website Deeplinks
EFF's Deeplinks Blog: Noteworthy news from around the internet

UK Data Breaches Were an Inside Job

Privacy advocates in the United Kingdom got the unfortunate opportunity to say "we told you so" last week, following revelations that nearly 1,000 civil servants working at the UK government’s Department for Work and Pensions had been disciplined for accessing citizens’ private and confidential data, including criminal records, employment histories and social security details. More than 150 of those data breaches occurred at the Department for Health, an agency tasked with providing health services – and maintaining all UK medical records.

The unsettling news came to light after reporters with an investigative television broadcast series filed Freedom of Information requests and published their findings.

As ZDNet’s Zack Whittaker shrewdly points out, the most disconcerting aspect of this rampant leakage is that it wasn't caused by a system malfunction, but rather active exploitation at the hands of "the very people we supposedly trust with our data."

Not Guilty? Met Police Can Still Snoop Through Your Cell Phone

Metropolitan Police in 16 London boroughs are now employing technology to instantly extract mobile phone data from suspects in custody. The upgrade allows police to access call history, texts and phone contacts, while eliminating the need for a forensic examination that used to take several weeks.

A particularly glaring problem with this new policy is that police will continue to retain the mobile phone data regardless of whether charges are brought, according to a BBC report. Privacy International has characterized the new policy as a "possible breach of human rights law," arguing that since it’s already illegal to indefinitely retain DNA profiles from detainees, sensitive mobile phone data should be held to the same standard. Another worry springing out of the new policy: Extracting mobile phone data at a police station is just a heartbeat away from doing the same during a stop-and-search on the street.

FBI Cozying Up with Europol on Cybersecurity

The European Union is actively seeking closer collaboration with the United States Department of Homeland Security (DHS) to fight cyber crime. In fact, EU Home Affairs Commissioner Cecilia Malmström recently went so far as to say, "EU-U.S. cooperation is not a choice, but a necessity." She then predicted the success of joint cybersecurity operations between the FBI and Europol. Malmström added that she has been working closely with DHS Secretary Janet Napolitano on joint cyber crime initiatives as part of a working group that's planning "a fully fledged EU-U.S. cyber exercise" in 2014.

"Yesterday, I had the opportunity to follow the work of the FBI and I was impressed by how advanced they are," Malmström noted. "This has reinforced my view that we should continue to deepen transatlantic cooperation against cyber threats." Her comments were delivered on May 2 in Washington, D.C., at the Transatlantic Cyber Conference, organized by the Center for Strategic and International Studies, the European Security Roundtable and SRA International.

Land of #OzLog: Data Retention Back on the Agenda in Australia

"OzLog" is shorthand for a proposed mandatory data retention policy the Australian government has been toying with the idea of implementing, despite popular backlash. Patterned after the notorious European Directive on Data Retention, the proposal would require Internet service providers Down Under to store information about customers’ web usage history for two full years.

Dormant for months, it was looking as though OzLog would make a comeback in recent weeks as part of a broader surveillance monstrosity taking shape under Australia’s Federal Attorney-General, Nicola Roxon. To flesh out the plan, the government sought feedback on ideas such as: "increase powers of interception; make it easier for [the Australian Security Intelligence Organization] to break into computers and computer networks, including those of third parties not targeted in warrants; [facilitate] the prosecution of anyone who names an ASIO officer; and [implement OzLog]," according to Crikey, an Aussie news outlet.

Fortunately, opposition to the proposed surveillance scheme is mounting. Australia’s Parliamentary Joint Committee on Intelligence and Security rejected the plan’s terms of reference last week, sending it back to the drawing board. And Sen. Scott Ludlam, a spokesperson for the Australian Greens, expressed bitter opposition, saying: "This is the idea that all our personal data should be stored by service providers so that every move we make can be surveilled or recalled for later data mining. It is premised on the unjustified paranoia that all Australians are potential criminal suspects."

Hey, Teachers! Leave Those Kids Alone!

High school students in the Australian state of Queensland who lack their own computers are given government-issued laptops to take home with them from school – but they come with a hidden price. A recent news report revealed that "screen spy" monitoring software run by the AB Tutor Client Program quietly takes time-stamped screenshots, monitors printing, and logs visits to websites and keystrokes. Students’ online activity is monitored even when they are working at home, and one mother complained that a screenshot had been taken of her daughter’s Skype conversation. During class, teachers can remotely control the computers.

Despite the uproar that was unleashed when parents and civil liberties advocates discovered the extent of the laptop monitoring, officials with Education Queensland, the governmental department responsible for running the schools, stuck by the practice. Responding to questions from the press, Queensland Education Minister John-Paul Langbroek noted that parents had signed an agreement disclosing that online communications could be audited and traced back to students. He then delivered a line that is often repeated but known by privacy advocates to be completely wrongheaded. "If they've done nothing wrong," he said, "they've got nothing to fear."

In Canada, Telcos Got Inside Track On Surveillance Bill

Several weeks before Canada’s controversial online surveillance legislation, Bill C-30, was introduced, major telecommunication companies partnered with government officials to develop a secret forum on "Lawful Access," the deceptive term used to describe governmental interception of online activity and information. The closed-door collaboration was revealed in documents obtained via Canada’s Access to Information Act (the equivalent of the U.S.’s Freedom of Information Act), according to Michael Geist, a law professor at the University of Ottawa. News of the secret meeting served to clear up confusion as to why Canada’s telcos stayed mum on C-30 when it reached the height of controversy earlier this year.

After Bill C-30 had formally entered the approval process, government officials continued to work with telcos behind the scenes to respond to their concerns — such as whether they would receive "adequate compensation" in exchange for providing subscriber information, according to the released documents.

As Geist points out, the behind-the-scenes collaboration essentially "created a two-tier approach to Internet surveillance policy, granting privileged access and information for telecom providers." Though it’s on the back burner for now, Bill C-30 nevertheless remains in legal limbo, with Public Safety Minister Vic Toews promising that it will be sent to committee for further study.

 


Senator Ron Wyden yesterday introduced a bill on the floor of the U.S. Senate demanding access to draft texts of international trade agreements under negotiation by the Office of the United States Trade Representative such as the Trans-Pacific Partnership Agreement (TPP) that carry provisions that could severely choke off users' rights on the Internet around the world. This is a great positive step in the right direction.

The proposed bill, titled the "Congressional Oversight Over Trade Negotiations Act", calls for all Members of Congress, together with all of their staff with proper security clearance, to be given access to "documents, including classified materials, relating to negotiations for a trade agreement to which the United States may be a party and policies advanced by the Trade Representative in such negotiations." 

Article 1 Section 8 of the U.S. Constitution gives Congress the sole power to regulate foreign commerce in order to ensure that such laws and policies take into consideration all the interests of the people rather than those of the select few. Congress has delegated certain powers to the Office of the U.S. Trade Representative (USTR), but the USTR remains subject to Congressional oversight. The USTR is required to consult with the Senate Finance Committee and the House Ways and Means Committee, and is supposed to regularly consult with the House and Senate Leadership Offices. In addition, under amendments to the Trade Act enacted by Congress in 2002, the USTR is required to consult with members of the Congressional Oversight Group.

Senator Wyden is a member of the Senate Finance Committee (which has jurisdiction over "reciprocal trade agreements; tariff and import quotas, and related matters thereto") and is Chair of its subcommittee on International Trade, Customs and Global Competitiveness. And yet, as he explains, neither he nor his staff, who have obtained proper security clearance, have been able to get access to material related to the negotiations of the TPP from the USTR. This is something that he also raised with the U.S. Trade Ambassador at a Senate hearing on 7 March. The USTR has apparently read the 2002 legislation as narrowing the requirement for the USTR to consult with Members of Congress, contrary to what Senator Wyden and others had intended at the time it was enacted. Meanwhile, the USTR is continuing to consult on TPP negotiating texts with representatives of large entertainment companies and the pharmaceutical industry on the private sector Industry Trade Advisory Committee on Intellectual Property. Senator Wyden introduced yesterday's bill to rectify this situation.

In his remarks introducing yesterday's bill, Senator Wyden states:

Put simply, this legislation would ensure that the representatives elected by the American people are afforded the same level of influence over our nation’s policies as the paid representatives of PhRMA, Halliburton and the Motion Picture Association.

Senator Wyden has nailed it. The USTR has continued to exclude our Congressional representatives, civil society and public interest groups from learning about the policy issues that are being discussed in these negotiations, while welcoming private sector industry groups' inputs on negotiation texts with open arms.

The leaked U.S. TPP Intellectual Property chapter has provisions that will directly impact the future of the open Internet. This is a vital issue that all of us should have a say in, not just representatives from a few selective parts of the economy. Sound and balanced policy-making requires transparency and meaningful input from all affected Internet stakeholders.

Through our action alert, concerned citizens have sent over 20,000 emails to our Congressional representatives since February, calling on Congress to demand transparency in these negotiations. That demonstrates that there is very substantial interest from constituents in understanding how what the USTR is negotiating will affect our digital rights and the open Internet. However, this battle is not close to being over.

Help us keep the pressure on Congress and let them know we'd like to see them defend Internet freedom against the powerful trans-national industries that are currently unilaterally shaping these secret international trade agreements.

Click here to take action. Tell Congress that you refuse any more backroom deals to regulate the Internet.

Use the hashtags #TPP and #TPPA to keep talking and raising awareness of the agreement on Twitter.


CIA Still Claims Its Drone Program is "Secret"

Last week, the Wall Street Journal reported the Obama Administration may finally lift the legal veil of secrecy surrounding the CIA’s covert drone program. The ACLU has been involved in a lawsuit over the US government’s constitutional authority to target American citizens with strikes overseas with its supposedly covert CIA drone program. On Monday, however, the CIA decided to continue to claim the program is a state secret and that they should not have to admit or deny it exists.

This, despite the fact that, as the Journal reported, "U.S. drone strikes are hardly a secret. Officials have spoken openly about them, even discussing the operations in formal speeches. But they are still classified, and unauthorized disclosures about details of individual missions could constitute a felony."

Ironically, on the same day, the White House announced a new policy for which suspects get targeted by the covert program, saying counterterrorism chief John Brennan would have the final say on who gets targeted by The Program Which Must Not Be Named.

EFF Releases New FOIA Documents and Files Amicus Brief in Transparency Case

  • Patriot Act

EFF published the full set of documents the Justice Department has handed over so far in our FOIA lawsuit for the Justice Department’s secret interpretation of section 215 of the Patriot Act, of which Senators Ron Wyden and Tom Udall warned "most Americans would be stunned to learn the details of how these secret court opinions have interpreted section 215 of the Patriot Act."

Meanwhile, a court in New York ruled against New York Times reporter Charlie Savage, along with the ACLU, in their separate lawsuit asking for the Justice Department’s secret memo on the same matter. Both EFF and ACLU have separate suits pending related to Section 215 in different jurisdictions.

  • State Department documents on ACTA

The EFF also received a response from the State Department last week in response to our FOIA request for documents related to the Anti-Counterfeiting Trade Agreement (ACTA). ACTA contains harsh copyright standards that EFF has been protesting for years. The documents suggested that ACTA was not submitted to the normal State Department review process to determine its constitutionality before it was signed by the Deputy Trade Ambassador. Read more about the FOIA request and how law professors cast further doubt on ACTA’s constitutionality here.

  • FOIA Suit for White House Visitor Records

EFF, along with Citizens for Responsibility and Ethics in Washington (CREW) and a host of other civil society organizations, recently filed an amicus brief in the long-running Freedom of Information Act case against the Department of Homeland Security (DHS) and the Secret Service for access to the White House visitor logs. Previously, the Obama administration released many of the logs, but is still arguing in court that they are not subject to FOIA because they do not belong to a specific agency. However, given that it’s clear the Secret Service is part of DHS, there is no threat to public safety, and the White House has released many records already, there is no reason they should be withheld from the FOIA process.

NSA Forced to Declassify Document It Accidentally Posted Online

In an embarrassing incident two weeks ago, the National Security Agency (NSA)—notorious for overclassification and secrecy—was forced to use a "rarely used authority" to declassify a "properly classified" document in full after they mistakenly posted it on their website, according to secrecy expert Steven Aftergood. Instead of redacting the alleged sensitive material in the online post, they highlighted it.

But, according to Aftergood, as is the case in many circumstances of government classification, it is hard to see why it wasn’t declassified in the first place:

There was nothing exceptional about the contents of the document, and there was no overriding public interest that would have compelled its disclosure if it had been properly classified.  Nor is any national security damage likely to follow its release.

Final Volume of the CIA’s Bay of Pigs Study Will Remain Classified

Two weeks ago, a federal judge ruled for the government in a FOIA suit filed by the National Security Archives asking the CIA to formally declassify a draft of the last volume of a history of the Bay of Pigs Invasion. Unfortunately, the federal judge ruled the government could keep the draft version classified, despite the fact that it was written 31 years ago about an event that happened more than 50 years ago.

The judge reasoned that the final volume was a draft not intended "for inclusion in the final publication" and therefore the ‘deliberative process’ exemption to FOIA applied, which provides an exemption to disclosure for documents that help government officials arrive at final agency policy positions. As McClatchy reported, "The judge agreed with the CIA assertion that release of Volume V would have a chilling effect on current CIA historians who might be reluctant to try out ‘innovative, unorthodox or unpopular interpretations in a draft manuscript’ if they thought it would be made public."

The deliberative process privilege – when narrowly invoked – serves legitimate purposes. It is designed to provide lower level government employees with the freedom to express ideas, without fear of public disclosure if those ideas are not ultimately adopted by the agency. However, in this case, the (former) government employee who wrote the draft volume sought its release – through a FOIA request – 10 years ago. At the time, the information contained within the draft was still classified, so his request was denied. Now, however, the information is no longer classified, and, given that the person whose "deliberative process" the CIA is allegedly protecting sought the draft’s release, it is hard to understand what the public interest in protecting the document, 30 years after its creation, could possibly be.


Eurovision Song Contest Sets Stage for Online Protest

Last Thursday, Azeri hackers calling themselves Cyberwarriors for Freedom temporarily took down four different websites for the Eurovision Song Contest, which is being hosted by Azerbaijan this week. Hackers replaced the home pages with an Azeri-language message demanding that President Ilham Aliyev cancel the event. While they condemned the destruction of homes to make way for the Eurovision arena and the silencing of independent journalists, the hackers’ message also included homophobic language, calling the contest a "gay parade."

While Azeri authorities continue to investigate the hacking, the International Partnership Group for Azerbaijan also launched a new campaign petitioning Eurovision performers to show support for human rights in Azerbaijan. The campaign echoes statements from Amnesty International and Human Rights Watch, who have called upon Azeri authorities to release detained opposition activists and guarantee free expression for peaceful protesters planning demonstrations before the contest.

The Azeri parliament is currently debating laws curtailing social media access, even though 78% of Azeris have never used the Internet and only 7% go online daily.

French Judicial Investigation Calls Out Amesys’ Complicity With Libyan Torture

The International Federation of Human Rights (FIDH) and the League of Human Rights (LDH) announced on Monday that Amesys, a subsidiary of the French defense firm Bull S.A., will be investigated for supplying the Gadhafi regime with electronic surveillance tools. Both NGOs have accused Amesys of complicity with the dictator’s crimes against humanity after NATO forces found equipment bearing the company logo in an abandoned security building in August 2011. FIDH and LDH originally filed their complaint against Amesys with a French civil party in October 2011.

A Wired report coinciding with the announcement of the French judicial investigation details Libyan Internet activism and government monitoring during the 2011 revolution. Amesys’ EAGLE Interception system was one of the many Western-built Internet surveillance systems that NATO found in the monitoring bunker. The EAGLE equipment suite can monitor Internet users beyond the scope of "lawful interception" wiretaps that require a warrant for a particular IP address. Instead, EAGLE uses "massive interception," which can analyze all network communications and store them in a database that is searchable by keywords, dates, and user names or addresses.

If Amesys has to pay damages for working with Gadhafi during the revolutions, it will serve as a warning for Internet technology firms that sell to human rights abusers. Earlier this year, the United States Congress re-introduced the Global Online Freedom act, which seeks to restrict exports of surveillance or censorship technologies to Internet-restricting governments. While the bill is imperfect, its commitment to corporate accountability for human rights could inspire a set of legal best practices for multinational corporations that governments could use for future investigations of firms like Amesys.

Anonymous Hacks Indian Government Sites to Protest Blocking of Video-Sharing Services

The Indian Congress Committee and Supreme Court websites were both taken down by distributed denial-of-service attacks as part of Anonymous’ #OpIndia, which sought to chastise Indian Internet service providers for blocking video-sharing websites such as Vimeo. The ISPs acted in response to a state proposal for a UN Committee for Internet Related Policies (CIRP) that would give India’s ruling party discretion to censor all online content. This proposal comes in the wake of several movie piracy lawsuits that Indian and international media conglomerates have filed since February 2011.

These lawsuits have resulted in the issuance of court orders, known in India as "Ashok Kumar" orders, that ask all parties to halt the distribution, display, or download of particular movies. It is unclear why the ISPs chose to block entire websites, a move that removed access to considerable non-infringing content. Indian copyright law is similar to the American Digital Millennium Copyright Act in that intermediaries such as Vimeo and Dailymotion are actually protected from most copyright litigation. ISPs reported that they were following the temporary restraining order the Madras High Court recently published, which condemned "copying, recording, reproducing, camcording or communicating, or allowing others to communicate" the contents of the film 3 in any form.

Anonymous was not the only organization to protest the sloppy content-management of ISPs and Indian state lawyers. Sanjay Tandon, vice president of music and anti-piracy from Reliance Entertainment, stated, "Our requirement from ISPs has never been to block entire sites… ISPs just want to block the entire site because it’s less work than to identify content individually."

South Korean Podcasters Accused of Breaking Election Law

Two hosts of the popular South Korean liberal podcast "Naneun Ggomsuda" ("I’m a Petty-Minded Creep") have been summoned for questioning in regards to the Seoul Metropolitan Election Commission’s charges relating to the organization of eight large, public rallies showing support for the Democratic United Party. South Korea’s election laws prohibit any endorsement of candidates outside of a two to three-week official campaign period, but the rallies in question were held within ten days of the election. Typically, the government contacts the hosting providers of websites or media outlets found to have violated this rule before investigating citizen journalists, but the investigation of Kim Eo-Joon and Joo Jin-Woo began immediately following the election and has been ongoing for over a month.

South Korea has a rich history of arbitrarily censoring online free expression. In 2008, newly-elected conservative President Lee Myung-bak created the Korean Communication Standards Commission. This organization patrols the web for obscenity, national security threats, and defamation, and it has great latitude when defining standards for these offenses. Park Jeong Keun was slapped with a prison sentence last week for re-tweeting "self-evidently ludicrous missives" from the North Korean regime’s own Twitter account. After Park’s arrest earlier this year, Sam Zarifi, Asia-Pacific director of Amnesty International, said, "This is not a national security case; It's a sad case of the South Korean authorities' complete failure to understand sarcasm."


New White Paper from EFF and the Immigration Policy Center Outlines Privacy and Security Concerns

San Francisco - Today the Immigration Policy Center (IPC) and the Electronic Frontier Foundation (EFF) release "From Fingerprints to DNA: Biometric Data Collection in U.S. Immigrant Communities and Beyond." The paper outlines the current state of U.S. government collection of biometric information and the problems that could arise from these growing databases of records. It also points out how immigrant communities are immediately affected by the way this data is collected, stored, and shared.

There is a growing push to link biometric collection with immigration enforcement. The U.S. Department of Homeland Security (DHS) takes approximately 300,000 fingerprints per day from non-U.S. citizens crossing the border into the United States, and it collects biometrics from noncitizens applying for immigration benefits and from immigrants who have been detained. In addition, state and local law enforcement officers regularly collect fingerprints and DNA, as well as face prints and even iris scans. All of these government databases are growing and are being increasingly interconnected. For example, the Secure Communities program takes the fingerprints of people booked into local jails, matches them to prints contained in large federal immigration databases, and then uses this information to deport people.

"Some people believe biometrics and databases are the silver-bullets that will solve the immigrant enforcement dilemma. But biometrics are not infallible, and databases contain errors. These problems can result in huge negative consequences for U.S. citizens and legal immigrants mistakenly identified," said Michele Waslin, Senior Policy Analyst at the IPC.

"Biometric data collection can lead to racial profiling and can disproportionately affect immigrants," said EFF Staff Attorney Jennifer Lynch. "It also gives the government a new way to find and track people throughout the United States. The government needs to act now to limit unnecessary biometric collection and address the serious privacy issues regarding the amount and type of data collected, as well as what triggers that data collection, with whom the data is shared, and the security of that data."

For the full white paper "From Fingerprints to DNA: Biometric Data Collection in U.S. Immigrant Communities":
https://www.eff.org/document/fingerprints-dna-biometric-data-collection-us-immigrant-communities-and-beyond

For "From Fingerprints to DNA: By the Numbers":
https://www.eff.org/document/fingerprints-dna-numbers

For more on biometrics:
https://www.eff.org/issues/biometrics

Contacts:

Jennifer Lynch
   Staff Attorney
   Electronic Frontier Foundation
   jlynch@eff.org


Bogus Copyright Infringement Claims Could Add Up to Fewer Choices, Higher Prices

New York - The Electronic Frontier Foundation (EFF) is urging a federal judge not to let television networks squash an innovative streaming service with a bogus copyright infringement lawsuit.

In an amicus brief filed today, EFF and Public Knowledge asked the court to block a preliminary injunction that could prevent Aereo Inc. from establishing a customer base in New York City, arguing that shutting down the service at this early stage sends a dangerous message to other start-up companies working to improve consumers' TV viewing experience.

"The threat of lengthy litigation would discourage any business from working to add value to the television viewing experience, leaving the market in the hands of a few established players," said EFF Staff Attorney Mitch Stoltz. "Remember, these are the same folks who tried to keep VCRs off the market years ago, and more recently fought viciously against remote DVRs, which allow cable subscribers access to content they've already bought but is stored elsewhere. This is yet another attempt by TV networks to profit from, control, or stop new technology they didn't think of first."

Aereo lets users in New York watch local channels by renting their own small antenna located at the Aereo facility, with the signal from the antenna sent over the Internet to that single user. The TV networks argue that this somehow constitutes a public performance and therefore infringes their copyright, even though it would be perfectly legal for someone to install their own antenna and run a wire to a TV set without paying a fee to anyone.

"All Aereo is doing, conceptually, is moving the rabbit ears from your roof to theirs," said EFF Senior Staff Attorney Kurt Opsahl. "Yet the TV networks want to play games with the law to get a cut of the profits or shut it down. We're asking the court to consider the legal and customary rights of television viewers, as well as the threats a preliminary injunction could bring to future innovation."

For the full brief in WNET v. Aereo Inc.:
https://www.eff.org/node/70851

Contacts:

Mitch Stoltz
   Staff Attorney
   Electronic Frontier Foundation
   mitch@eff.org

Kurt Opsahl
   Senior Staff Attorney
   Electronic Frontier Foundation
   kurt@eff.org


This week, the Supreme Court put to rest any doubt that when it invalidated a patent that added nothing novel to an otherwise unpatentable idea, back in March, it was talking about software patents, too. In that case, Mayo v. Prometheus, the Court reviewed the three types of inventions that cannot be patented: laws of nature, natural phenomena, and abstract ideas, and held that the patent at issue there—one covering diagnostic testing—represented nothing more than a law of nature, with "conventional steps, specified at a high level of generality," appended. At the time, we commented that this ruling should likewise apply to software patents, so that merely adding a "conventional step" to an otherwise abstract idea would not make that abstract idea patentable (which is exactly what happened in the Ultramercial v. Hulu case). On Monday, the Supreme Court told the Federal Circuit to reconsider its Ultramercial ruling in light of Mayo, which sounds a lot like an endorsement that Mayo's limitations on patentable subject matter should extend to software, too.

When Mayo was first decided, we were pleased to see that the Supreme Court’s language included abstract ideas in its analysis. Of course, many consider most software, and the algorithms that form its basis, abstract ideas that should not be patented. So you can see why the Mayo ruling, applied to abstract ideas, would have the potential to limit some of the worst software patents we’ve seen. 

Case in point: Ultramercial.  We’ve written about this dangerous ruling before (here and here), but, in case you missed it, there the Federal Circuit upheld a patent that merely claimed a process for doing no more than viewing ads online before accessing copyrighted content. The court claimed that the patent was not abstract because the steps were completed on the Internet, despite the fact that the underlying idea—viewing ads in exchange for content—was indeed abstract. Essentially, if more courts and the Patent Office follow Ultramercial, the mere act of performing an abstract idea on the Internet would somehow make that otherwise abstract idea no longer abstract. Given the myriad ways in which the world is moving online, you can see just how badly this could go. 

Lately, many have argued about whether the Mayo ruling would apply to software, too. We think it clearly should, and does. It seems the Supreme Court thinks so, too. We hope the Federal Circuit will get it right this time and strike Ultramercial from the books. 


text EFF is Joining the Transition to IPv6
Tue, 22 May 2012 20:38:46 +0000

EFF is proud to participate in World IPv6 Launch Day on June 6, 2012.

It is a testament to the enduring success and growing importance of the Internet that the original space of over four billion addresses has effectively been exhausted. Workarounds are in common use to share and reuse addresses, making this a problem that most users can continue to ignore for now. On the other hand, it already forces network engineers to work under difficult constraints and justify each request for a new address. Serving a variety of hostnames from only one IP address can make SSL certificate management complex, adding a needless obstacle to HTTPS adoption. Address scarcity also presents a serious roadblock to new ISPs, especially outside North America. As every new mobile device service is now an ISP too, the problem is only accelerating.

IPv6 solves this issue by starting out with a much larger block of addresses. Famously, the address space of 2^128 is large enough to assign almost 5 x 10^28, or 50 billion billion billion, addresses to every living human. The protocol also includes built-in features for configuration and encryption that have traditionally been performed by other software running on top of the IP network layer, and support for extremely large frame sizes for future scalability.

The transition to IPv6 presents some privacy concerns that users should be aware of. As first conceived, a portion of an IPv6 address would be generated from a device's MAC address, making it possible for every remote machine a user communicates with to calculate the unique hardware identity of the user's machine. That allows sites and services anywhere in the world to recognize and track the user's device forever. The sparse address space and decreased need to pool IP addresses with Network Address Translation also make it easier to uniquely identify and track a user.

However, more and more operating system vendors are including plugins to mitigate these concerns and, better yet, enabling them by default. IPv6 support is also available from the Tor Project, but for now you will need to know the address of an IPv6 bridge to use it. As more people adopt IPv6, we should all be vigilant about protecting our privacy, but right now we see no serious hurdles that should warrant putting off IPv6 adoption.
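The MAC-derived addressing described above can be checked for on your own hosts. The following is an added example, not code from EFF: it assumes the standard Modified EUI-64 layout (ff:fe inserted in the middle of the MAC, universal/local bit inverted), and the function names and sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def eui64_mac(addr):
    """Return the MAC embedded in an IPv6 address, or None if the
    interface identifier is not in Modified EUI-64 form."""
    ip = ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])
    iid = ip.packed[8:]                  # low 64 bits: interface identifier
    if iid[3:5] != b"\xff\xfe":          # EUI-64 inserts ff:fe mid-MAC
        return None
    # Undo the inverted universal/local bit (0x02 of the first octet).
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def link_by_mac(addresses):
    """Group addresses that expose the same hardware identifier."""
    seen = defaultdict(list)
    for a in addresses:
        mac = eui64_mac(a)
        if mac:
            seen[mac].append(a)
    return dict(seen)

# Constructed sample: one device seen on two networks with a
# MAC-derived identifier, plus one address with a randomized identifier.
# Prefixes and MAC come from documentation ranges.
SAMPLE = [
    "2001:db8:1:1:200:5eff:fe00:532a/64",     # home network
    "2001:db8:beef:42:200:5eff:fe00:532a",    # different network, same device
    "2001:db8:1:1:d4a8:3c1f:9e27:6b05",       # randomized identifier
]

if __name__ == "__main__":
    for mac, addrs in link_by_mac(SAMPLE).items():
        print(mac, "->", addrs)
```

An address flagged here means the host is not using randomized interface identifiers on that interface. A randomized identifier matches the ff:fe pattern by chance about once in 65,536 addresses, so treat a single hit as a prompt to check the host's configuration.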

Because the IPv6 protocol follows the standard TCP/IP networking model and sits squarely on the Internet layer, many IPv4 applications can be updated to add IPv6 support with only small changes. For site operators like EFF, the changes can be almost as simple as updating the server software's configuration file to include its IPv6 address and adding IPv6 'AAAA' domain name records. We also recommend configuring an IPv6 aware firewall, such as ip6tables for GNU/Linux.

If getting ready for the Internet of the future is so easy, why hasn't everyone already done it? Unfortunately, for major hosting providers and ISPs, it can be a much bigger task. In order to provide your server with a v6 IP address, they might need to upgrade a significant portion of their network infrastructure. Very few home ISPs offer IPv6, and home routers with IPv6 support haven't been on the shelves for very long. Until demand increases, uptake might be slow, and with workarounds to share IPv4 addresses in place demand remains low. The organizations taking part in World IPv6 Launch Day are helping to change this picture.

If your ISP or hosting provider doesn't offer native IPv6, you can still offer connectivity or start using IPv6 by way of a transition technology in which v6 traffic is tunneled through an IPv4 address. A number of providers and client packages can help make configuring this scenario relatively painless.

www.eff.org will launch over IPv6 on June 6, 2012. Due to hosting limitations, our other sites and services will follow at an as yet undetermined date. In the meantime, future-proofed users can enjoy a preview at ipv6.eff.org.


text EFF's New DEF CON 20 T-Shirt
Tue, 22 May 2012 20:03:44 +0000

In the ongoing effort to bring you cool things that support important civil liberties issues, EFF is happy to unveil our third annual DEF CON hacker conference t-shirt featuring the dangerous, and yet cuddly Script Kitty. He hacks, he glows, and he demands coders' rights.

Our spokeskitten shows that, if you own a killer robot, you have the right to pwn it.  The front of the shirt features our EFF-DEF CON logo mashup in a subtle homage to our mutual support (as well as a shout-out to EFF's advocacy for remix culture and fair use).  And watch the front and back glow acid green under cover of darkness!

In honor of DEF CON's 20th anniversary, we've made this year's special edition member t-shirt available on our site! Get a cottony chunk of hacker history even if you can't make it to Las Vegas this summer.  Just join EFF or renew your membership through our D(EFF)CONtest page. Support one of the amazing fundraising teams on the leaderboard, or make an independent donation.

While you're at it, start your own D(EFF)CONtest team and be your own first contributor.  Compete to protect coders' rights and win a whole lot of 1337 including a stay at the Rio Hotel and Casino, DEF CON Human Badges, Ninja Party badges, passes to theSummit, and more!


New legislation in the Netherlands makes it the first country in Europe to establish a legal framework supporting net neutrality. In addition to the net neutrality provisions, the law contains language that restricts when ISPs can wiretap their users, and limits the circumstances under which ISPs can cut off a subscriber's Internet access altogether.

The anti-wiretapping section of the new law specifies that ISPs may not use technologies like deep packet inspection (DPI), except under limited circumstances, or with explicit consent from the ISP’s customer, or to comply with a court order or other legislative provisions. One Dutch ISP, KPN, came under fire last year for using DPI to determine whether its subscribers were using VoIP on mobile devices.

The new law sets out an exhaustive list of six circumstances in which an ISP can disconnect or suspend the Internet access of subscribers. These include: termination at the request of the subscriber, non-payment by a subscriber, in cases of deception, at the expiry of a fixed contract, force majeure, or if the ISP is required to terminate by law or a court order. In addition, the network neutrality provisions also permit blocking of an Internet connection where necessary for the integrity and security of a network.

The provisions are the Dutch government’s implementation of the 2009 EU Telecoms Package revision framework. Article 1(3a) of the Framework Directive states that EU Member States may only adopt measures interfering with citizens’ ability to access and use the Internet in limited circumstances. In particular, measures may only be imposed if they are "appropriate, proportionate and necessary within a democratic society, and their implementation shall be subject to adequate procedural safeguards in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms and general principles of Community law, including effective judicial protection and due process."

As Dutch digital rights group Bits of Freedom notes, the new provisions are needed because "[c]urrently, Internet providers on the basis of their terms and conditions may terminate or suspend the Internet connection for various reasons." This law ensures that ISPs cannot disconnect users for nebulous terms of service violations. This gives Internet users some protection against ISPs adopting voluntary or semi-voluntary measures, such as policies to disconnect Internet users on three allegations of copyright infringement.

This is important as voluntary three strikes policies become an increasingly real danger. In the United States, for example, ISPs and major media trade groups have developed a voluntary "graduated response" program — the so-called "six strikes" deal — that is set to go into effect this July. EFF is now calling on Internet users to pressure the participating ISPs for a public commitment not to cut users off under the new program.

The Dutch law comes after vigorous campaigning by civil society groups, including the influential digital rights group Bits of Freedom. Ot van Daalen, the Director of that organization, hopes it will spark similar legislation elsewhere. "Bits of Freedom campaigned hard for these provisions and our work paid off. The law sets an example for other countries, and we call on the rest of Europe to follow."



Canada police arrest nearly 700 students
text CANADIAN police made nearly 700 arrests after mass protests by students in several cities on Wednesday night. (heraldsun world)
Dirt Showdown review
text Dirt Showdown is a boisterous and varied racer best enjoyed with friends, writes Tom Hoggins. (telegraph technology)
NASA time-lapse shows Lyrid meteor shower from space - as well as the Aurora Borealis and lightning
text ISS astronauts captured a cameo appearance from the Lyrid meteorite shower, as well as lightning and glare from city lights in Florida. (dailymail sciencetech)