Shared posts

25 Feb 19:52

Silk Road 2.0 Court Docs Show US Government Paid Carnegie Mellon Researchers To Unmask Tor Users

by Tim Cushing
Brindle

DoD pays university to deanonymize tor users... ugh.

Rumors that the US government used a university's research institute to uncloak Tor users began floating around nearly two years ago. In July of 2014, the first hint that something weird was going on at Carnegie Mellon took the form of a hastily-cancelled Black Hat Conference talk on the subject of de-anonymizing Tor users. Carnegie Mellon's lawyers stepped in and called the whole thing off at the last minute. The thought process at the time was that CMU's legal team may have been concerned the researchers' actions had broken wiretap laws.

Nearly a year-and-a-half later, hints were dropped that CMU's Tor-related efforts may not have been for research purposes only. An anonymous tipster claimed the FBI had paid CMU $1 million to unmask Tor users. A quasi-confirmation popped up during the DOJ's prosecution of Brian Farrell, who was allegedly assisting Blake Benthall in running Silk Road 2.0. Farrell and Benthall were both swept up in the wake of a Tor-related FBI raid known as "Operation Onymous," which began a few months after the hastily-cancelled Black Hat talk.

Included in the information handed over to Farrell's legal representative was the following:

On October 13, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a “university-based research institute” that operated its own computers on the anonymous network used by Silk Road 2.0.

Tor Project itself claimed it had noticed a series of attacks during the first six months of 2014, seemingly aimed at de-anonymizing users. The unmasking efforts it noticed occurred shortly before the FBI Silk Road 2.0 raids. All of this was disturbing but also very circumstantial. Both CMU and the FBI (very weakly) denied any involvement in the unmasking effort. Notably, both parties only specifically denied the payment aspect, with CMU reps saying they "were not aware of any payment" and the FBI stating the allegation it had paid CMU $1 million was "inaccurate" -- which is not nearly the same thing as saying the allegation was false.

Three months after the FBI rumor/tip, the government's use of CMU to de-anonymize Tor users has been confirmed. The only aspect that appears to be incorrect is the agency behind the effort. Joseph Cox at Motherboard has the details.

[B]oth the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases.

“The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (“SEI”) of Carnegie Mellon University (CMU”) [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense (“DOD”),” an order filed on Tuesday in the case of Brian Farrell reads. Farrell is charged with conspiracy to distribute cocaine, heroin, and methamphetamine due to his alleged role as a staff member of the Silk Road 2.0 dark web marketplace.

“Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU,” the filing continues.

So, the DoD "hired" CMU researchers to find ways to unmask Tor users. It's probably worth noting here that the NSA... is a part of the DoD. The FBI was not directly involved, as alleged earlier, nor did it hand $1 million to CMU to facilitate its efforts. However, it was Johnny-on-the-Spot when it came to issuing subpoenas for Tor user info. Not that it's interested in discussing its fortuitous timing…

When asked how the FBI knew that a Department of Defense research project on Tor was underway, so that the agency could then subpoena for information, Jillian Stickels, a spokesperson for the FBI, told Motherboard in a phone call that “For that specific question, I would ask them [Carnegie Mellon University]. If that information will be released at all, it will probably be released from them.”

The buck has been passed, but CMU refuses to touch it.

Kenneth Walters, a spokesperson from CMU, told Motherboard in an email, "We have nothing to add beyond our Nov. 18 statement."

This statement says nothing more than CMU receives subpoenas from time to time and hints that everybody is probably wrong about everything because "inaccurate media reports."

Farrell's lawyers have tried to obtain more details on CMU's DoD-funded de-anonymization efforts, but the judge has denied further discovery along these lines. Judge Richard A. Jones, echoing the judge presiding over the FBI's now-infamous "Playpen" case (where the FBI ran a seized child porn site as a honeypot for two weeks), says there's no expectation of privacy in an IP address, even if said IP address was obscured by the use of Tor.

“SEI's identification of the defendant's IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny,” the order reads.

In short, there's no expectation of privacy in the use of a service specifically designed to protect users' privacy. Users may believe they have an expectation of privacy but it's a belief that won't be upheld by this nation's courts. Efforts made by the government to strip this protection away are not viewed as intrusive -- at least not in the Fourth Amendment sense of the word.

So, nearly two years later, the story coheres: the Department of Defense has been seeking ways to unmask Tor users with the assistance of CMU's researchers. And all the while, the FBI has apparently been looking over the DoD's shoulder and firing off subpoenas. No one involved wants to talk about it and now it appears they won't have to, thanks to Judge Richard Jones.

25 Feb 19:47

A Texas City Rescinds "No Cost" License Plate Reader Deal For Being "Big-Brotherish"

by Dave Maass
Brindle

"With each card swipe, an added 25% surcharge would go to Vigilant Solutions... the company would also get to keep all the data on innocent drivers collected by the license plate readers—indefinitely"

At the beginning of the year, the City of Kyle, Texas, approved a controversial agreement to install automated license plate recognition (ALPR) technology in its police vehicles. The devices would come at no cost to the city’s budget; instead, police would also be outfitted with credit card readers and use ALPR to catch drivers with outstanding court fees, also known as capias warrants.

With each card swipe, an added 25% surcharge would go to Vigilant Solutions, the company providing the system. As an added bonus the company would also get to keep all the data on innocent drivers collected by the license plate readers—indefinitely.

But before the license plate readers could even be installed, the Kyle city council voted 6-1 to rescind the order. The reason: public and media outcry over how the system would turn police into debt collectors and data miners.

“It’s a little Big Brother-ish for me. It’s a little too invasive for me,” Councilmember Daphne Tenorio said at the February 16 hearing. “I’m uncomfortable with it...Because my husband’s in IT, I see what happens and, for me, personally I can’t justify it.”

The February meeting was the city’s mulligan. Councilmembers grilled Vigilant Vice President of Sales Joe Harzewski with hard questions that should’ve been raised the first time around, such as what data is collected, where is the data stored, how long is it stored, how is it shared, and how is it protected.

The answers were unconvincing.

The Deal With Vigilant

ALPR systems are high-speed camera networks that capture license plate images, convert the plate numbers into machine-readable text, geotag and time-stamp the information, and store it all in database systems for later retrieval. ALPR does not distinguish between criminal suspects (or in this case, delinquent fine payers), and instead captures sensitive location data on all drivers. In aggregate, the information can reveal personal information about a driver’s life, such as where they attend church, what doctors they visit, and where they sleep at night. Vigilant even advertises that ALPR can be used to predict a target’s movements and establish their associates.

In late January, EFF published a report about Vigilant’s latest business scheme: licensing ALPR systems to law enforcement agencies for free, in exchange for their participation in what Vigilant calls its “Warrant Redemption Program.” In addition to the City of Kyle, we found records that the City of Orange and Guadalupe County in Texas had also signed similar deals.

Groups like the Texas Civil Rights Project (TCRP) believe these arrangements are unfair, and likely illegal, because they put the cost of the entire mass surveillance system on the backs of people who owe fines—probably because they couldn’t afford the fees to begin with. Under Texas law, any additional fees are supposed to be reasonable and directly connected to the cost of fine collection. As we discovered, the 25% fee doesn’t just pay for the fine collection, but an arsenal of law enforcement tools including unlimited capture and storage of plate scans, data-crunching software, and access to Vigilant’s private database of 4.5 billion plate scans.

As TCRP Legal Director Wayne Krause Yang told the International Business Times:

It really worries me that this corporation is sort of privatizing the police department to become bounty hunters—and pay Vigilant for the privilege. It seems to me that this will put the burden unfairly on those who can least afford it. It would not surprise me that it would result in people being in jail who don't deserve to be there.

Indeed, the program creates a troubling partnership between government and the private surveillance sector. Usually governments purchase products or licenses from vendors out of their budget or grants. But Vigilant’s “budget neutral” agreements have governments at a disadvantage.

Vigilant reserves the authority to cancel the program if it feels a law enforcement agency isn’t making “best efforts” and “expediting and accelerating the normal rate of warrant clearance redemption.” This puts pressure on the officers to prioritize fine collection over other police work if they want to keep their new surveillance equipment. Mary Mergler, director of Texas Appleseed’s Criminal Justice Project, told the Texas Tribune she worries that police will begin constantly searching for drivers with outstanding fines.

One of the most alarming elements of this relationship is that Vigilant also gets to keep the data—every plate collected by the city or county’s ALPR system, regardless of whether the driver has a warrant. Even after an agency cancels the arrangement, Vigilant gets to hold onto that data indefinitely and share it with other law enforcement customers.

It was this point, a buried clause in a memorandum of understanding, that seemed to rankle the City of Kyle. After EFF published its report, Vigilant offered an amended contract promising that all data would be deleted if the city parted ways with the company.

The city council didn’t even vote on the amendment. They just skipped right to telling Vigilant goodbye before it had a chance to collect any data at all.

What Vigilant Told the Kyle City Council

During the hearing, Vigilant revealed information that all policymakers should take notice of before approving or renewing a contract with the company.

One councilmember asked whether the company had ever had a breach. Instead of answering the question, Vigilant VP Harzewski played on semantics, asking the councilmember to define a “data breach.”

The councilmember responded, “Has anybody had unauthorized access to your servers?”

After a pregnant pause, Harzewski admitted that that has happened, but disclaimed Vigilant of any responsibility:

Not that I’m aware of and I say, “not that I am aware of,” because I would consider unauthorized access when someone from the city of Kyle or someone else within the City of Kyle maliciously gave access out to one of their friends. Is that a breach? I don’t know the answer to that. It depends on how you define it. If it’s considered a breach then certainly we’ve had breaches, because we’ve had people hand out access where they shouldn’t have. Not us particularly, but our clients. And that’s something we can’t do anything about, in the sense that we give bulletproof technology to our clients. They’re free to do with it as they see fit. We give them the complete control to ensure that what they decide to do with it is what happens with it.

With that, Vigilant made one of the strongest arguments against ALPR: the data is constantly at risk of being abused by individual users. And somehow Vigilant both knows and doesn’t know when it has happened. In the next breath, Harzewski further lent credibility to the complaints of privacy groups:

So if you’re asking me if we’ve ever had someone hack into our server, the answer is absolutely no, never. Have we had people try to hack into our server? Absolutely, tee-totally, yes. On many, many occasions. It’s never been successful.

Vigilant brags that it has more than 4.5 billion location data points in its commercial server (collected by vehicle repossession contractors), plus millions more in its law enforcement ALPR server. The unverified claim that it has fended off attacks so far is little comfort. If Sony can be hacked, if the Federal Office of Personnel Management can be hacked, if even the digital intrusion specialists at Hacking Team can be hacked—then it may only be a matter of time before Vigilant’s defenses fail.

Throughout the discussion, the Vigilant VP explained that government agencies are given control over how long data is stored and who it can be shared with through their software interface. However, also during the hearing, the council learned that the program had been adopted without the police department taking the time to propose any kind of policies for controlling the data.

The Kyle City Council did the right thing by its constituents by ending the program. Now it’s time for other jurisdictions to follow suit and reexamine the deals they’ve signed with ALPR companies to ensure they’re putting privacy over surveillance snake oil.


25 Feb 11:59

Tesla Says GM Pushing Indiana Bill To Kill Direct-To-Consumer Tesla Sales

by Karl Bode

As we've documented extensively, the auto industry has worked tirelessly to erect barriers to Tesla's market entry. Legacy automakers have been engaged in sustained hysterics specifically regarding Tesla's direct-to-consumer sales model, which lets customers buy vehicles directly from Tesla online, with limited showrooms to view, touch and test drive the Tesla vehicles. Annoyed by this pesky Californian upstart, the auto industry has frequently tied draft legislation to campaign contributions to ban Tesla's successful model. Why compete when you can cheat?

Undaunted by criticism of this practice in numerous states, Tesla says GM is now trying the same thing in Indiana. In a new letter sent to Tesla "owners and enthusiasts" in the state, Tesla warns that Indiana's HB1254 would once again try to ban direct-to-consumer auto sales in the state:

We need your help. Yesterday, the Indiana Senate Committee on Commerce & Technology held a hearing on a bill that would shut down Tesla in the state. Authored and pushed by General Motors, HB1254 with amendment 3 would prohibit any manufacturer from being able to hold a dealer license after December 31, 2017. Existing law allows ANY manufacturer to apply for a dealer license without the use of independent franchised dealers.

Despite having a lawfully granted license to sell Tesla vehicles directly since 2014 at the Fashion Mall at Keystone; despite contributing over $42M to the state through the purchase of parts and components from Indiana suppliers; and despite plans underway to construct a 26,000 square foot Tesla Service facility that will employ approximately a dozen Indiana residents and serve our customers, GM is pushing the Senate Committee to shut out Tesla.

In other words, it's another legacy company deriding regulation at every opportunity -- except when it protects it from having to actually compete. While Tesla tells Ars Technica that it has no direct proof GM authored the bill, as we've seen in telecom, legacy companies all but own many state legislatures. Legislatures that are happy to shovel forth any and every bill (usually middle manned by groups like ALEC to present the feeblest attempt at propriety) provided the price is right. Tesla notes that GM could mirror Tesla's direct to consumer sales model, but would rather erect new barriers to entry than actually compete.

GM seems relatively unfazed by the fact that the FTC last year slapped Michigan for trying the same thing. Ask GM, of course, and the narrative changes dramatically. The legacy automaker tried to tell Ars that it's Tesla that's trying to craft special rules for itself, despite the fact that GM is the one pushing for the rule changes:

GM supports HB 1254. GM believes that all industry participants should operate under the same rules and requirements on fundamental issues that govern how we sell, service and market our products. A benefit of a nationwide network of thousands of dealerships is that General Motors customers never have to worry about driving to another state to buy, service or support their vehicles.

Tesla's insistence on special rules could result in multiple manufacturers competing with similarly capable vehicles and similar price points, yet operating under a different set of rules. Tesla could open a franchised dealership with an independent operator in Indiana today, but instead they insist that the State must first provide them with unique rules and special exceptions to suit their own business interests. In fact, Tesla was willing to agree to a dealer model in Virginia. The Indiana legislature shouldn't create a special exemption for them here.

Of course that's crap, and GM is turning logic on its head. Tesla has been operating a showroom in the Fashion Mall storefront since December 2013. It's GM that could follow Tesla's lead (like some Seattle Honda and Toyota dealers) and push for direct-from-manufacturer sales, but would rather use our broken legislative process to protect the status quo franchise dealership system. This has been an ongoing headache for Tesla in states like New Jersey, Texas, Arizona and especially Virginia, where auto-industry laws prohibited the company from opening a simple showroom.

Be it telecom or the auto industry, the fact that legacy industries can still write and buy anti-competitive state laws is a problem we simply refuse to fix.

24 Feb 22:01

New Group Seeking Privacy/Security Balance Loads Up On Former Government Officials And RSA Employees

by Tim Cushing
Brindle

Seems totally unbiased...

"I helped to organize it [Digital Equilibrium Project] with McKinsey's help with the idea that people on various sides were talking past one another, often without the facts," former Executive Chairman of RSA Art Coviello told eWEEK. "Our participants bring significant networks and resources to bear from themselves and the organizations they work with, and we're confident we have the resources to execute on the mission."

[...]

"We hope to create a groundswell of thinking—not through acrimonious and emotional debate, but through active listening and fact-based dialogue so we can make progress before it is too late," he said.

So says Art Coviello of his new project -- one that he hopes will bring some coherence to the balancing act between security and privacy.

This is the same Art Coviello who said anonymity is the "enemy of privacy." Why? Because it allows bad people to do bad things and get away with it -- a sentiment echoed by any number of law enforcement officials and intelligence agency heads.

Coviello's timing couldn't be better. Against the backdrop of the FBI's efforts to force Apple to help it break into iPhones, Coviello hopes a balanced discussion of the issues may result in workable common ground between parties he feels often "talk past each other."

But the Digital Equilibrium Project isn't going to be the balanced discussion Coviello is framing it as. The list of participants seems to indicate the discussion will result in severe inner ear damage, rather than equilibrium.

Stewart Baker
Former 1st Assistant Secretary of DHS
General Counsel of the NSA


Michael Chertoff
Executive Chairman of The Chertoff Group
U.S. Secretary of Homeland Security (’05-’09)

Edward Davis
Former Boston Police Commissioner

Michael McConnell
Former Director of the NSA and
Director of National Intelligence

[and head of Booz Allen, which goes unmentioned on DEG page...]

JR Williamson
Corporate Chief Information Officer, Northrop Grumman

Richard Clarke
Former White House Advisor
Chairman and CEO, Good Harbor Security Risk Management
[Former "cybersecurity czar" to be more precise, one who has suggested the government "search" internet traffic travelling in and out of the US (to prevent theft by China{?}). On the plus side, he did sign a letter to the Administration stating that mandated encryption backdoors are a terrible idea.]

That's only part of the stacked deck, but what a hand! NSA, DHS, Boston PD, military-industrial contractor, a cybersecurity "czar…"

From there, it gets marginally better.

Tim Belcher
Former CTO, RSA

[RSA worked closely with the NSA to recommend an undermined encryption standard]

Jim Bidzos
Chairman and CEO, Verisign

[Verisign has worked with ICE and others to make site seizures easier, participated in global internet censorship]

Art Coviello
Former Executive Chairman, RSA

[See above]

Kasha Gauthier
Program Committee Co-Chair, NICE
Special Advisor, Boston College Cybersecurity Masters Program

[Not mentioned: Gauthier's position as Director of Academic and Community Alliances at RSA. Also serves as Director of Marketing and Strategy.]

It gets much better from there. Most of the remaining names on this list have a long history of protecting privacy and working towards enhancing security for all internet users, not just government agencies.

Dr. Ann Cavoukian, Ph.D.
Executive Director of the Privacy and Big Data Institute at Ryerson University

[Former Ontario Privacy Commissioner, who has stated that "encryption is freedom" and taken legal action against local law enforcement for sharing sensitive medical information with US law enforcement agencies.]

Larry Clinton
President and CEO, Internet Security Alliance

[The ISA is a trade alliance which lobbies on behalf of businesses. In light of FBI v. Apple, this is possibly a good thing. Clinton's statements indicate he feels the government's belief that "information sharing" will solve cybersecurity woes is largely unfounded.]

Brian Fitzgerald
Chief Marketing Officer, Veracode

[Veracode was founded by white hat hackers and routinely provides updates on the current state of cybersecurity in the nation. Just as routinely, it finds government agencies to be the worst at security.]

J. Trevor Hughes
President and CEO, International Association of Privacy Professionals

[IAPP is a non-profit, "non-advocacy" group, which would make it about as unbiased as anyone can get in this discussion.]

Nuala O’Connor
President and CEO,
Center for Democracy and Technology

[O'Connor was the DHS's first Chief Privacy Officer and did that job well enough to earn the praise of the ACLU and others -- a tough thing to do with the inherent limitations of the position, which did not allow her to publicly criticize the DHS's failures. Since then, she has headed up the Center for Democracy and Technology, which advocates for privacy, freedom of speech and surveillance reform.]

If the RSA insiders are "swing votes," this discussion could actually end up "balanced." But it seems unlikely to result in the common ground Coviello says he's seeking. He wants to break up "polarized, entrenched views" but a majority of those participating will likely advocate for positions that closely align with the government and its contractors.

Fortunately, this wasn't assembled by Congress or the administration, where it might do some actual damage. Some decent discussion may result from this blend of privacy advocates and former government officials, but the composition is still too one-sided to state this with any confidence.

24 Feb 18:48

Federal Judge Says Recording Police Not Protected By The First Amendment

by Tim Cushing
Brindle

what the bloody hell ?!

Over the years, the nation's courts have moved towards recognizing First Amendment protections for citizens who film public servants carrying out public duties. Nearly every case has involved a citizen arrested for filming police officers, suggesting far too many law enforcement entities still feel their public actions deserve some sort of secrecy -- even as these agencies deploy broader and more powerful surveillance tools aimed at the same public areas where no expectation of privacy (under the Fourth Amendment) exists.

A rather disturbing conclusion has been reached by a federal court in Pennsylvania. Two cases involving people who had their photography efforts interrupted by police officers have resulted in the court finding there is no First Amendment right to film public servants. (h/t Adam Steinbaugh)

U.S. District Judge Mark Kearney of the Eastern District of Pennsylvania issued his ruling in two consolidated cases filed against the city of Philadelphia by citizens whose cellphones were confiscated after they either photographed police activity or were barred from filming police activity.

Neither of the plaintiffs, Richard Fields nor Amanda Geraci, were filming the police conduct because they had a criticism or challenge to what they were seeing. For Fields, he thought the conduct was an interesting scene and would make for a good picture, Kearney said. And for Geraci, she was a legal observer trained to observe the police, Kearney said.

"The citizens urge us to find, for the first time in this circuit, photographing police without any challenge or criticism is expressive conduct protected by the First Amendment," Kearney said.

"While we instinctively understand the citizens' argument, particularly with rapidly developing instant image sharing technology, we find no basis to craft a new First Amendment right based solely on 'observing and recording' without expressive conduct and, consistent with the teachings of the Supreme Court and our court of appeals, decline to do so today."

The court has not yet discussed whether the actions of police in response to the filming violated the plaintiffs' Fourth Amendment rights, leaving that for a jury to determine. But what it does say about the First Amendment isn't encouraging.

According to this decision, the photography must be "expressive" to receive First Amendment protection.

Fields' and Geraci's alleged "constitutionally protected conduct" consists of observing and photographing, or making a record of, police activity in a public forum. Neither uttered any words to the effect he or she sought to take pictures to oppose police activity. Their particular behavior is only afforded First Amendment protection if we construe it as expressive conduct.

If taken on face value, this means informing cops that your recording is just a small part of a multimedia campaign highlighting the aggressive tactics of law enforcement or will be Twittered with #BTFSTTG or #BLM or whatever appended. The court apparently feels there's no expressive value to simply recording public servants performing public duties -- which would mean other efforts that routinely go unchallenged by the recorded, like city council meetings, etc., may now be shut down without worrying about First Amendment lawsuits.

Unfortunately, the Third Circuit Court of Appeals hasn't exactly been helpful in protecting citizens against public servants who wish to operate in public without third party documentation. While other circuits have found that the First Amendment "protects the right to gather information about what public officials do on public property," the Third Circuit has yet to challenge qualified immunity assertions made in cases involving citizens recording police officers.

One decision carefully weighing the state of the law and noting the competing public and private interests comes from the Third Circuit Court of Appeals in Kelly v. Borough of Carlisle, 622 F.3d 248 (3rd Cir. 2010). Kelly was a passenger in a truck stopped for a bumper height violation. When the officer saw Kelly videotaping the contact, he arrested Kelly for a wiretap law violation.

Those charges were later dropped.

Kelly sued.

The court granted qualified immunity to the officer with this instructive explanation:

We conclude there was insufficient case law establishing a right to videotape police officers during a traffic stop to put a reasonably competent officer on ‘fair notice’ that seizing a camera or arresting an individual for videotaping police during the stop would violate the First Amendment. Although Smith and Robinson announce a broad right to videotape police, other cases suggest a narrower right. [Other court decisions] imply that videotaping without an expressive purpose may not be protected, and in the Whiteland Woods case we denied a right to videotape a public meeting. Thus, the cases addressing the right of access to information and the right of free expression do not provide a clear rule regarding First Amendment rights to obtain information by videotaping under the circumstances presented here.

This decision will be appealed, but the path to protecting citizen photographers from public officials' attempts to shut them down doesn't appear to run through this Circuit. There's a circuit split on the issue and it would take the Supreme Court to resolve it. As it stands right now, there are Fourth Amendment implications yet to be addressed which, if resolved in favor of the plaintiffs, would at least deter future bogus arrests. But without a finding that affords First Amendment protection to the unadorned act of filming public officials, police officers who abuse their power to shut down recordings will likely be willing to roll the dice on civil lawsuits.

And, as is noted by the earlier Third Circuit Appeals Court decision, no First Amendment protection covers the recording of other public officials in public areas. This lack of protection creates a chilling effect, forcing anyone who can't articulate an expressive intent at the point in time where their act of recording is challenged to seek recourse through an unsympathetic court system. This is a depressing decision in light of the fact that other entities are seeking to have everything from automatic license plate readers to copyright trolling treated as protected expression.

Reporting on public activities of public officials has long been covered under the First Amendment. Gathering documentation is a large part of reporting, even if lots of collected footage is never used. The courts have given news gathering protection, even if there's no clear expressive purpose at the point the footage is collected -- or even after the fact, if the footage is discarded. The Third Circuit refuses to extend this blanket protection to citizens, even as the line between "citizen" and "journalist" has almost been completely erased.


22 Feb 22:53

Court Says EFF Can Move Forward With Discovery In Its Big Case Against NSA Surveillance

by Mike Masnick
Jewel v. NSA is the EFF's big case against the NSA over its surveillance efforts. It predates the Snowden revelations (by a lot), and stems from that time an AT&T technician, Mark Klein, just walked through the doors of the EFF to provide the organization with evidence that AT&T basically routes a bunch of data through NSA filters for "upstream" collection (part of the NSA's "702" collection program). The case has gone through a bunch of permutations and procedural issues, many of which have not gone the EFF's way, unfortunately. However, the latest is a big one: the judge has said that EFF can move forward with discovery efforts, basically requiring the government to turn over a bunch of information:

This marks the first time a party has been allowed to gather factual evidence from the NSA in a case involving the agency’s warrantless surveillance. The government had fought all our requests to proceed with this lawsuit, arguing that the state secrets privilege protects it against both discovery and liability. Judge White previously rejected that argument for our statutory claims under the Wiretap Act, the Foreign Intelligence Surveillance Act, the Electronic Communications Privacy Act, and the Stored Communications Act. This ruling affirms Judge White’s previous decision and opens the door for discovery.

This is an important step forward to lifting the cloak of secrecy that has thus far shielded the NSA from judicial scrutiny, and EFF looks forward to finally getting to the nuts and bolts of this extraordinarily important lawsuit.

You can read the ruling here, which is mostly just procedural details. Still, given how successful the US government has been in basically killing off any and every lawsuit that attempts to challenge its surveillance, getting to move forward on discovery is a big, big deal. Kudos to the EFF team.


20 Feb 14:34

Texas Mayor claims Obama worked as a prostitute

by Rob Beschizza
Brindle

I used to be very much a supporter of states' rights but this shit pretty much kills it. Read in the article about why she thinks dinosaurs went extinct!

Why does United States President Barack Obama have a soft spot for homosexuals? Because he was a gay hooker in the '80s, reports Mary Lou Bruner, a Republican candidate for the Texas State Board of Education.

"That’s how he paid for his drugs. He has admitted he was addicted to drugs when he was young and he is sympathetic with homosexuals; but he hasn’t come out of the closet about his own homosexual/bisexual background."

This is only one thread among many in the bright tapestry of Bruner's moral rug.

Meanwhile, “Climate change has nothing to do with weather or climate, it’s all about system change from capitalism (free enterprise) to Socialism-Communism. The Climate Change HOAX was Karl Marx’s idea. It took time to ‘condition’ the people so they would believe such a HOAX!”

Salon's article offers a smorgasbord of similarly spectacular Republicans from the Lone Star State.

20 Feb 10:27

Police Department Thinks 'Two Bullet Limit' Will Prevent Questionable Shootings

by Tim Cushing
Brindle

So strange...

Two months ago, five San Francisco police officers surrounded a man armed with a knife and shot him 21 times. In response, the police department has introduced reforms meant to keep this sort of "interaction" to a minimum in the future. On the positive side, the reform efforts include training that will hopefully lead to fewer tense situations being resolved by officers emptying their weapons in the direction of their target.

Recruits must attend two-hour classes on de-escalation tactics, which teach how to deal with people in crisis, consider proportional force options, respect the sanctity of life and slow down incidents when possible.
This is undercut, however, by a new policy so completely asinine even I'm against it, despite my theoretical ownership of timcushinghatescops.com.
New pistol training guidelines require police recruits to hear the command "threat" before they fire at targets, to shoot only two rounds at a time, and to stop and reassess threats after every two shots.
In what is likely to be referred to as the "Barney Fife Rule," officers will only be allowed to shoot two bullets at a time, no matter what the situation is.

In some cases, this won't be enough bullets. In far too many cases, this will still be too many bullets. The push towards de-escalation is undermined by a permission slip that says two (2) bullets may be fired per officer (at minimum) even if the situation would be better served by the methods discussed in the mandatory training session officers slept through/mocked/interrupted with logical questions like "the hell is this two-bullet limit?"

In the case of Mario Woods -- who was shot 21 times by five officers -- he'd have only been killed by ten bullets. I suppose this is how the SFPD has chosen to interpret "less-lethal force." On the plus side, surrounding homes/citizens are far less likely to be the recipients of wayward bullets. And it will definitely make it very difficult for any officers pulling a "Brelo" to explain why they unloaded 49 bullets in 30 seconds at a suspect from point-blank range.

What the rule does, unfortunately, is make it more dangerous to be a police officer. In exchange, it does nearly nothing to lessen the danger of being a citizen. Lose-lose. The correct response would be to throw the entire weight of the PD's upper echelon behind de-escalation training.

A two-hour class officers are forced to attend won't make the message stick. What will make it stick are rules that make it explicitly clear that lethal force is a last resort -- something that should be used only very rarely. Any shooting should be accompanied by a raft of paperwork and a full investigation, overseen by an independent review team. The "shoot first and shoot often" mentality is only partly addressed by the two-bullet limit, which itself is illogical, unworkable and -- at worst -- a guaranteed way to avoid additional scrutiny for questionable shootings. After all, if only two bullets were used (and it only takes one to kill/maim someone), then it's a by-the-book shooting that warrants no further examination.

If nothing else, the fact that the policy can so readily be linked to an incompetent law enforcement officer depicted in a Golden Era TV show should have been enough to deter the SFPD from moving forward with the initiative. It should have limited itself to altering the mindset of its officers, rather than giving them a two-bullet "out" that undercuts the department's "will this do?" approach to de-escalation.


20 Feb 10:21

Big Victory: Judge Pushes Jewel v. NSA Forward

by David Greene

We won a groundbreaking legal victory late Friday in our Jewel v. NSA case, which challenges the NSA’s Internet and telephone surveillance. Judge Jeffrey White has authorized EFF, on behalf of the plaintiffs, to conduct discovery against the NSA. We had been barred from doing so since the case was filed in 2008, which meant that the government was able to prevent us from requesting important information about how these programs worked.

This marks the first time a party has been allowed to gather factual evidence from the NSA in a case involving the agency’s warrantless surveillance. The government had fought all our requests to proceed with this lawsuit, arguing that the state secrets privilege protects it against both discovery and liability. Judge White previously rejected that argument for our statutory claims under the Wiretap Act, the Foreign Intelligence Surveillance Act, the Electronic Communications Privacy Act, and the Stored Communications Act. This ruling affirms Judge White’s previous decision and opens the door for discovery.

This is an important step forward to lifting the cloak of secrecy that has thus far shielded the NSA from judicial scrutiny, and EFF looks forward to finally getting to the nuts and bolts of this extraordinarily important lawsuit.

19 Feb 17:01

Judge In Child Porn Case Says FBI Must Turn Over Details On Its Hacking Tool

by Tim Cushing

In California, the FBI is hoping to force Apple to write a hacking tool for it so it can access the contents of an iPhone. Further up the coast in Washington, the compelling force is moving in the opposite direction. The attorney representing a man swept up during the FBI's two-week stint as sysadmins for a child porn server has just had a motion granted that would force the agency to turn over details on the hacking tool it deployed.


The docket report Brad Heath screencapped shows a granted motion for discovery targeted at the FBI. Joseph Cox at Motherboard received confirmation from federal public defender Colin Fieman that the docket note indeed says what it appears to say.
On Wednesday, a judge ruled that defense lawyers in an FBI child pornography case must be provided with all of the code used to hack their client's computer.

When asked whether the code would include the exploit used to bypass the security features of the Tor Browser, Colin Fieman, a federal public defender working on the case, told Motherboard in an email, simply, “Everything.”

“The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified,” he continued.
While the defense will likely see the code -- provided the FBI can't argue its way out of disclosing its methods -- it's highly likely the general public won't have access to these details. The docket is littered with documents sealed at the request of the FBI. Fortunately, there are also a few motions by Michaud's lawyer to unseal documents, so there's still a small chance information on the FBI's NIT (Network Investigative Technique) will make its way into the public domain. If so, it will probably be heavily-redacted, but it should still provide a small peek into the FBI's hacking efforts.

Cox also points out that the FBI has already turned over some of its NIT code, but what the defense received was missing several key elements.
Since September, Michaud's lawyers have been trying to get access to the NIT code. It wasn't until January that Vlad Tsyrklevitch, the defense's consulted expert, received the discovery.

However, according to Tsyrklevitch, the code was apparently missing several parts. One of those was the section of the code ensuring that the identifier issued to Michaud's NIT-infection was truly unique, and another was the exploit itself used to break into his computer.
The only other new document of import in the case is a sworn declaration from Special Agent Daniel Alfin, which claims the FBI has already handed over everything it should have to.
The NIT computer instructions provided to the defense on January 11, 2016, comprise the only "payload" executed on Michaud's computer as part of the FBI investigation resulting in his arrest and indictment in this case. Accordingly, the defense has been given access to the only "payload" as that term is used by the defense in its Third Motion to Compel, accompanying Declaration.
But the declaration also notes the FBI has more information it could "share" with the defense.
The government has advised the defense that it is willing to make available for its review the two-way network data stream showing the data sent back-and-forth between Michaud's computer and the government-controlled computer as a result of the execution of the NIT.
It also points out that at no time did images travel from Michaud's computer to an FBI-owned computer or vice versa. Agent Alfin also avers that once the investigation concluded, the FBI no longer had access to Michaud's computer.

Considering the judge has already given the FBI a pass for running a child porn website for two weeks, it seems unlikely the court will find anything about the NIT to be the basis for tossing evidence. There may be some issues troubling the outer reaches of the Fourth Amendment, but courts have historically forgiven questionable law enforcement behavior that serves a "compelling public interest" -- and it's hard to find a more "compelling" interest than fighting child pornography.


18 Feb 22:53

Lawmakers Speak Out On Apple Being Forced To Create Backdoors; Some Wisely, Some Ignorantly

by Mike Masnick
Brindle

Tom Cotton is an assclown. That is all.

Everyone's talking about the big legal fight that magistrate judge Sheri Pym has kicked off by ordering Apple to build a backdoor into an iPhone to get around security tools that would block attempts to decrypt the contents of the phone. As some are noting, if the ruling is not overturned it could force Congress to change the law. Over the last year or so, it had become clear that Congress did not support laws that mandate backdoors. Yes, some in Congress -- including Senators Richard Burr, Dianne Feinstein and John McCain -- have been pushing for such legislation, but most have admitted that there aren't nearly enough votes in support of that, and there are many in Congress who recognize the ridiculousness of such a law. A year ago, a congressional hearing made it clear that there was a ton of skepticism in Congress about ordering backdoors.

And now we see Congress speaking out about the court order as well. Rep. Ted Lieu -- who, people always point out, has a computer science degree, and who a year ago noted that backdoors were "technologically stupid" -- has told the Daily Dot that this order creates a very dangerous slippery slope:
"Can courts compel Facebook to provide analytics of who might be a criminal?" Lieu said in an email to the Daily Dot. "Or Google to give a list of names of people who searched for the term ISIS? At what point does this stop?"
Rep. Zoe Lofgren put out a detailed statement saying that the order was "an astonishing overreach of authority by the Federal government," and warned that it appeared to go against the wishes of Congress and that even if the order is upheld, it will only result in stronger encryption that can't be backdoored:
Apple, as do other technology companies, complies with lawful orders and warrants. But they are unable to deliver to the government what they do not have – in this case, a key to break into their operating system in the manner the FBI desires. It is astonishing that a court would consider it lawful to order a private American company be commandeered for the creation of a new operating system in response.

The issue of mandating back doors in encryption has been a topic of vigorous discussion in the Congress. The emerging consensus has been that creating back doors for the use of law enforcement, important as law enforcement is, would endanger Americans by generally weakening security. These weaknesses will inevitably be exploited by criminal hackers or foreign opponents. That a single magistrate should substitute her judgment for that of the duly elected President and Congress – that was already thoroughly engaged in the subject – is wrong as a matter of policy and of law.

Finally, should this order not be overturned, technology companies will have no choice but to further deploy robust encryption that would prevent their engineers from creating any system that would effectively open up previously deployed security measures.

I urge the judicial branch to swiftly overturn this misguided ruling and further urge the Director of the FBI to refrain from seeking public policy decisions from the courts that are more properly decided by the Legislative branch of government.”
Senator Ron Wyden put out a statement as well, noting how this ruling will be interpreted around the globe:
I don't take a backseat to anyone when it comes to hunting down terrorists and protecting Americans from harm. However, this unprecedented reading of a nearly 230-year-old law would create a dangerous precedent that would put at risk the foundations of strong security for our people and privacy in the digital age. If upheld, this decision could force U.S. technology companies to actually build hacking tools for government against their will, while weakening cybersecurity for millions of Americans in the process.

Furthermore, this move by the FBI could snowball around the world. Why in the world would our government want to give repressive regimes in Russia and China a blueprint for forcing American companies to create a backdoor? Companies should comply with warrants to the extent they are able to do so, but no company should be forced to deliberately weaken its products. In the long run, the real losers will be Americans' online safety and security.
Of course, not all our lawmakers are so enlightened. Senator Feinstein, despite technically representing Apple, has shown for a long time now that she has no interest at all in representing the true interests of anyone in California if it goes against the desire of the surveillance state. She basically told Apple to shut up and do what the court says. After pretending it's about protecting Californians (because San Bernardino is in California) she warns that if Apple doesn't obey it will force her and Senator Burr to push for the legislation they've already been pushing for:
I would hope that bill would not be necessary. I would hope Apple understand the seriousness of this request. I have no doubt that to deny the request would likely bring on law to change law, so that this can be done. We're in jeopardy if you cannot -- through proper evidence submitted by a probable cause warrant -- be able to open these systems.
The PBS interviewer who asked Feinstein about this also asked (twice!) about Apple's statement that creating backdoors will create opportunities for those with malicious intent to break into the phones as well, and Feinstein displays her technological ignorance by stating:
Oh I don't believe that's necessarily true.
She's wrong about that. She's literally advocating for everyone to be made less safe just so we can get a little more information on some people who we already know committed a crime. That's crazy.

And, of course, Senator Burr made a similar statement -- first by lying and pretending that the order is not about creating a backdoor:
There are no decryption demands in this case, and Apple is in no way required to provide a so-called backdoor. The FBI needs access to the phone so the agency can better piece together information about the terrorists and whom they contacted.
This is technologically ignorant as well. This is exactly what a backdoor is. Apple is being told to create a bit of software that disables security measures in order to decrypt encrypted material. That's the very definition of a backdoor. Burr goes on, pretending that weakening the safety and security of basically everyone is somehow making them more secure:
The iPhone precedent in San Bernardino is important for our courts and our ability to protect innocent Americans and enforce the rule of law. While the national security implications of this situation are significant, the outcome of this dispute will also have a drastic effect on criminal cases across the country. The newest Apple operating systems allow device access only to users — even Apple itself can’t get in. Murderers, pedophiles, drug dealers and the others are already using this technology to cover their tracks.
Yup, always bring up the holy trinity of "murderers, pedophiles and drug dealers." I'm amazed he didn't say terrorists as well. Of course, as people keep pointing out, there have always been ways for people with ill-intent to hide their communications. There's nothing in the law that says we have to be able to track every communication ever made by everyone. That's a dystopian vision -- but one that apparently Senator Burr likes.

Even worse, Burr insists that because the law "protects" Apple in other cases, it should roll over for this. And also, ridiculously, he argues that this is more about Apple's business model than protecting the safety of Americans.
Apple’s position in the San Bernardino case affirms that it has wrongly chosen to prioritize its business model above compliance with a lawfully issued court order. While the company may have routinely complied with such court orders in the past, it now claims that it cannot comply as a result of security features it has built into its newest products. Apple exists as a corporate entity with the protections provided by U.S. laws, but it cannot be allowed to pick and choose when to abide by those laws as it sees fit. We are a country of laws, and this charade has gone on long enough. Apple needs to comply with the court’s order.
Hilariously, this is the very same Senator Burr who, just months ago, was going on and on in Congress about the importance of cybersecurity, and fearmongering about "cyberattacks." What he doesn't seem to recognize is that the only real way to protect against those attacks is encryption. The very encryption he now seeks to undermine.

Others in the Senate are making similarly ignorant statements, including Senator Tom Cotton, whose statement is so over-the-top ridiculous and wrong as to almost not be worth mentioning:
"Apple chose to protect a dead ISIS terrorist's privacy over the security of the American people. The Executive and Legislative Branches have been working with the private sector with the hope of resolving the 'Going Dark' problem. Regrettably, the position Tim Cook and Apple have taken shows that they are unwilling to compromise and that legislation is likely the only way to resolve this issue. The problem of end-to-end encryption isn't just a terrorism issue. It is also a drug-trafficking, kidnapping, and child pornography issue that impacts every state of the Union. It's unfortunate that the great company Apple is becoming the company of choice for terrorists, drug dealers, and sexual predators of all sorts."
I mean, come on. Apple is not "protecting a dead ISIS terrorist's privacy," it's talking about the very real issue of whether or not courts have the power to order companies to hack their customers on behalf of the government. That's a big deal that you would think would matter to politicians.

These statements are not surprising, but they continue to show a level of profound ignorance about basic technology issues. The fact that Feinstein and Burr, at least, are working on legislation around an issue they so clearly have no clue about is downright scary. One hopes that the others who actually understand the technical and legal issues -- such as those at the top of this article -- will prevail in Congress.


18 Feb 21:55

White House Is Either Lying About Apple Order Or Doesn't Understand What A Backdoor Is

by Mike Masnick
During a White House press briefing on Wednesday, Press Secretary Josh Earnest apparently kept brushing aside questions about the order to Apple to remove certain security features that would enable the FBI to brute force the passcode and decrypt the contents of Syed Farook's iPhone. However, eventually he insisted that the DOJ is not asking for a backdoor:
In a briefing with reporters, White House spokesman Josh Earnest deferred to the Justice Department but said it's important to recognize that the government is not asking Apple to redesign its product or "create a new backdoor to its products."

Earnest said the case was instead about federal investigators learning "as much as they can about this one case."
But that's bullshit -- and thankfully, at least some in the media are pointing this out.

As FBI Director James Comey has done in saying he wants "front doors" rather than "back doors," the White House is playing word games that suggest they're either being deliberately misleading or they don't understand the basics of what's happening. Neither scenario makes the White House look very good.

The application and the order absolutely are about forcing Apple to create a backdoor. It is a specific backdoor, but the whole point is to undermine key security features that protect the users of the devices. The fact that it would just be targeted towards this one phone is basically meaningless in this context. The issue is that a court can order a tech company to deliberately undermine its own security and expose content on a device. That's a backdoor.

And, importantly, it's a backdoor that other countries will demand as well. China has already been using the US "debate" over backdooring encryption to support its own demands for backdoored encryption, and the results of this legal fight will absolutely be used by plenty of authoritarian countries to argue that they, too, can demand such backdoors.

As the NY Times notes, China is quite interested in this particular fight:
China is watching the dispute closely. Analysts say that the Chinese government does take cues from the United States when it comes to encryption regulations, and that it would most likely demand that multinational companies provide accommodations similar to those in the United States.

Last year, Beijing backed off several proposals that would have mandated that foreign firms provide encryption keys for devices sold in China after heavy pressure from foreign trade groups. Nonetheless, a Chinese antiterrorism law passed in December required foreign firms to hand over technical information and to aid with decryption when the police demand it in terrorism-related cases.
Any move towards deliberately forcing tech companies to undermine security and privacy protections for users absolutely is a backdoor and will be used by countries with much less regard for the privacy of their citizenry.


18 Feb 14:24

Cyclist Draws Giant Star Wars Pics Using GPS Tracking

Brindle

@brandon... you are slacking :P

These are two Star Wars inspired map drawings created by hardcore cyclist Stephen Lund while GPS tracking his rides around Victoria, British Columbia, Canada. Of course there's also the possibility that Stephen Lund is not a cyclist at all but a liar and just draws on maps of Victoria in Photoshop. Some of those lines do not look like they're on roads. Or maybe he does the majority of the picture on his bike then adds some details in Photoshop, I don't know. You can't believe everything you read on the internet. I got duped by an article earlier this week. The internet is full of lies and deceit. The internet is like a dark alley behind a theater: it got Batman's parents killed. Keep going for an equally questionable Yoda.

Thanks to RHS, who agrees nothing tops a good GPS mapped penis.
18 Feb 14:23

Police To Google: Make Our Site More Secure By Delisting It

by Tim Cushing

Having trouble keeping your secure website secure? Why not try a DMCA takedown request?

Of all the things DMCA takedowns have been used for (mainly removing infringing material, censorship), I've yet to see one deployed as an ad hoc extension of a cop shop's IT department.

The Idaho State Police would apparently like Google to forget all about its publicly-accessible login page for its evidence database.

We have a private login page that is not on any internet webpage. It is law enforcement sensitive and we are trying to minimize the attempts to hack the site. We would appreciate Google not indexing the site. https://ilims.isp.idaho.gov/prelog/LIMSPrelog/
It's still indexed, although you have to perform a very specific search to see it. The URL takes you to the login page for access to its LIMS (Laboratory Information Management System) database. That's it.

It's not the only page of its type accessible via a Google search. Login pages for law enforcement agencies from York County (South Carolina), Westchester County (New York), Kansas (Criminal Justice Information System) and Minnesota (Dept. of Public Safety) can all be accessed using "LIMS" "prelog" or other related terms. If you'd like a copy of Porter Lee's "Crime Fighter BEAST" software -- which most of these databases utilize -- the Alabama Department of Forensics has a handy download link on its website. (Not that you can do anything with it but attempt to log in...)

A DMCA notice is not for removing pages you'd rather Google didn't index. It's for taking down infringing content. Beyond that, simply delisting the link will likely have no noticeable effect on hacking attempts. The page will still be accessible from the web -- and that's the main problem if the Idaho State Police are looking for a more closed/protected system. (And it doesn't help that the login screen indicates Internet Explorer and Adobe's PDF reader are both needed to make full use of the site…both of which have their own security issues, especially the latter.) It appears a blanket disallow was added to the site's robots.txt, but all it seems to have done is prevent Google from returning any descriptive information along with the URL.

Google appears to have ignored the request, which is how it should be. This has nothing to do with copyright and everything to do with people thinking DMCA takedown notices are the best hammer for every nail they come across.


18 Feb 14:23

Remember How US Marshals Seized All Those 'Hoverboards' At CES In A Patent Dispute? The Company Has Now Dropped The Case

by Mike Masnick
Back in January, we wrote with some concern over the news that US Marshals had seized a bunch of one wheel scooters that everyone wants to call hoverboards, even though they don't hover. The case involved a US company, Future Motion, that had gotten a lot of attention (and a utility patent and a design patent) on such single-wheel balancing scooters. Future Motion then sued a Chinese firm, Changzhou First International Trade Co., that was making a product that certainly looked similar. Changzhou was demonstrating its product at CES in Las Vegas, only to have the US Marshals raid its booth and seize all its products based on a 7 minute hearing in front of a judge where Changzhou didn't even get to present its side.

And now that Changzhou has attempted to present its side... Future Motion turned tail and ran, ran away. It flat out dropped the case once it was clear that Changzhou was going to challenge the lawsuit. In fact, Changzhou is so up in arms over this that it's not accepting the case being closed and has asked the court to reopen the case so that it can seek attorney fees from Future Motion.

The filing by Changzhou is well worth reading. It accuses Future Motion of misleading the US Patent Office and the court, claiming that the lawsuit and the seizure were a combination attempt to stifle a competitor and get publicity for itself, and that this all helped Future Motion raise more money. It also says that Changzhou's product, the Trotter, does not infringe on Future Motion's patents. From the filing:
CES is the world's largest electronics and technology show, and was a major opportunity for Changzhou to promote sales of its Trotter product. Instead, Future Motion orchestrated an effort to obtain a baseless TRO and to effect seizure of Changzhou's products from CES. These acts caused Changzhou to lose sales and suffer public embarrassment at a critical juncture in marketing its new Trotter product. Indeed, Future Motion engaged in a significant media campaign to gain free publicity from the fact that it wrongfully prevented Changzhou's sales....

Moreover, Future Motion directly relied upon its baseless TRO to obtain additional financial backing for itself. On February 3, 2016, Future Motion announced that it had obtained $3.2 million in additional funding for its business.... One of the stated bases for obtaining that funding was that Future Motion "vigorously protects its Intellectual Property as it protects safety and a ride experience that cannot be replicated by knock-offs."... Interestingly, Future Motion dropped this lawsuit against Changzhou on February 4, 2016 the next day after announcing it obtained the new funding.

It is now apparent that Future Motion's actions were conducted with full knowledge that the asserted patents... were non-infringed and invalid.... Future Motion undoubtedly sought the TRO and preliminary injunction with the expectation that Changzhou would not fight back in this litigation, and therefore would not discover the fatal flaws in Future Motion's case. Unfortunately for Future Motion, Changzhou did fight back.

Changzhou filed an opposition to the preliminary injunction motion on January 29, 2016, explaining in detail that the two patents in suit were both noninfringed by Changzhou's Trotter product and invalid in light of Future Motion's own prior art (as well as the prior art of others), most of which was never disclosed to the United States Patent Office.... For example, with respect to Future Motion's design patent, its "proof" of infringement consisted of a single sentence by the inventor, coupled with a few of the figures in the patent.... This was insufficient on its face, as a design patent must be construed and infringement evaluated based on all of the figures.... Further, with respect to Future Motion's utility patent, the "proof" of infringement provided no claim construction analysis (which is required under Federal Circuit law) and relied on a conclusory claim chart.... Moreover, Future Motion baldly stated that it was aware of no anticipatory prior art to either patent, but it neglected to tell the Court about prior art disclosures of Future Motion's own product and other similar products....

Upon reviewing Changzhou's opposition and supporting declarations, Future Motion simply gave up, filing a voluntary notice of dismissal. Even then, Future Motion only offered to dismiss without prejudice despite the uncontroverted evidence that the patents in suit were non-infringed and invalid.
And this is why we're supposed to have an adversarial process in court, folks. Whichever side you come down on, it's ridiculous (1) that without even hearing the other side, the court simply ordered that the CES booth be raided and all products and other supplies be seized and (2) that the US Marshals got involved and seized the product.

Future Motion is claiming that it's dropping the lawsuit because "it had been outgunned" and that following through on the court case would cost too much. But that's ridiculous since it was Future Motion who filed the lawsuit in the first place. Those claims really do suggest that it filed the case for one reason only, which was to shut down a competitor, and then it also got a bunch of free publicity out of it. Maybe the company has a case, but if it wants to argue infringement it should have to make its case in court, not simply use the filing as an excuse to shut down and embarrass a competitor with no repercussions at all if the original claims were exaggerated or simply false.

17 Feb 02:07

No, A Judge Did Not Just Order Apple To Break Encryption On San Bernardino Shooter's iPhone, But To Create A New Backdoor

by Mike Masnick
Brindle

This is fascinating. They want an alternate system image that lets them submit passcodes over usb and not wipe when too many have been entered...

So... have you heard the story about how a magistrate judge in California has ordered Apple to help the FBI disable encryption on the iPhone of one of the San Bernardino shooters? You may have because it's showing up everywhere. Here's NBC News reporting on it:
A federal judge on Tuesday ordered Apple to give investigators access to encrypted data on the iPhone used by one of the San Bernardino shooters, assistance the computer giant "declined to provide voluntarily," according to court papers.

In a 40-page filing, the U.S. Attorney's Office in Los Angeles argued that it needed Apple to help it find the password and access "relevant, critical … data" on the locked cellphone of Syed Farook, who with his wife Tashfeen Malik murdered 14 people in San Bernardino, California on December 2.
And you'd be forgiven for believing that the court has now ordered Apple to do the impossible. After all, for well over a year, the DOJ has been arguing that the All Writs Act of 1789 can be used to force Apple to help unlock encrypted phones. And that's an argument it has continued to make in multiple cases.

Many people are now mocking this ruling, pointing out that with end-to-end encryption it's actually impossible for Apple to do very much to help the FBI, which makes the order seem ridiculous. But that's because much of the reporting on this story appears to be wrong. Ellen Nakashima, at the Washington Post, has a more detailed report that notes that Apple is actually required to do something a little different:
The order does not ask Apple to break the phone’s encryption, but rather to disable the feature that wipes the data on the phone after 10 incorrect tries at entering a password. That way, the government can try to crack the password using “brute force” — attempting tens of millions of combinations without risking the deletion of the data.

The order, signed by a magistrate judge in Los Angeles, comes a week after FBI Director James B. Comey told Congress that the bureau has not been able to open one of the killers’ phones. “It has been two months now, and we are still working on it,” he said.
In other words, the order does not tell Apple to crack the encryption when Apple does not have the key. Rather, it is asking Apple to turn off a specific feature so that the FBI can try to brute force the key — and we can still argue over whether or not it's appropriate to force Apple to disable a key feature that is designed to protect someone's privacy. It also raises questions about whether or not Apple can just turn off that feature or if it will have to do development work to obey the court's order. In fact, the same report notes that there is no way for Apple to actually do this:
According to industry officials, Apple cannot unilaterally dismantle or override the 10-tries-and-wipe feature. Only the user or person who controls the phone’s settings can do so. The company could theoretically write new software to bypass the feature, but likely would see that as a “backdoor” or a weakening of device security and would resist it, said the officials, who spoke on the condition of anonymity to discuss a sensitive matter.
So you could argue that this is effectively the same thing as asking Apple to break the encryption, since it (apparently) has no direct access to turning off that feature. However, the specifics do matter -- and most of the kneejerk responses to the order (and the reporting on it) are suggesting something very different than what the court order seems to say.

I think it's still perfectly reasonable to argue that this order is highly problematic, and not legally sound. However, it is still quite different than what most are claiming. It also seems like something that could be quite dangerous. Apple is being pressured to write code that undermines an important security feature, and will probably have little time to debug or test it overall, meaning that this feature it is being ordered to build will almost certainly put more users at risk.

Update: Okay, we've got the full order and it is, indeed, troubling. Here's the key part:
Apple's reasonable technical assistance shall accomplish the following three important functions: (1) it will bypass or disable the auto-erase function whether or not it has been enabled; (2) it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT DEVICE and (3) it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.

Apple's reasonable technical assistance may include, but is not limited to: providing the FBI with a signed iPhone Software file, recovery bundle, or other Software Image File ("SIF") that can be loaded onto the SUBJECT DEVICE. The SIF will load and run from Random Access Memory and will not modify the iOS on the actual phone, the user data partition or system partition on the device's flash memory. The SIF will be coded by Apple with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE. The SIF will be loaded via Device Firmware Upgrade ("DFU") mode, recovery mode, or other applicable mode available to the FBI. Once active on the SUBJECT DEVICE, the SIF will accomplish the three functions specified in paragraph 2. The SIF will be loaded on the SUBJECT DEVICE at either a government facility, or alternatively, at an Apple facility; if the latter, Apple shall provide the government with remote access to the SUBJECT DEVICE through a computer allowing the government to conduct passcode recovery analysis.

If Apple determines that it can achieve the three functions stated above in paragraph 2, as well as the functionality set forth in paragraph 3, using an alternate technological means from that recommended by the government, and the government concurs, Apple may comply with this Order in that way.
The order also sets out that:
To the extent that Apple believes that compliance with this Order would be unreasonably burdensome, it may make an application to this Court for relief within five business days of receipt of the Order.
I would imagine that Apple will be taking the court up on that...

17 Feb 01:07

NYPD Has Deployed Stingrays Over 1,000 Times Without Warrants

by Tim Cushing

The New York ACLU has obtained documents from the NYPD -- a feat on par with prying paperwork away from the FBI, CIA or NSA -- showing the department has been deploying Stingrays without a warrant since 2008. This puts them on the same timeline (and with the same lack of legal paperwork) as the Baltimore Police Department, although the BPD was much more proactive with their deployments: over 4,300 since 2008, as compared to the NYPD's relatively restrained 1,016.

Not only does the NYPD deploy Stingrays without warrants, it apparently does so without any official guidance at all. (The better to keep paper trails from developing, I would guess. This also allows it to choose its own scapegoat when the political hammer falls, rather than there being a bunch of inculpatory signatures on internal policies/permission slips.)

The NYPD also disclosed that it has no written policy for the use of Stingrays but that, except in emergencies, its practice is to obtain a “pen register order” – a court order that is not as protective of privacy as a warrant – prior to using the device.
The use of pen register orders suggests major police departments all had the same idea when they got their hands on the repurposed military technology: it's a phone, so why not pen register orders? Well, to begin with, Stingrays capture a whole lot more than a pen register would -- like everyone connecting to the faux cell tower, rather than just the target. Pen registers also can't be used to track someone in motion. All they can do (in the historical sense) is generate phone records of calls made and received. Utilizing this paperwork lowers the amount of proof needed to obtain permission as well as obscures the technology behind the collection of "phone records."

That the NYPD is using Stingrays is no surprise, considering how many other law enforcement agencies in the country use them. The NYPD has always considered itself to be an extension of federal intelligence services and a bit of a standing military force, so it follows that it would be ahead of the curve when it comes to both surveillance equipment and repurposed military gear.

What is surprising is that these documents are in the ACLU's hands at all. The NYPD is notoriously resistant to FOIL (Freedom of Information Law) requests, having gone so far as to deny requesters copies of its FOIL response procedures.

And, as usual, the Stingrays went into use without any sort of public comment period or any information being passed on to affected citizens (which would be anyone with a cell phone) by the city representatives who signed off on the purchase orders. No doubt these were pushed through with maximum secrecy while NYPD officials chanted their "terrorism" mantra and spritzed the passing documents with holy water redactions.

"Terrorism" is the most frequently cited reason when law enforcement agencies seek to obtain military technology -- which Stingrays are -- but the documents obtained show no deployments for terrorist-related activity. Instead, they've been used to tackle all sorts of "normal" crime, from the violent (rape, homicide, armed robbery) to more mundane illegal activities -- like bail jumping, fraud, drug possession, suicide [?] and the location of material witnesses. For the most part, the NYPD's Stingrays seem to be effective in tracking people/phones down, but that's hardly any excuse for brushing past the Fourth Amendment with a minimum of paperwork or internal accountability.

16 Feb 15:40

Without Copyright Infringement, Deadpool Doesn't Get Made

by Tim Cushing
Brindle

wow... "The problem is the footage was owned by Fox so it was kind of illegal ... I know that one of us did it."

Copyright infringement kills creativity. It's killing artists and depriving future generations of a variety of works that -- if they could even be made in this era of lawlessness -- should rightfully be withheld from the public until long after the future generation is dead and the next generation fully grown. So. They. Say.

Kids, I'm sure you've heard about this "Deadpool," the fourth-wall-breaking, foul-mouthed "superhero" currently raking in $$$ at the megaplexes. For years, it was a pet project passed back and forth between interested shepherds and less-interested studios. Everyone loved the idea but no one wanted to put their money behind it.

For one thing, the licensing alone was a nightmare. While Deadpool belongs to the Marvel "universe," the licensing for Deadpool as a movie character belongs to 20th Century Fox. Nearly everything else belongs to entertainment megagiant Disney. The licensing situation alone should have been enough to keep Deadpool from making it to the big screen. Very few entities want to tangle with Disney's lawyers and put millions of production dollars on the line.

But the movie still made it out into the wild, even with this potentially litigious entanglement. In fact, this weird licensing fact plays into the movie's very self-aware take on the comic book movie genre, as Ars Technica's Sam Machkovech points out:

Should you arrive at a Deadpool screening with high hopes for X-Men or X-Force character cameos or other strides toward comics continuity, you've got another thing coming. 20th Century Fox is behind this film, though Marvel Studios/Disney own most of Marvel's intellectual property, and the result is a world seemingly disconnected from the greater Marvel universe.

There are even disconnects with the Deadpool comics themselves, much to the movie's detriment. Ajax, for example, is a much more toothless supervillain than the one who brutalized the comic version of Wade Wilson, which negatively affects that entire portion of Deadpool's origin tale by opening up gaping plot and logic holes. In fact, the entire "how Wade turned into Deadpool" portion of the movie drags in both length and pacing so much that it borders on the edge of satire in practice.
Whether or not it's "satire in practice" or just the burden of dumping exposition on newcomers to better serve the franchise, Deadpool is still somewhat tangled up in licensing limitations. Crossover appeal is likely limited. And actual crossovers likely next to impossible. If only 20th Century Fox could have been as bold as those who somehow brought this film -- one that had been pronounced DOA repeatedly over the past several years -- to life.

What put this in motion is the same sort of behavior the MPAA works endlessly to prevent: the leaking of footage.

Ben Kuchera at Polygon notes that someone realized the best way to get this project underway was to show its potential audience how they (the actor, writers and director) would handle the subject matter. Fans have wanted a dark, sarcastic, fully-nihilistic Deadpool movie for a long, long time. Some test footage shot three years ago could have languished unseen on some shelf/hard drive somewhere in Hollywood and the unmade project would still be cruising from rejection to rejection. But one of these people decided to perform an action no studio would ever condone.
"I've been trying to get it made for 11 years, which is crazy," star Ryan Reynolds said in an interview with Jimmy Fallon. "We developed the script six years ago, wrote this fantastic script, it leaked online, Deadpool fans went nuts for it, so the studio granted us a small amount of money to make test footage. This test footage that we shot then sat on the shelf for four years, as it does, they didn't do anything with it, then just a little under two years ago it leaked, accidentally, onto the internet."

We, like just about every other outlet concerned with pop culture, ran the story. Everyone loved the footage, and the film went into full production.

"Here's the thing, the fans freaked out and overwhelmed Fox, and Fox basically had to greenlight the movie," Reynolds said. "The problem is the footage was owned by Fox so it was kind of illegal ... I know that one of us did it."
While no one will admit to leaking the footage, everyone involved couldn't be happier this act of copyright infringement has resulted in an actual Deadpool film.
"Oh my god, we were absolutely thrilled," Paul Wernick, one of the film's writers, told Variety. "If you go back and look at our emails after the test footage was made in 2012, we had said back and forth, 'How do we leak this? How do we get the groundswell support from our fans?' When it finally leaked in 2014 and got the reaction we hoped for, we were like, 'Here it goes!' This is confirmation we are not crazy to be passionate about this. There’s a whole fanbase of people clamoring for this movie."

That leak was, in fact, crucial. It was the film's last chance to be made.

"Had it not gotten that reaction, it would have been a disaster and the project would have been dead," Wernick continued. "We knew it in our bones this would be the reaction. We were thrilled and still to this day don’t know who did it. There is a very short list of suspects."
One of the entities who's likely happy the footage was leaked is the studio behind the film. Deadpool wasn't given much of a budget ($58 million) but it's already well on its way to turning a good-sized profit.*

*Non-Hollywood accounting methods only.
According to industry estimates this morning, 20th Century Fox’s Marvel pic, Deadpool whipped Fifty Shades’ Friday figure by 57% with a projected daily haul of $47.5M (that includes $12.7M in Thursday previews) on its way to a mindblowing 3-day opening of $118.4M-$123M and a 4-day between $129.6M-$136M.
Sure, leaking test footage isn't like leaking an entire film, but without that happening, nothing else does. The movie is never made and Fox doesn't have almost three times the budget grossed within the first four days of ticket sales. But because this leak happened, the studio is likely in control of a promising franchise, provided it can keep the lightning bottled and push forward without discarding everything that makes Deadpool Deadpool. And everyone involved can thank the unnamed person they won't rat out for shrugging off the insular "power" of copyright and mobilizing a fan base that is now making good on its promise to support the movie.

16 Feb 12:19

How A Treasury Terror List Is Preventing Americans With 'Scary' Names From Using Online Services

by Timothy Geigner

We've talked a few times before about the US Treasury Department's Office of Foreign Assets Control, a government office theoretically designed to keep money from flowing to and from scary people in scary countries or whatever. Its work typically amounts to keeping businesses from doing business-y things with people in places like North Korea and such. On the other hand, sometimes the folks at the OFAC get their knickers in a twist over a graphic novel about some of these scary people, so it's not like these folks have a spotless record when it comes to keeping the proper targets in its collective sights.

But a couple of stories have been trickling in having to do with non-scary people who share names too-closely associated with actual scary people suddenly being denied online services due to the OFAC scare-list. The first of these concerned a man named Muhammad Zakir Khan being refused a registration for a multiplayer video game.

Gamasutra, which broke the story, reports that when Khan submitted his request, he received an unusual denial, one explaining that his name had come up as “a match against the Specially Designated Nationals list maintained by the United States of America's Office of Foreign Assets Control.” Epic was, in other words, refusing Khan the opportunity to try out its new game simply because his name resembles that of someone who might be financially involved with terrorism.

Khan tweeted a screengrab of the rejection form and hashtagged it “#Islamophobia.” Surprisingly, Epic Games founder Tim Sweeney replied to another tweet about the issue, claiming that it had been caused by an “[o]verly broad filter related to US trade restrictions.”
Which, you know, good for Epic Games. And I wouldn't really refer to this as "islamophobia" so much as I'd refer to it as broad laziness by both a government agency and a corporation. Let's think this through for one moment. If our Treasury Department is going to cast a worried eye towards Islamic terrorism such that it compiles a list of names that businesses are refused from interacting with, and if those names come from a region of the world where there is a certain repetition of these sorts of names (Muhammad Khan sounds like it could be akin to John Smith), then how useful is this directory of scary people to begin with? The point of the list is to identify bad actors, but if innocent folks are getting caught up in it, then it isn't serving its chief function particularly well, now is it? But no matter, says the government agency. Just add the name to the list and damn the fallout to hell.

The broader question, of course, is why an online game should be checking registrations against the OFAC list to begin with. In this particular case, it appears the check was ported over from the game engine itself.
Unreal Engine 4 has a wide range of uses, both domestic and foreign, that apparently bring it under the umbrella of trade guidelines. Under ordinary circumstances, those restrictions should only apply to people who are using the engine to create new games. (For instance, the U.S. government presumably doesn't want ISIS to use the engine to create a recruiting game.) But when Epic used the engine to make Paragon, it accidentally left those restrictions in place. Thus, the filter shouldn't have been there in the first place, and no one should have been banned from Paragon, regardless of whether they show up on a watch list.
As I said: government laziness and corporate laziness combine to keep an innocent person from playing a video game. Success!

Such innocent circumstances don't appear to be replicated in the story of Noor Ahmed's attempt to sign up for a payment app called Venmo, which is normally a cinch to register for, but which Ahmed still isn't able to use.
When she tried to sign up last year, Venmo refused to add her. The company sent her an email instead, asking Ahmed to provide a stack of additional information to verify her identity. What followed was the opposite of simplicity: Ahmed had to obtain paper copies of her utility bills as well as bank statements, and then find a fax machine (a practically unheard of technology for many younger people) to send them to Venmo. After complying with this rigamarole, Ahmed still was unable to sign on to Venmo.

It turns out that she, like thousands of other Americans, shares a name with someone on a list created by a Treasury group called the Office of Foreign Assets Control. This list is called “Specially Designated Nationals and Blocked Persons,” and includes (on page 33) a 41-year-old Afghan man also named Noor Ahmed. The New York-based Ahmed said she is familiar with such mix-ups.

“I was born and raised in California, but I’m taken into secondary customs at the airport no matter what because of my name,” said Ahmed. “I think it’s now extending to other parts of my life.”
Whatever your thoughts on terrorism and international politics, it's quite clear that this isn't helpful. It isn't stopping a terrorist from using the app; it's stopping a US citizen from using it. It isn't helpfully identifying a person for a US business to steer clear of; it's mis-identifying a US citizen. Hell, the list can't even keep men and women straight. For the OFAC list to be useful, never mind non-discriminatory, it should at least be able to keep a valid US citizen from being caught up in the web.

If it can't manage that simple task, it's probably worth revisiting whether this list should be employed at all.

10 Feb 22:16

Creepy Deaky: People Bending Over With Faces Drawn On Their Backs Look Like Weird Potato Head Trolls

Brindle

cannot unsee

This is 'Secret Friends', a photo series by AnaHell in which the subjects are bent over with a face drawn on their back, and wearing wigs sometimes. They are kind of uncomfortable to look at. Sort of like me. I'm not saying I'm a total monster, but I am saying I wear paper grocery bags over my head with different faces drawn on them to reflect my mood. Lately I mostly wear the frowny face one. Except when I sleep, then I wear the one with the eyes closed so my girlfriend doesn't think I'm staring at all night. "Your girlfriend -- the pillow with the face drawn on it?" Shhhhhhhhhhh -- she thinks she's a blanket. Keep going for a whole bunch more.

10 Feb 20:08

Congressmen Submit Bill Banning Encryption Bans

by Tim Cushing

Legislators in two states have proposed (largely unworkable) bans on the sale of encrypted phones, citing (of course) concerns about all the criminals who might get away with something if law enforcement can't have near immediate access to the entire contents of their phones.

In reaction to these stupid bills, national legislators have stepped up to offer their own counterpunch: a nationwide ban on encryption bans. The Daily Dot's Kevin Collier has the details.

Congressmen Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas) have introduced what they call the Ensuring National Constitutional Rights of Your Private Telecommunications (ENCRYPT) Act of 2016. It’s an attempt, Lieu and Farenthold wrote in a letter to their colleagues, to address “[c]oncerns over the privacy, security and technological feasibility of a ‘backdoor’ into encrypted devices for the government and law enforcement” by making encryption a federal issue and keeping individual states from trying to ban it.
Not only would such bans/backdoors make device usage less safe for users, but the lack of a unified stance on phone encryption would turn phone sales in the US into a logistical nightmare, to the detriment of all involved.
“We are deeply concerned,” Lieu told the Daily Dot in a phone interview, “that a patchwork system with different encryption requirements in every state would not only undermine national security—it would also threaten the competitiveness of American companies and dampen innovation.”
Lieu, as one of the few representatives with a background in computer science, is also one of the few who has been bold enough to refer to FBI director James Comey's ongoing anti-encryption efforts as "stupid."

Whether this will go anywhere remains to be seen. It would appear few legislators are willing -- at least at this point -- to tell the FBI to stop asking for backdoors or bans. Alarmingly, despite the ongoing discussion bringing more evidence to the surface that such actions are not only bad ideas, but pretty much impossible to implement without doing away with encryption entirely, it seems like more legislators are moving towards the FBI's line of thinking.

Unfortunately, that is often the nature of the political business, where fear nearly always trumps rational thinking. For too many, it's more acceptable that thousands of phone users be left open to attacks than that one criminal suspect go free.

09 Feb 19:37

McDonald's Chicken McNugget Happy Meal 6 Years Later

Are you going to finish that? This is a shot of a McDonald's Chicken McNugget Happy Meal six years after purchase. It was posted by Facebooker Jennifer LovDahl to raise awareness about how unhealthy fast food is (what -- it is?! I've never heard that before!), although that's not what I learned at all. What I learned is that McDonald's makes food that LASTS. Car and electronics manufacturers could really learn a thing or two from them. Thanks to Leslie P, Nathanrango and Marc, who want to see a six year old Mexican Pizza from Taco Bell.

09 Feb 13:13

Appeals Court Tells City It Can't Use Its Terribly-Written Zoning Laws To Censor Speech

by Tim Cushing
Brindle

Reminds me of all the farmers that put up billboards next to highways... "Sorry, you aren't zoned for billboards..."

Here's a fun free speech win from the 4th Circuit Appeals Court. Well, it's at least a fun read, especially when the judges go after the city of Norfolk's highly-questionable claim that its completely inconsistent zoning statute isn't loaded with content-based restrictions.

First, though, here's a bit of background. Norfolk's Central Radio Company's building was on the list of places to be destroyed by the city to make way for an expansion of Old Dominion University. To protest this plan, it hung a large sign on the side of its building stating its opposition to eminent domain abuse.


It also protested the university's planned expansion by suing it, ultimately undoing the government's plan to demolish CRC's building.

The city, tipped off by an Old Dominion employee, decided to "investigate" the company's sign and, of course, found it to be in violation of city advertising statutes.

This prompted another lawsuit from the Central Radio Company, this time seeking to have the ordinance found unconstitutional. Unfortunately, it wasn't quite so lucky this time. The district court found the statute did not infringe on the company's First Amendment rights. The Fourth Circuit Court of Appeals agreed.

CRC petitioned the Supreme Court. Its timing was fortuitous. The Supreme Court had recently handed down a decision in a similar case (Reed v. Town of Gilbert). The decision reaffirmed that government entities cannot impose content-based restrictions without narrowly crafting the limitations to "further a compelling government interest."

The US Supreme Court booted the case back to the appeals court with instructions to apply its recent Reed decision. Taking this into consideration, the Appeals Court finds in favor of Central Radio Company and isn't too impressed with Norfolk's ill-advised attempt to censor content that didn't agree with its eminent domain plans.
Based on Reed, we hold that the City’s regulation was a content-based restriction of speech. The former sign code exempted governmental or religious flags and emblems, but applied to private and secular flags and emblems. In addition, it exempted “works of art” that “in no way identif[ied] or specifically relate[d] to a product or service,” but it applied to art that referenced a product or service. On its face, the former sign code was content-based because it applied or did not apply as a result of content, that is, “the topic discussed or the idea or message expressed.”
Because of the internal inconsistencies in the statute (which has since been rewritten), the government can't claim its restrictions aren't content-based. Those assertions have been undone by the city's inability to craft a coherent policy. The law was supposedly put in place to improve the city's aesthetics and cut down on distracted driving. According to the city of Norfolk, these two things were supposedly "compelling government interests." The court disagrees, finding it to be a badly-written law with severe Constitutional issues.
With respect to the City’s stated interest in preserving aesthetic appeal, for example, the flag of a private or secular organization was “no greater an eyesore” than the flag of a government or religion, id. (quoting City of Cincinnati v. Discovery Network, Inc., 507 U.S. 410, 425 (1993)), and works of art that referenced a product or service did not necessarily detract from the City’s physical appearance any more than other works of art. Yet, the former sign code allowed the unlimited proliferation of governmental and religious flags, as well as works of art that met the City’s dubious criterion, while sharply restricting the number and size of flags and art bearing other messages.

[...]

The City also has not shown that limiting the size and number of private and secular flags, as well as works of art that referenced products or services, was necessary to eliminate threats to traffic safety. There is no evidence in the record that secular flags were any more distracting than religious ones, or that a large work of art displaying a reference to a product threatened the safety of motorists any more than any other large, exempted pieces of artwork.
A workable, Constitutional policy wasn't handed down by the city until well after its original statute proved to be a problem. Because the policy has been altered since the filing of the suit in 2012, the court finds no need to issue an injunction. Even if the city wasn't directly trying to censor critical speech (although it certainly appeared to be doing exactly that), the statute was so badly written that it couldn't help but trip over itself. Worse, it put the government in the position of deciding what was or wasn't "approved" art, and implied that art and commerce were mutually exclusive expressions.

"Nominal damages" are on the way to the Central Radio Company, which managed to not only save the building where it has spent the last half-century from destruction, but managed to get a bad law rewritten in the process.

09 Feb 13:11

Documents Show Chicago Cops Routinely Disabling Recording Equipment

by Tim Cushing
Brindle

shocker...

When the dashcam footage of the shooting of Laquan McDonald was finally released by the city of Chicago, it was notably missing the audio. In fact, no surviving footage of the shooting contains any audio. It's 2016 and the Chicago PD is still producing silent films.

There's a reason for this. Turns out cops aren't fans of recordings. DNAInfo Chicago requested information on the police department's camera problems after the eerily soundless shooting video was released. The documents obtained showed the PD may have plenty of cameras, but they're rarely generating complete recordings… or in some cases, any recordings at all.

On the night Laquan McDonald was shot 16 times by a Chicago Police officer, at least three dashboard video cameras in squad cars at the scene didn't work. And the ones that did capture video did not record audio.
This complete failure was no statistical quirk.
In fact, 80 percent of the Chicago Police Department's 850 dashcam video systems don't record audio due to "operator error or in some cases intentional destruction" by officers, according to a review by the Police Department.

Additionally, about 12 percent of dashcams experience "video issues" on any given day due to "equipment or operator error," police spokesman Anthony Guglielmi said.
Cameras are only a part of the accountability equation. Putting them into use is a step forward, but if there's no accountability built into the process itself, this is the result. A mechanically inoperative camera is rarely going to be considered a problem by either the cops in control of it or the management overseeing them. And if officers feel more "comfortable" with less documentation of their activities, it doesn't take much to render the cameras useless.

The documentation obtained by DNAInfo makes it clear missing footage or recordings are anything but accidental. The following cannot be explained away by coincidence.
Additionally, only three of 22 Chicago Police-involved shooting investigations forwarded to the Cook County State’s Attorney’s Office from the Independent Police Review Authority this year included dashcam video evidence. And none of those videos included audio recordings, state’s attorney spokeswoman Sally Daly said.
Neither can it explain the "errors" that led to the dearth of Laquan McDonald shooting footage.
The dashcam in police vehicle No. 8489, shared by officers Thomas Gaffney and Joseph McElligott the night of Laquan's shooting, recorded 37 “event videos” in October 2014, and had an operational dashcam the night of the shooting. But “due to disk error” no video was recorded at the shooting scene, according to police reports.

[...]

Police vehicle No. 8756 had a working dashcam that recorded 124 “event videos” in October 2014 without a single request for maintenance that month.

But on the night of Laquan's shooting, the vehicle assigned to Arturo Bacerra and Leticia Valez reportedly had a “power issue” and the dashcam was “not engaged.”
In both cases, equipment was inspected later and found to have no mechanical problems. And yet, mysterious malfunctions somehow presented themselves during this controversial incident -- an incident in which the surviving footage contradicted officers' reports.

So, even purely as an internal investigative tool, the "recordings" are mostly useless. Officers clearly don't want their superiors to see what they've been up to, much less the general public. DNAInfo's report of the epidemic of unusable/missing recordings was unsurprisingly greeted by the local police union as an unwarranted attack on the reputation of Chicago's finest.
The union president called the report and CPD's statement that the department will not tolerate officers maliciously damaging equipment "just more kicks to the morale and kicks to the people that are out there working every day."

"If there are individuals that are involved in purposefully damaging equipment, they will be cited for it," he said. "But, to cite someone because of a repair tag not being the most recent request for repair, I think that’s arbitrary and I think that’s part of the problem.”
The union president points to "thousands" of repair tickets and months-long waits for service as the real problem here. But his attempt to portray this as a hardware problem doesn't hold up when actual accountability measures are put in place.
“Supt. Escalante sent a very clear message and has held people accountable. And since we took that corrective action, we have seen a more than 70-percent increase in the amount of [video] uploads at the end of each tour … and that is being audited weekly with reports sent to the superintendent.”
If it was mostly a problem with non-functioning equipment and long waits for repairs, the amount of uploaded footage should have remained nearly unchanged, rather than increasing 70 percent.

And the union president's statement would be more believable if similar tampering hadn't occurred at other police departments. This indicates that covering up wrongdoing is the prevailing mindset, rather than just the actions of a few rogue officers determined to thwart accountability at every turn.

Cameras can't fix officer accountability if no one's willing to hold them accountable for missing or incomplete recordings. The problem never seems to get fixed until it's been made public. When agencies are only interested in reacting to issues rather than trying to head them off, they play right into the hands of officers who prefer to perform public duties completely unobserved.

08 Feb 19:13

20 Years Ago Today: The Most Important Law On The Internet Was Signed, Almost By Accident

by Mike Masnick
Brindle

Man, Ron Wyden has been kicking ass for decades... when will he run for pres?!

The internet as we know it would be a very, very different place if 20 years ago today, President Clinton hadn't signed the Communications Decency Act. To be fair, nearly all of the CDA was a horrible mess that was actually a terrible idea for the internet. A key part of the bill was about "cleaning up" pornography on the internet. However, to "balance" that out, the bill included Section 230 -- added by two Congressmen in the House of Representatives: Ron Wyden and Chris Cox. They had pushed this clause as a separate bill, the Internet Freedom and Family Empowerment Act, but it didn't get enough traction. It was only when they attached it to the Communications Decency Act (which had passed the Senate without it), that it was able to move forward. And thus, 20 years ago today, when President Clinton signed the CDA, most of the attention was on the "stopping indecency" part, and very little on the "throw in" of Section 230. And yet, there's a strong argument that Section 230 may be one of the most important laws -- perhaps the most important -- passed in the past few decades.

As you hopefully already know, a year later, in Reno v. ACLU, the Supreme Court tossed out basically all of the CDA as unconstitutional. The only tidbit of the law that remained valid? You guessed it: Section 230. And, of course, it became the key law in enabling the internet to grow the way it did. It's been said in the past, fairly accurately, that no law contributed more to the growth of the internet than CDA 230, and that's because of a fairly simple and straightforward principle. CDA 230 simply said that an internet service is not liable for actions of its users. This meant that new websites and internet services didn't need to carefully monitor and track everything that every user did to make sure it wasn't violating a law. That meant the legal risks and liability for creating services that allowed the public to create all kinds of content went way down.

Without a robust Section 230, it's difficult to see many of the most popular platforms today existing. It's no surprise that soon after CDA 230 we saw the rise of blogging and social media -- and almost always coming from American companies. Both would be significantly more difficult without Section 230's protections. In fact, much of the push for Section 230 came in response to a horrible court case, Stratton Oakmont v. Prodigy, in which an internet bulletin board commenter attacked financial firm Stratton Oakmont, and its president, for apparently being involved in criminal and fraudulent activity. Stratton Oakmont -- now perhaps well known as the firm portrayed as doing all sorts of criminal and fraudulent things in the movie The Wolf of Wall Street -- sued Prodigy for the comment and won. The liability from such a ruling scared numerous online platforms, in particular because a key part of the ruling was that because Prodigy posted "guidelines" and removed posts with offensive language, it suddenly became a "publisher" of the content, and was liable for that content.

A key, and often overlooked, part of Section 230, is that it actually does encourage sites to take proactive measures to filter content, by noting that any kind of moderation or guidelines absolutely does not remove the protections of Section 230. As such, sites get to decide for themselves whether or not to moderate their content in any way, without facing the legal risk of suddenly being declared the publisher. Other countries have no such protections, leading to some dangerous rulings, and creating something akin to a "right to be forgotten" in some instances.

There have been numerous cases testing Section 230 over the years -- and the law has remained strong and in place -- though it is still being challenged to this day. The biggest and most important case was Zeran v. AOL, the first case testing Section 230, in which the court found that Section 230 was a powerful tool that kept sites from being held responsible for content posted by users.

Section 230 has been powerful in so many ways. It has both enabled and protected free speech online by letting companies set up platforms where people can speak openly. Without it, the internet would be much more limited as a platform for communicating to the public. As the 4th Circuit noted in its ruling in the Zeran case:
The amount of information communicated via interactive computer services is therefore staggering. The specter of tort liability in an area of such prolific speech would have an obvious chilling effect. It would be impossible for service providers to screen each of their millions of postings for possible problems. Faced with potential liability for each message republished by their services, interactive computer service providers might choose to severely restrict the number and type of messages posted.
It has protected privacy, by making it clear that there was no duty for websites to monitor and track their users, to avoid any kind of liability. It has created incentives to create tremendous economic value, by making it clear that companies could be formed to enable public communications, such as blogging, forums and social media -- without being sued into bankruptcy over misuse. And it has actually enabled better moderation of platforms in not making them give up protections, if they choose how to moderate certain content.

It is difficult to express just how important Section 230 has been over the past 20 years other than to say that, without it, it's unlikely that you would be able to comment on Techdirt today. It's also unlikely that you'd have tools like Twitter or Facebook or Yelp or AirBnb. Any service that relies on public input owes a huge debt to Section 230, and it's quite incredible that it was basically included as an "add-on" that very few noticed when it was signed.

So, as we're hanging out here on the internet today, in a place that is alive only because of Section 230, please thank (now Senator) Ron Wyden in particular for his role in creating Section 230, and pay attention, because there are very powerful forces working right now to undermine Section 230 entirely. It's been a key driver of free expression and economic growth for the past 20 years, and it would be a shame to undermine that now.

08 Feb 19:09

Moral Panics: Twitter Feels Compelled To Tell You It's Deleted Over 125,000 Terrorist Twitter Accounts

by Mike Masnick
It seems we've entered the next big moral panic: the fact that terrorists like ISIS use social media. It's a point of contention that keeps coming up, leading Presidential candidates to talk about stopping terrorists from using the internet. There was a whole big "summit" between White House officials and tech execs in which questions were raised about blocking ISIS from using social media. And, then, of course, you've even had some tech company execs support the idea.

And now, the inevitable followup on this is tech companies feeling the need to show just how "tough on terrorism" they are by highlighting how many people they've kicked off their service. Up first, Twitter. The company was just recently sued by a woman who lost her husband to an ISIS attack, in which she claims that Twitter is guilty of material support for terrorism, because it allowed ISIS to use Twitter to grow. And so now, Twitter feels the need to proudly highlight the removal of 125,000 terrorist accounts:
We condemn the use of Twitter to promote terrorism and the Twitter Rules make it clear that this type of behavior, or any violent threat, is not permitted on our service. As the nature of the terrorist threat has changed, so has our ongoing work in this area. Since the middle of 2015 alone, we’ve suspended over 125,000 accounts for threatening or promoting terrorist acts, primarily related to ISIS.

Our efforts have not stopped there. We have increased the size of the teams that review reports, reducing our response time significantly. We also look into other accounts similar to those reported and leverage proprietary spam-fighting tools to surface other potentially violating accounts for review by our agents. We have already seen results, including an increase in account suspensions and this type of activity shifting off of Twitter.
Every company, of course, has the right to determine who can and who cannot use their service, but is this really the best response? Hell, just recently there was a situation in which an ISIS leader used Twitter and other social media platforms to try to urge more Muslims to join ISIS, and it turned into a ton of Muslims totally mocking ISIS. When you start deleting accounts, you lose out on those kinds of interactions, which I would imagine are ridiculously more powerful than shutting down accounts of terrorists who will simply open up a new one hours later.

On top of that, merely deleting those Twitter accounts actually hides some information that can be used to track down ISIS members and see what they're doing. Obviously no one wants to be seen "supporting" ISIS, but building a moral panic over the fact that they happen to use social media to spread idiotic ideas hardly seems helpful. If anything, it suggests that their messages are a lot more powerful than they really are. Shutting them down makes them think that what they're saying is having an impact. Mocking them and laughing at them (or even ignoring them) shows that it's having the opposite effect.

But, of course, for much of the media and many politicians, such nuance is not allowed. Instead the focus needs to be on shutting such accounts down. And that leads you to silly announcements like Twitter's from last week.

07 Feb 14:10

Google is looking to point extremist searches towards anti-ISIS websites instead

by Chris Chavez
Brindle

And now Google becomes our moral compass... maybe they'll start redirecting gun nut searches to mass shooting news reports :X

You can tell a lot about a person by what they search for online. In fact, if you're Google, you might even be able to tell if someone was a potential terrorist. Whether they're just looking to troll or actually looking to deter terrorist interest, Google is reportedly experimenting with a new pilot program that will forward "extremist" searches to anti-ISIS websites instead.

07 Feb 14:09

TV Station Educates Public On Dangers Of Teen Sexting By Exposing 14-Year-Old's Name... And Penis

by Tim Cushing
Brindle

Wow... not much journalistic discretion here :\

According to a recently-filed lawsuit, the media is apparently every bit as "helpful" as law enforcement when it comes to the responsible, logical handling of teens and sexting. Confusing "hurting" with "helping," Colorado's KOAA allegedly exposed not only the name of a teen involved in a sexting incident, but also the part that puts the "sex" in "sexting."

The station, KOAA TV, aired footage of the boy’s erect penis during a news report that was put together after his father’s girlfriend approached producers about an alleged blackmail attempt, according to a complaint filed Friday in U.S. District Court.

Producers were told on Feb. 24 by the woman that someone had tried to blackmail the teen, now 16, using sexually explicit material. That same day they arrived at the family house in Pueblo, Colorado to investigate the claims and interview the boy’s father, Elijah Holden. While on assignment, the suit alleges that the news team collected screenshots from the teen’s Facebook page, as well as images from the YouTube page where the blackmail video had been uploaded, to be used in their coverage.

The plaintiff and his father both asked that the name “be kept confidential through any report presented by Defendant KOAA,” attorney Matthew Schneider said in the filing.
Since law enforcement largely seems to feel sexting = child porn, the station should have found itself under investigation for distributing child porn. Instead, the only negative result of its allegedly terrible editorial practices so far is Holden's lawsuit.

Holden is seeking damages related to the outing of his name and sexual organs, with damages sought clearing the $1 million mark. In its defense, the station had this to say:
“Through a series of stories during the last several years, KOAA has informed its viewers about the dangers of sexting and cell phone security,” KOAA president and general manager Evan Pappas said in a statement to Courthouse News, where the suit was first reported on Tuesday this week. “At the specific request of the victim’s father, we ran a story two years ago about his son being blackmailed over a cellphone video.”
Well, I guess nothing better illustrates the dangers of sexting more than irresponsibly splashing a minor's name and penis all over the TV screen. Of course, considering these were tied to blackmail allegations by an adult, it would seem more -- much more -- discretion would have been in order. Instead, the TV station went the other way, displaying the name of the minor involved over a screen cap of his penis and topped it off by dragging his social circle into the mess.

The station claims the allegations are unsubstantiated, but there's really no excuse for using a minor's name -- even if the guardian gave permission to the news outlet to do so. But going past that, how does the station hope to explain its use of an explicit photo of a minor in a publicly-broadcast news report? According to the lawsuit, something that could be considered child pornography somehow made its way past internal censors and ended up on the evening news.
Defendant KOAA aired the thumbnail image of the YouTube video depicting Plaintiff's erect penis and his name as a part of the story shown on February 24th 2014.
While journalists have played an important part in exposing ridiculous prosecutions of sexting teens, there's no denying the lurid nature of the subject matter is also beneficial to the entities covering the stories. The implicit suggestion that YOUNG NAKED TEENS lie just beyond the next commercial break attracts additional viewers. This additional motivator might explain the apparent lack of discretion on the part of KOAA.

As of now, what we have is a news agency that claims it broadcasts these stories to educate the public on the dangers of sexting while apparently feeling compelled to drive that point home through its own actions.

07 Feb 13:40

Another Cop Treats Sexting Teens Like Child Pornographers

by Tim Cushing

More sexting stupidity, this time in Michigan.

A Three Rivers, Michigan, teenager is both the victim and perpetrator of a sex crime. He might land on the sex offender registry, and face criminal charges, all because he took an inappropriate photo—of himself.

The boy is unnamed in local news reports, which note that he is under 15 years of age. He allegedly took a nude photo of himself on a girl’s cell phone. That girl sent the picture to another girl, who sent it to another. Preliminary charges are pending for all three—the boy was charged with manufacturing child porn, and the girls with distributing it. A prosecutor is still weighing whether to pursue the charges.
Hopefully, the prosecutor will realize that pursuing the suggested charges could ruin a few teens' lives. The police detective working the case seems to want to destroy these kids' lives… for the good of other teens, or something.
Police Detective Mike Mohney told WBST.com that sexting is a serious crime because it leads to “bullying,” and “real severe things like people committing suicide or violent crimes against others because they're so embarrassed about it.”
As Reason's Robby Soave points out, Detective Mohney is a walking contradiction. Apparently, it's never occurred to him that bringing child porn charges against these young teens might result in bullying and suicide. Nothing makes the future look dim and hopeless like a long stint on the sex offender registry. Nothing destroys someone's reputation faster than being listed alongside criminals who manufactured actual child porn, rather than just took a photo of their own adolescent body.

For that matter, the preliminary charges make this teen's decision to photograph his own body and send it to another teen a far worse crime than if he'd simply showed up at the girl's house, stripped off his clothes and proceeded to engage in sexual activity with her.

Taking off his clothes at her house would have been nothing more than indecent exposure, a misdemeanor. More importantly, unless the person has been convicted for other sexual-related crimes, there's no sex offender registration tied to the charge.

Even if he'd pursued sexual contact with the other teen, it still would have been a better outcome than being branded a child pornographer. Michigan has no "Romeo and Juliet" law, so any contact between teens -- no matter their closeness in age -- could trigger statutory rape charges. (Obviously, if the sexual activity was not consensual, this would be actual rape, but there's no reason to believe a [possibly] unsolicited naked photo rises to the level of aggravated sexual assault.)

If the activity was consensual, the worst charge would be statutory rape, which does not require sex offender registration for teens.
[P]eople who are convicted of criminal sexual conduct based on consensual sexual conduct with children over the age of 13 who are not more than four years older than their victims are not required to register.
And, if the sexual contact contained no penetration, no criminal charges would be brought at all.
[A] 17-year-old who engages in consensual petting with a 14-year-old could not be prosecuted for a crime. However, if the parties engaged in oral sex, the 17-year-old could face prosecution.
So, this so-very-concerned detective has taken a digital photo -- taken by a teen of his own body -- and turned it into something worse than actual in-person nudity and/or sexual contact. That's a pretty fucked up way to show concern for sexting teens. Treating photos taken by minors and distributed to other minors as child porn is the worst possible way to handle a situation that, in all reality, should be left to the discretion of the teens' parents.

03 Feb 19:56

Former DHS Boss Puts University Of California Employees Under Secret Surveillance

by Tim Cushing
Brindle

ah, Napolitano... can't give up the snooping

Former DHS boss Janet Napolitano -- who once stated she "doesn't use email" (for many reasons, but mainly to dodge accountability) -- is now showing her underlings at the University of California why they, too, might not want to "use email": someone might be reading them over their shoulders.

UC professor Christopher Newfield has the inside details of the recently-exposed monitoring system secretly deployed by the University of California (and approved by school president Napolitano) to keep tabs on the communications, web surfing and file routing of its employees. The SF Chronicle has an article on the secretly-installed spyware behind its paysieve [try this link], but Newfield has the internal communications.

The installation of the third-party monitoring software was so secretive that even the university's campus information technology committee was forbidden from discussing it with other staff. The committee has now decided to go public.

UCOP would like these facts to remain secret. However, the tenured faculty on the JCCIT are in agreement that continued silence on our part would make us complicit in what we view as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished.

Some salient facts:

- The UCOP had this hardware installed last summer.

- They did so over the objections of our campus IT and security experts.

- For many months UCOP required that our IT staff keep these facts secret from faculty and others on the Berkeley campus.

- The intrusive hardware is not under the control of local IT staff--it sends data on network activity to UCOP and to the vendor. Of what these data consists we do not know.

- The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus, and has enough local storage to save over 30 days of *all* this data ("full packet capture"). This can be presumed to include your email, all the websites you visit, all the data you receive from off campus or data you send off campus.
The official excuse for the installation of intrusive spyware is "advanced persistent threats" possibly related to a cyberattack on the UCLA Medical Center last summer. How monitoring staff emails plays into the thwarting of "threats" hasn't been explained. Now that the secret's out, the university is claiming it's all good because policies prevent the university from using any intercepted information/communications for "nonsecurity purposes."

The university may have a policy forbidding this activity, but that's not really the same thing as guaranteeing abuse of this surveillance will never happen. Its belated not-an-apology offers no contrition for keeping this a secret from a majority of its staff. And the statement does not name the third party in charge of the collection and monitoring.

While it certainly isn't unusual for employers to monitor employees' use of company computers and devices, it's normally clearly stated in policy manuals, rather than installed surreptitiously and cloaked in deep secrecy.

As Newfield points out, no one was apprised of the monitoring until after it was underway. Some heard a few weeks after the monitoring was put in place (August of last year) when the university updated its security policies following the medical center breach. Many more heard nothing until the first week of December. Following the wider exposure, staffers were assured by the school's vice president that the monitoring would cease and the software would be removed.

The VP said one thing and the school did another.
On Jan. 12, 2016, The Berkeley Joint Committee on Campus Information Technology (JCCIT) met with Larry Conrad and others. The committee was informed that contrary to the Dec. 21, 2015 statements, UCOP had decided to continue the outside monitoring and not disclose any aspects of it to students or faculty.
At this point, the decision was made to go public. A letter was drafted and sent to school administration. It was also sent to the New York Times. This prompted the generation of bullshit from the Executive VP's office.
On Jan. 19, 2016, UCOP Exec. VP and COO Rachael Nava sent a letter to those who signed the Jan. 15, 2016 letter. The original version was marked "CONFIDENTIAL: DO NOT DISTRIBUTE" and invoked "Attorney-Client privilege". After several recipients responded to her via email questioning who is the client and why her letter must be kept secret, a revised version of the letter was sent the next day removing that language, stating: "All: Please accept my apologies with regard to the confusion on the attorney client privilege language on the letter. It was a clerical error and was not intentional. Please find a revised version of the letter with the language removed."
The full letter contains some truly incredible statements.
With respect to privacy, the letter and structure of the University’s Electronic Communications Policy (ECP) reflect the principle that privacy perishes in the absence of security. While the ECP establishes an expectation of privacy in an individual’s electronic communications transmitted using University systems, it tempers this expectation with the recognition that privacy requires a reasonable level of security to protect sensitive data from unauthorized access.
Privacy does not "perish" in the absence of security. This conflation of the two is ridiculous. If a malicious party accesses private communications, that's a security issue. If an employer accesses these communications, that's a privacy issue. Claiming to value privacy while secretly installing monitoring software (and then lying about removing said software) only serves to show the university cares for neither. By adding a third party to the monitoring process, the university has diminished the privacy protections of its staff and added an attack vector for "advanced persistent threats." It has effectively harmed both privacy and security and, yet, still hopes to claim it was necessary to sacrifice one for the other.

The other statement, tucked away as a footnote, absurdly and obnoxiously claims the real threat to privacy isn't the school, but people making public records requests.
Public Records Act requesters may seek far more intrusive access to the content of faculty or staff records than what the ECP permits for network security monitoring. The limits on the University’s own access to electronic communications under the ECP do not apply to Public Records Act requests.
Meanwhile, the school's tech committee has pointed out its IT staff is more than capable of handling the privacy and security of the network and, quite obviously, would show more respect for their colleagues' privacy while handling both ends of the privacy/security equation.

It's perfectly acceptable for entities to monitor employees' use of communications equipment. But you can't do it this way. You can't install the software secretly, swear certain employees to secrecy, not tell anyone else until the secret is out in the open, promise to roll it back and then secretly decide to do the opposite, etc. And when challenged, you can't play fast and loose with "security" and "privacy" as if they were both the same word spelled two different ways.

[Update: a TD reader has given us a copy of Janet Napolitano's response to the outcry over the school's secret surveillance efforts. A new post on that letter is on the way. If you'd like a head start, it's embedded below.]
