasters own extensive collections of exclusive content that is highly valuable for researchers, educators, learners, cultural heritage institutions, and the general public. These collections document not only popular culture and the entertainment industry, but also function as historical documents, educational resources and research sources.

Often, the only way of accessing high-quality copies of the content in those collections is through broadcasting. Therefore, it is essential to limit exclusive rights with adequate usage rights, and ensure that, when the signal content is in the Public Domain, broadcasters are prevented from claiming exclusive rights and taking that content out of the Public Domain.

Countries opting for a rights-based model should be required to implement at least those exceptions that are already mandatory for copyrighted works (quotation, news of the day, and providing access for the visually impaired). Furthermore, they shall be required to provide in their domestic laws that, when the term of protection of the signal content has expired, the rights and protection guaranteed in this Treaty shall not apply.

The post SCCR/45: COMMUNIA Statement on Broadcasting Organizations appeared first on COMMUNIA Association.

Veilig Mailen (secure mail), or call in an old-fashioned courier after all?

Mr. Online (legal news) - 17 April 2024 - 8:30am

“An error occurred while opening this document. The file is damaged and cannot be repaired.” That was the error message the Amsterdam Court of Appeal received when an employee tried to open one of the attachments to an email from a lawyer.

Physical document

The damaged attachment was a notice of appeal in a case about restoration of parental authority and a contact arrangement. The district court had rejected the father’s requests. The day before the time limit for lodging an appeal expired, the man’s lawyer sent an email to the court of appeal via Veilig Mailen (Zivver), with the notice of appeal against the district court’s ruling as an attachment. The lawyer also announced in the email that a physical document was on its way by post, and asked that the notice of appeal be registered in the meantime.

Inadmissible

The court of appeal declares the man inadmissible in his appeal, because it cannot be established that the notice of appeal was filed in time. The court does not consider that it should have offered an opportunity to remedy the defect: “Emailing, one day before the expiry of the appeal period, a damaged file that cannot be opened must remain at the appellant’s risk.” Moreover, the opposing party had alerted the man’s lawyer the next morning that the attachment could not be opened.

No ‘apparaatsfout’

The court also finds that there is no ‘apparaatsfout’ (an error attributable to the court’s own apparatus): “Consultation by the court of IVO (the ICT service of the judiciary) shows that it is highly unlikely that the ICT system of the judiciary would damage a file that could still be opened properly when sent in such a way on receipt that it can no longer be opened.”

No disrupted access

In her opinion, furnished with 43 footnotes, Advocate General Wesseling-van Gent concludes that the decision of the court of appeal should be set aside; the court should indeed have given the opportunity to remedy the defect.
The Supreme Court (Hoge Raad), however, does not agree. There was no disruption of access to Veilig Mailen, and therefore reliance on the remedy period of Article 8 of the Besluit elektronisch procederen (Electronic Litigation Decree) fails. Reliance on an ‘apparaatsfout’ also fails, according to the Supreme Court.

By telephone

Lawyer Marieke van der Keur discusses the ruling in a blog on the site of the firm Ekelmans Advocaten. She writes that it means the risk that a document cannot be opened lies with the sender. “Anyone who does not want to run any risk of hearing that afterwards can check with the court by telephone whether the procedural document can be opened. Otherwise he will have to send an old-fashioned courier after all.”

The post “Veilig Mailen (secure mail), or call in an old-fashioned courier after all?” first appeared on Mr. Online.

Categories: Rights

The Annotated AI Act is coming

IusMentis - 17 April 2024 - 8:23am

113 articles, 13 annexes, 180 recitals, references to 27 other laws: the AI Act is the most complex piece of legislation I have ever seen. My new book “The Annotated AI Act” clarifies and analyses the law in plain language. You can pre-order now!

The broad outlines of the AI Act are probably already familiar. A risk-based regulation of AI systems, with separate rules for general-purpose AI and a labelling obligation for synthetic content. But the risk approach works just slightly differently from, for example, the GDPR; the chosen model is that of product safety and conformity to standards (CE marking).

A lot happened with the text, particularly in the last months of 2023. A regulation of GPAI simply had to be included, but that does not really fit the product safety approach, and the copyright lobby had also shown up in the meantime. This led to a few marathon sessions in December, which ultimately produced a political agreement that was worked out in the months that followed.

(I started writing once that agreement was there, and of course had to renumber everything when the final text was dropped, because that is when article 29a, recital 80z+1, the empty article 19, the two articles 54 and a few more such slip-ups were corrected.)

The haste has unfortunately left a number of things, let’s say, somewhat less than optimally structured. So it takes quite some searching to find the right article, or the combination with other articles. That is what I wrote this book for: cross-references, contrasts and literature (100+ references) for more background or critical reflection.

The book will appear in May, when the AI Act has been published. But you can pre-order now:

Order The Annotated AI Act now!

Arnoud

The post “The Annotated AI Act is coming” first appeared on Ius Mentis.

How Political Campaigns Use Your Data to Target You

Data about potential voters—who they are, where they are, and how to reach them—is an extremely valuable commodity during an election year. And while the right to a secret ballot is a cornerstone of the democratic process, your personal information is gathered, used, and sold along the way. It's not possible to fully shield yourself from all this data processing, but you can take steps to at least minimize and understand it.

Political campaigns use the same invasive tricks that behavioral ads do—pulling in data from a variety of sources online to create a profile—so they can target you. Your digital trail is a critical tool for campaigns, but the process starts in the real world, where longstanding techniques to collect data about you can be useful indicators of how you'll vote. This starts with voter records.

Your IRL Voting Trail Is Still Valuable

Politicians have long had access to public data, like voter registration, party registration, address, and participation information (whether or not a voter voted, not who they voted for). Online access to such records has made them easier to get in some states, with unintended consequences, like doxing.

Campaigns can purchase this voter information from most states. These records provide a rough idea of whether that person will vote or not, and—if they're registered to a particular party—who they might lean toward voting for. Campaigns use this to put every voter into broad categories, like "supporter," "non-supporter," or "undecided." Campaigns gather such information at in-person events, too, like door-knocking and rallies, where you might sign up for emails or phone calls.

Campaigns also share information about you with other campaigns, so if you register with a candidate one year, it's likely that information goes to another in the future. For example, the website for Adam Schiff’s campaign to serve as U.S. Senator from California has a privacy policy with this line under “Sharing of Information”:

With organizations, candidates, campaigns, groups, or causes that we believe have similar political viewpoints, principles, or objectives or share similar goals and with organizations that facilitate communications and information sharing among such groups

Similar language can be found on other campaign sites, including those for Elizabeth Warren and Ted Cruz. These candidate lists are valuable, and are often shared within the national party. In 2017, the Hillary Clinton campaign gave its email list to the Democratic National Committee, a contribution valued at $3.5 million.

If you live in a state with citizen initiative ballot measures, data collected from signature sheets might be shared or used as well. Signing a petition doesn't necessarily mean you support the proposed ballot measure—it's just saying you think it deserves to be put on the ballot. But in most states, these signature pages will remain a part of the public record, and the information you provide may get used for mailings or other targeted political ads. 

How Those Voter Records, and Much More, Lead to Targeted Digital Ads

All that real world information is just one part of the puzzle these days. Political campaigns tap into the same intrusive adtech tracking systems used to deliver online behavioral ads. We saw a glimpse into how this worked after the Cambridge Analytica scandal, and the system has only grown since then.

Specific details are often a mystery, as a political advertising profile may be created by combining disparate information—from consumer scoring data brokers like Acxiom or Experian, smartphone data, and publicly available voter information—into a jumble of data points that’s often hard to trace in any meaningful way. A simplified version of the whole process might go something like this:

  1. A campaign starts with its voter list, which includes names, addresses, and party affiliation. It may have purchased this from the state or its own national committee, or collected some of it for itself through a website or app.
  2. The campaign then turns to a data broker to enhance this list with consumer information. The data broker combines the voter list with its own data, then creates a behavioral profile using inferences based on your shopping, hobbies, demographics, and more. The campaign looks this all over, then chooses some categories of people it thinks will be receptive to its messages in its various targeted ads.
  3. Finally, the campaign turns to an ad targeting company to get the ad on your device. Some ad companies might use an IP address to target the ad to you. As The Markup revealed, other companies might target you based on your phone's location, which is particularly useful in reaching voters not in the campaign's files. 

In 2020, Open Secrets found political groups paid 37 different data brokers at least $23 million for access to services or data. These data brokers collect information from browser cookies, web beacons, mobile phones, social media platforms, and more. Open Secrets found that some companies specialize in more general data, while others, like i360, TargetSmart, and Grassroots Analytics, focus on data useful to campaigns or advocacy.

[Image: screenshot of a spreadsheet with categories, "Qanon, Rightwing Militias, Right to Repair, Inflation Fault, Electric Vehicle Buyer, Climate Change, and Amazon Worker Treatment"]

Caption: A sample of some categories and inferences in a political data broker file that we received through a CCPA request shows the wide variety of assumptions these companies may make.

These political data brokers make a lot of promises to campaigns. TargetSmart claims to have 171 million highly accurate cell phone numbers, and i360 claims to have data on 220 million voters. They also tend to offer specialized campaign categories that go beyond the offerings of consumer-focused data brokers. Check out data broker L2’s “National Models & Predictive Analytics” page, which breaks down interests, demographics, and political ideology—including details like "Voter Fraud Belief," and "Ukraine Continue." The New York Times demonstrated a particularly novel approach to these sorts of profiles where a voter analytics firm created a “Covid concern score” by analyzing cell phone location, then ranked people based on travel patterns during the pandemic.

Some of these companies target based on location data. For example, El Toro claims to have once “identified over 130,000 IP-matched voter homes that met the client’s targeting criteria. El Toro served banner and video advertisements up to 3 times per day, per voter household – across all devices within the home.”

That “all devices within the home” claim may prove important in the coming elections: as streaming video services integrate more ad-based subscription tiers, that likely means more political ads this year. One company, AdImpact, projects $1.3 billion in political ad spending on “connected television” ads in 2024. This may be driven in part by the move away from tracking cookies, which makes web browsing data less appealing.

In the case of connected televisions, ads can also integrate data based on what you've watched, using information collected through automated content recognition (ACR). Streaming device maker and service provider Roku's pitch to potential political advertisers is straightforward: “there’s an opportunity for campaigns to use their own data like never before, for instance to reach households in a particular district where they need to get out the vote.” Roku claims to have at least 80 million users. As a platform for televisions and “streaming sticks,” and especially if you opted into ACR (we’ll detail how to check below), Roku can collect and use a lot of your viewing data ranging from apps, to broadcast TV, or even to video games.

This is vastly different from traditional broadcast TV ads, which might be targeted broadly based on a city or state, and the show being aired. Now, a campaign can target an ad at one household, but not their neighbor, even if they're watching the same show. Of the main streaming companies, only Amazon and Netflix don’t accept political ads.

Finally, there are Facebook and Google, two companies that have amassed a mountain of data points about all their users, and which allow campaigns to target based on some of those factors. According to at least one report, political ad spending on Google (mostly through YouTube) is projected to be $552 million, while Facebook is projected at $568 million. Unlike the data brokers discussed above, most of what you see on Facebook and Google is derived from the data collected by the company from its users. This may make it easier to understand why you’re seeing a political ad, for example, if you follow or view content from a specific politician or party, or about a specific political topic.

What You Can Do to Protect Your Privacy

Managing the flow of all this data might feel impossible, but you can take a few important steps to minimize what’s out there. The chances you’ll catch everything are low, but minimizing what is accessible is still a privacy win.

Install Privacy Badger
Considering how much data is collected just from your day-to-day web browsing, it’s a good idea to protect that first. The simplest way to do so is with our own tracking blocker extension, Privacy Badger.

Disable Your Phone Advertising ID and Audit Your Location Settings
Your phone has an ad identifier that makes it simple for advertisers to track and collate everything you do. Thankfully, you can make this much harder for those advertisers by disabling it:

  • On iPhone: Head into Settings > Privacy & Security > Tracking, and make sure “Allow Apps to Request to Track” is disabled. 
  • On Android: Open Settings > Security & Privacy > Privacy > Ads, and select “Delete advertising ID.”

Similarly, as noted above, your location is a valuable asset for campaigns. They can collect your location through data brokers, which usually get it from otherwise unaffiliated apps. This is why it's a good idea to limit what sorts of apps have access to your location:

  • On iPhone: Open Settings > Privacy & Security > Location Services, and disable access for any apps that do not need it. You can also set location access to "While using" for apps where it's helpful but which don't need to track you all the time. Also, consider disabling "Precise Location" for any apps that don't need your exact location (for example, your GPS navigation app needs precise location, but no weather app does).
  • On Android: Open Settings > Location > App location permissions, and confirm that no apps are accessing your location that you don't want to. As with iOS, you can set it to "Allow only while using the app," for apps that don't need it all the time, and disable "Use precise location," for any apps that don't need exact location access.

Opt Out of Tracking on Your TV or Streaming Device, and Any Video Streaming Service
Nearly every brand of TV is connected to the internet these days. Consumer Reports has a guide for disabling what you can on most popular TVs and software platforms. If you use an Apple TV, you can disable the ad identifier following the exact same directions as on your phone.

Since the passage of a number of state privacy laws, streaming services, like other sites, have offered a way for users to opt out of the sale of their info. Many have extended this right outside of states that require it. You'll need to be logged into your streaming service account to take action on most of these, but TechHive has a list of opt out links for popular streaming services to get you started. Select the "Right to Opt Out" option, when offered.

Don't Click on Links in (or Respond to) Political Text Messages
You've likely been receiving political texts for much of the past year, and that's not going to let up until election day. It is increasingly difficult to decipher whether they're legitimate or spam, and with links that often use a URL shortener or odd looking domains, it's best not to click them. If there's a campaign you want to donate to, head directly to the site of the candidate or ballot sponsor.

Create an Alternate Email and Phone Number for Campaign Stuff
If you want to keep updated on campaign or ballot initiatives, consider setting up an email specifically for that, and nothing else. Since a phone number is also often required, it's a good idea to set up a secondary phone number for these same purposes (you can do so for free through services like Google Voice).

Keep an Eye Out for Deceptive Check Boxes
Speaking of signing up for updates, be mindful of signing up for emails you don't intend to receive. Campaigns might use pre-selected options for everything from donation amounts to signing up for a newsletter. So, when you sign up with any campaign, keep an eye on any options you might not intend to opt into.

Mind Your Social Media
Now's a great time to take any sort of "privacy checkup" available on whatever social media platforms you use to help minimize any accidental data sharing. Even though you can't completely opt out of behavioral advertising on Facebook, review your ad preferences and opt out of whatever you can. Also be sure to disable access to off-site activity. You should also opt out of personalized ads on Google's services. You cannot disable behavioral ads on TikTok, but the company doesn't allow political ads.

If you're curious to learn more about why you're seeing an ad to begin with, on Facebook you can always click the three-dot icon on an ad, then click "Why am I seeing this ad?" to learn more. For ads on YouTube, you can click the "More" button and then "About this advertiser" to see some information about who placed the ad. Anywhere else you see a Google ad you can click the "Adchoices" button and then "Why this ad?"

You shouldn't need to spend an afternoon jumping through opt out hoops and tweaking privacy settings on every device you own just so you're not bombarded with highly targeted ads. That’s why EFF supports comprehensive consumer data privacy legislation, including a ban on online behavioral ads.

Democracy works because we participate, and you should be able to do so without sacrificing your privacy. 

Categories: Transparency, Privacy, Rights

Speaking Freely: Lynn Hamadallah

Lynn Hamadallah is a Syrian-Palestinian-French Psychologist based in London. An outspoken voice for the Palestinian cause, Lynn is interested in the ways in which narratives, spoken and unspoken, shape identity. Having lived in five countries and spent a lot of time traveling, she takes a global perspective on freedom of expression. Her current research project investigates how second-generation British-Arabs negotiate their cultural identity. Lynn works in a community mental health service supporting some of London's most disadvantaged residents, many of whom are migrants who have suffered extensive psychological trauma.

York: What does free speech or free expression mean to you? 

Being Arab and coming from a place where there is much more speech policing in the traditional sense, I suppose there is a bit of an idealization of Western values of free speech and democracy. There is this sense of freedom we grow up associating with the West. Yet recently, we’ve come to realize that the way it works in practice is quite different to the way it is described, and this has led to a lot of disappointment and disillusionment in the West and its ideals amongst Arabs. There’s been a lot of censorship for example on social media, which I’ve experienced myself when posting content in support of Palestine. At a national level, we have witnessed the dehumanization going on around protesters in the UK, which undermines the idea of free speech. For example, the pro-Palestine protests where we saw the then-Home Secretary Suella Braverman referring to protesters as “hate marchers.” So we’ve come to realize there’s this kind of veneer of free speech in the West which does not really match up to the more idealistic view of freedom we were taught about.

With the increased awareness we have gained as a result of the latest aggression going on in Palestine, actually what we’re learning is that free speech is just another arm of the West to support political and racist agendas. It’s one of those things that the West has come up with which only applies to one group of people and oppresses another. It’s the same as with human rights you know - human rights for who? Where are Palestinians’ human rights?

We’ve seen free speech being weaponized to spread hate and desecrate Islam, for example, in the case of Charlie Hebdo and the Quran burning in Denmark and in Sweden. The argument put forward was that those cases represented instances of free speech rather than hate speech. But actually to millions of Muslims around the world those incidents were very, very hateful. They were acts of violence not just against their religious beliefs but right down to their sense of self. It’s humiliating to have a part of your identity targeted in that way with full support from the West, politicians and citizens alike. 

And then, when we—we meaning Palestinians and Palestine allies—want to leverage this idea of free speech to speak up against the oppression happening by the state of Israel, we see time and time again accusations flying around: hate speech, anti-semitism, and censorship. Heavy, heavy censorship everywhere. So that’s what I mean when I say that free speech in the West is a racist concept, actually. And I don’t know that true free speech exists anywhere in the world really. In the Middle East we don’t have democracies but at least there’s no veneer of democracy—the messaging and understanding is clear. Here, we have a supposed democracy, but in practice it looks very different. And that’s why, for me, I don’t really believe that free speech exists. I’ve never seen a real example of it. I think as long as people are power hungry there’s going to be violence, and as long as there’s violence, people are going to want to hide their crimes. And as long as people are trying to hide their crimes there’s not going to be free speech. Sorry for the pessimistic view!

York: It’s okay, I understand where you’re coming from. And I think that a lot of those things are absolutely true. Yet, from my perspective, I still think it’s a worthy goal even though governments—and organizationally we’ve seen this as well—a lot of times governments do try to abuse this concept. So I guess then I would just ask, as a follow-up, do you feel that despite these issues that some form of universalized free expression is still a worthy ideal?

Of course, I think it’s a worthy ideal. You know, even with social media – there is censorship. I’ve experienced it and it’s not just my word and an isolated incident. It’s been documented by Human Rights Watch—even Meta themselves! They did an internal investigation in 2021—Meta had a nonprofit called Business for Social Responsibility do an investigation and produce a report—and they’ve shown there was systemic censorship of Palestine-related content. And they’re doing it again now. That being said, I do think social media is making free speech more accessible, despite the censorship. 

And I think—to your question—free speech is absolutely worth pursuing. Because we see that despite these attempts at censorship, the truth is starting to come out. Palestine support is stronger than it’s ever been. To the point where we’ve now had South Africa take Israel to trial at the International Court of Justice for genocide, using evidence from social media videos that went viral. So what I’m saying is, free speech has the power to democratize demanding accountability from countries and creating social change, so yes, absolutely something we should try to pursue. 

York: You just mentioned two issues close to my heart. One is the issues around speech on social media platforms, and I’ve of course followed and worked on the Palestinian campaigns quite closely and I’m very aware of the BSR report. But also, video content, specifically, that’s found on social media being used in tribunals. So let me shift this question a bit. You have such a varied background around the world. I’m curious about your perspective over the past decade or decade and a half since social media has become so popular—how do you feel social media has shaped people’s views or their ability to advocate for themselves globally? 

So when we think about stories and narratives, something I’m personally interested in, we have to think about which stories get told and which stories remain untold. These stories and their telling is very much controlled by the mass media—BBC, CNN, and the like. They control the narrative. And I guess what social media is doing is it’s giving a voice to those who are often voiceless. In the past, the issue was that there was such a monopoly over mouthpieces. Mass media were so trusted, to the point where no one would have paid attention to these alternative viewpoints. But what social media has done… I think it’s made people become more aware or more critical of mass media and how it shapes public opinion. There’s been a lot of exposure of their failure for example, like that video that went viral of Egyptian podcaster and activist Rahma Zain confronting CNN’s Clarissa Ward at the Rafah border about their biased reporting of the genocide in Palestine. I think that confrontation spoke to a lot of people. She was shouting “You own the narrative, this is our problem. You own the narrative, you own the United Nations, you own Hollywood, you own all these mouthpieces—where are our voices?! Our voices need to be heard!” It was SO powerful and that video really spoke to the sentiment of many Arabs who have felt angry, betrayed and abandoned by the West’s ideals and their media reporting.

Social media is providing a voice to more diverse people, elevating them and giving the public more control around narratives. Another example we’ve seen recently is around what’s currently happening in Sudan and the Democratic Republic of Congo. These horrific events and stories would never have had much of a voice or exposure before at the global stage. And now people all over the world are paying more attention and advocating for Sudanese and Congolese rights, thanks to social media.

I personally was raised with quite a critical view of mass media, I think in my family there was a general distrust of the West, their policies and their media, so I never really relied personally on the media as this beacon of truth, but I do think that’s an exception. I think the majority of people rely on mass media as their source of truth. So social media plays an important role in keeping them accountable and diversifying narratives.

York: What are some of the biggest challenges you see right now anywhere in the world in terms of the climate for free expression for Palestinian and other activism? 

I think there’s two strands to it. There’s the social media strand. And there’s the governmental policies and actions. So I think on social media, again, it’s very documented, but it’s this kind of constant censorship. People want to be able to share content that matters to them, to make people more aware of global issues and we see time and time again viewership going down, content being deleted or reports from Meta of alleged hate speech or antisemitism. And that’s really hard. There’ve been random strategies that have popped up to increase social media engagement, like posting random content unrelated to Palestine or creating Instagram polls for example. I used to do that, I interspersed Palestine content with random polls like, “What’s your favorite color?” just to kind of break up the Palestine content and boost my engagement. And it was honestly so exhausting. It was like… I’m watching a genocide in real time, this is an attack on my people and now I’m having to come up with silly polls? Eventually I just gave up and accepted my viewership as it was, which was significantly lower.

At a government level, which is the other part of it, there’s this challenge of constant intimidation that we’re witnessing. I just saw recently there was a 17-year-old boy who was interviewed by the counterterrorism police at an airport because he was wearing a Palestinian flag. He was interrogated about his involvement in a Palestinian protest. When has protesting become a crime and what does that say about democratic rights and free speech here in the UK? And this is one example, but there are so many examples of policing, there was even talk of banning protests altogether at one point.

The last strand I’d include, actually, that I already touched on, is the mass media. Just recently we’ve seen the BBC reporting on the ICJ hearing, they showed the Israeli defense part, but they didn’t even show the South African side. So this censorship is literally in plain sight and poses a real challenge to the climate of free expression for Palestine activism.

York: Who is your free speech hero? 

Off the top of my head I’d probably say Mohammed El-Kurd. I think he’s just been so unapologetic in his stance. Not only that but I think he’s also made us think critically about this idea of narrative and what stories get told. I think it was really powerful when he was arguing the need to stop giving the West and mass media this power, and that we need to disempower them by ceasing to rely on them as beacons of truth, rather than working on changing them. Because, as he argues, oppressors who have monopolized and institutionalized violence will never ever tell the truth or hold themselves to account. Instead, we need to turn to Palestinians, and to brave cultural workers, knowledge producers, academics, journalists, activists, and social media commentators who understand the meaning of oppression and view them as the passionate, angry and, most importantly, reliable narrators that they are.


Americans Deserve More Than the Current American Privacy Rights Act

EFF is concerned that a new federal bill would freeze consumer data privacy protections in place, by preempting existing state laws and preventing states from creating stronger protections in the future. Federal law should be the floor on which states can build, not a ceiling.

We also urge the authors of the American Privacy Rights Act (APRA) to strengthen other portions of the bill. It should be easier to sue companies that violate our rights. The bill should limit sharing with the government and expand the definition of sensitive data. And it should narrow exceptions that allow companies to exploit our biometric information, our so-called “de-identified” data, and our data obtained in corporate “loyalty” schemes.

Despite our concerns with the APRA bill, we are glad Congress is pivoting the debate to a privacy-first approach to online regulation. Reining in companies’ massive collection, misuse, and transfer of everyone’s personal data should be the unifying goal of those who care about the internet. This debate has been absent at the federal level in the past year, giving breathing room to flawed bills that focus on censorship and content blocking, rather than privacy.

In general, the APRA would require companies to minimize their processing of personal data to what is necessary, proportionate, and limited to certain enumerated purposes. It would specifically require opt-in consent for the transfer of sensitive data, and most processing of biometric and genetic data. It would also give consumers the right to access, correct, delete, and export their data. And it would allow consumers to universally opt-out of the collection of their personal data from brokers, using a registry maintained by the Federal Trade Commission.

We welcome many of these privacy protections. Below are a few of our top priorities to correct and strengthen the APRA bill.

Allow States to Pass Stronger Privacy Laws

The APRA should not preempt existing and future state data privacy laws that are stronger than the current bill. The ability to pass stronger bills at the state and local level is an important tool in the fight for data privacy. We ask that Congress not compromise our privacy rights by undercutting the very state-level action that spurred this compromise federal data privacy bill in the first place.

Subject to exceptions, the APRA says that no state may “adopt, maintain, enforce, or continue in effect” any state-level privacy requirement addressed by the new bill. APRA would allow many state sectoral privacy laws to remain, but it would still preempt protections for biometric data, location data, online ad tracking signals, and maybe even privacy protections in state constitutions or some other limits on what private companies can share with the government. At the federal level, the APRA would also wrongly preempt many parts of the federal Communications Act, including provisions that limit a telephone company’s use, disclosure, and access to customer proprietary network information, including location information.

Just as important, it would prevent states from creating stronger privacy laws in the future. States are more nimble at passing laws to address new privacy harms as they arise, compared to Congress which has failed for decades to update important protections. For example, if lawmakers in Washington state wanted to follow EFF’s advice to ban online behavioral advertising or to allow its citizens to sue companies for not minimizing their collection of personal data (provisions where APRA falls short), state legislators would have no power to do so under the new federal bill.

Make It Easier for Individuals to Enforce Their Privacy Rights

The APRA should prevent coercive forced arbitration agreements and class action waivers, allow people to sue for statutory damages, and allow them to bring their case in state court. These rights would allow for rigorous enforcement and help force companies to prioritize consumer privacy.

The APRA has a private right of action, but it is a half-measure that still lets companies side-step many legitimate lawsuits. And the private right of action does not apply to some of the most important parts of the law, including the central data minimization requirement.

The favorite tool of companies looking to get rid of privacy lawsuits is to bury provisions in their terms of service that force individuals into private arbitration and prevent class action lawsuits. The APRA does not address class action waivers and only prevents forced arbitration for children and people who allege “substantial” privacy harm. In addition, statutory damages and enforcement in state courts are essential, because many times federal courts still struggle to acknowledge privacy harm as real—relying instead on a cramped view that does not recognize privacy as a human right. In addition, the bill would allow companies to cure violations rather than face a lawsuit, incentivizing companies to skirt the law until they are caught.

Limit Exceptions for Sharing with the Government

APRA should close a loophole that may allow data brokers to sell data to the government and should require the government to obtain a court order before compelling disclosure of user data. This is important because corporate surveillance and government surveillance are often the same.

Under the APRA, government contractors do not have to follow the bill’s privacy protections. Those include any “entity that is collecting, processing, retaining, or transferring covered data on behalf of a Federal, State, Tribal, territorial, or local government entity, to the extent that such entity is acting as a service provider to the government entity.” Read broadly, this provision could protect data brokers who sell biometric information and location information to the government. In fact, Clearview AI previously argued it was exempt from Illinois’ strict biometric law using a similar contractor exception. This is a point that needs revision because other parts of the bill rightly prevent covered entities (government contractors excluded) from selling data to the government for the purpose of fraud detection, public safety, and criminal activity detection.

The APRA also allows entities to transfer personal data to the government pursuant to a “lawful warrant, administrative subpoena, or other form of lawful process.” EFF urges that the requirement be strengthened to at least a court order or warrant with prompt notice to the consumer. Protections like this are not unique, and it is especially important in the wake of the Dobbs decision.

Strengthen the Definition of Sensitive Data

The APRA has heightened protections for sensitive data, and it includes a long list of 18 categories of sensitive data, like: biometrics, precise geolocation, private communications, and an individual’s online activity over time and across websites. This is a good list that can be added to. We ask Congress to add other categories, like immigration status, union membership, employment history, familial and social relationships, and any covered data processed in a way that would violate a person’s reasonable expectation of privacy. The sensitivity of data is context specific—meaning any data can be sensitive depending on how it is used. The bill should be amended to reflect that.

Limit Other Exceptions for Biometrics, De-identified Data, and Loyalty Programs

An important part of any bill is to make sure the exceptions do not swallow the rule. The APRA’s exceptions on biometric information, de-identified data, and loyalty programs should be narrowed.

In APRA, biometric information means data “generated from the measurement or processing of the individual’s unique biological, physical, or physiological characteristics that is linked or reasonably linkable to the individual” and excludes “metadata associated with a digital or physical photograph or an audio or video recording that cannot be used to identify an individual.” EFF is concerned this definition will not protect biometric information used for analysis of sentiment, demographics, and emotion, and could be used to argue hashed biometric identifiers are not covered.

De-identified data is excluded from the definition of personal data covered by the APRA, and companies and service providers can turn personal data into de-identified data to process it however they want. The problem with de-identified data is that many times it is not. Moreover, many people do not want their private data that they store in confidence with a company to then be used to improve that company’s product or train its algorithm—even if the data has purportedly been de-identified.

Many companies under the APRA can host loyalty programs and can sell that data with opt-in consent. Loyalty programs are a type of pay-for-privacy scheme that pressure people to surrender their privacy rights as if they were a commodity. Worse, because of our society’s glaring economic inequalities, these schemes will unjustly lead to a society of privacy “haves” and “have-nots.” At the very least, the bill should be amended to prevent companies from selling data that they obtain from a loyalty program.

We welcome Congress' privacy-first approach in the APRA and encourage the authors to improve the bill to ensure privacy is protected for generations to come.
