Electronic Frontier Foundation Patrols Uncharted Online Territory

By Ericka Chickowski  |  Posted 2008-10-02

The Electronic Frontier Foundation (EFF) is best known for its work in promoting individual civil liberties, but its broad body of activism and litigation also benefits IT shops and businesses at large by promoting not just free speech, but also free innovation.

Many IT professionals are already well aware of the work done by the Electronic Frontier Foundation to promote online civil liberties. This nonprofit has gained admiration across the board, from workaday admins and tech-savvy executives to rank-and-file geeks, for its 18-year-long crusade to protect individual rights to privacy and free speech on the Internet.  What these supporters might not be aware of is that the EFF has its own business interests in mind, as well.

Even though the EFF is known for suing some pretty big businesses in the technology and entertainment industries, its leaders generally call themselves “pro business and free innovation,” and much of their work is actually a good thing for technologists and businesses involved in technology.

“We’ve filed plenty of briefs on behalf of companies like Google and other big Internet companies that are finding themselves embroiled in intellectual property disputes, but, by the same token, we often attack them on other fronts, such as [for] their privacy policies,” says Fred von Lohmann, senior staff attorney for EFF specializing in intellectual property matters. “So, [for us], it is not about whether you're a big company or a little company or whether you're somebody that is incumbent or a new entrant. From our perspective the principles are what matter.”

Headed up by lawyers, analysts and technology experts, the EFF was founded on the backs of these principles, which von Lohmann says still guide how the organization moves forward with its actions today.

“Our founding philosophy is still really the one that we start with when we 're looking at any situation, which is to make sure that people’s Constitutional rights make it intact in cyberspace,” says Cindy Cohn, legal director for EFF and one of the keepers of the organization’s vision.

The group is best known for its litigation team, creating the most action through high-profile lawsuits and defense trials.

“I think that their litigation program is something that really fills a gap in looking at the civil liberty implications of intellectual property and how that applies to technology and the industry,” says Sherwin Siy, staff attorney for the lobbying group Public Knowledge, which works to promote principals similar to those of the EFF, but via the legislative route rather than in the courtroom.

The case law and precedents EFF has established reach far and wide. For example, EFF lawyers were the first to establish computer code as a court-accepted means of free speech. It regularly has forced the courts to rule against the RIAA and the MPAA in their quest to badger the little guy in numerous online-content cases. And it is on the warpath to prevent the federal government from moving forward with its warrantless wiretapping program.

While free speech and copyright issues are often paramount in the eyes of EFF lawyers, much of their focus is also on intellectual property (IP) and patent law that affects any kind of free innovation.

“I  think we share with EFF the idea that copyright and IP law generally should be used to encourage innovation and it shouldn't be used or abused to curb it,” says Siy. “You want to reward creators, yes, but at the same time we see it too often being used to stifle innovation and creativity.”

These pro-innovation battles are fought on numerous fronts, but those most likely to affect IT gurus and technology-centric companies fall into one of three categories: fighting the abuse of the Digital Millennium Copyright Act (DMCA) to prevent reverse engineering; fighting blatant patent trolls and other patent-system manipulators; and fighting for the free exchange of information by computer-security researchers.

Passed in 1998, DMCA makes it illegal for anyone to circumvent mechanisms put in place to control access to copyrighted works or other computerized intellectual property. This wide -ranging law has been used by dozens of companies as a big club to beat back a number of different activities, from the actual circumvention of controls to steal copyrighted material, to the more likely scenario of circumvention in order to reverse-engineer hardware or software to improve interoperability or get fair use out of a product that the customer bought in the first place.

According to von Lohmann, DMCA is often used to hamstring enterprises and small businesses from getting full use out of software or hardware they have purchased. These organizations are locked into technological ecosystems closed by burdensome digital rights management (DRM), often without legal recourse that would allow IT staffs to improvise solutions.

Von Lohmann explains that a few years ago, for instance, the EFF brought a case to trial in which a digital-storage vendor had installed maintenance code on its systems that was locked down by a DRM mechanism so only that vendor’s authorized repair and maintenance people could access it. The defendant in the case chose to hire an outside party to develop a little hack to get around this mechanism so his staff could fix the system that it had bought from the vendors.

“The maintenance code was running already; they just needed to do some reverse engineering to figure out what the protocol was,” von Lohmann says. He notes that the vendor sued its customer based on DMCA charges, but the EFF managed to get the court to rule that this was not a true DMCA violation because no copyright infringement took place.

“That is exactly the kind of anticompetitive use of the DMCA we think isn’t legitimate,” he says. “Bans on reverse engineering, I think, are particularly problematic, because this bans not only bad reverse engineering, but also the kind of legitimate compatibility and interoperability work that the courts have repeatedly said is legitimate.”

In that particular case, the EFF prevailed because the customer never signed an end-user license agreement (EULA), which specifically forbids reverse engineering. The issues are a lot more unsettled in the court’s eyes in these cases.

“I don't think there is an easy way to explain [DMCA interpretation],” says von Lohmann. “That is part of the problem, and it’s part of the reason you have people who are trying to do legitimate interoperability work spending more time talking to lawyers than they actually spend doing the work. Once there is an end-user license agreement that has a ban on reverse engineering in it, the [situation] gets very murky. If you've ever clicked on ‘yes’ in an agreement, you do your own reverse-engineering work at your own peril.”

Sadly, that leaves the business world saddled with a much less interoperable system than it needs—which is why the EFF keeps an eye on [such] cases to better define this area of the law and, further, acts as an advocate for businesses that just want some flexibility [in] their technology investments.

“I think a lot of customers in these circumstances feel like they're over a barrel--they don't really have any choices,” von Lohmann explains. “Often, these tools don't provide them with any good migration path, any way to switch vendors. And you also see other anticompetitive lock-in efforts.”

But the DMCA isn’t just used as a blunt weapon beating down reverse engineering. It is also one of several tools used by technology vendors to suppress valuable security-vulnerability information from ever seeing the light of day. The EFF has made a particular point to try cases on behalf of security researchers, who are being bullied into keeping quiet about security problems that can affect a wide range of businesses.

“Security research is critical for IT professionals because, quite frankly, a vendor is always going to tell you its product is rock solid, totally secure,” von Lohmann says. “And most it professionals don't have their own in-house red team to test every one of those statements. So, it is incredibly important for all the customers out there that there are security researchers to kick the tires on all of this stuff to figure out if it works.”

But many of these vendors want to avoid the bad press of flagrant security errors and bugs, choosing, instead,to go through the courts to keep embarrassments at bay rather than simply fixing any problems.

“You have to have an open dialogue about problems, and the initial instinct of a lot of large institutions is to try to hide the mess,” the EFF’s Cohn says. “I think we're going to continue to be busy in this area for a while. I've watched this so many times now, handled many, many cases and advised more researchers than I can count on these issues.”

This was the situation recently, when a group of MIT students were sued from disclosing a very high-profile vulnerability in the card-swiping technology employed by the Massachusetts Bay Transportation Authority. The EFF swooped to their defense and got the initial gag order against the students lifted.

“They were very helpful to the students that were in my class, and I now think they should be commended for their work and help,” says Ron Rivest, a professor in MIT's Department of Electrical Engineering and Computer Science. “The question of disclosing vulnerabilities is a difficult one,” explains Rivest, “and there are always tensions between making vulnerabilities public and considering the current users and vendors and so on. [But] I think the field advances when the vulnerabilities are ultimately discussed and researchers have a chance to examine vulnerabilities and propose better solutions to them.”

Most recently, the EFF instituted a formalized Coders’ Rights Project that will bring together all of its legal work surrounding this issue to advance the rights of these researchers. The ultimate goal is to better protect businesses and consumers at large, according to Cohn and von Lohmann.

Another way EFF protects the interests of businesses and IT practitioners is in the area of patent litigation. Von Lohmann’s team tries plenty of cases where patents are misused and abused to keep the little guy from innovating and using technology fairly.

 “A patent is just an extraordinarily powerful thing, and many times claims are construed so broadly that it just locks down progress in entire fields--even progress in completely unrelated fields,” says Public Knowledge’s Siy, who believes the EFF is fighting a good fight against those who perpetuate that lock-down.

Not only has the EFF protected businesses and university researchers wrongly accused of infringing on patents for the benefit of a few litigious bullies, it also heads a grass-roots movement, called the Patent Busting Project ,to completely get rid of bad patents owned by known “patent trolls.”

As did many technology experts, leaders at the EFF saw a growing trend several years ago of companies that exist solely to buy up or register broadly worded patents for the sole purpose of casting a wide net across industries and suing innovators working in the purview of these patents for the “right” to continue their work.

“A typical patent case is very difficult to do for less than even 500 thousand to a million dollars, and that is just a barebones patent defense,” says Paul Grewal, a partner at Day Casebeer and member of the EFF advisory board. “So, if you're a small business or you're a university researcher and you've been accused of infringing on a patent, you have every incentive in the world to quickly sign a license agreement with them, pay a nominal sum and move on with the rest of your life. What the EFF was saying was, 'Wow, this is really stifling a lot of innovation.’”

In addition to its own cadre of staff lawyers, the EFF recruits a number of private-practice lawyers to help out with certain cases—Grewal is one of them. As a highly specialized patent lawyer, he has seen too many egregious abuses of patent law to turn a blind eye.

“Most of my clients are patent holders, and my firm believes in intellectual property rights,” Grewal says “(B)ut when bogus patents are being used to squeeze small settlements from people who can’t afford to defend themselves, we have a real problem with that. It is an abuse of the system and, frankly, devalues the innovation.”

Because trying patent cases is an expensive prospect, the EFF has taken the alternative tack of going after particularly bad abusers of patent law by getting their patents reexamined by the patent office. The Patent Busting project leverages EFF’s goodwill in the tech community by asking its supporters to not only suggest particularly bad patents to target, but also to dig up prior art that invalidates the claim to a patent. Then, using the help of partnering patent lawyers such as Grewal, who have experience with these reexamination proceedings, EFF takes the information and makes the community case for an overturned patent.

”What the Patent Busting project has done more than anything else is raise awareness of the issue of abuse of the system, because the unfortunate reality is that there are hundreds, if not thousands, of patents out there that should have never have been issued in the first place,” Grewal says. “And if you are a startup there is the real possibility that, just as you're finally turning a corner and going red to black—maybe you're finally getting a first release out—someone can show up at your door with a completely spurious claim. Unless you're prepared to commit millions of dollars in defending yourself in a federal lawsuit, there is not a heck of lot that you can do.”

Grewal says he does a lot of pro bono work for EFF because “I very much believe in what they are trying to do. They not only bring the passion that a lot of public interest organizations bring to their work—which is admirable—but they are some of the most knowledgeable lawyers in this particular area of law that I've ever worked with.”