AT&T

AT&T Stops Using 'Super Cookies' To Track Cellphone Data 60

jriding (1076733) writes AT&T Mobility, the nation's second-largest cellular provider, says it's no longer attaching hidden Internet tracking codes to data transmitted from its users' smartphones. The practice made it nearly impossible to shield its subscribers' identities online. Would be nice to hear something similar from Verizon.
Encryption

ISPs Removing Their Customers' Email Encryption 245

Presto Vivace points out this troubling new report from the Electronic Frontier Foundation: Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the U.S. and Thailand intercepting their customers' data to strip a security flag — called STARTTLS — from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.

By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
Electronic Frontier Foundation

Computer Scientists Ask Supreme Court To Rule APIs Can't Be Copyrighted 260

An anonymous reader writes: The EFF, representing a coalition of computer scientists, filed an amicus brief with the Supreme Court yesterday hoping for a ruling that APIs can't be copyrighted. The names backing the brief include Bjarne Stroustrup, Ken Thompson, Guido van Rossum, and many other luminaries. "The brief explains that the freedom to re-implement and extend existing APIs has been the key to competition and progress in both hardware and software development. It made possible the emergence and success of many robust industries we now take for granted—for example, mainframes, PCs, and workstations/servers—by ensuring that competitors could challenge established players and advance the state of the art. The litigation began several years ago when Oracle sued Google over its use of Java APIs in the Android OS. Google wrote its own implementation of the Java APIs, but, in order to allow developers to write their own programs for Android, Google's implementation used the same names, organization, and functionality as the Java APIs."
Electronic Frontier Foundation

EFF Hints At Lawsuit Against Verizon For Its Stealth Cookies 81

An anonymous reader writes A few weeks ago I noted how security researchers had discovered that Verizon has been injecting a unique new 'stealth cookie' identifier into all user traffic that tracks user online behavior, even if the consumer opts out. Using a unique Identifier Header, or UIDH, Verizon's ham-fisted system broadcasts your identity all across the web — and remains intact and open to third-party abuse — even if you opt-out of Verizon's behavioral ad programs. Now the Electronic Frontier Foundation has filed a complaint with the FCC and has strongly indicated that they're considering legal action against Verizon for violating consumer privacy laws.
Electronic Frontier Foundation

The Fight Over the EFF's Secure Messaging Scoreboard 63

blottsie writes The Electronic Frontier Foundation (EFF)'s new Secure Messaging Scorecard is designed to answer one important question: Which apps and tools actually keep your messages secure and safe from prying eyes? The results have been mixed. In the midst of many positive reactions from technology companies and users, the scorecard stoked a wave of criticism from several prominent figures in the security industry, who deemed the effort inaccurate, misleading, and vague.
Encryption

EFF Begins a Campaign For Secure and Usable Cryptography 96

Peter Eckersley writes: Over at EFF we just launched our Secure Messaging Scorecard, which is the first phase in a campaign to promote the development of communications protocols that are genuinely secure and usable by ordinary people. The Scorecard evaluates communications software against critical minimum standards for what a secure messaging app should look like; subsequent phases are planned to examine real world usability, metadata protection, protocol openness, and involve a deeper look at the security of the leading candidates. Right now, we don't think the Internet has any genuinely usable, genuinely secure messaging protocols — but we're hoping to encourage tech companies and the open source community to start closing that gap.
Books

Adobe's Digital Editions Collecting Less Data, Says EFF 32

itwbennett writes Tests on the latest version of Adobe Systems' e-reader software show the company is now collecting less data following a privacy-related dustup last month, according to the Electronic Frontier Foundation. Adobe was criticized in early October after it was discovered Digital Editions collected metadata about e-books on a device, even if the e-books did not have DRM. Those logs were also sent to Adobe in plain text. Digital Editions version 4.0.1 appears to only collect data on e-books that have DRM (Digital Rights Management), writes Cooper Quintin, a staff technologist with the EFF.
Electronic Frontier Foundation

EFF Rates Which Service Providers Side With Users 16

An anonymous reader writes: The Electronic Frontier Foundation has issued a report grading online service providers for how well they side with users over intellectual property disputes. They looked at sites like YouTube, Imgur, tumblr, and Twitter. "The services could receive a maximum of five stars, based on criteria including publicly documented procedures for responses to DMCA takedown notices and counter-notices, how the services handle trademark disputes, and if the company issued detailed transparency reports." Only two sites got a perfect rating: WordPress and Namecheap. tumblr got the worst score, and Imgur was not far behind. The rest of the sites were in between, though the EFF did give a bit of extra credit to Etsy for its educational guides and Twitter for its transparency reports.
Facebook

We Need Distributed Social Networks More Than Ello 269

Frequent contributor Bennett Haselton writes: Facebook threatened to banish drag queen pseudonyms, and (some) users revolted by flocking to Ello, a social network which promised not to enforce real names and also to remain ad-free. Critics said that the idealistic model would buckle under pressure from venture capitalists. But both gave scant mention to the fact that a distributed social networking protocol, backed by a player large enough to get people using it, would achieve all of the goals that Ello aspired to achieve, and more. Read on for the rest.
The Internet

Why the Trolls Will Always Win 728

maynard writes: Kathy Sierra spent a tech career developing videogames and teaching Java programming in Sun Microsystems masterclasses. Up until 2007, she'd been a well regarded tech specialist who happened to be female. Until the day she opined on her private blog that given the crap-flood of bad comments, maybe forum moderation wasn't a bad idea. This opinion made her a target. A sustained trolling and harassment campaign followed, comprised of death and rape threats, threats against her family, fabricated claims of prostitution, and a false claim that she had issued a DMCA takedown to stifle criticism. All of this culminated in the public release of her private address and Social Security Number, a technique known as Doxxing. And so she fled from the public, her career, and even her home.

It turned out that a man named Andrew Auernheimer was responsible for having harassed Sierra. Known as 'Weev', he admitted it in a 2008 New York Times story on Internet Trolls. There, he spoke to the lengths which he and his cohorts went to discredit and destroy the woman. "Over a candlelit dinner of tuna sashimi, Weev asked if I would attribute his comments to Memphis Two, the handle he used to troll Kathy Sierra, a blogger. Inspired by her touchy response to online commenters, Weev said he "dropped docs" on Sierra, posting a fabricated narrative of her career alongside her real Social Security number and address. This was part of a larger trolling campaign against Sierra, one that culminated in death threats."

Now, seven years later, Kathy Sierra has returned to explain why she left and what recent spates of online harassment against women portend for the future if decent people don't organize. The situation has grown much more serious since she went into hiding all those years ago. It's more than just the threat of Doxxing to incite physical violence by random crazies with a screw loose.
Read on for the rest of maynard's thoughts.
Privacy

National Security Letter Issuance Likely Headed To Supreme Court 112

Gunkerty Jeb writes The Ninth Circuit appeals court in San Francisco took oral arguments from the Electronic Frontier Foundation and the Department of Justice yesterday over the constitutionality of National Security Letters and the gag orders associated with them. The EFF defended a lower court's ruling that NSLs are unconstitutional, while the DoJ defended a separate ruling that NSLs can be enforced. Whatever the court rules, the issue of NSLs is all but certainly headed for the Supreme Court in the not too distant future.
Electronic Frontier Foundation

Hundreds of Police Agencies Distributing Spyware and Keylogger 72

realized sends this news from the EFF: For years, local law enforcement agencies around the country have told parents that installing ComputerCOP software is the "first step" in protecting their children online. ... As official as it looks, ComputerCOP is actually just spyware, generally bought in bulk from a New York company that appears to do nothing but market this software to local government agencies. The way ComputerCOP works is neither safe nor secure. It isn't particularly effective either, except for generating positive PR for the law enforcement agencies distributing it.

As security software goes, we observed a product with a keystroke-capturing function, also called a "keylogger," that could place a family's personal information at extreme risk by transmitting what a user types over the Internet to third-party servers without encryption. EFF conducted a security review of ComputerCOP while also following the paper trail of public records to see how widely the software has spread. Based on ComputerCOP's own marketing information, we identified approximately 245 agencies in more than 35 states, plus the U.S. Marshals, that have used public funds (often the proceeds from property seized during criminal investigations) to purchase and distribute ComputerCOP. One sheriff's department even bought a copy for every family in its county.
Privacy

Apple's "Warrant Canary" Has Died 236

HughPickens.com writes When Apple published its first Transparency Report on government activity in late 2013, the document contained an important footnote that stated: "Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us." Now Jeff John Roberts writes at Gigaom that Apple's warrant canary has disappeared. A review of the company's last two Transparency Reports, covering the second half of 2013 and the first six months of 2014, shows that the "canary" language is no longer there, suggesting that Apple is now part of FISA or PRISM proceedings.

Warrant canaries are a tool used by companies and publishers to signify to their users that, so far, they have not been subject to a given type of law enforcement request such as a secret subpoena. If the canary disappears, then it is likely the situation has changed — and the company has been subject to such request. This may also give some insight into Apple's recent decision to rework its latest encryption in a way that makes it almost impossible for the company to turn over data from most iPhones or iPads to police.
Advertising

Comcast Using JavaScript Injection To Serve Ads On Public Wi-Fi Hotspots 230

An anonymous reader writes: For some time now, Comcast has been setting up public Wi-Fi hotspots, some of which are run on the routers of paying subscribers. The public hotspots are free, but not without cost: Comcast uses JavaScript to inject self-promotional ads into the pages served to users. "Security implications of the use of JavaScript can be debated endlessly, but it is capable of performing all manner of malicious actions, including controlling authentication cookies and redirecting where user data is submitted. ... Even if Comcast doesn't have any malicious intent, and even if hackers don't access the JavaScript, the interaction of the JavaScript with websites could "create" security vulnerabilities in websites, [EFF technologist Seth Schoen] said. "Their code, or the interaction of code with other things, could potentially create new security vulnerabilities in sites that didn't have them," Schoen said."
The Courts

Appeals Court Clears Yelp of Extortion Claims 63

jfruh writes A U.S. appeals court cleared Yelp of charges of extortion related to its interaction with several small businesses who claim Yelp demanded that they pay for advertising or face negative reviews. While Yelp says it never altered a business rating for money, the court's finding was instead based on a strict reading of the U.S. extortion law, classifying Yelp's behavior as, at most, "hard bargaining." Interestingly, the EFF supported Yelp here, arguing that "Section 230 of the Communications Decency Act (CDA) protects online service providers from liability and lawsuits over user-generated content, except in very narrow circumstances where the providers created or developed content themselves. In its amicus brief, EFF argued that mere conjecture about contributing content – like there was in this case – is not enough to allow a lawsuit to go forward."
Privacy

Judge Allows L.A. Cops To Keep License Plate Reader Data Secret 108

An anonymous reader writes: A Los Angeles Superior Court judge has ruled that the Los Angeles Police Department is not required to hand over a week's worth of license plate reader data to the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF). He cited the potential of compromising criminal investigations and giving (un-charged) criminals the ability to determine whether or not they were being targeted by law enforcement (PDF). The ACLU and the EFF sought the data under the California Public Records Act, but the judge invoked Section 6254(f), "which protects investigatory files." ACLU attorney Peter Bibring notes, "New surveillance techniques may function better if people don't know about them, but that kind of secrecy is inconsistent with democratic policing."
Patents

Adam Carolla Settles With Podcasting Patent Troll 63

Personal Audio has been trying to assert patents they claim cover podcasting for some time now; in March Adam Carolla was sued and decided to fight back. Via the EFF comes news that he has settled with Personal Audio, and the outcome is likely beneficial to those still fighting the trolls. From the article: Although the settlement is confidential, we can guess the terms. This is because Personal Audio sent out a press release last month saying it was willing to walk away from its suit with Carolla. So we can assume that Carolla did not pay Personal Audio a penny. We can also assume that, in exchange, Carolla has given up the opportunity to challenge the patent and the chance to get his attorney’s fees. ... EFF’s own challenge to Personal Audio’s patent is on a separate track and will continue ... with a ruling likely by April 2015. ... We hope that Personal Audio’s public statements on this issue mean that it has truly abandoned threatening and suing podcasters. Though a press release might not be legally binding, the company will have a hard time justifying any further litigation (or threats of litigation) against podcasters. Any future targets can point to this statement. Carolla deserves recognition for getting this result.
Electronic Frontier Foundation

EFF's Cell Phone Guide For US Protesters 82

An anonymous reader writes: The Electronic Frontier Foundation has updated its guide for protecting yourself and your cell phone at a protest. In addition to being extremely powerful tools (real-time communication to many watchers via social media, and video recording functionality), cell phones can also give authorities a lot of information about you if they confiscate it. The EFF is trying to encourage cell phone use and prepare people to use them. (The guide is based on U.S. laws, but much of the advice makes sense for other places as well.) Here are a few small snippets: "Start using encrypted communications channels. Text messages, as a rule, can be read and stored by your phone company or by surveillance equipment in the area. ... If the police ask to see your phone, tell them you do not consent to the search of your device. Again, since the Supreme Court's decision in Riley, there is little question that officers need a warrant to access the contents of your phone incident to arrest, though they may be able to seize the phone and get a warrant later. ... If your phone or electronic device was seized, and is not promptly returned when you are released, you can file a motion with the court to have your property returned."
Electronic Frontier Foundation

EFF: US Gov't Bid To Alter Court Record in Jewel v. NSA 78

The EFF is only today able to release details of an attempt by the government to alter the historical record in the case brought by the EFF against the NSA in Jewel v. NSA. "On June 6, the court held a long hearing in Jewel in a crowded, open courtroom, widely covered by the press. We were even on the local TV news on two stations. At the end, the Judge ordered both sides to request a transcript since he ordered us to do additional briefing. But when it was over, the government secretly, and surprisingly sought permission to "remove" classified information from the transcript, and even indicated that it wanted to do so secretly, so the public could never even know that they had done so." As you'd expect of the EFF, they fought back with vigorous objections, and in the end the government did not get its way, instead deciding that it hadn't given away any classified information after all. "The transcript of a court proceeding is the historical record of that event, what will exist and inform the public long after the persons involved are gone. The government's attempt to change this history was unprecedented. We could find no example of where a court had granted such a remedy or even where such a request had been made. This was another example of the government's attempt to shroud in secrecy both its own actions, as well as the challenges to those actions. We are pleased that the record of this attempt is now public. But should the situation recur, we will fight it as hard as we did this time."
Electronic Frontier Foundation

EFF Releases Wireless Router Firmware For Open Access Points 56

klapaucjusz writes: The EFF has released an experimental router firmware designed to make it easy to deploy open (password-less) access points in a secure manner. The EFF's firmware is based on the CeroWRT fork of OpenWRT, but appears to remove some of its more advanced routing features. The EFF is asking for help to further develop the firmware. They want the open access point to co-exist on the same router as your typical private and secured access point. They want the owner to be able to share bandwidth, but with a cap, so guests don't degrade service for the owner. They're also looking to develop network queueing, a minimalist web UI, and an auto-update mechanism. The EFF has also released the beta version of a plug-in called Privacy Badger for Firefox and Chrome that will prevent online advertisers from tracking you.
