New submitter zfc writes: Online tracking has become a pervasive invisible reality of the modern web. Most sites you load are likely to be full of ads, tracking pixels, social media share buttons, and other invisible trackers all harvesting data about your web browsing. These trackers use cookies and other methods to read unique IDs associated with your browser, the result being that they record all the sites you visit as you browse around the internet. This sort of tracking is invisible to most web users, meaning they never get the option to agree to or opt-out of it. Today the EFF has launched the 1.0 version of Privacy Badger, an extension designed to prevent these trackers from accessing unique info about you and your browsing.

An anonymous reader writes: Knowledge Ecology International (KEI) [Wednesday] morning released the May 2015 draft of the copyright provisions in the Trans Pacific Partnership (copyright, ISP annex, enforcement). The leak appears to be the same version that was covered by the EFF and other media outlets earlier this summer. Michael Geist unpacks the leaked documents, noting the treaty includes anti-circumvention rules that extend beyond the WIPO Internet treaties, new criminal rules, the extension of copyright term for countries like Canada and Japan, increased border measures, mandatory statutory damages in all countries, and expanding ISP liability rules, including the prospect of website blocking for Canada.

v3rgEz writes: Police departments are increasingly tracking your face, your fingerprints, your tattoos — and even your DNA. The Electronic Frontier Foundation and MuckRock are working to uncover how local agencies are tracking you and bring some much-needed transparency to the murky world of biometric surveillance through a free public records audit: Just put in some basic information about an agency near you, and they'll publicly file a request to see what vendors your city is using, how they protect your privacy, and more.

An anonymous reader writes: The Electronic Frontier Foundation, privacy company Disconnect, and several other organizations are publishing a new DNT standard. Partners in the coalition include: publishing site Medium, analytics service Mixpanel, AdBlock, and private search engine DuckDuckGo. Thought it's still a voluntary policy, the EFF hopes the new proposed standard will provide users better privacy online. "We are greatly pleased that so many important Web services are committed to this powerful new implementation of Do Not Track, giving their users a clear opt-out from stealthy online tracking and the exploitation of their reading history," said EFF Chief Computer Scientist Peter Eckersley. "These companies understand that clear and fair practices around analytics and advertising are essential not only for privacy but for the future of online commerce."

Patrick O'Neill writes: In the days following a massive hack that confirmed Hacking Team's dealings with repressive regimes around the world, experts are wondering once again how to stop Western technology companies from equipping certain governments with weapons meant to attack journalists, human rights activists, and ordinary civilians. Regulation's backers say that "this is an industry that has failed to police itself," ACLU's Christopher Soghoian argued, but many including the EFF warn that overly broad legislation would harm more than help. In addition, wiredmikey points out that a number of exploits have been released in the wake of the hacking: Several exploits have been discovered, including ones for zero-day vulnerabilities, in the hundreds of gigabytes of data stolen by a hacker from the systems of surveillance software maker Hacking Team. Researchers at Trend Micro analyzed the leaked data and uncovered several exploits, including two zero-days for Adobe Flash Player. A readme document found alongside proof-of-concept (PoC) code for one of the Flash Player zero-days describes the vulnerability as "the most beautiful Flash bug for the last four years since CVE-2010-2161." In addition to the Flash Player exploits, researchers spotted an exploit for a Windows kernel vulnerability, a flaw that fortunately has already been patched. Adobe told SecurityWeek that it's aware of the reports and expects to release a patch on Wednesday.

New submitter Neil_Brown writes: The Supreme Court of the United States has today denied Google's request to appeal against the Court of Appeals for the Federal Circuit's ruling (PDF) that the structure, sequence and organization of 37 of Oracle's APIs (application program interfaces) was capable of copyright protection. The case is not over, as Google can now seek to argue that, despite the APIs being restricted by copyright, its handling amounts to "fair use". Professor Pamela Samuelson has previously commented (PDF) on the implications if SCOTUS declined to hear the appeal. The Verge reports: "A district court ruled in Google's favor back in 2012, calling the API "a utilitarian and functional set of symbols" that couldn't be tied up by copyrights. Last May, a federal appeals court overturned that ruling by calling the Java API copyrightable. However, the court said that Google could still have lawfully used the APIs under fair use, sending the case back to a lower court to argue the issue. That's where Google will have to go next, now that the Supreme Court has declined to hear the issue over copyright itself.

Since starting his own company in 1980, Steve Jackson, founder and editor-in-chief of Steve Jackson Games, has created a number of hits, starting with Car Wars . . . followed shortly by Illuminati, and later by GURPS, the "Generic Universal Roleplaying System." In 1983, he was elected to the Adventure Gaming Hall of Fame - the youngest person ever so honored. He has personally won 11 Origins Awards. In the early 90's, Steve got international press due to the Secret Service's invasion of his office. The EFF helped make it possible for SJ Games to bring suit against the Secret Service and the U.S. government and win more than $50,000 in damages. His Ogre kickstarter a couple of years ago brought in close to a million dollars. His current hits are Munchkin, a very silly card game about killing monsters and taking their stuff, and Zombie Dice, in which you eat brains and try not to get shotgunned. His current projects include a variety of Munchkin follow-ups, and the continuing quest to get his games translated into digital form. Steve has agreed to put down the dice and answer any questions you may have. As usual, ask as many as you'd like, but please, one per post.

angry tapir writes: Privacy advocates are sounding the alarm over a potential policy change (PDF) that would prevent some people from registering website addresses without revealing their personal information. ICANN, the regulatory body that oversees domain names, has asked for public comment on whether it should prohibit the private registration of domains which are "associated with commercial activities and which are used for online financial transactions."

An anonymous reader writes: Let's Encrypt, the project that hopes to increase the use of encryption across websites by issuing free digital certificates, is planning to issue the first ones next month. Backed by the EFF, the Mozilla Foundation, the Linux Foundation, Akamai, IdenTrust, Automattic, and Cisco, Let's Encrypt will provide free-of-charge SSL and TSL certificates to any webmaster interested in implementing HTTPS for their products. The Stack reports: "Let's Encrypt's root certificate will be cross-signed by IdenTrust, a public key CA owned by smartphone government ID card provider HID Global. Website operators are generally hesitant to use SSL/TLS certificates due to their cost. An extended validation (EV) SSL certificates can cost up to $1,000. It is also a complication for operators to set up encryption for larger web services. Let's Encrypt aims to remove these obstacles by eliminating the related costs and automating the entire process."

An anonymous reader writes: A paper from Microsoft researchers (PDF) posits the possibility of 'pushing' web ads to a user's own computer and serving them into pre-arranged containers on web pages, with the EFF or ACLU serving as privacy mediators between the user and the advertisers who want to engage them. However the framework — dubbed 'Privad' — would need to get installed on the user's system by the same familiar means which the likes of Superfish use. The report admits that Privad would probably need to be disseminated "through adware-style software bundling, shopping discounts, toolbars or other incentives."

HughPickens.com writes: Cindy Cohn writes at EFF that when a criminal started lacing Tylenol capsules with cyanide in 1982, Johnson & Johnson quickly sprang into action to ensure consumer safety. It increased its internal production controls, recalled the capsules, offered an exchange for tablets, and within two months started using triple-seal tamper-resistant packaging. Congress ultimately passed an anti-tampering law but the focus of the response from both the private and the public sector was on ensuring that consumers remained safe and secure, rather than on catching the perpetrator. Indeed, the person who did the tampering was never caught.

According to Cohn the story of the Tylenol murders comes to mind as Congress considers the latest cybersecurity and data breach bills. To folks who understand computer security and networks, it's plain that the key problem are our vulnerable infrastructure and weak computer security, much like the vulnerabilities in Johnson & Johnson's supply chain in the 1980s. As then, the failure to secure our networks, the services we rely upon, and our individual computers makes it easy for bad actors to step in and "poison" our information. The way forward is clear: We need better incentives for companies who store our data to keep it secure. "Yet none of the proposals now in Congress are aimed at actually increasing the safety of our data. Instead, the focus is on "information sharing," a euphemism for more surveillance of users and networks," writes Cohn. "These bills are not only wrongheaded, they seem to be a cynical ploy to use the very real problems of cybersecurity to advance a surveillance agenda, rather than to actually take steps to make people safer." Congress could step in and encourage real security for users—by creating incentives for greater security, a greater downside for companies that fail to do so and by rewarding those companies who make the effort to develop stronger security. "It's as if the answer for Americans after the Tylenol incident was not to put on tamper-evident seals, or increase the security of the supply chain, but only to require Tylenol to "share" its customer lists with the government and with the folks over at Bayer aspirin," concludes Cohn. "We wouldn't have stood for such a wrongheaded response in 1982, and we shouldn't do so now."

New submitter Steven King writes with a link to The Daily Dot's report that the U.S. Senate has rejected the controversial USA Freedom Act, thus "all but guaranteeing that key provisions of the USA Patriot Act will expire"; had it passed, the bill would have allowed continued use of some mass data-collection practices, but with the addition of stronger oversight. From the article: The Senate failed to reach agreement on passage of the USA Freedom Act, a bill to reauthorize and reform Section 215 of the USA Patriot Act, which the government has used to conduct bulk surveillance of Americans' phone records. The House of Representatives passed the bill last week by an overwhelming bipartisan majority, but Senate Democrats, who unified behind the bill, did not get enough Republican votes to assure passage. The linked piece also mentions that the EFF shifted its position on this bill, after a panel of Federal judges ruled that the Feds at the NSA had overstepped their bounds in collecting a seemingly unlimited trove of metadata relating to American citizen's phone calls.

Florida-based JPay has a specialized business model and an audience that is at least in part a (literally) captive one: the company specializes in logistics and communications services involving prisons and prisoners, ranging from payment services to logistics to electronic communications with prisoners. Now, via Cory Doctorow at Boing Boing comes a report from the EFF that the company has back-pedaled on a particularly strange aspect of the terms under which the company provided messaging services for prisoners: namely, JPay's terms of service made exhaustive copyright claims on messages sent by prisoners, claiming rights to "all content, whether it be text, images, or video" send via the service. That language has now been excised, but not in time to prevent at least one bad outcome; from the EFF's description: [Valerie] Buford has been running a social media campaign to overturn her [brother, Leon Benson's] murder conviction. However, after Buford published a videogram that her brother recorded via JPay to Facebook, prison administrators cut off her access to the JPay system, sent Benson to solitary confinement, and stripped away some of his earned "good time." To justify the discipline, prison officials said they were enforcing JPay's intellectual property rights and terms of service.

eldavojohn writes: The staggering ingenuity of the U.S. Patent system has again been showcased by the EFF's analysis of recent patents. This week's patent and follow-up patent cover the futuristic innovative idea that when you order something, you can update your order and add additional amounts to your order while it's being processed. But wait, it gets even more innovative! You may one day be able to even to notify when you would like it delivered — on your phone! I know, you're busy wiping all that brain matter off your screen as your head seems to have exploded. Well, it turns out that inventor and patent holder Scott Horstemeyer (aka Eclipse IP, LLC of Delray Beach, FL) found no shortage of targets to go after with his new patents. It appears Tiger Fitness (and every other online retailer) was sending notices to customers about shipments. Did I mention Horstemeyer is a lawyer too? But not just a regular lawyer, a "SUPER lawyer" from the same firm that patented social networking in 2007, sued Uber for using location finding technologies in 2013 and sued Overstock.com as well as a small time shoe seller for using shipping notifications in 2014. A related article at Vox makes this case: "The primary problem with the patent system is, well, the patent system. The system makes it too easy to get broad, vague patents, and the litigation process is tilted too far toward plaintiffs. But because so many big companies make so much money off of this system, few in Congress are willing to consider broader reforms."

An anonymous reader writes: The Electronic Frontier Foundation is warning against a new potential privacy threat: cameras that look inside cars and try to identify how many people are inside. This technology is a natural combination of simpler ones that have existed for years: basic object recognition software and road-side cameras (red light cameras, speeding cameras, license plate readers — you name it). Of course, we can extrapolate just a bit further, and point out that as soon as the cameras have high enough resolution, they can start running face recognition algorithms on the images, and determine the identities of a vehicle's occupants.

"The San Diego Association of Governments (SANDAG), a government umbrella group that develops transportation and public safety initiatives across the San Diego County region, estimates that 15% of drivers in High Occupancy Vehicle (HOV) lanes aren't supposed to be there. After coming up short with earlier experimental projects, the agency is now testing a brand new technology to crack down on carpool-lane scofflaws on the I-15 freeway. ... In short: the technology is looking at your image, the image of the people you're with, your location, and your license plate. (SANDAG told CBS the systems will not be storing license plate data during the trial phase and the system will, at least for now, automatically redact images of drivers and passengers. Xerox's software, however, allows police the option of using a weaker form of redaction that can be reversed on request.)"

Ars Technica reports some good news on the YRO front. An excerpt: A year-and-a-half after the Electronic Frontier Foundation created a crowd-funded challenge to a patent being used to threaten podcasters, the patent has been invalidated. In late 2013, after small podcasters started getting threat letters from Personal Audio LLC, the EFF filed what's called an "inter partes review," or IPR, which allows anyone to challenge a patent at the US Patent and Trademark Office. The order issued today by the USPTO lays to rest the idea that Personal Audio or its founder, Jim Logan, are owed any money by podcasters because of US Patent No. 8,112,504, which describes a "system for disseminating media content representing episodes in a serialized sequence." The article points out, though, that the EFF warns Personal Audio LLC is seeking more patents on podcasting. Mentioned within: Adam Carolla's fight against these patents and our Q&A with Jim Logan.

An anonymous reader writes: Ken White at Popehat explains how the U.S. Drug Enforcement Agency has been purposefully sowing disinformation to hide the extent of their surveillance powers. The agency appears to have used a vast database of telecommunications metadata, which they acquired via general (read: untargeted, dragnet-style) subpoenas. As they begin building cases against suspected criminals, they trawl the database for relevant information. Of course, this means the metadata of many innocent people is also being held and occasionally scanned. The Electronic Frontier Foundation has filed a lawsuit to challenge this bulk data collection. The DEA database itself seems to have been shut down in 2013, but not before the government argued that it should be fine not only to engage in this collection, but to attempt to hide it during court cases. The courts agreed, which means this sort of surveillance could very well happen again — and the EFF is trying to prevent that.

jones_supa writes: As part of an effort to make encryption a standard component of every application, the Linux Foundation has launched the Let's Encrypt project (announcement) and stated its intention to provide access to a free certificate management service. Jim Zemlin, executive director for the Linux Foundation, says the goal for the project is nothing less than universal adoption of encryption to disrupt a multi-billion dollar hacker economy. While there may never be such a thing as perfect security, Zemlin says it's just too easy to steal data that is not encrypted. In its current form, encryption is difficult to implement and a lot of cost and overhead is associated with managing encryption keys. Zemlin claims the Let's Encrypt project will reduce the effort it takes to encrypt data in an application down to two simple commands. The project is being hosted by the Linux Foundation, but the actual project is being managed by the Internet Security Research Group. This work is sponsored by Akamai, Cisco, EFF, Mozilla, IdenTrust, and Automattic, which all are Linux Foundation patrons. Visit Let's Encrypt official website to get involved.

eldavojohn writes It's 2015 and the EFF is still submitting requests to alter or exempt certain applications of the draconian DMCA. One such request concerns abandoned games that utilized or required online servers for matchmaking or play (PDF warning) and the attempts taken to archive those games. A given example is Madden '09, which had its servers shut down a mere one and a half years after release. Another is Gamespy and the EA & Nintendo titles that were not migrated to other servers. I'm sure everyone can come up with a once cherished game that required online play that is now abandoned and lost to the ages. While the EFF is asking for exemptions for museums and archivists, the ESA appears to take the stance that it's hacking and all hacking is bad. In prior comments (PDF warning), the ESA has called reverse engineering a proprietary game protocol "a classic wolf in sheep's clothing" as if allowing this evil hacking will loose Sodom & Gomorrah upon the industry. Fellow gamers, these years now that feel like the golden age of online gaming will be the dark ages of games as historians of the future try to recreate what online play was like now for many titles.

An anonymous reader writes Comedian and journalist John Oliver set out to understand US Government surveillance in advance of the June 2015 expiration of section 215 of the Patriot Act. What resulted was a humorous but exceptionally journalistic interview of Edward Snowden which distilled the issues down in a (NSFW) way everyone can understand. Regardless of whether you view Snowden as a despicable traitor or an honorable whistleblower, it's worth a watch.