EFF to Court: The Supreme Court Must Rein in Expansive Secondary Copyright Liability

EFF update
1 week ago

If the Supreme Court doesn’t reverse a lower court’s ruling, internet service providers (ISPs) could be forced to terminate people’s internet access based on nothing more than mere accusations of copyright infringement. This would threaten innocent users who rely on broadband for essential aspects of daily life. EFF—along with the American Library Association, the Association of Research Libraries, and Re:Create—filed an amicus brief urging the Court to reverse the decision.

The Stakes: Turning ISPs into Copyright Police

Among other things, the Supreme Court approving the appeals court’s findings will radically change the amount of risk your ISP takes on if a customer infringes on copyright, forcing the ISP to terminate access to the internet for those users accused of copyright infringement—and everyone else who uses that internet connection.

This issue turns on what courts call “secondary liability,” which is the legal idea that someone can be held responsible not for what they did directly, but for what someone else did using their product or service.

The case began when music companies sued Cox Communications, arguing that the ISP should be held liable for copyright infringement committed by some of its subscribers. The Court of Appeals for the Fourth Circuit agreed, adopting a “material contribution” standard for contributory copyright liability (a rule for when service providers can be held liable for the actions of users). The lower court said that providing a service that could be used for infringement is enough to create liability when a customer infringes.

In the Patent Act, where Congress has explicitly defined secondary liability, there’s a different test: contributory infringement exists only where a product is incapable of substantial non-infringing use. Internet access, of course, is overwhelmingly used for lawful purposes, making it the very definition of a “staple article of commerce” that can’t be liable under the patent framework. Yet under the Fourth Circuit’s rule, ISPs could face billion-dollar damages if they fail to terminate users on the basis of even flimsy or automated infringement claims.

Our Argument: Apply Clear Rules from the Patent Act, Not Confusing Judge-Made Tests

Our brief urges the Court to do what it has done in the past: look to patent law to define the limits of secondary liability in copyright. That means contributory infringement must require more than a “material contribution” by the service provider—it should apply only when a product or service is especially designed for infringement and lacks substantial non-infringing uses.

The Human Cost: Losing Internet Access Hurts Everyone

The Fourth Circuit’s rule threatens devastating consequences for the public. Terminating an ISP account doesn’t just affect a person accused of unauthorized file sharing—it cuts off entire households, schools, libraries, or businesses that share an internet connection.

  • Public libraries, which provide internet access to millions of Americans who lack it at home, could lose essential service.
  • Universities, hospitals, and local governments could see internet access for whole communities disrupted.
  • Households—especially in low-income and communities of color, which disproportionately share broadband connections with other people—would face collective punishment for the alleged actions of a single user.

With more than a third of Americans having only one or no broadband provider, many users would have no way to reconnect once cut off. And given how essential internet access is for education, employment, healthcare, and civic participation, the consequences of termination are severe and disproportionate.

What’s Next

The Supreme Court has an opportunity to correct course. We’re asking the Court to reject the Fourth Circuit’s unfounded “material contribution” test, reaffirm that patent law provides the right framework for secondary liability, and make clear that the Constitution requires copyright to serve the public good. The Court should ensure that copyright enforcement doesn’t jeopardize the internet access on which participation in modern life depends.

We’ll be watching closely as the Court considers this case. In the meantime, you can read our amicus brief here.

Betty Gedlu

[B] 私はガザ市にいる。荷物はまとめたが、家を出ることは拒否する 訳としまる

日刊ベリタ
1 week ago
(訳者まえがき)ガザにイスラエル軍の地上部隊が本格的に侵攻し、北部の住民を強制的に排除しはじめたことが報じられている。日々報道で映し出されるガザの光景から、私たちは、北部やガザ市に住みつづける人たちが今でも多くいることをつい忘れていまいがちだ。しかし。まだ住み続けている人たちが確実にいる。なぜなのか、安全な所などないとはいえ、まだ南部の方が相対的に安全ではないのか。以下に訳出したのは、+972magazineに掲載された記事で、筆者は今でも北部のガザ市に住む。この記事には、未だに住み続ける人たちの思いの深さが、そのコミュニティや家族、隣人たちやその場所への深い愛着――この愛着にはナクバの記憶が欠かせないものとして受け継がれている――とともに、読む者の胸に迫ってくる。生き延びてほしいと思う。ただそれだけの言葉しかかけらないとはいえ、生き延びてほしいと思う。ぜひお読みください。(としまる)
日刊ベリタ

San Francisco Gets An Invasive Billionaire-Bought Surveillance HQ

EFF update
1 week ago

San Francisco billionaire Chris Larsen once again has wielded his wallet to keep city residents under the eye of all-seeing police surveillance. 

The San Francisco Police Commission, the Board of Supervisors, and Mayor Daniel Lurie have signed off on Larsen’s $9.4 million gift of a new Real-Time Investigations Center. The plan involves moving the city’s existing police tech hub from the public Hall of Justice not to the city’s brand-new police headquarters but instead to a sublet in the Financial District building of Ripple Labs, Larsen’s crypto-transfer company. Although the city reportedly won’t be paying for the space, the lease reportedly cost Ripple $2.3 million and will last until December 2026. 

The deal will also include a $7.25 million gift from the San Francisco Police Community Foundation that Larsen created. Police foundations are semi-public fundraising arms of police departments that allow them to buy technology and gear that the city will not give them money for.  

In Los Angeles, the city’s police foundation got $178,000 from the company Target to pay for the services of the data analytics company Palantir to use for predictive policing. In Atlanta, the city’s police foundation funds a massive surveillance apparatus as well as the much-maligned Cop City training complex. (Despite police foundations’ insistence that they are not public entities and therefore do not need to be transparent or answer public records requests, a judge recently ordered the Atlanta Police Foundation to release documentation related to Cop City.) 

A police foundation in San Francisco brings the same concerns: that an unaccountable and untransparent fundraising arm shmoozing with corporations and billionaires would fund unpopular surveillance measures without having to reveal much to the public.  

Larsen was one of the deep pockets behind last year’s Proposition E, a ballot measure to supercharge surveillance in the city. The measure usurped the city’s 2019 surveillance transparency and accountability ordinance, which had required the SFPD to get the elected Board of Supervisors’ approval before buying and using new surveillance technology. This common-sense democratic hurdle was, apparently, a bridge too far for the SFPD and for Larsen.  

We’re no fans of real-time crime centers (RTCCs), as they’re often called elsewhere, to start with. They’re basically control rooms that pull together all feeds from a vast warrantless digital dragnet, often including automated license plate readers, fixed cameras, officers’ body-worn cameras, drones, and other sources. It’s a means of consolidating constant surveillance of the entire population, tracking everyone wherever they go and whatever they do – worrisome at any time, but especially in a time of rising authoritarianism.  

Think of what this data could do if it got into federal hands; imagine how vulnerable city residents would be subject to harassment if every move they made was centralized and recorded downtown. But you don’t have to imagine, because SFPD already has been caught sharing automated license plate reader data with out-of-state law enforcement agencies assisting in federal immigration investigations

We’re especially opposed to RTCCs using live feeds from non-city surveillance cameras to push that panopticon’s boundaries even wider, as San Francisco’s does. Those semi-private networks of some 15,000 cameras, already abused by SFPD to surveil lawful protests against police violence, were funded in part by – you guessed it – Chris Larsen

These technologies could potentially endanger San Franciscans by directing armed police at them due to reliance on a faulty algorithm or by putting already-marginalized communities at further risk of overpolicing and surveillance. But studies find that these technologies just don’t work. If the goal is to stop crime before it happens, to spare someone the hardship and the trauma of getting robbed or hurt, cameras clearly do not accomplish this. There’s plenty of footage of crime occurring that belies the idea that surveillance is an effective deterrent, and although police often look to technology as a silver bullet to fight crime, evidence suggests that it does little to alter the historic ebbs and flows of criminal activity. 

Yet now this unelected billionaire – who already helped gut police accountability and transparency rules and helped fund sketchy surveillance of people exercising their First Amendment rights – wants to bankroll, expand, and host the police’s tech nerve center. 

Policing must be a public function so that residents can control - and demand accountability and transparency from - those who serve and protect but also surveil and track us all. Being financially beholden to private interests erodes the community’s trust and control and can leave the public high and dry if a billionaire’s whims change or conflict with the will of the people. Chris Larsen could have tried to address the root causes of crime that affect our community; instead, he exercises his bank account's muscle to decide that surveillance is best for San Franciscans with less in their wallets. 

Elected officials should have said “thanks but no thanks” to Larsen and ensured that the San Francisco Police Department remained under the complete control and financial auspices of nobody except the people of San Francisco. Rich people should not be allowed to fund the further degradation of our privacy as we go about our lives in our city’s public places. Residents should carefully watch what comes next to decide for themselves whether a false sense of security is worth living under constant, all-seeing, billionaire-bankrolled surveillance. 

Josh Richman

【リレー時評】戦争とメディア 二重の危機=米倉 外昭(JCJ沖縄)

日本ジャーナリストクラブ(JCJ)
1 week ago
 戦後80年を迎えた今年、新たな戦前状況にあらがうため沖縄のメディアは、過去の戦争や戦後史を検証して教訓とし、再び戦争をさせない報道に懸命に取り組んでいる。 市民運動も新たな展開をしている。「戦争止めよう! 沖縄・西日本ネットワーク」が結成され、6月に東京行動を実施するなど、活動の規模を拡大してきた。 しかし、日本の軍事費は拡大を続け、米軍と一体となった戦争準備を着々と進めている。軍事演習が日常化し、生活の場に軍事が無遠慮に入り込み、全国でミサイル配備、弾薬庫整備などの計画が..
JCJ

Rayhunter: What We Have Found So Far

EFF update
1 week ago

A little over a year ago we released Rayhunter, our open source tool designed to detect cell-site simulators. We’ve been blown away by the level of community engagement on this project. It has been installed on thousands of devices (or so we estimate, we don’t actually know since Rayhunter doesn’t have any telemetry!). We have received dozens of packet captures, hundreds of improvements, both minor and major, documentation fixes, and bug reports from our open source community. This project is a testament to the power and impact of open source and community driven counter-surveillance.  

If this is your first time hearing about Rayhunter, you can read our announcement blog post here. Or if you prefer, you can watch our DEF CON talk. In short, Rayhunter is an open source Linux program that runs on a variety of mobile hotspots (dedicated devices that use a cellular connection to give you Wi-Fi). Rayhunter’s job is to look for cell-site simulators (CSS), a tool police use to locate or identify people's cell phones, also known as IMSI catchers or Stingrays. Rayhunter analyzes the “handshakes” between your Rayhunter device and the cell towers it is connected to for behaviors consistent with that of a CSS. When it finds potential evidence of a CSS it alerts the user with an indicator on the screen and potentially a push notification to their phone.  

Understanding if CSS are being used to spy on protests is one of the main goals of the Rayhunter project. Thanks to members of our community bringing Rayhunter to dozens of protests, we are starting to get a picture of how CSS are currently being used in the US. So far Rayhunter has not turned up any evidence of cell-site simulators being used to spy on protests in the US — though we have found them in use elsewhere.  

So far Rayhunter has not turned up any evidence of cell-site simulators being used to spy on protests in the US.  

There are a couple of caveats here. First, it’s often impossible to prove a negative. Maybe Rayhunter just hasn’t been at protests where CSS have been present. Maybe our detection signatures aren’t picking up the techniques used by US law enforcement. But we’ve received reports from a lot of protests, including pro-Palestine protests, protests in Washington DC and Los Angeles, as well as the ‘No Kings’ and ‘50501’ protests all over the country. So far, we haven’t seen evidence of CSS use at any of them.  

A big part of the reason for the lack of CSS at protests could be that some courts have required a warrant for their use, and even law enforcement agencies not bound by these rulings have policies that require police to get a warrant. CSS are also costly to buy and use, requiring trained personnel to use nearly one million dollars worth of equipment.  

The fact is police also have potentially easier to use tools available. If the goal of using a CSS at a protest is to find out who was at the protest, police could use tools such as:  

  • License plate readers to track the vehicles arriving and leaving at the protest. 
  • Location data brokers, such as Locate X and Fog Data Science, to track the phones of protestors by their mobile advertising IDs (MAID).
  • Cellebrite and other forensic extraction tools to download all the data from phones of arrested protestors if they are able to unlock those phones.  
  • Geofence warrants, which require internet companies like Google to disclose the identifiers of devices within a given location at a given time.
  • Facial recognition such as Clearview AI to identify all present via public or private databases of peoples faces.
  • Tower dumps from phone companies, which, similar to geofence warrants, require phone companies to turn over a list of all the phones connected to a certain tower at a certain time.  

We think, due to the lack of evidence of CSS being used, protestors can worry less about CSS and more about these other techniques. Luckily, the actions one should take to protect themselves are largely the same: 

We feel pretty good about Rayhunter’s detection engine, though there could still be things we are missing. Some of our confidence in Rayhunter’s detection engine comes from the research we have done into how CSS work. But the majority of our confidence comes from testing Rayhunter against a commercial cell-site simulator thanks to our friends at Cape. Rayhunter detected every attack run by the commercial CSS.  

Where Rayhunter Has Detected Likely Surveillance

Rayhunter users have found potential evidence of CSS being used in the wild, though not at protests. One of the most interesting examples that triggered multiple detections and even inspired us to write some new detection rules was at a cruise port in the Turks and Caicos Islands. The person who captured this data put the packet captures online for other researchers to review

Rayhunter users have detected likely CSS use in the US as well. We have received reports from Chicago and New York where our “IMSI Sent without authentication” signature was triggered multiple times over the course of a couple hours and then stopped. Neither report was in the vicinity of a protest. We feel fairly confident that these reports are indicative of a CSS being present, though we don’t have any secondary evidence to back them up. 

We have received other reports that have triggered our CSS detection signatures, but the above examples are the ones we feel most confident about.  

We encourage people to keep using Rayhunter and continue bringing it to protests. Law enforcement trends can change over time and it is possible that some cities are using them more often than others (for example Fontana, California reportedly used their CSS over 300 times in two years). We also know that ICE still uses CSS and has recently renewed their contracts. Interestingly, in January, the FBI requested a warrant from the Foreign Intelligence Surveillance Court to use what was likely a CSS and was rejected. This was the first time the FBI has sought a warrant to use a CSS using the Foreign Intelligence Surveillance Act since 2015, when the Justice Department began requiring a warrant for their use. If police start using CSS to spy on protests we want to know.

There is still a lot we want to accomplish with Rayhunter, we have some future plans for the project that we are very excited to share with you in the near future, but the biggest thing we need right now is more testing outside of the United States.  

Taking Rayhunter International  

We are interested in getting Rayhunter data from every country to help us understand the global use of CSS and to refine our signatures. Just because CSS don't appear to be used to spy on protests in the US right now doesn't mean that is true everywhere. We have also seen that some signatures that work in the US are prone to false positives elsewhere (such as our 2G signature in countries that still have active 2G networks). The first device supported by Rayhunter, the Orbic hotspot, was US only, so we have very little international data. But we now have support for multiple devices! If you are interested in Rayhunter, but can’t find a device that works in your country, let us know. We recommend you consult with an attorney in your country to determine whether running Rayhunter is likely to be legally risky or outlawed in your jurisdiction.

Related Cases: Carpenter v. United States
Cooper Quintin