Press "Enter" to skip to content

Q&A: EFF’s Cindy Cohn

COVID and Privacy: ‘Bad Ideas About Tracking People’

By Nora Macaluso

Last of three parts.

Established in 1990, the Electronic Frontier Foundation has a history of fighting government and private efforts to monitor civilians.

In 2005, Cindy Cohn, as EFF’s legal director and general counsel, led a class-action lawsuit against Sony BMG, alleging that the entertainment giant built a flawed and invasive computer program into as many as 22 million music CDs to block copying by the public.

In a 2007 settlement with the Federal Trade Commission, Sony made available a patch that was designed to resolve the security vulnerability.

The next year, EFF began representing victims in a lawsuit challenging an illegal surveillance program run by the National Security Agency (NSA) conducted under the guise of the U.S. Patriot Act. The litigation continues.

Cohn, now EFF’s executive director, told Digital Privacy News in this final installment of a three-part interview that the advocacy group currently was watching for “COVID-wash” surveillance as new, pandemic-related technologies roll out.

This interview has been edited for length and clarity.

Could you give an update on the lawsuits involving the NSA and the mass surveillance of Americans? Are these cases still going on? Is EFF involved? 

Yes, they’re still going on.

In fact, we had an argument in the Ninth (U.S.) Circuit Court of Appeals in our landmark case, Jewel v. NSA, on Nov. 2.

The government is still trying to claim massive secrecy and get the case dismissed — and we are still fighting that.

It’s slow-going, but they have not succeeded in killing our case yet. We’re going to keep at it.

On NSA lawsuit:It’s slow-going, but they have not succeeded in killing our case yet. We’re going to keep at it.”

This is such an important thing: The NSA is sitting on the internet backbone and watching all the traffic that goes by — and is using secret lists to decide what it wants to keep and use.

That’s just not consistent with a self-governing democracy. 

What are your thoughts, 15 years on, about the Sony BMG settlement? Has it had any ramifications for other companies? 

It had huge ramifications. That case was really the nail in the coffin of using digital rights management on CDs. Right?

We didn’t see any other company try to use DRM on CDs after that.

There hadn’t been before, and Sony was experimenting with it — and it just killed it.

People don’t use CDs much anymore, but we did help stop something bad.

We really set a precedent that if you’re going to use DRM, copyright controls on media you make available, it has to protect the user.

The Sony rootkit case was a case in which Sony put software on CDs that took over people’s computers and created a backdoor into them.

The Sony BMG case was “really the nail in the coffin of using digital rights management on CDs. … We did help stop something bad.”

While we’ve seen lots of security problems over the years since then, this particular problem — where streaming turns into a vehicle that creates security vulnerabilities in your computer — we haven’t seen many of these types of stories.

I hope that’s because the Sony rootkit case sent a strong message that there were going to be consequences for companies that did that.

Sony paid a pretty-good price for that. 

Do you think EFF had an impact?

It’s always hard to know what didn’t happen as a result of what you did.

I do think we have a long way to go, but we’ve come a long way in terms of companies recognizing they need to protect their users’ security — and they need to build more secure tools.

The development of computer security over the last 15 years is really important.

It was a little late getting started, but now part of rolling out a new service or tool to people is making sure it doesn’t weaken the security of systems.

A lot of the credit for that goes, frankly, to Apple and Google tightening up security requirements for things that go on their laptops — and making people who provide software meet a higher standard for that.

I criticize those companies all the time, but it’s important to point out they’ve done quite a bit to up their security.

You didn’t mention the pandemic. Do you see any privacy implications there? 

What we’ve seen with the pandemic has been interesting.

We’ve seen a lot of attempts to what I call “COVID-wash” surveillance — bad ideas about tracking people.

We’re seeing proctoring apps, for example, that students are being asked to use when taking a test, being horribly invasive.

“We actually beat back a lot of bad ideas when COVID broke out that would have been incredibly invasive.”

We’re seeing the same things with other kinds of apps — and we’re also going to see it with some of the vaccine passports that are going to start coming out.

Was EFF involved?

We did have some initial victories.

We actually beat back a lot of bad ideas when COVID broke out that would have been incredibly invasive.

The actual tool that Apple and Google put in their phones ended up being more privacy-protective than what we have seen in earlier versions.

In some way, there’s a partial success story there. 

And, looking forward?

We always have to be vigilant.

Ultimately, there was a difference between what we feared was going to happen at the beginning of the COVID crisis with people’s privacy and where a lot of these tools ended up.

That indicates we have a strong voice if we want to.

Americans said: “We don’t want to be tracked. We’re not comfortable. We won’t use an app that tracks us too much.”

On vaccination passports: “We’re watching very, very closely.”

This is the power of the public’s having a voice in some of this stuff, which we try to amplify.

A lot of the stuff with Apple and Google ended up being pretty good on privacy. It isn’t actually the bad-news story we had been afraid it was going to be in March.

I don’t want to pretend this is over and people don’t have to be vigilant, because we see bad ideas all the time.

Where’s the next battle here?

There’s a lot of effort to get proof on people’s phones about whether they’ve been vaccinated or not, as a gating thing to whether people get to travel or go to work, get to go to various places.

We’re watching very, very closely.

That’s the kind of thing where, if you’re going to do it, you have to be very careful about it — especially given how inequitably our technology is spread. 

What is EFF’s concern?

If we do something like vaccination passports, we have to recognize and adjust for the fact that it’s going to be used in the same way.

“I don’t want to pretend this is over and people don’t have to be vigilant, because we see bad ideas all the time.”

It’s going to benefit the rich and the people who have the latest and greatest technologies in a way that’s going to really harm people who don’t have that kind of access — unless we’re careful about it.

Nora Macaluso is a Philadelphia writer.

  • Main Image: Karl Mondon/Bay Area News Group