Deeplinks

The FCC Wants to Eliminate Net Neutrality Protections. We Can't Let That Happen.

In 2015, following years of dedicated activism – including individual actions by millions of Internet users – Team Internet scored a crucial victory: clear, enforceable protections for net neutrality. The new head of the Federal Communications Commission (“FCC”) wants to take away those protections and allow broadband providers like Comcast and AT&T to become permanent Internet gatekeepers. The good news is we can stop him. We need to tell Congress: Don’t let the FCC surrender the Internet!

Tell Congress: Don't Surrender the Internet.

According to several news reports, FCC Chairman Ajit Pai is planning to gut the FCC’s Open Internet Order, eliminating hard-fought net neutrality protections. What do we get instead? ISPs have to promise, cross their hearts and hope to die, to include certain net neutrality “principles” in their terms of service. The ISPs will doubtless jump at the chance, because they know what we know: artfully drafted pledges and promises don’t mean much when there’s no firm legal obligation to back them up.

In theory, of course, there is a way to enforce terms of service commitments. Pai’s plan would reportedly rely on the Federal Trade Commission to go after service providers that violate their promises, on the theory that any such violation would be an unfair and deceptive business practice. But as The Verge’s Nilay Patel and former FCC Counselor Gigi Sohn point out, companies change their terms of service all the time, and as yet we haven’t heard of anything in Pai’s plan that would stop them from doing so. Moreover, it’s not clear that all ISPs would have to make those promises. And, while the FCC’s current rules are proactive, the FTC would be limited to bringing enforcement actions after the harm has already occurred – and there are only so many actions it can bring. Moreover, there’s no reason to expect that the FTC – or most subscribers – will have the expertise needed to figure out when service providers are breaking their promises. Finally, in at least some states, the FTC can’t actually bring enforcement actions against many ISPs, thanks to a 2016 decision by the Ninth Circuit Court of Appeals. As Sohn explains, “Another name for the Pai Plan might be ‘Just Trust Us.’ Hardly a comforting thought in a market where ISPs face little competition and serve as the sole gatekeeper to the [I]nternet.”

Pai is expected to announce his plan as early as tomorrow, and if so, the FCC could vote on the plan at the Commission’s May 18th open meeting.

But Pai can’t reverse the will of millions of Internet users without giving us a chance to weigh in – directly and through our representatives. The FCC’s net neutrality rules are crucial for the Internet – they help make sure that ISPs run their networks in ways that are fair to users and innovators alike. Without those protections, ISPs can abuse their position as gatekeepers to the broader Internet to further cement their monopolies, hurting Internet users, content providers, nonprofits and small businesses in the process. We don’t need to look back very far to see the kind of harmful practices ISPs can get up to without effective oversight. We can’t let the FCC trade the desperately needed rules of the road we fought so hard to put in place for empty promises. It’s time to tell Congress: Don’t let the FCC surrender the Internet!

Tell Congress: Don't Surrender the Internet.


EFF and Allies Write to Congress: FCC Chairman Pai's Network Neutrality Plan Unworkable

EFF and a coalition of other groups wrote a letter to Congress today detailing the failings of Federal Communications Commission (FCC) Chairman Ajit Pai's reported—but undisclosed—network neutrality plan and requesting that lawmakers hold hearings over any FCC plans for the Internet.

So far, media outlets have reported that Chairman Pai intends to surrender the legal authority the FCC holds over cable and telephone companies. All the FCC apparently wants in exchange is empty promises from the industry to not end Internet freedom while relying on the Federal Trade Commission to protect users. Our letter to Congress details why that plan, as reported, will fail to protect an open Internet and how placing all of their eggs in the Federal Trade Commission (FTC) basket invites the industry to game the system and avoid any meaningful accountability.

Here is why the plan fails:

1) The FTC lacks rulemaking power and therefore cannot create open Internet rules much like the Open Internet Order.

2) A recent circuit court ruling has vastly limited the FTC's ability to oversee the activities of telephone companies due to their status as common carriers, granting the telecoms a powerful loophole from any federal enforcement actions. In essence, FCC Chairman Pai's plan could allow AT&T, Verizon, and any local telephone company in the states of Oregon, Arizona, Alaska, Hawaii, California, Idaho, Montana, Nevada, and Washington to exempt their broadband business from any federal consumer protections.

3) The undisclosed plan appears to rely on cable and telephone companies publishing written pledges to do no harm to the open Internet so the FTC could hold them accountable, but nothing in the law will require those companies to keep those promises. They are more than free to change their pledges to reshape the Internet, charge higher prices, and invade consumer privacy.

In short, Americans are being asked to substitute the rule of law that guarantees an open Internet for promises that do not have to be kept. Tomorrow the FCC Chairman is scheduled to deliver a speech regarding his vision for the future of the Internet. We will find out if Chairman Pai intends to continue down the path of surrendering the Internet to Comcast, Verizon, and AT&T or if he will reverse course.


Tell FCC Commissioner Ajit Pai: Startups Depend on Net Neutrality

Startups, entrepreneurs, investors, accelerators, and incubators are signing onto a letter urging Trump’s FCC Commissioner Ajit Pai not to undermine the FCC’s net neutrality rules.

The letter affirms the need for net neutrality rules to protect entrepreneurs and innovators, and responds to recent reports that Pai plans to roll back the Commission’s net neutrality rules, replacing them with empty promises from broadband providers:
Without net neutrality, the incumbents who provide access to the Internet would be able to pick winners or losers in the market. They could impede traffic from our services in order to favor their own services or established competitors. Or they could impose new fees on us, inhibiting consumer choice. Those actions directly impede an entrepreneur’s ability to “start a business, immediately reach a worldwide customer base, and disrupt an entire industry.” Our companies should be able to compete with incumbents on the quality of our products and services, not our capacity to pay tolls to Internet access providers.

Fortunately, in 2015 the Federal Communications Commission put in place light touch net neutrality rules that not only prohibit certain harmful practices, but also allow the Commission to develop and enforce rules to address new forms of discrimination. We are concerned by reports that you would replace this system with a set of minimum voluntary commitments, which would give a green light for Internet access providers to discriminate in unforeseen ways.

It’s not too late to add your voice to theirs. Engine Advocacy, Y Combinator, and Techstars are calling for members of the startup community to sign on to the letter by 5pm ET on April 28th.


EFF Asks Appeals Court to Break Through Five-Year Logjam in Megaupload Case

Lawful Users Still Waiting for Return of Files After Government Seizure

San Francisco - The Electronic Frontier Foundation (EFF), on behalf of its client Kyle Goodwin, is asking a federal appeals court to break through the five-year logjam in the Megaupload.com case, and help lawful users who are still waiting for the return of their photos, videos, and other personal files after the government seized Megaupload’s servers.

Megaupload was a popular cloud-storage site when the FBI shut it down in January of 2012 looking for evidence of copyright infringement. Agents seized all of Megaupload’s assets during their search, locking out customers from their accounts. Goodwin, a sports videographer, lost access to video files containing months of his professional work.

For five years, the U.S. government has continued pursuing a criminal case against Megaupload and its owners. But the data stored by millions of customers—including obviously lawful material like Goodwin’s sports videos—have languished on servers that sit disconnected in a warehouse.

“Mr. Goodwin, and many others, used Megaupload to store legal files, and we’ve been asking the court for help since 2012. It’s deeply unfair for him to still be in limbo after all this time,” said EFF Senior Staff Attorney Mitch Stoltz. “The legal system must step in and create a pathway for law-abiding users to get their data back.”

In a petition filed today with the United States Court of Appeals for the Fourth Circuit, EFF, along with the firm of Williams Mullen and attorney Abraham D. Sofaer, argue that the court should issue a writ of mandamus to the trial court, ordering it to act on Goodwin’s request and create a process for other users to retrieve their data.

“We’re likely to see even more cases like this as cloud computing becomes increasingly popular,” said EFF Legal Director Corynne McSherry. “If the government takes over your bank, it doesn’t get to keep the family jewels you stored in the vault. There’s a process for you to get your stuff back, and you have a right to the same protection for your data.”

For the full brief filed today:
https://www.eff.org/document/petition-writ-mandamus

For more on this case:
https://www.eff.org/cases/megaupload-data-seizure

Contact:

Mitch Stoltz
Senior Staff Attorney
mitch@eff.org

Corynne McSherry
Legal Director
corynne@eff.org


Access Now and EFF Condemn the Arrest of Tor Node Operator Dmitry Bogatov in Russia

This post was written in collaboration with Amie Stepanovich at Access Now.

On April 6, Russian math instructor Dmitry Bogatov was arrested in Moscow and charged with “preparing to organize mass disorder” and making “public calls for terrorist activity” due to a gross misunderstanding about the operation of the Tor internet anonymization service. Bogatov is accused of authoring a series of online posts published to the sysadmins.ru discussion platform on March 29 under the username “Ayrat Bashirov.” One post called for protesters to attend an unsanctioned, anonymously organized demonstration on April 2 with “rags, bottles, gas, turpentine, styrofoam, and acetone.” Another post linked to the music video for Kanye West’s “No Church in the Wild,” described by investigators as “a video recording with insubordination to the legal demands of the police, and mass disorder.”

The posts appear to have come from the IP address of a server located in Bogatov’s home, but this server is a part of the Tor network—an exit node that routes anonymous traffic from all over the world and makes it appear to have originated from that computer.

There is considerable evidence that Bogatov did not post the content at issue. According to a Global Voices report, “Surveillance footage shows Bogatov and his wife leaving a supermarket four minutes before one of the posts was made on March 29. Given that the supermarket is half a kilometer from their home, it is unlikely that Bogatov could have made it home and posted online within four minutes.” Additionally, “Ayrat Bashirov” has continued posting on the forum and has even exchanged messages with an Open Russia journalist explicitly denying that he is Bogatov.

Tor exit node operators being mistakenly accused of crimes committed from their exit nodes is nothing new. This is one of the reasons that EFF cautions against running an exit node in your home in its Legal FAQ for Tor Relay Operators. In the past, law enforcement has always backed down once it became clear that they had the wrong party.

But rather than acknowledge their mistake, the Investigative Committee (the main federal investigative committee in the Russian Federation) appears to be doubling down. When a judge initially ruled that the charges against Bogatov were not serious enough to justify his continued detention, the Investigative Committee added the second, more serious charge of inciting terrorism. Days later, the court upheld the additional charges, formally arrested Bogatov, and ordered that he be held until his trial date on June 8.

The arrest comes in the midst of an online crackdown related to anti-corruption protests in cities across Russia on April 2. The protests have resulted in the arrest of hundreds of individuals, including Leonid Volkov, who was arrested for having livestreamed the protests. Volkov was detained for ten days, and as a result was unable to attend RightsCon, where he was scheduled to speak about Russian surveillance systems.

As global organizations working to defend human rights, Access Now and EFF condemn Dmitry Bogatov’s continued detention and the detention of others by Russia or other governments for exercising their human rights or facilitating increased internet security. Put simply: running a Tor exit node is not a crime and Tor exit node operators should not be treated like criminals.


Adobe Puts an End to Indefinite Gag Order

In a newly unsealed case [.pdf], a Los Angeles federal court ruled that Adobe could not be indefinitely gagged about a search warrant ordering it to turn over the contents of a customer account.

This is important work by Adobe. Gag orders almost always violate the First Amendment; they prevent service providers from notifying users that the government is requesting their sensitive data and from being transparent about surveillance in general. And yet, providers receive indefinite gags with frustrating frequency. In most contexts, the government must do little to justify these gags and instead relies on rote invocations of national security and the sanctity of investigations.

The Adobe gag was issued under 18 U.S.C. § 2705(b), the same law Microsoft is challenging as facially unconstitutional because it allows for indefinite gags.[1] These arguments are also at the heart of EFF’s long-running national security letter (NSL) lawsuit, which was argued in the Ninth Circuit Court of Appeals last month.

Thankfully, the court in Adobe’s case recognized the serious harm to free speech these gags represent. It held that orders barring companies from notifying their users about government data requests are both prior restraints and content-based restrictions on speech subject to strict scrutiny. That’s a very high bar. The court found that the indefinite gag order imposed on Adobe fails strict scrutiny because the government could make “no showing[] that Adobe’s speech will threaten the investigation in perpetuity.”

The government’s attempts to save the Adobe gag order were nearly identical to arguments it made in our NSL litigation. It claimed gags don’t even implicate Adobe’s First Amendment rights because the company only wants to speak about information learned from the government, and that an indefinite gag was OK because Adobe could simply come to court when the need for a gag had passed. But on point after point, the court rejected these arguments. The First Amendment requires gag orders to be narrowly tailored, and Section 2705(b) orders and NSL gags come nowhere close to meeting that standard. As the court put it, “the fact that the speaker cannot know when the restriction's ‘raison d'etre fades’ effectively equates to no tailoring at all.”

While the appeals court in our NSL case doesn’t have to follow this court’s lead, we think any First Amendment arguments that can be deployed against 2705(b) orders are doubly effective for NSLs. That’s because the FBI can issue indefinite NSL gags without even going before a court, as Section 2705(b) requires.

Adobe’s fight should demolish another of the government’s arguments in our NSL case: that providers don’t want to speak out about gags. Adobe promises to notify its customers about government data requests in all cases unless “legally prohibited from doing so.” And it goes one step further, stating upfront that indefinite gags “are not constitutionally valid and we challenge them in court.” Following through on this promise gives the lie to the unsupportable claim that providers don’t care to speak out on these issues.

Here’s hoping the days of indefinite gag orders are numbered.

1. Section 2705(b) allows a court to issue a gag “for such period as the court deems appropriate.” There’s an interesting split of opinion on whether that language allows for an indefinite gag, or whether the word “period” implies a finite limit. The court in Adobe’s case determined that periods can in fact be indefinite, which led to its First Amendment ruling.

Related Cases:

Microsoft v. Department of Justice
In re: National Security Letter 2011 (11-2173)
In re National Security Letter 2013 (13-80089)
In re National Security Letter 2013 (13-1165)


Tell the DHS: Social Media Passwords Should Not Be a Condition of Entry to the U.S.

New proposals to make U.S. entry screening even more invasive will threaten our privacy, freedom of expression, and digital account security—and you can raise your voice against them.

The Department of Homeland Security (DHS) is currently considering new procedures to screen certain foreign travelers. Specifically, Secretary of Homeland Security John F. Kelly said in a congressional hearing that the DHS is considering requiring certain foreign travelers to hand over their social media passwords in order to apply for a visa and enter the United States.

EFF is joining with Access Now and other digital rights organizations to raise your voices against this dangerous proposal. Sign the Fly Don’t Spy petition to tell Secretary Kelly to reject any proposal requiring passwords as a condition of entry to the United States.

Sign the Fly Don't Spy petition.

While you’re at it, email your representatives directly and demand that border agents get a warrant before conducting digital searches.

Email Congress and demand a warrant at the border.

We have written before about the serious privacy risks and Constitutional concerns of border searches, particularly when agents demand social media information. Social media profiles expose not only one’s social network and contacts, but can also provide a detailed map of one’s digital life if that social media account is used to log into other sites.

Requiring passwords and log-in access to social media--whether as part of screening procedures before arrival at the border, or at the border itself--expands border agents’ access to particularly sensitive information like direct messages, and invades the privacy of a traveller’s friends and connections. Such a requirement will chill online speech and association, and undermine the digital security and account protections otherwise available to users.

Want more information about your rights at the border? Check out our in-depth “Privacy at the U.S. Border” report, as well as two shorter guides on your constitutional rights at the border and digital security tips for before, during, and after your border crossing.

EFF Action Center

Tell Congress: Don't Surrender the Internet

last edited: Mon, 24 Apr 2017 01:10:47 -0500

The FCC's 2015 Open Internet Order was a huge victory for Internet users. Thanks to the millions of you who spoke up for a free and open Internet, we won essential net neutrality protections.

Now those protections could disappear, as Chairman Pai is considering reversing the Open Internet Order and handing control over the Internet to major telecommunications companies.

In place of the clear rules established by the FCC's Open Internet Order, Pai wants to substitute voluntary industry promises to uphold some net neutrality principles. We need to let Congress know that we won’t trade real protections for empty promises.

April 24, 2017

As your constituent, I'm writing to urge you to protect the FCC's 2015 Open Internet Order.

According to recent news reports by the Wall Street Journal and Reuters, FCC Chairman Ajit Pai plans to reverse the FCC's reclassification of broadband Internet providers as common carriers, and substitute the FCC's net neutrality rules with empty industry promises.

Please oppose any attempt by Chairman Pai to roll back the FCC's net neutrality protections. In addition, please oppose any effort in Congress to undermine the Open Internet Order.

A free and open Internet is essential for a free society. I urge you to resist attempts to weaken net neutrality protections and entrench Internet monopolies.

Signed

Your Name

A Municipal Vote in Providence for Police Reform Carries National Implications

After three years of sustained community mobilization and advocacy, the Providence City Council in Rhode Island voted unanimously this Thursday to approve one of the most visionary sets of policing reforms proposed around the country to protect civil rights and civil liberties, including digital liberties. EFF supported the proposed Community Safety Act (CSA), and its adoption represents a milestone that should prompt similar measures in other jurisdictions.

Reflecting an understanding of how many different communities endure parallel—but seemingly separate—violations of civil rights and civil liberties, the CSA aims to address surveillance alongside racial and other dimensions of discriminatory profiling. The ordinance imposes crucial limits on police powers at a time when local police have become the leading edge of mass surveillance, as well as longstanding abuses of civil rights and digital liberties rooted in the war on drugs.

The most notable facet of the CSA is its sheer breadth. It addresses a wide-ranging set of issues in a single reform measure.

For instance, the Act requires that any collection of intelligence information—whether by electronic surveillance mechanisms or more traditional means—be supported by reasonable suspicion of criminal activity. On the one hand, that requirement should be implicit given the First and Fourth Amendments, and the history of politicized domestic surveillance within the United States. On the other hand, relative to the prevailing practice of ubiquitous intelligence collection, the Act’s requirements represent a monumental legal shift.

In addition, the CSA protects the right of residents to observe and record police activities. That right has been vital to sparking a sustained debate across the country about police accountability, but has come under fire. Just this month, a federal appellate court heard oral argument in an appeal seeking to vindicate the right to record police in the wake of trial court decisions in multiple cases perversely holding that residents gain a right to record only after announcing their hostility to police, effectively inviting retaliation or even violence.

The bill also protects Due Process rights threatened by the otherwise arbitrary and secretive inclusion of individuals in government gang databases. In California, for instance, state auditors discovered that the state’s program received “no state oversight” and operated “without transparency or meaningful opportunities for public input,” prompting the state legislature to intervene by passing a new law providing notice of inclusion and an opportunity to contest it.

At the same time, responding to controversy about traffic stops and pedestrian stop and frisks rooted in bias rather than observed behavior, the Act requires that police change their processes for searching subjects. In particular, when seeking to search subjects without either a judicial warrant or probable cause to suspect criminal activity, the Act requires police to inform the subjects that they have the right to decline consent to the requested search. That represents a sea change in policing, given the practice among some police departments to train officers to use deception to induce a subject's consent, ensuring that it is neither informed nor voluntary.

Similarly, the Act's restrictions on racial profiling and intelligence collection absent reasonable suspicion of criminal activity offer important bulwarks to reinforce our Fourth Amendment rights to be free from unreasonable searches and seizures, as well as 14th Amendment protections to be free from racial and other forms of discrimination.

Beyond the CSA’s substantive breadth lies a novel theory of change informing its construction. Rather than a discrete reform proposed by advocates and then suggested to community members and groups for support, the CSA represents a concerted attempt to address the intersectional concerns of several communities responding to a common challenge: discriminatory or otherwise unconstitutional police practices.

While Providence has distinguished itself in the remarkably diverse coalition of community groups that have come together to pursue common cause, the issues to which Providence activists are responding are hardly unique to their city. Ultimately, grassroots groups in every major city across the country might learn something from the coalition to pass the Providence Community Safety Act.


Las Empresas de Internet de Paraguay defienden la información, pero mantienen a sus clientes en la oscuridad

 
Las Empresas de Internet de Paraguay defienden la información, pero mantienen a sus clientes en la oscuridad

Image/photoEs el turno de Paraguay para examinar de cerca las prácticas de sus proveedores locales de Internet y la manera en que tratan la información privada de sus clientes. La edición paraguaya de  ¿Quien Defiende Tus Datos? es un proyecto de TEDIC, la principal organización de derechos digitales del país y es parte de una iniciativa a nivel de todo el continente de los principales grupos de derechos digitales de América del Sur para arrojar una luz sobre las prácticas en materia de privacidad en Internet en la región y está basado en el informe anual de EFF, ¿Who Has Your Back?. (El informe de Derechos Digitales de Chile fue publicado el lunes, y grupos de derechos digitales en Colombia, México, Brasil y Argentina pronto publicarán estudios similares).

La encuesta de TEDIC llega en un momento tenso en la política paraguaya. Después de 24 años de democracia relativamente estable, el país ha pasado los últimos meses atrapados en una batalla política de alto nivel. El actual presidente, Horacio Cartes, impulsó una ley para poner fin a los límites del mandato constitucional de su gestión. La oposición ve ecos del incremento del poder presidencial que los llevó a la ultima dictadura. Después de los disturbios en marzo que llevaron al incendio del Congreso y al tiroteo de un destacado político opositor por la policía, Cartes ha declarado que no se presentará a la reelección. Sin embargo, la mención de la "sombra de la dictadura" sigue presente en Asunción. Los usuarios paraguayos de Internet quieren saber cómo sus ISPs defenderán sus datos en caso de un estado represivo.

Las seis empresas encuestadas por TEDIC - Tigo, Telecom Personal, Claro, Vox, Copaco, and Chaco Communications - forman la gran mayoría del mercado fijo, móvil y de banda ancha en Paraguay. Sus archivos históricos tienen registros íntimos de los movimientos y relaciones de casi todos los ciudadanos del país. TEDIC, en la tradición de Who Has Your Back (quién cuida tu espalda) , evaluó a las compañías por su compromiso con la privacidad y la libre expresión, y otorgó estrellas basadas en sus prácticas actuales y comportamiento público.

Image/photoTEDIC evaluó a los principales proveedores de servicios de Internet de Paraguay en siete categorías: sus políticas públicas de privacidad, la exigencia de órdenes judiciales para las demandas de datos, si notifican a los clientes sobre las demandas de datos gubernamentales, si se oponen públicamente a la vigilancia masiva y sus políticas de bloqueo de contenido.

La buena noticia del informe de TEDIC es que todas las compañías de telecomunicaciones declararon explícitamente que sólo entregan datos a las autoridades (tanto los metadatos como el contenido de las comunicaciones) en respuesta a una orden judicial legítima. Eso puede parecer un mínimo básico para la protección de datos, pero un compromiso público con el estado de derecho puede ser una declaración importante en tiempos inquietantes. Cada empresa revisada tiene una estrella completa para esto.

La noticia menos positiva es que los consumidores paraguayos todavía no tienen una manera de verificar - confiablemente - que las compañías están cumpliendo verdaderamente con sus promesas públicas. Ninguna de las compañías tenía políticas para notificar a los usuarios si eran objetivo de la vigilancia, por ejemplo, incluso si esa orden fue anulada o si la investigación finalizó completamente.

El equipo de investigación de TEDIC señala que notificar al usuario sería, realmente, un signo de un compromiso con la privacidad del cliente más allá de los requisitos financieros o legales. La ley de Paraguay no requiere notificación y, en algunos casos, los ISP podrían tener que solicitar permiso legal explícito para transmitir el aviso de vigilancia a sus usuarios. Sin embargo, sin notificación, es difícil conocer el alcance de la vigilancia, o que cualquier persona pueda impugnar una vigilancia que considere innecesaria o desproporcionada.

La transparencia es importante para la supervisión, tanto para mostrar a los clientes cómo a menudo sus gobiernos solicitan datos y si determinadas empresas son más propensos a poner al cliente en primer lugar al responder. Muchas compañías de Internet y telecomunicaciones publican ahora informes de transparencia, documentando el número total de solicitudes que reciben para la vigilancia o retiradas de contenido de agencias gubernamentales o por orden judicial. Estos informes anuales proporcionan información valiosa sobre los niveles de vigilancia y censura del gobierno y sobre cómo cambia la vigilancia con el tiempo. Paraguay tiene su propia entrada en muchos informes globales. Las actividades de Tigo están documentadas en reportes regionales por su multinacional matriz; Millicom. Por desgracia, las filiales locales de telecomunicaciones de Millicom no siguen el ejemplo de la empresa matriz y publican informes específicos de cada país. Eso niega a los usuarios paraguayos de tecnología la oportunidad de rastrear el nivel de espionaje de su propio gobierno, y significa que ninguna compañía en el reporte de TEDIC recibió una estrella completa en esta categoría.

We do not have much information about Paraguayan Internet blocking or filtering by the telecommunications companies either. Despite worrying incidents in the past, such as when an ISP blocked a biting online satire of a newspaper, there seems to be little public understanding of how or why ISPs might censor Internet users. None of our companies described how it would handle a blocking order if it received one, or gave any idea of whether it would litigate against it or notify anyone other than the court or government department. Only one company made a public statement about how it might block: Chaco Comunicaciones, whose statement threatening to ban P2P traffic left it as the only ISP without stars in a sea of half stars for this category.

The last two categories show some of the incentives for telecommunications companies in a competitive market. Three of the six companies earned a half star by participating in the legislative debate on surveillance and net neutrality, making an explicit commitment to human rights, or contributing to international Internet policy forums such as the Internet Governance Forum. This shows that at least some companies recognize that politics can have an impact on their customers, and perhaps their profits.

But, like telephone companies around the world, Paraguayan telephone companies are reluctant to rule out new uses for customers' personal data. No company in the survey published how it plans to use consumer data or gave a detailed privacy policy that its customers could use when shopping for an Internet provider.

This is the first ¿Quién Defiende Tus Datos? report in Paraguay, and TEDIC plans to release one annually. This year's report shows Tigo in the lead, but with many opportunities for its competitors to catch up. Tigo has plenty of room to improve its own record. Any company that decided to begin notifying its users of surveillance, publish a transparency report, or publicly adopt strong data protection principles could easily take the lead for 2018 and make its customers feel safer against commercial and state misuse of the most private details of their lives.

Paraguay's Internet Companies Defend Data, But Keep Customers in the Dark

It's Paraguay's turn to take a closer look at the practices of its local Internet companies, and how they treat their customers' private information. Paraguay's ¿Quién Defiende Tus Datos? (Who Defends Your Data?) is a project of TEDIC, the country's leading digital rights organization. It's part of a continent-wide initiative by South America's leading digital rights groups to shine a light on Internet privacy practices in the region, based on EFF's annual Who Has Your Back report. (Derechos Digitales' Chile report was published on Monday, and digital rights groups in Colombia, Mexico, Brazil, and Argentina will be releasing similar studies soon.)

TEDIC's survey comes at a tense moment in Paraguayan politics. After 24 years of relatively stable democracy, the country has spent the last few months caught in a high-stakes political battle. The current President, Horacio Cartes, pushed through legislation to end his office's constitutional term limits. The opposition sees echoes of the presidential power-grab that led to Paraguay's last dictatorship. After riots in March led to the Congress being set on fire and to the shooting of a prominent opposition politician by police, Cartes has now declared he will not run for re-election. Still, talk of the "shadow of dictatorship" continues to hover over Asunción. Paraguayan Internet users want to know how their ISPs will defend their data in the event of a repressive or suspicious state.

The six companies surveyed by TEDIC—Tigo, Telecom Personal, Claro, Vox, Copaco, and Chaco Communications—together make up the vast majority of the fixed, mobile, and broadband market in Paraguay. Their logs hold intimate records of the movements and relationships of almost every citizen of the country. TEDIC, in the tradition of Who Has Your Back, evaluated the companies for their commitment to privacy and free expression, and awarded stars based on their current practices and public behavior.

TEDIC reviewed Paraguay's top ISPs in seven categories: their public privacy policies, whether they require court orders for data demands, whether they notify customers of government data demands, if they publicly stood against mass surveillance, whether they published transparency reports, and their policies on blocking content.

The good news from TEDIC's report is that every telco explicitly stated that they only hand over data to the authorities (both metadata and the content of communications) in response to a legitimate court order. That may seem like a basic minimum for data protection, but a public commitment to the rule of law can be an important statement in unsettling times. Every company reviewed got a full star for this.

The less positive news is that individual consumers in Paraguay don't yet have a way to reliably check that the companies are truly complying with their public promises. None of the companies had policies in place to notify users if they were the target of surveillance, for instance, even if that order was overturned, or the investigation was complete.

The TEDIC research team notes that user notification would truly be a sign of a commitment to customer privacy over and above financial or legal requirements. Paraguayan law does not require notification, and in some cases the ISPs might have to seek explicit legal permission to pass on notice of surveillance to their users. But without notification, it is difficult to know the extent of surveillance, or for anyone to challenge surveillance they believe to be unnecessary or disproportionate.

Transparency is important for oversight, both to show customers how often their governments request data, and whether particular companies are more likely to put the customer first when responding. Many Internet and telecommunication companies now publish transparency reports, documenting the total number of requests they receive for surveillance or content takedowns from government agencies or by court order. These annual reports provide valuable insight into the levels of government surveillance and censorship, and how that surveillance changes over time. Paraguay has its own entry in many global reports. Tigo's activities are documented in regional reporting by its multinational parent corporation, Millicom. Unfortunately, Millicom’s local telecommunication subsidiaries do not follow the parent company’s lead and publish country-specific reports. That denies technology users in Paraguay a chance to track their own government's level of spying, and means not one company in TEDIC's report received a full star in this category.

We don't get much insight into Paraguayan Internet blocking or filtering from the telecommunication companies either. Despite worrying incidents in the past, such as when ISPs blocked an online satire of a newspaper, it seems that there is very little public understanding of how or why ISPs might censor their users' Internet feeds. None of our companies described how they would handle a blocking order if they received one, or gave any insight as to whether they would challenge it, or notify anyone other than the court or government department. Only one company made any public statement about how it might block at all: Chaco Communications, whose statement threatening to ban P2P traffic left it as the only no-star ISP in a sea of half-stars for this category.

The final two categories show something of the incentives for telecommunication companies in a competitive market. Three of the six companies gained half stars by participating in the legislative debate over surveillance and net neutrality, making an explicit commitment to human rights, or contributing to international Internet policy fora like the Internet Governance Forum. This shows that at least some companies recognize that politics can have an impact on their customers, and perhaps their profits.

But, like telephone companies around the world, Paraguayan phone companies are reticent to rule out new uses for customers' personal data. No company in the survey published how they plan to use consumer data, or gave a detailed privacy policy that their customers could use when shopping for an Internet provider.

This is the first ¿Quién Defiende Tus Datos? report in Paraguay, and TEDIC plans to release one annually. This year's report shows Tigo in the lead, but with plenty of opportunity for its competitors to catch up. Tigo has plenty of room to improve on its own track record too. Any company that decided to pioneer user notification of surveillance, publish a transparency report, or publicly adopt strong data protection principles could easily seize the lead for 2018—and make its customers feel safer against both state and commercial misuse of the most private details of their lives.

The Bill of Rights at the Border: Fifth Amendment Protections for Account Passwords and Device Passcodes

This is the third and final installment in our series on the Constitution at the border. Today, we’ll focus on the Fifth Amendment and passwords. Click here for Part 1 on the First Amendment or Part 2 on the Fourth Amendment.

Lately, a big question on everyone's mind has been: Do I have to give my password to customs agents?

As anyone who’s ever watched any cop show knows, the Fifth Amendment gives you the right to remain silent and to refuse to provide evidence against yourself – even at the border. If a CBP agent asks you a question, you can tell them you choose to remain silent and want to speak to an attorney, even if you don’t have one retained yet. That choice may not stop CBP agents from pressuring you to “voluntarily” talk to them, but they are supposed to stop questioning you once you ask for a lawyer. Also, beware that government agents are permitted to lie to you in order to convince you to waive your right to remain silent, but you can be criminally prosecuted if you lie to them.

CBP agents are unlikely to advise you that you have this choice because the government generally argues that such warnings are only required if you are taken into “custody” and subjected to a criminal prosecution. And at least one federal court of appeals has determined that secondary inspection – the separate interview area you get referred to if the CBP officer can’t readily verify your information at the initial port of entry – doesn’t qualify as “custody.”

But you don’t have to be in custody or subject to a criminal prosecution before you choose to invoke your Fifth Amendment rights to remain silent or to object to being deprived of your property without due process of law. For example, the Second Circuit Court of Appeals has held that a person’s request for an attorney is enough to invoke the privilege against self-incrimination, even at the border.

And that privilege includes refusing to provide the password to your device. For example, in 2015, a Pennsylvania court held that you may properly invoke the Fifth Amendment privilege to avoid giving up your cell phone passcode – even to an employer’s phone – because your passcode is personal in nature and producing it requires you to speak or testify against yourself.

Some courts have been less protective, overriding Fifth Amendment protections where the information sought is a so-called “foregone conclusion.” In 2012, a Colorado court ordered a defendant to provide the password to her laptop, only after the government had obtained a search warrant based on the defendant’s admission that there was specific content on her laptop and that the laptop belonged to her. On appeal, the Eleventh Circuit clarified that the government "must [first] show with some reasonable particularity that it seeks a certain file and is aware, based on other information, that . . . the file exists in some specified location" and that the individual has access to the desired file or is capable of decrypting it.

So, Fifth Amendment protections do apply at the border, and they protect your right to refuse to reveal your password in most circumstances. That said, individuals passing through the border sometimes choose to surrender their account information and passwords anyway, in order to avoid consequences like missing their flight, being made subject to more constrictive or prolonged detention, or being denied entry to the US.

As we have noted in our Digital Border Search Whitepaper, the consequences for refusing to provide your password(s) are different for different classes of individuals. If you are a U.S. citizen, CBP cannot detain you indefinitely as you have a right to re-enter the country. However, agents may escalate the encounter (for example, by detaining you for more time), or flag you for heightened screening during future border crossings. If you are a lawful permanent resident, agents may also raise complicated questions about your continued status as a resident. If you are a foreign visitor, agents might deny you entry to the country entirely.

But whatever your status, whether you choose to provide your passwords or not, border agents may decide to seize your digital devices. While CBP guidelines set a five-day deadline for agents to return detained devices unless a CBP supervisor approves a lengthier detention, in practice, device detentions commonly last many months.

As always, we want to hear from you if you experience harm or harassment from CBP for choosing to protect your digital data. We’re still collecting stories of border search abuses at: borders@eff.org

We recommend that you review our pocket guides for Knowing Your Rights and Protecting Your Digital Data Privacy at the border for a general overview or take a look at our Border Search Whitepaper for a deeper dive into the potential issues and questions you may face.

And join EFF in calling for stronger Constitutional protection for your digital information by contacting Congress on this issue today.

Related Cases:

United States v. Saboonchi

Dissent Made Meaningful

Over the last year, large numbers of Americans have grown politically active for the first time. Reflecting the depth of our constitutional crisis, however, many seem not to know how to meaningfully raise their voices or participate in the political process.

Civic Participation Beyond Elections

Turnout in American elections has remained abysmally low for decades, suggesting some degree of either apathy, suppression, or both. Even Americans who do vote often overlook a litany of further opportunities available to those who pursue them.

One source of guidance to many nascent activists has been the Indivisible guide, which emphasizes constituent communications to Members of Congress. It was compiled by congressional staffers whose suggestions aim to replicate the direct engagement of Congress successfully promoted by Tea Party networks that have shared EFF’s transpartisan concerns about, for instance, mass surveillance and the threat it poses to democracy.

To their credit, the Indivisible guide's authors acknowledge that their guide “is not a panacea, and it is not intended to stand alone.” While important, letters from individual constituents are most effective when combined with other strategies.

How to Make a Letter Matter

Contacting an elected member of Congress represents an important act of political expression. Even when taking the time to write letters, however, individual constituents can be disregarded, or engaged in passing without commanding attention. Many who do gain the attention of their elected representatives’ offices receive only a form response.

Letters can, however, carry influence, particularly when they include:
  • An explicit request or demand for a particular vote on a specific piece of proposed legislation,
  • A request for a meeting in person, and
  • Support from at least three (and ideally half a dozen to a dozen) neighbors who co-sign the letter, identify themselves as constituents living in that office's legislative district, and attend the meeting together.
Are you part of a community group that gathers to examine the issues and write letters together? Letter writing events can become infinitely more influential when participants simply sign each other's letters, so that they reflect—and are received as indicating—dissent not just by an individual, but rather by an organized group of constituents.

To expand its reach, a grassroots group can easily direct letters not only at its Member of the House of Representatives, but also two U.S. senators, as well as members of the state legislature. It takes only five people writing one letter each to meaningfully raise a shared concern across those layers of federal and state representation.

Groups of more than five can also reach elected officials at the municipal and the county level, where policy opportunities are most fluid and potentially transformative.

Dissent in Public

Even letters written on behalf of groups remain generally private communications. Escalating pressure on elected representatives requires taking one's concerns to the public sphere.

One way to express public dissent is to write and submit an op-ed for publication in a local newspaper. Concise, persuasive, forceful writing of 700 words or fewer can often interest editors seeking commentary to share with a broad audience. Whether or not an op-ed submission is published by a newspaper, social media or outlets like Medium.com can offer an alternative platform for publication. Finally, groups of constituents can sometimes meet a newspaper's editorial board to educate editors who write their own columns.

Beyond press-based public dissent are any number of event-based alternatives, from expressive events like rallies, marches, and protests, to educational ones like teach-ins, public discussions, or debates. Even seemingly recreational events like concerts or parties can prompt a public discourse if organized to emphasize substantive themes.

Finally, creative visual stunts, like flash mobs, light brigades, and banner drops—especially when amplified through social media—can offer groups with relatively few participants the chance to reach large audiences.

Events educating a public audience can shift the ground beneath an elected official and ultimately offer more influence than requests or demands made directly to their offices.

Opportunities

Training is available for any of these tactics through the Electronic Frontier Alliance, a network of local grassroots groups across the U.S. that remotely convenes each month. Any network of neighbors who share concerns about digital rights is welcome to explore and apply to join the EFA.

The Alliance offers groups that join access to EFF supporters in their own areas, other grassroots organizers elsewhere, and EFF staff available to provide policy or organizing guidance on request (including a sample letter seeking a meeting with a congressional office). Materials are currently under development offering detailed guidance on various campaign models, from hosting digital security workshops, to seeking legal restrictions on mass surveillance by local police.

Throughout the year, Congress takes occasional recesses, when lawmakers return to their states and districts. During these periods, congressional delegations are most accessible to constituents—and more vulnerable to their criticism. The Senate and House calendars include information about in-district work periods, one of which concludes this week.

During this week’s recess, we urge concerned readers to:

Hollow Privacy Promises from Major Internet Service Providers

It’s no surprise that Americans were unhappy to lose online privacy protections earlier this month. Across party lines, voters overwhelmingly oppose the measure to repeal the FCC’s privacy rules for Internet providers that Congress passed and President Donald Trump signed into law.

But it should come as a surprise that Republicans—including the Republican leaders of the Federal Communications Commission and the Federal Trade Commission—are ardently defending the move and dismissing the tens of thousands who spoke up and told policymakers that they want protections against privacy invasions by their Internet providers.

Since the measure was signed into law, Internet providers and the Republicans who helped them accomplish this lobbying feat have decried the “hysteria,” “hyperbole,” and “hyperventilating” of constituents who want to be protected from the likes of Comcast, Verizon, and AT&T. Instead they’ve claimed that the repeal doesn’t change the online privacy landscape and that we should feel confident that Internet providers remain committed to protecting their customers’ privacy because they told us they would despite the law.

We’ve repeatedly debunked the tired talking points of the cable and telephone lobby: There is a unique, intimate relationship and power imbalance between Internet providers and their customers. The FTC likely cannot currently police Internet providers (unless Congress steps in, which the White House said it isn’t pushing for at this time). Congress’ repeal of the FCC’s privacy rules does throw the FCC’s authority over Internet providers into doubt. The now-repealed rules—which were set to go into effect later this year—were a valuable expansion and necessary codification of existing privacy rights granted under the law. Internet providers have already shown us the creepy things they’re willing to do to increase their profits.

The massive backlash shows that consumers saw through those industry talking points, even if Republicans in Congress and the White House fell for them.

Now that policymakers have effectively handed off online privacy enforcement to the Internet providers themselves, advocates for the repeal are pointing to the Internet providers’ privacy policies.

“Internet service providers have never planned to sell your individual browsing history to third parties,” FCC Chairman Ajit Pai and FTC acting Chairwoman Maureen Ohlhausen wrote in a recent op-ed. “That’s simply not how online advertising works. And doing so would violate ISPs’ privacy promises.”

Aside from pushing back on oversimplification of the problem at hand, we should be asking: What exactly are the “privacy promises” that ISPs are making to their customers?

In blog posts and public statements since the rules were repealed, the major Internet providers and the trade groups that represent them have all pledged to continue protecting customers’ sensitive data and not to sell customers’ individual Internet browsing records. But how they go about defining those terms and utilizing our private information is still going to leave people upset. These statements should also be read with the understanding that existing law already allows the collection of individual browsing history.

Comcast said it won’t sell individual browsing histories and it won’t share customers’ “sensitive information (such as banking, children’s, and health information), unless we first obtain their affirmative, opt-in consent.” It also said it will offer an opt-out “if a customer does not want us to use other, non-sensitive data to send them targeted ads.” We think leaving browsing history out of the list of information Comcast considers sensitive was no accident. In other words, we don’t think Comcast considers your browsing history sensitive, and will only offer you an opt-out of using your browsing history to send you targeted ads. There’s no mention of any opt-out of any other sharing of your browsing history, such as on an aggregated basis with third parties. While we applaud Comcast’s clever use of language to make it seem like they’re protecting their customers’ privacy, reading between the lines shows that Comcast is giving itself leeway to do the opposite.

Verizon similarly pledged not to sell customers’ “personal web browsing history” (emphasis ours) and described its advertising programs that give advertisers access to customers based on aggregated and de-identified information about what customers do online. By our reading, this means Verizon still plans to collect your browsing history and store it—they just won’t sell it individually.

AT&T pointed to its privacy policies, which carve out specific protections for “personal information … such as your name, address, phone number and e-mail address” but explicitly state that it does deliver ads “based on the websites visited by people who are not personally identified.” So just like Verizon, we think this means AT&T is collecting your browsing history and storing it—they’re just not attaching your name to it and selling it to third parties on an individualized basis.

In a filing to the FCC earlier this year, CTIA—which represents the major wireless ISPs—argued that “web browsing and app usage history are not ‘sensitive information’” and said that ISPs should be able to share those records by default, unless a customer asks them not to.

The common thread here is that Internet providers don’t consider records about what you do online to be worthy of the heightened privacy protections they afford to things like your social security number. Internet providers think that our web browsing histories are theirs to profit off of—not ours to protect as we see fit. And because Congress changed the law, they are now free to change their minds about the promises they make without the same legal ramifications.

These “privacy promises” are in no way a replacement for robust privacy protections enforced by a federal agency. If Internet providers want to get serious about proving their commitment to their customers’ privacy in the absence of federal rules, they should pledge not to collect or sell or share or otherwise use information about the websites we visit and the apps we use, except for what they need to collect and share in order to provide the service their customers are actually paying for: Internet access.

That would be a real privacy promise.


Who Has Your Back in Chile? First Annual Report Seeks to Find Out Which Chilean ISPs Stand With Their Users

EFF and Derechos Digitales, the leading digital rights organization in Chile, have joined forces to launch a new report evaluating the privacy practices of Chilean Internet Service Providers. This project is part of a series across Latin America, and is adapted from EFF's annual Who Has Your Back? report. The reports aim to evaluate mobile and fixed-line telephone service providers to see which ones stand with their users when responding to government requests for personal information. While there is certainly room for improvement, the first Chilean edition of the ¿Quién Defiende Tus Datos? (Who Defends Your Data?) report has some hopeful indicators.

Chileans go online more than any other nationality in Latin America. When Chileans use the Internet, they reveal their most private data, including their online relationships, their political, artistic, and personal discussions, and even their minute-by-minute movements. And all of that data necessarily has to pass through a handful of ISPs. That means Chileans are more likely to rely on their providers to defend their data than anyone else in Central or South America.

Derechos Digitales' report set out to examine which Chilean Internet service providers and telephone companies best defend their customers. Which of them are transparent about their policies regarding data requests? Which require a court order before handing over personal information? Do any of them challenge surveillance laws or individual demands for their users' data? Do any of the companies notify their users when they comply with judicial requests? Derechos Digitales examined publicly available information, including the privacy policies and codes of practice of five of the largest Chilean telecommunications access providers: Movistar, VTR, Claro, Entel, and GTD Manquehue. Together these providers cover the vast majority of the mobile, fixed, and broadband markets.

Each company was given the opportunity to answer a questionnaire, take part in a private interview, and send any additional information it considered appropriate, which was incorporated into the final report. This approach is based on EFF's earlier work with Who Has Your Back? in the United States, although the specific questions in Derechos Digitales' study were adapted to fit Chile's legal framework. Tailored investigations using similar methodologies are being carried out by digital rights groups across Latin America. Fundación Karisma in Colombia is about to publish, for the second year, its ¿Dónde Están Mis Datos? report. ADC in Argentina, Hiperderecho in Peru, InternetLab in Brazil, R3D in Mexico, and TEDIC in Paraguay are also working on similar studies.

Below you will find Derechos Digitales' rankings for Chilean ISPs and telephone companies; the full report, which includes details on each company, is available at: https://www.derechosdigitales.org/qdtd/

Evaluation Criteria for ¿Quién Defiende Tus Datos?
  • Data protection: An ISP earns a full star in this category if it publishes its Internet service contract for all types of plans, and its data protection policies, on its website in a way that is clear and accessible to users. The data protection policies must comply with national regulations. Partial compliance was rewarded with a half star.
  • Transparency: To earn a star, ISPs must publish a transparency report on how they handle user information and government requests for that information. Transparency reports must include useful information on the specific number of information requests the ISPs have approved and rejected; a summary of the requests broken down by investigating authority, type, and purpose; the specific number of individuals affected by each request during the past year; and whether third parties that manage user data do so in a way that protects privacy. A half star was awarded to ISPs that published transparency reports but did not specifically address data protection and communications monitoring. If the provider has not published a transparency report, no star is awarded.
  • User notification: To earn a star in this category, ISPs must, if legally permitted to do so, notify their users in a timely manner when authorities request access to their personal information, so that users can seek a remedy or appeal as needed. A half star was awarded to ISPs that notify their customers when authorities make a request for user data but do not do so in a timely manner, making it harder for users to seek a remedy. If there was no evidence that an ISP notifies its users when an authority requests user data, the company received no star.
  • Data privacy guidelines: An ISP earned a star in this category if, on its website, it explains how it handles user data and specifies the requirements and legal obligations that requesting authorities must meet when requesting data from the company. The explanation must be easy to understand; it must specify the procedures the company uses to respond to data requests from authorities; and it must state how long it retains user data. An ISP earned a half star if it published information on how it handles user data but did not specify the obligations and procedures it requires of authorities requesting user data.
  • Commitment to privacy: To earn a star, an ISP must have actively defended its users' privacy in court, or before Congress to challenge invasive legislation harmful to its users' privacy. An ISP could earn a half star if it has defended its users in one of the two areas mentioned above (in court or before Congress).
Resultados
Image/photo
Conclusión
Las compañías en Chile han comenzado bien, pero todavía tienen un camino a seguir para proteger totalmente los datos personales de sus clientes y ser transparentes sobre quién tienen acceso a ellos. Derechos Digitales y EFF esperan publicar este informe anualmente para incentivar a las empresas a mejorar la transparencia y proteger los datos de los usuarios. De esta manera, todos los chilenos tendrán acceso a información sobre cómo se usan sus datos personales y cómo los ISP los controlan para que puedan tomar decisiones más inteligentes del consumidor. Esperamos que el informe brille con más estrellas el próximo año.

Surveillance and Human Rights Privacy International
Deeplinks

Who Has Your Back in Chile? First-Annual Report Seeks to Find Out Which Chilean ISPs Stand With Their Users

 

EFF and Derechos Digitales, the leading digital rights organization in Chile, have teamed up to launch a new report evaluating the privacy practices of Chilean Internet Service Providers (ISPs). This project is part of a series across Latin America, adapted from EFF’s annual Who Has Your Back? report. The reports are intended to evaluate mobile and fixed ISPs to see which stand with their users when responding to government requests for personal information. While there’s definitely room for improvement, the first edition of our Chilean ¿Quién Defiende Tus Datos? (Who Defends Your Data?) report has some hopeful indicators.

Chileans go online more than any other nationality in Latin America. When Chileans use the Internet, they put their most private data, including their online relationships, political, artistic and personal discussions, and even their minute-by-minute movements online. And all of that data necessarily has to go through one of a handful of ISPs. That means that Chileans are more likely to be putting their trust in their providers to defend their data than anyone else in Central or South America.

Derechos Digitales’ report set out to examine which Chilean ISPs and telephone companies best defend their customers. Which are transparent about their policies regarding requests for data? Which require a judicial warrant before handing over personal information? Do any challenge surveillance laws or individual demands for their users’ data? Do any of the companies notify their users when complying with judicial requests? Derechos Digitales examined publicly posted information, including the privacy policies and codes of practice, from five of the biggest Chilean telecommunications access providers: Movistar, VTR, Claro, Entel, and GTD Manquehue. Between them, these providers cover the vast majority of mobile, fixed line and broadband markets.

Each company was given the opportunity to answer a questionnaire, to take part in a private interview and to send any additional information they felt appropriate, all of which was incorporated into the final report. This approach is based on EFF’s earlier work with Who Has Your Back? in the United States, although the specific questions in Derechos Digitales’ study were adapted to match Chile’s legal environment. Customized investigations using similar methodologies are being worked on by digital rights groups across Latin America. The Karisma Foundation in Colombia is about to publish their second-annual, ¿Dónde Están Mis Datos? report. ADC in Argentina, Hiperderecho in Peru, InternetLab in Brazil, R3D in Mexico, and TEDIC in Paraguay are all also working on similar studies.

Derechos Digitales’ rankings for Chilean ISPs and phone companies are below; the full report, which includes details about each company, is available at: https://www.derechosdigitales.org/qdtd/

Evaluation Criteria for ¿Quién Defiende tus Datos?
  • Data Protection: An ISP earned a complete star in this category if they published their Internet service agreement—for all types of plans—and their data protection policies on their website in a clear and accessible way to users. The data protection policies must be aligned with national regulations. Partial compliance was rewarded with half a star.
  • Transparency: To earn a star, ISPs must have published a transparency report on how they manage their users’ data and handle government requests for data. The transparency report must have included useful information about the specific number of data requests the ISP has approved and rejected; a summary of the requests by investigation authority, type, and purpose; the specific number of individuals over the last year who have been affected by each request; and whether third-parties managing user data do so in a privacy-protective manner. A half star was awarded to ISPs that published transparency reports, but did not specifically refer to data protection and the monitoring of communications. If the provider has not published a transparency report, no star was awarded.
  • User Notification: To earn a star in this category, ISPs must, if legally permitted, notify their users in a timely manner when authorities request access to their personal information so users may seek remedy or appeal as necessary. A half star was awarded to ISPs that notify their customers when authorities make a request for user data, but do not do so in a timely manner, making it difficult for the users to seek remedy. If there was no evidence that an ISP notifies its users when an authority requests user data, the company was not awarded a star.
  • Data Privacy Guidelines: An ISP earned a star in this category if, on their website, it explains how it handles user data—and specifically outlines the requirements and legal obligations requesting authorities must comply with when requesting user data from the company. The explanation must be easy to understand; it must specify the procedures the company uses to respond to data requests from authorities; and it must indicate how long it retains user data. An ISP earned a half star if it published information about how it handles user data, but did not specify the obligations and procedures it requires of authorities who request user data.
  • Commitment to Privacy: To earn a star, an ISP must have actively defended the privacy of their users in the courts, or in front of Congress to challenge broad legislation that is detrimental to the privacy of their users. An ISP could earn a half star if it has defended its users in one of the two areas listed above (in the courts, or in front of Congress).
Results
[Image: Derechos Digitales’ rankings chart]
Conclusion
Companies in Chile are off to a good start but still have a ways to go to fully protect their customers’ personal data and be transparent about who has access to it. Derechos Digitales and EFF expect to release this report annually to incentivize companies to improve transparency and protect user data. This way, all Chileans will have access to information about how their personal data is used and how it is controlled by ISPs so they can make smarter consumer decisions. We hope the report will shine with more stars next year.

Surveillance and Human Rights Privacy International
Deeplinks

EFF to California Supreme Court: Website Owners Have a First Amendment Right to Defend Content on Their Platform

 

A bad review on Yelp is anathema to a business. No one wants to get trashed online. But the First Amendment protects both the reviewer’s opinion and Yelp’s right to publish it. A California appeals court ran roughshod over the First Amendment when it ordered Yelp to comply with an injunction to take down speech without giving the website any opportunity to challenge the injunction’s factual basis. The case is on appeal to the California Supreme Court, and EFF filed an amicus brief asking the court to overturn the lower court’s dangerous holding.

The case, Hassell v. Bird, is procedurally complicated. A lawyer, Dawn Hassell, sued a former client, Ava Bird, for defamation in California state court over a negative Yelp review. Bird never responded to the lawsuit, so the trial court entered a default judgment against her. The court—at Hassell’s request—not only ordered Bird to remove her own reviews, but also ordered Yelp to remove them—even though Yelp was never named as a party to the suit. (If this kind of abuse of a default judgment sounds familiar, that’s not a coincidence; it seems to be increasingly common—and it’s a real threat to online speech.)

Yelp challenged the order, asserting that Hassell failed to prove that the post at issue was actually defamatory, that Yelp could not be held liable for the speech pursuant to the Communications Decency Act, 47 U.S.C. § 230 (“Section 230”), and that Yelp could not be compelled to take down the post as a non-party to the suit. The trial court rejected Yelp’s arguments and refused to recognize Yelp’s free speech rights as a content provider. The California Court of Appeal affirmed the trial court’s decision, holding that Yelp could be forced to remove the supposedly defamatory speech from its website without any opportunity to argue that the reviews were accurate or otherwise constitutionally protected.

This decision is frankly just wrong—and for multiple reasons. Neither court seemed to understand that the First Amendment protects not only authors and speakers, but also those who publish or distribute their words. Both courts completely precluded Yelp, a publisher of online content, from challenging whether the speech it was being ordered to take down was defamatory—i.e., whether the injunction to take down the speech could be justified. And the court of appeals ignored its special obligation, pursuant to California law, to conduct an “independent examination of the record” in First Amendment cases.

Both courts also seemed to completely ignore the U.S. Supreme Court’s clear holding that issuing an injunction against a non-party is a constitutionally-prohibited violation of due process.

EFF—along with the ACLU of Northern California and the Public Participation Project—urged the California Supreme Court to accept the case for review back in August 2016. The court agreed to review the case in September, and we just joined an amicus brief urging the court to overrule the problematic holding below.  

Our brief—drafted by Jeremy Rosen of Horvitz & Levy and joined by a host of other organizations dedicated to free speech—explains to the California Supreme Court that the First Amendment places a very high bar on speech-restricting injunctions. A default judgment simply cannot provide a sufficient factual basis for meeting that bar, and the injunction issued against Yelp in this case was improper. We also explained that the injunction violated clear Supreme Court case law and Yelp’s due process rights, and that the injunction violates Section 230, which prohibits courts from holding websites liable for the speech of third parties.

As Santa Clara University law school professor Eric Goldman noted in a blog post about the case, the appeals court’s decision opens up a host of opportunities for misuse and threatens to rip a “hole” in Section 230’s protections for online speech—protections that already seem to be weakening. If not overturned, as the already pervasive misuse of default judgments teaches, this case will surely lead to similar injunctions that infringe on publishers’ free speech rights without giving them any notice or opportunity to be heard. The California Supreme Court cannot allow this.

Free Speech
Deeplinks

Victory for Now: California Hits Pause on A.B. 165, Bill that Sought to Undermine Student Privacy

 

It's a great day for digital privacy in California. In the face of a powerful and diverse coalition, Assemblymember Jim Cooper has pulled A.B. 165 from consideration by the Assembly Privacy and Consumer Protection Committee. EFF joined over 60 civil rights organizations, technology companies, and school community groups in opposing A.B. 165, and we thank all the EFF members and friends who joined us in speaking out. The unrelenting, principled opposition to this anti-privacy bill stopped it from reaching its first committee hearing.

A.B. 165 attempted to create a carve-out in the California Electronic Communications Privacy Act (CalECPA), one of the strongest digital privacy bills in the nation. If A.B. 165 had passed, it would have left millions of Californians who attend our schools without strong protections against invasive digital searches.

California students need privacy on their digital devices in order to research sensitive topics, explore political issues, and connect with friends and family members. That’s especially true in this political moment, when many students who come from immigrant families, who are exploring their sexuality, or who are engaging in political protest may feel heightened concern around government access to their digital data.

The students of today will be the voters, creators, and policymakers of tomorrow. By teaching students that our laws respect and uphold their digital privacy from a young age, we can help create a future generation of engaged citizens who understand the value of digital privacy.

We thank the California Assemblymembers who responded to the privacy concerns with A.B. 165 and halted this bill in response to the public outcry, especially Assemblymember Ed Chau, Chair of the Committee.

While we are celebrating today, this fight isn’t over. A.B. 165 could be revived at some point during this two-year legislative cycle. If you haven’t already, please tell your California representative you stand for privacy.

The price of freedom is vigilance, and EFF relies on individual donations to vigilantly defend digital privacy. Please support our work.

Privacy Announcement
Deeplinks

EFF Urges Court to Roll Back Ruling Allowing Remote-Control Spying

 

Recent Decision Would Allow Foreign Governments to Wiretap Americans on U.S. Soil

Washington, D.C. – The Electronic Frontier Foundation (EFF) urged an appeals court today to review a dangerous decision by a three-judge panel that would allow foreign governments to spy on Americans on U.S. soil—just as long as they use technology instead of human agents.

In Kidane v. Ethiopia, an American living in Maryland had his family computer infiltrated by the Ethiopian government. Agents sent an infected email that made its way to Mr. Kidane, and the attached Microsoft Word document carried a malicious computer program called FinSpy that’s sold only to governments. The spyware took control of the machine, making copies of every keystroke and Skype call and sending them back to Ethiopia as part of the government’s crackdown on critics.

But last month, a panel of judges on the U.S. Court of Appeals for the District of Columbia Circuit ruled that Mr. Kidane could not seek justice for this surveillance in an American court because the spying was carried out without a human agent of the Ethiopian government setting foot in the U.S. In essence, this would mean governments around the world have immunity for spying on, attacking, and even murdering Americans on American soil, as long as the activity is performed with software, robots, drones, or other digital tools.

“We already know about technology that will let attackers drive your car off the road, turn off your pacemaker, or watch every communication from your computer or your phone. As our lives become even more digital, the risks will only grow,” said EFF Senior Staff Attorney Nate Cardozo. “The law must make it clear to governments around the world that any illegal attack in the United States will be answered in court in the United States.”

In a petition filed today, EFF and our co-counsel Scott Gilmore plus attorneys at the law firms of Jones Day and Robins Kaplan ask the appeals court to rehear this case en banc, arguing that last month’s panel decision puts the U.S. in the absurd situation where the American government must follow strict requirements for wiretapping and surveillance, but foreign governments don’t have the same legal obligations.

“American citizens deserve to feel safe and secure in their own homes using their own computers,” said EFF Executive Director Cindy Cohn. “The appeals court should vacate this decision, and ensure that the use of robots or remote controlled tools doesn’t prevent people who have been harmed by foreign government attacks from seeking justice.”

For the full petition for rehearing:
https://www.eff.org/document/petition-rehearing-1

For more on this case:
https://www.eff.org/cases/kidane-v-ethiopia

Contact:

Nate Cardozo
Senior Staff Attorney
nate@eff.org

Cindy Cohn
Executive Director
cindy@eff.org
