Ask Me Anything - The Electronic Frontier Foundation (EFF)

Status
Not open for further replies.

RaNdOmReDnEcK

Estimable
Mar 4, 2015
12
0
4,560
Electronic voting in itself is a bad idea in my opinion.... TOO often people manipulate data, this would just be another instance where the smarter you are the better you can manipulate the results... I'd be for it if it had no outside connection to the internet. In today's time you can TRUST NO ONE online.... everyone wants to be anonymous, and some people prefer to know who they are talking to!
 

Hels

Estimable
Mar 4, 2015
1
0
4,510
If someone doesn't have a great deal of time or expertise (or money) to invest, what practical or specific actions would you recommend an individual take towards personal and community electronic freedom? What actions or choices have the biggest impact?
 

xor_eff

Estimable
Feb 12, 2015
4
0
4,510


You'd think it might be safety issues, but that's not the source of the restriction. As you've noted, it's legal uncertainty stemming from the Digital Millennium Copyright Act: specifically, the provision that prohibits circumventing technical protection measures on a copyrighted work.

What's the "copyrighted work" here? The argument is that it's the firmware of the devices itself. If you think this sounds like an absolutely ridiculous application of copyright law, you're not alone. This section of the DMCA has been a wellspring of unintended consequences, restricting user autonomy and competition around all sorts of devices in ways never imagined for copyright law.

The public can request exemptions to this section of the DMCA in a long process that takes place every three years. This triennial rulemaking is time-consuming and difficult, and each exemption must be argued from scratch every time. So we've gotten exemptions to unlock phones for different carriers, or jailbreak them to run unauthorized apps, or to rip DVDs for making noncommercial remixes of them; this time we're requesting those sorts of things, plus the right to modify old games to remain playable once the authorization servers have been taken offline, to repair and do security research on cars, etc, etc.
 
Well, now that I'm wound up I'm going to ask if a couple of my pet peeves are on the EFF's radar, or anyone's but mine.

The first is the legislation known in the vernacular as Check 21, the "Check Clearing for the 21st Century Act." A digital image that is supposedly a scan of a check I wrote has the same validity as a check that I wrote. Safety paper, permanent inks, any consumer protection is gone by the wayside. Anyone with Photoshop skills could take one of my checks and forge an extra ten thousand dollars onto it, and I'd have no way to prove it.

Check conversion ( http://www.federalreserve.gov/pubs/checkconv/ ) is even worse. A company gets to take money out of my account because they said that I wrote them a check - image not required. Even with a large, reputable financial institution, I have had things come back in the amount they considered appropriate, not the amount that I wrote the check for.

Is this protection of the consumer eliminated for the convenience and cost-saving of the banks and other institutions? Am I a raving paranoid? Or are both of those correct?

I still have in my file cabinet a letter of explanation and apology from the bank for the only time I have ever bounced a check. The bank cashed a check of mine with a "two" that I wrote, both in the numbers and the words, as a "five." Account overdrawn, subsequent check bounces, I provide check, bank takes responsibility. If the check was "converted," do I have any protection? Sure, I can file a fraud claim, but my ability to hire a lawyer vs. that of a major financial institution? And "file a fraud claim" isn't the imagination of my fevered mind; it's the only option a bank has presented me when I feel that a mistake was made. A form to file fraud charges.

Or are there proper protections in place and I just haven't heard about them?
 
[EDIT: This refers to xor_eff's response, not WK's]

That brings to mind another question:

From what I understand, the main barrier to unlocking phones in the US is that the radio firmware is copyrighted by the carrier, and modifying it would be against the DMCA/other copyright law.

What effect does this have on completely replacing the radio firmware with a factory unlocked version, providing that it was not subject to copyright issues?
 
Another online thing that scares the spit out of me is the idea of electronic signatures as implemented in current law, or at least my poor understanding of current law. I have to make some sort of indication on the form, frequently typing my name or initials, and intend to have that serve as my enforceable agreement to whatever I'm "signing."

Well, fine as far as that goes. It's easy for me, and if I type my name there I'd better mean it. But what happens if Joe Blow signs up for credit in my name, or orders 500 pounds of pastrami and agrees for me to pay for it? Is there any way for me to prove that it wasn't I who typed my name into that box? Any equivalent of comparing signatures? I may write my name differently from the way Joe Blow writes my name, but I'll bet Joe can type WyomingKnott with exactly the same series of keystrokes that I use. So is there any practical protection at all for someone who claims "No, I did not sign that?"

(with my apologies to everyone out there named Joe Blow; I'll use Susan Smith next time.)
 

JGillula

Estimable
Jan 30, 2015
10
0
4,560
If by electronic voting you mean voting over the Internet, I am scared [censored]-less by the prospect of electronic voting. Electronic voting makes election fraud, which is difficult to do today (and almost never happens), into a feasible (and potentially much cheaper) way to subvert democracy.

It basically comes down to the economics/centralization: if I want to get someone elected, then I only need to put in the effort to find one vulnerability in the voting website/app/service/whatever--instead of hiring lots of people to do in-person voter fraud all over the place. Plus, finding a vulnerability (or hiring someone to do so) could be cheaper than actually running a campaign, and potentially leave far fewer traces than in-person voter fraud might.

Maybe if proofs of correctness weren't an NP-hard problem for actual software, we could do it. But everything has bugs, and I don't want one of those bugs to result in any more subversion of our democracy than already happens (even if it might help turnout amongst younger voters).

I think it already is having an impact. Many countries (Brazil, Germany, China) have reduced the amount of US technology (both hardware and software) that they purchase.

I think that US companies trying to position themselves as pro-encryption and pro-security, as well as some of the corporate blowback against the NSA, is due to this. While some of it might be PR, some of it is having a real impact on the amount of encryption being deployed in the world. (For example, Apple's iPhone encryption has absolutely zilch to do with any way the NSA has been spying on the world, but it's good PR for them, and it's good for everybody to have encrypted smartphones.) So I'd say it's having an impact. Maybe not as large an impact as I might wish for, but an impact nonetheless.

With that said, we should remind everyone that mass surveillance isn't a US only (or even Five Eyes only) thing. Many countries participate in mass surveillance, so no matter where you live you should call on your politicians to support the Necessary and Proportionate Principles.
 

JGillula

Estimable
Jan 30, 2015
10
0
4,560


Unfortunately I think these issues are outside EFF's wheelhouse. :(
 

Nadia_K

Estimable
Feb 12, 2015
3
0
4,510


You're absolutely right that abuse and harassment are very real problems.

People mean a variety of things when they talk about harassment. You mentioned protecting users, enforcing rules, and abusive comments, so I'll try to address those issues.

We think of the question of abuse and speech not as a zero-sum game, but as a problem that needs creative solutions. Waves of account suspensions and content takedown aren't the answer. And in fact, we regularly see content moderation go wrong—people get accounts suspended erroneously, while complaints about disturbing abuse remain unanswered. So, we don't encourage websites to enforce rules that just shut down dialogue.

When it comes to abusive comments, we encourage solutions that help people have more control over what they see (for instance, better blocking tools on Twitter). As you point out, free speech doesn't mean people have to be forced to listen. But platforms are often designed that way. That's not the whole answer, but it's a good start.

Finally, when you say protecting users, that again depends on what you mean. If you mean protecting people from offline danger, unfortunately, a lot of that has to do with law enforcement and the courts doing a very poor job of dealing with online threats. For example, no one should have to explain to the police what Facebook is if they had to call in a threat of violence...but we hear comments from people (especially women) that this happens on a regular basis. Additionally, posting people's addresses and other information can be incredibly dangerous, but underlying the issue is the fact that it is so easy to get that info from data brokers—something that deserves more attention in the conversation about harassment. If you've ever tried to get your data off of some of the "people search" websites that exist, you know what a pain it is.

We don't think anyone, including EFF, has the perfect answer to how to deal with abuse. But for more on our take, you can check out our detailed blog post on the issue: https://www.eff.org/deeplinks/2015/01/facing-challenge-online-harassment


 

snorlax316

Estimable
Feb 11, 2015
12
0
4,560


Thanks for the in-depth answer to my question, Nadia.
When I say protect from abuse, I don't simply mean in real life. People shouldn't have to SEE those kinds of messages.

To block on Twitter (Reddit, Facebook, really anything), you have to engage with nasty comments. Maybe it's just me, but I'm of the opinion you shouldn't have to engage with an Internet commenter's nastiness if you don't want to. Filtering options should be much stronger to prevent the psychological toll these can take on a person. Is it worth making a person click through piles of filth for someone else's speech? Just because they type it doesn't mean the receiver doesn't have to see the abuse.

As for real life, I agree, law enforcement is ill prepared, but that's another story.
 

Below0

Estimable
Jan 8, 2015
53
1
4,590
In the wake of Superfish and Lenovo, do we have to be afraid that every piece of tech we buy is bugged? Should we have been assuming that already?
 

bythelake23

Estimable
Mar 4, 2015
2
0
4,510
Do you have any plans for a Canadian chapter and how would you describe the state of ISP regulation/net neutrality in Canada?
 

JGillula

Estimable
Jan 30, 2015
10
0
4,560

I think it's appropriate to be concerned, but I don't think we've quite hit "ZOMG I'm going to abandon all my technology and go live in the woods" yet. (Though some days, when I read the news and find out about yet another bug that risks the security of large numbers of people, I do briefly consider that...)

Right, back on topic. I think it's important to distinguish between tech being bugged and being buggy. Superfish was buggy--the security vulnerability wasn't intentional, even if the purpose of the software was creepy, questionable, and poorly thought out. Sadly, lots of code has bugs--and it'll always be that way. The only way to defeat this is for companies to pay more attention to security, and to be more conscious of what third-party tools they're using. (In the specific case of Lenovo, something good did come out of the debacle: Lenovo has promised to stop loading their machines with crapware.)

As for being bugged, although the NSA has shown it definitely has the capability and wherewithal to intercept tech and bug it, or to load malicious firmware onto people's machines, I don't think the average person has to worry about that too much. (It's a different story if you're an activist, politician, businessperson, journalist, sysadmin, prominent engineer, etc., though.) Of course, that's also different from dragnet mass surveillance--which is why you should rely on trusted tools for encrypting communications.

But of course, that brings us back to software being buggy (even pervasive software like OpenSSL). So in the end, the best you can do is try to assess for yourself what your threat model is, and what tech you trust. (This kind of seems like a non-answer, so feel free to reply and ask for more clarification. :) )

 

jcbeff

Estimable
Feb 13, 2015
3
0
4,510


To add some more to Jeremy's response, the biggest immediate consumer lesson from the Lenovo/Superfish fiasco is that when you buy a new computer, you should re-install the OS if you are technically capable of doing so. And, yes, we probably should have been assuming that already. PC makers have been bundling software for years that is often unwanted, annoying, and wasteful of resources; in the case of Superfish, bundled software also opened up an enormous security hole. It's sad that the state of the PC market has gotten to that point where users can't really trust their PC maker not to abuse their position to make a few bucks. Hopefully the reputation hit Lenovo is continuing to take on this will help push the industry to reform this practice, but in the short term re-installing is still smart.

Unfortunately, even though some users are going to re-install their OS (or better yet, switch to an open-source OS!), this is harder on Android devices and very difficult (by design) on iOS devices. And as my colleague Cooper Quintin blogged for EFF this week, to really be safe you need to check what firmware is running on all of your hardware: essentially you have lots of little OSes to re-install if you really want to be sure your machine is safe.

Ken Thompson famously laid these issues out back in 1983 when receiving his Turing Award (considered the "Nobel Prize for Computer Scientists"). There's always a level below that can undermine your trust. Even if you install all of your device firmware, BIOS, and main OS yourself (and you compiled it yourself from known-good source code), how do you know there isn't microcode running on your CPU that's compromised, or backdoor CPU instructions?

Ultimately it's not practical for any individual, no matter how technically skilled, to use a device as complicated as a modern computer and ascertain for themselves that the overall system is trustworthy. This is a social problem and we need to do a lot better to ensure that the organizations building our hardware and software are delivering platforms that we have high confidence are not bugged.

In the short term though, please do re-install your OS on a new computer :)
 

natecardozo

Estimable
Jan 30, 2015
6
0
4,510


I had no idea the answer to these questions, so I asked my colleague Vera. Vera's a US lawyer, but she's a Canadian person, so she's the best situated here @EFF to answer. Here's what she said:

We don't do much work directly in Canada; we have lots of allied civil society organizations that do. See these for some more info:
https://cippic.ca/
https://openmedia.ca/saveournet/faq

The good news is that Canada currently has net neutrality! However, it's under threat recently with things like the zero rating ruling among other things.

Sorry, that wasn't the best answer, but hopefully it's a start.
 

xor_eff

Estimable
Feb 12, 2015
4
0
4,510


Yeah, it's possible the people who like using DRM to control secondary uses of their products aren't crazy about our pointing out how harmful to consumers it is. Probably the people who sell DRM software to those companies don't like it, either.

Beyond being bad for the users, though, there's not a lot of evidence that DRM is effective at stopping "piracy." You mention Ubisoft; last year that company's VP of digital publishing said as much. You get the same kind of comments about piracy being a "service problem" from Gabe Newell a few years back.

To the extent piracy is a business problem, there are solutions that don't involve DRM. Not only has DRM tech proven ineffective, but it comes at far too dear a price to your users' rights.
 

Nadia_K

Estimable
Feb 12, 2015
3
0
4,510


Thanks for asking! There are many things you can do. It's hard to say what has the biggest impact (especially when we deal with such a wide range of issues.) But you can check out our action center, where we have actions that deal with issues ranging from NSA spying to patent trolls. Sending emails does make a difference, when lots of people do it.

And on that note, educating yourself and others about the issues is a great thing to do too. If you don't have the time to check out our blog every day, you can sign up for our newsletter, which includes condensed versions of our top articles.

On a very practical tip, if you're concerned about surveillance, you can check out Surveillance Self-Defense. SSD is EFF's guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices. And fortunately, a lot of the tools for being more secure online are free and easy to use. If you start with threat modeling, you can figure out what the most meaningful privacy tools for you to use would be.

All that being said, if there's a particular issue that you're especially interested in, let us know. There may be a specific action we can point you towards!








 

AndrewEFF

Estimable
Jan 30, 2015
6
0
4,510



I don't know that I'm going to be able to convince you, but I will point out that I was saying we had a single hearing that lasted 3 hours. To repeat: we spent many, many hours in court in 2014.

I would still say you're taking a narrow view of our work. For example, in 2013 we won a major victory by having the National Security Letter statute (part of the Patriot Act) declared unconstitutional. We spent a sizable amount of time in 2014--including, yes, in a hearing--defending this victory on appeal. We still don't have a decision in that appeal yet, though, because litigation is slow. We can't control the courts--not their pace and not the decisions they issue. We make the most persuasive arguments we can, but we can't force victories in court. That's part of why we don't spend all of our time litigating. We have had numerous victories in getting legislative reforms, positive changes in technology, etc etc. I stand by our effectiveness and our success, but that's for you and our other supporters to judge.
 
Guest
I was looking around your website after you answered my question earlier. I noticed you sell stickers that cover laptop and smartphone cameras.

That actually scares me, as I never cover the camera. In the case of my laptop, there's a light that turns on when the camera is activated. Can that be turned on by third parties without the light going off?
 


Yes.

http://arstechnica.com/security/2013/12/perv-utopia-light-on-macbook-webcams-can-be-bypassed/
 