Shared posts

16 Dec 03:38

DOJ Still Not Informing Defendants About Sources Of Surveillance Program-Derived Evidence Being Used Against Them

by Tim Cushing

The NSA's Section 702 surveillance program is massive. It provides the NSA (and the FBI) with access to the email content and internet activity of millions of people, some of them US citizens. Quite obviously, the intelligence gathered with it has led to prosecutions. But the government is still seemingly uninterested in informing defendants about the origin of evidence being used against them.

Just Security's Patrick Toomey notes that the US government -- after a brief flurry of complying with federal law -- appears to have gone back to ignoring it.

Up until 2013, no criminal defendant received notice of Section 702 surveillance, even though notice is required by statute. Then, after reports surfaced in the New York Times that the Justice Department had misled the Supreme Court and was evading its notice obligations, the government issued five such notices in criminal cases between October 2013 and April 2014. After that, the notices stopped — and for the last 20 months, crickets.
Toomey notes that the DOJ -- after realizing its original interpretation of the statute was perhaps a bit flawed -- adopted a new interpretation of the statute, one that is only marginally broader.
Based on what can be gleaned from the public record, it seems likely that defendants are not getting notice because DOJ is interpreting a key term of art in Fourth Amendment law too narrowly — the phrase “derived from.” Under FISA itself, the government is obliged to give notice to a defendant when its evidence is “derived from” Section 702 surveillance of the defendant’s communications. There is good reason to think that DOJ has interpreted this phrase so narrowly that it can almost always get around its own rule, at least in new cases.
This is one of the government's favorite games: redefining common words to serve the purpose of obscuring surveillance efforts. How does the DOJ dodge having to report the origin of evidence "derived from" the 702 collection? Toomey speculates it could take multiple approaches. The easiest way to eliminate any mention of 702 collections from submitted evidence is to obscure its origin by citing other surveillance techniques -- in other words, parallel construction.

The five notices sent out after the DOJ briefly reappraised its notice obligations are probably the last we'll see for awhile. The DOJ clearly isn't interested in adhering to the statute. It has spent the intervening months perfecting its source obfuscation. It also may have obtained official legal guidance (from the Office of Legal Counsel) that "explains away" its obligation to inform defendants of the source of evidence. If so, the American public won't be apprised of the DOJ's interpretation of its notice obligations any time soon. The US government has made it almost impossible for the public to discover the legal rationales for its national security efforts.

The government likes its secrets. And it also likes to be challenged as infrequently as possible. That's the other reason the DOJ is burying links to FISA-authorized surveillance.
Crucially, it’s not only the rights of criminal defendants that are at stake, and it’s not only Section 702 surveillance that is implicated by the government’s cramped view of its notice obligations. The government’s use of standing doctrine and the state secrets privilege in civil cases has left precious few ways of obtaining public, adversarial court review of surveillance programs. If the government can regularly avoid its duty to give notice to criminal defendants, it will have succeeded in all but closing the courthouse doors to cases challenging surveillance that affects millions.
Few plaintiffs have been granted standing in national surveillance-related lawsuits and I'm sure that small number is still far more than the government would like to see. That number isn't going to increase anytime soon, not with the DOJ treating its notice obligations as entirely optional or never applicable.

Permalink | Comments | Email This Story

15 Dec 21:53

You now have to get a license to use consumer-grade drones

by Quentyn Kennemer
Brindle

Terrible. No federal license for assault weapons but toys? yea.

Drones — the consumer type often featured at Android Area, not the big spy machines the governments use — have exploded in popularity in recent years, and many people are taking to the skies to fly their own small air vehicles. These drones tend to be safe in responsible hands and haven’t caused many problems yet, but the FAA wants to get a handle on this thing in the early going before air space is dominated by people exercising their right to enjoy their hobby.

You are now required to register to operate any drone that weighs between 0.55 and 55 pounds, which pretty much covers the entire gamut of consumer technology available. Registration costs $5 and lasts for three years, and if you register before January 20th you'll get your money back (but is anyone really fretting over $5?).

Registration requires giving your name, email address and mailing address to the FAA, though those are also small prices to pay to ensure you can continue flying without a problem. It may be annoying, but the government typically doesn’t mess around when it comes to ensuring public safety, and their desire to start regulating drone usage is a natural step as the technology matures and becomes more popular. Registration begins December 21st, and you can do so right here.

15 Dec 18:30

Congress Drops All Pretense: Quietly Turns CISA Into A Full On Surveillance Bill

by Mike Masnick
Brindle

"Removes the requirement to "scrub" personal information unrelated to a cybersecurity threat before sharing that information. "

Remember CISA? The "Cybersecurity Information Sharing Act"? It's getting much, much worse, with Congress and the administration looking to ram it through -- in the process, dropping any pretense that it's not a surveillance bill.

As you may recall, Congress and the White House have been pushing a "cybersecurity" bill for a few years now that has never actually been a cybersecurity bill. Senator Ron Wyden was one of the only people in Congress willing to stand up and directly say what it was: "it's a surveillance bill by another name." And, by now, you should know that when Senator Wyden says there's a secret interpretation of a bill that will increase surveillance and is at odds with the public's understanding of it, you should listen. He's said so in the past and has been right... multiple times.

Either way, a version of CISA passed the House a while back, with at least some elements of privacy protection included. Then, a few months ago it passed the Senate in a much weaker state. The two different versions need to be reconciled, and it's been worked on. However, as we noted recently, the intelligence community has basically taken over the process and more or less stripped out what few privacy protections there were.

And the latest is that it's getting worse. Not only is Congress looking to include it in the end of year omnibus bill -- basically a "must pass" bill -- to make sure it gets passed, but it's clearly dropping all pretense that CISA isn't about surveillance. Here's what we're hearing from people involved in the latest negotiations. The latest version of CISA that they're looking to put into the omnibus:
  1. Removes the prohibition on information being shared with the NSA, allowing it to be shared directly with NSA (and DOD), rather than first having to go through DHS. While DHS isn't necessarily wonderful, it's a lot better than NSA. And, of course, if this were truly about cybersecurity, not surveillance, DHS makes a lot more sense than NSA.
  2. Directly removes the restrictions on using this information for "surveillance" activities. You can't get much more direct than that, right?
  3. Removes limitations that government can only use this information for cybersecurity purposes and allows it to be used to go after any other criminal activity as well. Obviously, this then creates tremendous incentives to push for greater and greater information collection, which clearly will be abused. We've just seen how the DEA has regularly abused its powers to collect info. You think agencies like the DEA and others won't make use of CISA too?
  4. Removes the requirement to "scrub" personal information unrelated to a cybersecurity threat before sharing that information. This was the key point that everyone kept making about why the information should go to DHS first -- where DHS would be in charge of this "scrub". The "scrub" process was a bit exaggerated in the first place, but it was at least something of a privacy protection. However, it appears that the final version being pushed removes the scrub requirement (along with the requirement to go to DHS) and instead leaves the question of scrubbing to the "discretion" of whichever agency gets the information. Guess how that's going to go?
In short: while before Congress could at least pretend that CISA was about cybersecurity, rather than surveillance, in this mad dash to get it shoved through, they've dropped all pretense and have stripped every last privacy protection, expanded the scope of the bill, and made it quite clear that it's a very broad surveillance bill that can be widely used and abused by all parts of the government.

There is still some hesitation by some as to whether or not this bill belongs in the omnibus bill, or if it should go through the regular process, with a debate and a full vote on this entirely new and different version of CISA. So, now would be a good time to speak out, letting your elected officials and the White House know that (1) CISA should not be in the omnibus and (2) that we don't need another surveillance bill.

In the meantime, if Congress were actually serious about cybersecurity, they'd be ramping up the acceptance and use of encryption, rather than trying to undermine it.

14 Dec 21:22

Dave Chappelle Thinks A Sock And A Dream Will Keep People From Using Phones At Shows

by Karl Bode
During a recent 13-night run at Thalia Hall in Chicago Dave Chappelle tried something different. He partnered with a company by the name of Yondr in an attempt to keep attendees from not only taking photos or videos, but from so much as sending an emoji during the program. Yondr's solution to public performance cell phone etiquette is basically a smart cell phone sock. Or perhaps a cell phone cozy if you're a grandma (hi grandma). Effectively it's a pouch that attendees of an event are forced to put their devices in if they want to enter the performance:
Fig. 1: a decidedly sexy phone cozy (image: Yondr)
The technology claims to be relatively effortless, with a performance venue surrounded by a perimeter. Inside of said perimeter, the phone in the sexy sock is locked and won't work. To use your phone (or, say, call 911), users need to exit through a set of technically-unspecified sensor gates, and head out the lobby:
"Attendees at any of Chappelle's 13 sold-out Thalia Hall performances will be greeted by staffers handing out gray smartphone sleeves, available in three sizes. They are then instructed to place their phones inside the sleeves and fasten them, at which point they are welcome to carry them inside the venue.

As soon as they enter the "no-phone zone," however, the pouches will have locked shut, preventing anyone from firing off so much as a winking emoji. Need to make a call or send an email? No problem. Simply leave the designated zone (and head, say, to the lobby bar), and, as you move past several strategically placed stations, the pouches can now magically be unlocked."
It's obvious to see the appeal for some folks given the recent hysterics surrounding bizarre behavior during Broadway performances. And while admittedly most of us remain nitwits when it comes to cell phone etiquette, it's hard to not see the peaceful cozy cell phone sock as a bit of a pipe dream.

As it stands, there's nothing stopping an individual from hiding a phone, with the act of removing that person probably causing more disruption to the audience and artist than just letting them take a photo would have. It also seems inherently dangerous in the age of seemingly endless mass shootings to disrupt all cell phone communications in an entire venue, which is why the FCC has historically banned outright cell phone signal blocking (Yondr claims that venue staff's phones will still work, but it still seems dangerous).

I think it probably feels good to believe you're force feeding civility and decorum upon the brutish and inconsiderate masses, but at the end of day, those thinking that hope and a phone cozy are a replacement for etiquette (or will stop people from recording their experiences) will probably be disappointed, especially as we stumble toward our inevitable, transhumanist future, and our implants, phones, cameras, and other devices become increasingly difficult to detect.

14 Dec 14:21

Driver Leaves Scene Of Accident, Gets Turned In By Her Car

by Tim Cushing
Brindle

do not want.

It's no secret today's vehicles collect tons of data. Or, at least, it shouldn't be a secret. It certainly isn't well-known, despite even some of the latest comers to the tech scene -- legislators -- having questioned automakers about their handling of driver data.

More than one insurance company will offer you a discount if you allow them to track your driving habits. Employers have been known to utilize "black boxes" in company vehicles. These days, the tech is rarely even optional, although these "event data recorders" generally only report back to the manufacturers themselves. Consumer-oriented products like OnStar combine vehicle data with GPS location to contact law enforcement/medical personnel if something unexpected happens. Drivers can trigger this voluntarily to seek assistance when stranded on the road because of engine trouble, flat tires, etc.

They can also trigger this involuntarily, as one Florida woman found out.

Police responded to a hit-and-run in the 500 block of Northwest Prima Vista Boulevard on Monday afternoon. The victim, Anna Preston, said she was struck from behind by a black vehicle that took off. Preston was taken to the hospital with back injuries.

Around the same time, police dispatch got an automated call from a vehicle emergency system stating the owner of a Ford vehicle was involved in a crash and to press zero to speak with the occupants of the vehicle.
The owner of the vehicle seemed surprised to be receiving a call from a 911 dispatcher. The driver, Cathy Bernstein, first claimed she hadn't been in an accident. Unfortunately for her, the call had been triggered by her airbag deploying. That can happen without a corresponding impact, but rarely enough that the dispatcher sent police officers to the driver's home following the phone call.

At that point, her story changed.
Police went to Bernstein's home on Northwest Foxworth Avenue and saw that her vehicle had extensive front-end damage and silver paint from Preston's vehicle on it. Bernstein's airbag had also been deployed.

Police said Bernstein again denied hitting another vehicle, saying she had struck a tree.
From that point, the story gets even better.
It was later discovered that Bernstein had been involved in another accident prior to the one with Preston and was fleeing from that incident.
The whole recording is worth a listen, especially as Bernstein buys time after being blindsided by the unexpected incoming call.
Dispatcher: Are you broke down?
Bernstein: No. Unfortunately [looooooong pause] I'm fine.

[...]

Bernstein: The guy who hit me […] I could not control that.
Dispatcher: So, you HAVE been in an accident.
Bernstein: [pause, then very slowly] No.
In this case, the system worked, although not in the way anyone really expected. Someone who thought they had gotten away with two consecutive hit-and-runs found herself talking to police officers after her car tried to help her out by dialing 911. The onboard system is meant to ensure the safety of the driver. In this case, it was apparently everyone else that needed the protection, but the circuitous route still reached the most desirable conclusion.

11 Dec 18:50

FBI Director Says 'Smart People' At Office Supply Companies Can Help Limit Terrorists' Access To Pen And Paper

by Tim Cushing
Brindle

Feels like an onion article... surely our government isn't really this naive.

Another terrorist attack (this one thwarted) has renewed calls for private companies to work more closely with law enforcement and intelligence agencies.

The pair were arrested in counter-terror raids in Sydney’s west yesterday with police saying they and three other conspirators were involved in “formulating documents connected with preparations to facilitate, assist or engage a person to undertake a terrorist act”.

The group of alleged extremists used handwritten notes to plot a Sydney attack in a bid to circumvent police and ASIO surveillance, The Australian reports.

The scrawled messages circulating between the group allegedly detailed an attack on a government building, believed to be the AFP's Sydney headquarters.
FBI Director James Comey has spent the last several months expressing his concern that criminals and terrorists are eluding justice by using off-the-shelf products offered by manufacturers nationwide -- paper, pens, shredders, trash cans, etc.*
"We aren't seeking anything more than what we've always been able to obtain with court orders, subpoenas and warrants. But now, this information is unavailable to us, thanks to decisions being made by some very smart people who have, for whatever reason, decided to start supplying their customers with these items."
Comey acknowledged that a legislated ban on these items is highly unlikely, but pointed out that the lack of access to handwritten notes was on its way to becoming a day-to-day occurrence for law enforcement.
"The reality is that terrorist plots are going to be carried out, kids are going to be kidnapped and to-do lists are going to be executed -- and law enforcement will be locked out. We go to Georgia-Pacific, Bic or Royal with a warrant and we still can't obtain the communications we're seeking because these companies have decided to allow their customers to use a destructible form of communication."
Addressing his critics, Comey coldly noted that approaching third parties for access to these communications has also been a dead end.
"We've sought the assistance of Staples, Office Depot and other office supply retailers, but have been stymied completely by the incredulous laughter of their legal representatives, along with their demands to know whether 'we're serious' and 'Where's the camera? Is this one of those punk'd shows?'"
Comey again expressed his belief that a solution is out there, but it takes law enforcement and nation's top office supply companies working together.
"There are some very smart people running these companies and I think if they were willing to apply themselves to the problem, they could come up with a solution."
The administration has less-than-firmly stated that it won't look into mandating the elimination of this communication method. Congress has similarly shown little support for Comey's quest to achieve the impossible.

But some long-time supporters of the NSA -- along with presidential candidates who believe everything the AP prints -- are calling for more extreme measures to be taken in response to recent terrorist attacks.

Sen. Tom Cotton, Marco Rubio and a handful of others are touting a plan for mandatory internet usage.
"Extremists and terrorists are hiding behind pen-and-paper while carrying out their violent plans. This is unacceptable. If the nation is going to be secure, citizens and non-citizens residing in the US should be required to use internet-based communication methods, preferably of the unencrypted variety."
Comey agreed that something must be done to prevent today's criminals from "going looseleaf." The key, he says, is no longer in the government's hands. It's in the hands of private companies, who he feels are more interested in their bottom line than a secure nation.

"It's not a security issue. It's a business model issue," Comey said, adding that customers should pressure companies into abandoning the production of these archaic items. "In a world where iPad-like devices are as prevalent as National Security Letters, it makes no sense for the Hammermills of the nation to continue to offer archaic communication methods."

*Just in case it wasn't obvious, nothing in the above post actually happened other than the thwarted terrorist attack in which the suspects used handwritten notes to avoid surveillance. They also used text messages, which was (part of) their downfall. But arguments against encryption because some bad people use it are no different than arguments against pen/paper, which also helps bad people avoid the scrutiny of law enforcement.

10 Dec 21:27

1992 Me Is So Happy: Crystal Pepsi Is Coming Back

Brindle

oh my...

Pepsi has just announced the return of 1992's must-drink novelty soda, Crystal Pepsi. Tomorrow (December 10th), the company will send a free six-pack to 13,000 lucky winners who download Pepsi's customer rewards app (Pepsi Pass), but the drink will allegedly hit stores nationwide in July. Unlike the original, the new version will be caffeinated. Also unlike the original, I have no intention of shooting the new one out of my nose in front of my middle school crush and ruining my chances of ever dating. I can close my eyes and still hear her laughing. And not laughing with me either, laughing at me and pointing and trying to think of a new horrible nickname to call me. Then the class bully gave me a wedgie and life has been pretty much rock bottom ever since. Keep going for their time-traveling announcement commercial. Thanks to everyone who sent this, at least two of which mentioned having unopened original bottles in the back of their closets. Those two people are nasty.

09 Dec 19:36

Cable Company Publicly Shames, Lectures Overdue Customers On Facebook

by Karl Bode
Brindle

Wow.

Apparently bored by the traditional route of collection agencies and courtesy, one Canadian cable operator recently decided to try something different: it started posting the names and account balances of customers with overdue accounts on Facebook. After complaining that it "always get excuses from everybody," Senga Services in Fort Simpson, Canada started posting the notices to all manner of local community Facebook pages. Not content with that, at least one of the company's representatives thought it was a good idea to lecture locals on fiscal responsibility and living "within one's means."

Not too surprisingly, locals weren't too impressed with the cable operator's new bedside manner:
"Connor Gaule, an administrator of the popular Fort Simpson Bulletin Board page, took the post down immediately. "I thought that it was kind of illegal for her to be posting the people in arrears," he said. "And there's better ways to go about it. Especially on social media, where half the people on that list are elders that don't have access to that."

...Michelle Léger, a Fort Simpson resident studying in Fort Smith, said the post "just wasn't right." "If I had been a person on that list, I would have been really embarrassed," she said. "It's publicly shaming people. That's kind of abusive to your customer base."
Except, as we all know, the cable company doesn't have to care about whether or not it's abusing its customers, because usually it's the only game in town. Senga responded by insisting that not only was the practice effective, it's legal under Canada's Personal Information Protection and Electronic Documents Act for companies to disclose personal information without consent -- if "the disclosure of the information is necessary in order to collect a debt owed to the organization."

Not true, says the Canadian government. A few days after the original story broke, the CBC asked the Office of the Privacy Commissioner of Canada whether Senga's behavior crossed the line, and the agency stated the law doesn't say what Senga thought it did:
"In an email response, Tobi Cohen, a senior communications adviser at the office, told CBC that Senga Services had been contacted and "the company has complied with our request to take down the post." Cohen wrote that the Personal Information Protection and Electronic Documents Act "allows organizations to use or disclose people's personal information only for the purpose for which they gave consent."

"There is also an over-arching clause that personal information may only be collected, used and disclosed for purposes that a reasonable person would consider appropriate under the circumstances." Cohen also wrote that were an individual to make a complaint to the Office of the Privacy Commissioner, the office "could look at investigating further."
After a wrist slap from the Privacy Commissioner Senga has backed away from the practice, and returned to what cable companies historically do best: doing a piss poor job of providing an extremely expensive service.

09 Dec 14:03

New Mexico Legislators Sue City For Refusing To Follow New Asset Forfeiture Law

by Tim Cushing
Brindle

screw those pesky laws, we have budgets to fill... - "after the city has refused to stop seizing residents’ cars, despite a law passed earlier this year ending the practice of civil asset forfeiture."

Earlier this year, the state of New Mexico passed one of the most solid pieces of asset forfeiture reform legislation in the country. All it asked for was what most people would consider to be common sense: if the government is going to seize assets, the least it could do in return is tie the seizure to a conviction.

Now, the state is finding out that bad habits are hard to break. CJ Ciaramella reports that the government is going after another part of the government for its refusal to stop taking stuff without securing a conviction.

Two New Mexico state senators are suing Albuquerque after the city has refused to stop seizing residents’ cars, despite a law passed earlier this year ending the practice of civil asset forfeiture.

In a lawsuit filed Wednesday, New Mexico state senators Lisa Torraco and Daniel Ivey-Soto said Albuquerque is defying the new law and “has continued to take property using civil forfeiture without requiring that anyone—much less the property owner—be convicted of a crime.”
These would be the two senators who pushed for the much-needed reform. They managed to get the law passed, but Albuquerque (along with other cities in the state) hasn't shown much interest in altering its tactics. The only incentive the new law has on its side is the threat of legal action or legislative pressure. The old incentives -- hundreds of thousands of dollars -- are still motivating local law enforcement.
Albuquerque has a particularly aggressive program to seize vehicles from drivers suspected of DWI. According to the Albuquerque Journal, the city has seized 8,369 vehicles and collected more than $8.3 million in forfeiture revenues since 2010.
The city's attorney argues this newly-illegal activity is still legal, because drunk driving.
“Our ordinance is a narrowly-tailored nuisance abatement law to protect the public from dangerous, repeat DWI offenders and the vehicles they use committing DWI offenses, placing innocent citizens’ lives and property at risk,” city attorney Jessica Hernandez said in a statement to BuzzFeed News. “The ordinance provides defenses to forfeiture to protect innocent owners and has been upheld by the courts.”
Yes, all asset forfeiture statutes and ordinances theoretically provide "defenses to forfeiture" and have been "upheld by courts." That doesn't make them right, especially when a law directly governing the city's actions has been passed and forbids the very thing it continues to do.

And as for the DWI excuse, the city itself admits that half the vehicles it seizes do not belong to the person driving them. So, all it's really doing is taking cars because it can, not because it has any interest in preventing drunk drivers from driving. Then it lays the burden of proof -- along with the time and expense of fighting these seizures -- on the people whose vehicles have been taken (often for the actions of someone else) and calls it a reasonable avenue of "defense to forfeiture."

Once vehicles are seized, it generally takes $850 to liberate them. Most are auctioned. This money then becomes part of a cash-heavy feedback loop by going directly to the prosecutors and police departments who run the seizure program.

Stacking the deck further is the fact that the city counts its seizures before they're seized as part of its budgetary plans.
According to Wednesday’s lawsuit, Albuquerque forecasts how many vehicles it will not only seize but sell at auction. The city’s 2016 budget estimates it will have 1,200 vehicle seizure hearings, release 350 vehicles under agreements with the property owners, immobilize 600 vehicles, and to sell 625 vehicles at auction.
When government agencies have predetermined the number of vehicles they will need to seize to hit budget projections, they will do everything in their power -- including, apparently, ignoring new laws forbidding this sort of thing -- to ensure the number of vehicles they seize is the number of vehicles they planned to seize. The incentives could not be more perverted and yet government officials claim the system will somehow result in only the vehicles of the truly guilty being taken and sold to pay for more vehicles being taken and sold.

03 Dec 22:28

IRS Looking To Purchase Another Stingray; Promises To Start Obtaining Warrants

by Tim Cushing

Now that it's been a few weeks and we're used to the idea that the IRS has a Stingray device, more information has arrived to put us slightly more ill at ease. Sen. Ron Wyden asked IRS head John Koskinen some pointed questions about the IRS's cell tower spoofer ("WTF?" wasn't one of them) and has received some answers.

The IRS assures Wyden -- and by extension, the American public -- that it only uses them correctly and in a limited fashion through its criminal investigation division.

IRS use of cell-site simulation technology is limited to the federal law enforcement arm of the IRS, our Criminal Investigation division. Only trained law enforcement agents have used cell-site simulation technology, carrying out criminal investigations in accordance with all appropriate federal and state judicial procedures.
The IRS has only one* Stingray at this point, but is acquiring another, because you just can't have enough cell site simulators these days. It will also start obtaining warrants, in accordance with the DOJ's non-legally-binding suggestion that its agencies do so going forward.

*Possibly two -- see Marcy Wheeler's comments towards the end of this post.

But everything it said above about its Stingray use being limited to the IRS's Criminal Investigation division isn't exactly true. It may have sent its agents out to assist other law enforcement agencies with their work, but it did not limit its Stingray usage to its own investigations.
In addition, IRS-CI has used the cell-site simulator to assist in four non-IRS-CI investigations, one other federal and three state investigations. The federal case was a Drug Enforcement Agency (DEA) federal grand jury narcotics investigation, and tracked one cellular device. In this instance, IRS-CI operated the cell-site simulator, based upon the appropriate federal court order obtained by DEA, and followed all applicable laws under the guidance of an Assistant United States Attorney. The three state cases were non-grand jury investigations involving attempted murder, murder, and gun trafficking, and tracked six cellular devices.
So, the IRS sent its Stingray out to assist other agencies with their investigations. It's understandable that the DEA would be aware the IRS had a Stingray in its possession, but the three state investigations were performed by local agencies that somehow knew to ask the IRS if it had a cell site simulator they could borrow.

Even more absurd is the fact that the IRS is in the process of acquiring another cell site simulator. It's not as though it's worn the other one out, as Marcy Wheeler notes.
In other words, over the course of its almost 4 year life, the Stingray has tracked just 44 devices.

That seems to suggest this tracking isn’t just a quick one-off, otherwise they wouldn’t need another device, as they’re currently in the process of getting.

Perhaps however, this is a testament to the obsolescence of these devices. In his response to Wyden, Koskinen doesn’t mention the Stingray IRS bought in 2009, suggesting it may not be in use anymore.

The government is sure blowing through these expensive surveillance toys in quick succession.
If everything adds up (including Daniel Rigmaiden's exposure of the IRS's cell phone tracking efforts in his case), this would be the third device the IRS has purchased -- or at least the third it will have access to. Stingrays aren't cheap and at ~4 deployments a year, it would seemingly make more sense for the IRS to borrow one from another federal agency when it needs one, rather than acting as a small-time Stingray lending library for state agencies.

If Wheeler's other conjecture is accurate -- that these devices need periodic replacement -- then Harris is no different than a host of other tech manufacturers who make planned obsolescence an integral part of the business model.

03 Dec 20:36

Congress Still Fighting SEC's Investigation Of Alleged Insider Trading By Its Members

by Tim Cushing

Congress is once again declaring its willingness to hold everyone in the nation accountable for their actions, present party excepted.

Back in 2011, it was revealed that members of Congress were participating in insider trading. Spending a great deal of time conversing with lobbyists tends to result in the discussion of information that has yet to be made public. Legislators, being the opportunists they are, chose to buy and sell stock based on this insider info. Lobbyists -- also opportunists -- sometimes did the same thing. And it was all perfectly legal... at least for Congress.

This revelation did nothing to increase the public's goodwill towards its so-called "representatives." With its approval percentage (15%) sliding below that of Bernie Madoff's personal loan applications, Congress swiftly acted to close this loophole in the law.

Two years later, with everyone safely re-elected, Congress quietly excised the disclosure requirement in the new law, making it virtually impossible to verify whether or not it was actually playing by the rules it had made for itself. Predictably, it called the disclosure of such information a "national security risk."

Meanwhile, the SEC opened an investigation into Congressional insider trading related to health insurance companies. Congress refused to answer subpoenas or provide documents to the Commission. When ordered to by a federal judge, the House Ways and Means Committee gently explained that it could do whatever the fuck it wanted to.

The U.S. House Ways and Means Committee and a top staff member say the panel and its employees are "absolutely immune" from having to comply with subpoenas from a federal regulator in an insider-trading probe.
Two years later, Congress is still arguing that rules and laws are for people who can't write their own rules and laws. Judge Paul Gardephe didn't buy Congress' arguments that its conversations with lobbyists were so "privileged" they couldn't be examined by another federal agency. He also pointed out that the "immunity" it relied on was carved out by the very law it had passed to address insider trading and a steep drop in approval ratings.
On November 13, U.S. District Judge Paul Gardephe agreed with most of the SEC’s claims and ordered Congress to comply with the subpoena within 10 days. “Members of Congress and congressional employees are not exempt from the insider trading prohibitions arising under the securities laws,” he wrote. Gardephe reminded the attorneys that “Congress barred such claims of immunity when it adopted” the STOCK Act.
Congress' top lawyer fought back, claiming certain, very specific words were missing from the STOCK Act and that legislators' immunity was still intact.
Kerry W. Kircher, the House general counsel, requested more time. Then, shortly before Thanksgiving, on November 25, he filed a motion to appeal the subpoena to the 2nd Circuit. Kircher argued that the STOCK Act did not explicitly authorize the SEC to issue subpoenas to Congress, even to investigate insider trading.
This may not result in the investigation being scuttled or the lawsuit being tossed, but it does buy Congress more time to figure out its next accountability-dodging move. Meanwhile, Congress members are doing what they can to ensure that the SEC's battle to hold them even as accountable as their own STOCK Act promised will be long, expensive and, they hope, ultimately fruitless. These efforts are also shady as hell.
Away from the spotlight, however, congressional leaders continue to fight enforcement and to shore up the target of the SEC inquiry. Rep. Pat Tiberi, R-Ohio, and Rep. Diane Black, R-Tenn., two lawmakers who served on the same committee as Sutter, have used PAC money to donate to the legal defense fund set up to defend him.
Campaign funding -- itself a toxic wasteland where morality and ideals go to die -- is being rerouted to defend Bruce Sutter, a former Ways and Means Committee member who allegedly passed on non-public Medicare reimbursement information to a lobbyist for the law firm Greenberg Traurig. Not only will Congress members let nothing stand in the way of personally profiting from their time in office, they'll also apparently ensure those who previously got away with it will continue to elude being held accountable.

02 Dec 18:05

Mom, My Barbie Needs A Better Firewall

by Karl Bode
Brindle

Will not connect child toys to the internet...

Earlier this year, we noted that Barbie had received a face lift for the internet of things age. Hello Barbie is able to take commands from your kids, but also connects to your home Wi-Fi network to shovel your children's conversations to the cloud -- purportedly to improve Barbie's voice recognition technology. At the time, groups like the Campaign for a Commercial Free Childhood complained that monetizing the ramblings of toddlers was a line that shouldn't be crossed, given that kids would no longer be talking to a doll, they'd be "talking directly to a toy conglomerate whose only interest in them is financial."

But beyond the ethical implications of marketing to kids is the more pressing lack of security and privacy standards apparent in most IoT devices. As hacked automobiles, tea kettles and refrigerators all perfectly illustrate, companies are so eager to cash in on the connected age that they "forget" about securing the end user. And now, as the VTech hack recently illuminated, your kids' toys are no exception. Neither is Hello (I'm an NSA operative) Barbie.

A security researcher last week found it rather trivial to modify the doll to "access system information, Wi-Fi network names, its internal MAC address, and account IDs," noting it would be easy to change what's collected and even where that data is stored. Granted, in Skynet Barbie's case, this requires physically obtaining the doll and torturing it. But the physical security of Barbie is only half the equation. Data's also obviously stored in the cloud, and Barbie's shiny new privacy policy warns kids this data can all be subpoenaed (so be good for goodness' sake):
"There are all sorts of issues about where that info is going, who’s listening and what it’s being used for and how it might come back to haunt you,” said Lori Andrews, Professor IIT Kent College of Law. Andrews describes the doll as a miniature surveillance device that can also record whatever else is going on in the room. The lengthy Barbie privacy statement discloses the company will report “a conversation that raises concern about the safety of a child or others”. “The company has said it’s going to take on the role of alerting the authorities,” said Andrews. “And in their privacy statement they also say they’re going to respond to legal subpoenas."
Here you were thinking you were just buying your child a Barbie. Little did you know you were providing an internal mole for use in future custody hearings. And again, as the VTech hack reiterates, physical security of the toy itself is only a small part of the equation. Companies are so damn enamored with the lure of the Internet-of-whatsa-doodles, they tend to not only forget to secure the device, the transmission, and the storage, but they very often hungrily collect way more data than is actually necessary. The end result is a modern household full of toys, appliances and devices guarded by what's at best papier-mâché grade security standards.

02 Dec 04:46

Appeals Court Says Secret Drone Memos Can Stay Secret

by Tim Cushing

The Second Circuit Court of Appeals has ruled that certain legal memos justifying the government's drone strikes can remain secret. The long-running FOIA lawsuit involving the New York Times and the ACLU has been covered previously here. At the center of this FOIA lawsuit are more than 100 legal opinions from the DOJ's Office of Legal Counsel (OLC) that provide the legal argument for the extrajudicial killing of suspected terrorists.

A few of these documents have made their way into the public's hands, thanks to the two plaintiffs, aided in no small part by government officials citing the memos in other documents and commenting publicly about the drone strike program.

But there are still a few memos being held back. The "most transparent administration" has been very active in ensuring the Freedom of Information Act doesn't live up to its stated ideals. Nine of these memos have been officially buried by the Appeals Court, which apparently believes the government when it says the legal guidance memos it uses to justify its drone strike program are nothing more than "discussions" with lawyers that are exempted from disclosure. Brett Max Kaufman at Just Security points out the flaws in the court's rationale.

In an OLC memorandum published, ironically or not, the same day (July 16, 2010) and over the same signature (David Barron’s) as the targeted killing memorandum released at the Second Circuit’s behest last year, the OLC explains that its “central function” is to provide “controlling legal advice to Executive Branch officials.” And not even two weeks ago, the acting head of the OLC told the public that even informally drafted legal advice emanating from his office is “binding by custom and practice in the executive branch,” that “[i]t’s the official view of the office,” and that “[p]eople are supposed to and do follow it.”
Both sides of this "discussion" (OLC, Obama administration) continue to claim there's nothing binding in these memos when fighting to keep them secret, but both treat the secret documents as binding. The court, however, has resolved these contradictory statements in favor of the government.

On top of that -- via reasoning almost completely hampered by the court's inability to disclose almost anything about the disputed documents or the government's ex parte submissions and in camera discussions -- the court has chosen to allow one of the most controversial memos to remain in the government's possession.
[T]he Second Circuit’s new opinion endorses the continued official secrecy over any discussion of a document that has supplied a purported legal basis for the targeted killing program since almost immediately after the September 11 attacks. The document — a September 17, 2001 “Memorandum of Notification” — is not much of a secret. The government publicly identified it in litigation with the ACLU eight years ago; the Senate Intelligence Committee cited it numerous times in its recent torture report; and the press frequently makes reference to it. Not only that, but the Central Intelligence Agency’s former top lawyer, John Rizzo, freely discussed it in his recent memoir.

According to Rizzo, the September 17 MON is “the most comprehensive, most ambitious, most aggressive, and most risky” legal authorization of the last decade and a half — which is saying something.
This memo apparently contains the OLC's justification for the extrajudicial killing of targets "outside of recognized battlefields." According to Kaufman, the memo also likely contains the DOJ's "workaround" to bypass the restrictions on "assassinations" contained in Executive Order 12333. If so, these justifications would very much be of public interest, while simultaneously being something the administration (this one or the last one) would have no interest whatsoever in making public.

The Freedom of Information Act wasn't passed with the intention of making the government only as transparent as it wants to be. It was a forced change. The government didn't voluntarily decide to grant the public access to its inner workings. Siding with the administration by buying into its "discussions with counsel" arguments subverts the spirit of the law by using the letter of the law against the public.

01 Dec 16:31

DOJ Says Body Camera-Wearing Cops Aren't Allowed To Partner Up With Federal Agencies

by Tim Cushing

As we've covered before, the DOJ supports the idea of body cameras for local law enforcement agencies. It has set aside over $20 million a year in funding to help these agencies out. But it has no love for body cameras within its own agencies. There are no body cam requirements in place for FBI, DEA, ATF or the US Marshals Service.

In fact, if you're a member of a law enforcement agency which does have mandated body cams, you're no longer welcome to play with the big boys. (Subscription required. For everyone else, here's a way to get around the Wall Street Journal's pay sieve.)

[T]he department is telling some of its agents they cannot work with officers using such cameras as part of joint task forces, according to people familiar with the discussions.

[...]

At a meeting of Marshals supervisors several weeks ago in Colorado, Assistant Director Derrick Driscoll announced that the agency wouldn’t allow any local law-enforcement officers wearing body cameras to serve on Marshals task forces, according to several people who attended the meeting.
Do as we say, not as we do? The DOJ has an excuse for that. Currently, it has no guidelines in place for the use of body cameras. It wants other law enforcement agencies to get right on that, but seems to be in no particular hurry to equip its own personnel, much less even move towards getting the process underway.
A Justice Department spokesman said the agency “is looking into this issue and has been consulting with the law enforcement components” within the department.
I would imagine its "components" would rather not have additional accountability pinned to their chests, but it's not as though the DOJ hasn't had several months to carry out its "consulting." It can't stay abreast of small law enforcement agencies in terms of body cameras despite its access to far more money and power.

The only conceivable reason for this stasis is a lack of desire to move in the direction of additional accountability. More evidence of this reluctance can be found in nonsensical statements made to the Wall Street Journal.
Jon Adler, president of the nonprofit Federal Law Enforcement Officers Association, said there are good reasons to keep parts of the Marshals’ work out of the public eye. Witnesses and informants could be inadvertently exposed, he said, and fugitives could learn the Marshals’ tactics and how to evade them.
Ah, the old "expose police methods" excuse. Wonderful. This has been used to keep everything from Stingray surveillance to police department budgets secret. The manhunters would become the hunted… or at least the easily-evaded, if body cameras were activated during the apprehension of a suspect. Secret methods like physical force, lots of shouting and handcuffs would be exposed by body camera footage. Adler's a bit more on point when discussing witnesses and informants, but even so, video can still be "redacted." That technology has been with us since the debut of COPS over 25 years ago.

Adler's next contention is even worse.
“The Marshals hunt down and apprehend the most despicable and violent people. When you engage in that type of mission, it wasn’t intended to be pretty and it won’t be pretty,” Mr. Adler said. “We don’t want the great work the Marshals Service does to devolve into bad reality TV or a sequence of bad YouTube videos.”
Blame the media/internet indirectly. Because incidents are far more nuanced (supposedly) than the average YouTube viewer could possibly comprehend, let's just keep the Marshals camera-free. This sounds suspiciously like FBI Director James Comey's "Ferguson Effect" copsplaining. The fact that cameras exist makes it harder for police officers to do their job, what with the dangers posed by outside observation.

If local agencies are sporting body cams, so can the feds. There's no reason they should be excepted from this tool of accountability. If anything, the DOJ should be leading by example, rather than saying they're only a good idea for everyone else.

01 Dec 15:36

Open Insulin Project Could Help Save Thousands Of Lives And Billions Of Dollars

by Glyn Moody

Techdirt has written a few times about the pharmaceutical industry's use of "evergreening", whereby small, sometimes trivial, changes are made to drugs in order to extend their effective patent life. It turns out the technique is applied to one of the most widely-used drugs of all, insulin:

There are currently about 387 million people worldwide living with diabetes. Meanwhile, as discussed by Jeremy A. Greene and Kevin R. Riggs in their March 2015 article in the New England Journal of Medicine, there is no generic insulin available on the market despite great demand in poorer communities and regions of the world. As a result, many go without insulin and suffer complications including blindness, cardiovascular disease, amputations, nerve and kidney damage, and even death. Pharmaceutical companies patent small modifications to previous insulins while withdrawing those previous versions from the market to keep prices up.
The obvious solution is to produce a generic version of insulin that can be sold cheaply enough that nobody dies or suffers complications simply because they cannot afford Big Pharma's hefty price tags. That's just what the Open Insulin project, with its crowdfunding page, aims to do:
A team of biohackers is developing the first open source protocol to produce insulin simply and economically. Our work may serve as a basis for generic production of this life-saving drug and provide a firmer foundation for continued research into improved versions of insulin.
As well as making insulin more readily available to those in the poorer communities, the Open Insulin project could save Western countries huge sums too. As an article in Popular Science explains:
Since there are no generic versions available in the United States, insulin is very expensive -- that cost was likely a large proportion of the $176 billion in medical expenditures incurred by diabetes patients in 2012 alone.
Any project that could help save thousands of lives and billions of dollars would be noteworthy. What makes Open Insulin even more remarkable is that it is operating on a shoestring -- the initial crowdfunding target was just $6,000, already surpassed -- and that it intends to put all its results in the open:
All protocols we develop and discoveries generated by our research will be freely available in the public domain. We will also be proactively investigating strategies to protect the open status of our work.
However, it's important to keep those exciting prospects in perspective. The Popular Science article includes a comment from the Kevin Riggs mentioned in the Open Insulin quotation above. He doesn't believe that Open Insulin on its own will be enough to bring a generic insulin drug to the market:
"I don't think the major hurdle is that the companies don't know how to make insulin, because that part is reasonably straightforward," he says. "The real hurdles are getting the drug approved by the FDA (and since insulin is a biologic drug, it requires a lot more original data than an application for a small-molecule generic would), and then upfront manufacturing costs (because making a biologic drug is different, so it requires different equipment)." He suspects that it will take "an altruistic entity with a lot of start-up money" to make generic insulin commercially available.
That may be so, but at least the Open Insulin project is doing something in an attempt to change the status quo that sees huge numbers of people suffering unnecessarily. In any case, Open Insulin is a wonderful demonstration of how much biohacking has advanced, allowing suitably-skilled people to make potentially important contributions to global health. Let's hope it does eventually lead to a generic insulin that can be made available around the world very cheaply.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+



30 Nov 19:05

L.A. Politician Proposes Bold Plan To Wreck Homes, Destroy Lives And Abuse License Plate Reader Technology

by Tim Cushing

Nick Selby says an LA councilwoman has just proposed "the worst use of license plate data in history." He's not lying.

Automatic license plate readers gather tons of plate/location data, which can then be used for law enforcement purposes (when not being sold to, or by, private entities to insurance companies, repossession firms, etc.). The plate/location data may help recover stolen vehicles or track mobile criminals, but they also create massive databases of people's movements. This can create a chilling effect on motorists, as someone said to Selby at a surveillance-focused conference.

“The issue is the potentially chilling effect that this technology has on freedom of association and freedom of transportation.”
Cue chilling effect.
That’s literally the phrase that leapt into my mind when I read the monumentally over-reaching idea posed by Nury Martinez, a 6th district Los Angeles city councilwoman, to access a database of license plates captured in certain places around the city, translate these license plates to obtain the name and address of each owner, and send to that owner a letter explaining that the vehicle was seen in, “an area known for prostitution.”
This should create some additional household friction in the Los Angeles area. There's nothing like a letter from the city informing a vehicle owner that their car was spotted in an area known for prostitution, with the underlying assumption that the only reason a vehicle would be in these areas is because the driver was looking to exchange money for sexual favors.

Martinez says the non-guilty have nothing to worry about, because she's an idiot.
Councilwoman Martinez feels that prostitution is not a “victimless” crime, and that by discouraging johns, the incidence of the crime can be reduced. Martinez told CBS Los Angeles, “If you aren’t soliciting, you have no reason to worry about finding one of these letters in your mailbox. But if you are, these letters will discourage you from returning. Soliciting for sex in our neighborhoods is not OK.”
There are plenty of legitimate reasons for someone to be in an area law enforcement has determined is "known for solicitation." Many drivers live or work in areas "known for prostitution." Many other drivers may have to drive through areas "known for prostitution" to shop, go to work, or just get to the nearest freeway entrance ramp. So, there are plenty of reasons to "worry" about being falsely labelled as a john by the city. And it won't be the city that has to deal with the fallout. It will be the families that are destroyed by Martinez's horrifically misguided proposal.

Even if innocent drivers toss the letters before they do any damage to their personal relationships, each letter generated from this abuse of technology meant to aid police in locating stolen vehicles and/or dangerous criminals will create a public record that can be requested and published by nearly anyone. So, even if a person throws the letter in the garbage after receiving it, someone else could make this information public -- threatening personal relationships, damaging reputations and possibly costing people their jobs. And all because their vehicle happened to be in an arbitrarily "wrong place" at the wrong time.

Selby reports the city council is currently working with the district attorney to see how -- or if -- this can be implemented. Hopefully, someone more aware of the legal ramifications of this proposal will shut it down before it does any damage.

30 Nov 18:34

The Nation's Criminals Can't Keep Up With The Government's Legalized Theft Programs

by Tim Cushing

The Institute for Justice has released its latest report on asset forfeiture. Despite some recent legislative attempts to add a much-needed conviction requirement to the seizure of property, most of the country still allows law enforcement to proceed under the assumption that money, vehicles and houses are "guilty," even if those they take this property from are, for all intents and purposes, innocent.

The absence of this key factor has resulted in decades of nationwide abuse. The IJ's updated chart ranking states' asset forfeiture policies on an A-F scale shows only one A rating: New Mexico. The state's recent passage of significant asset forfeiture reform is the only highlight in the report. The rest of the nation continues on its path of underachievement, preferring to defer to law enforcement's best judgment on how to fight the Drug War. (While also occasionally used to target fraud and organized crime, forfeiture programs are now mostly deployed to take money from people/vehicles that smell like marijuana.)

The largest amount of resistance to asset forfeiture reform efforts comes from the agencies that benefit most from the liquidation of seized property.

The highest grades correspond directly to states where local agencies have the least to gain from seized assets. Unsurprisingly, removing the incentive to simply take money/property has resulted in less abuse of forfeiture programs.

But these (few) speed bumps have done next to nothing to slow the asset forfeiture machine. It's been on a downhill roll since the late 80s, resulting in $12.6 billion seized at the federal level from 1989 to 2010. Since 2010, though, the year-to-year increases have been exponential. In 2014 alone, US Attorneys "forfeited" $4.5 billion. This dollar amount now places federal law enforcement at the top of the list of "People Who Take Stuff That Belongs To Others."
According to the FBI, the total amount of goods stolen by criminals in 2014 burglary offenses came to an estimated $3.9 billion in property losses. This means that the police are now taking more assets than the criminals.
Of course, there are several legitimate (i.e., tied to convictions) forfeitures included in that amount, whereas no burglary can ever be considered "legitimate." And, as the DOJ points out, some recent sizable seizures have produced gaudy forfeiture numbers.
A Justice Department spokesman pointed out that big cases, like the $1.7 billion Bernie Madoff judgment and a $1.2 billion case associated with Toyota, have led to large deposits to forfeiture funds in a single year.
So, there are mitigating factors in this law enforcement-to-criminals comparison, but that doesn't mean asset forfeiture programs are largely "right" or free from abuse. The federal government has argued it has the right to seize even "untainted" funds and a majority of cash seizures -- especially at the local level -- don't rise to "drug kingpin" levels. As was noted, when Washington, DC moved forward with asset forfeiture reform, its local police force more resembled pathetic stickup men than the dismantlers of drug empires.
In addition, the bill sets other limits. Vehicles may not be seized unless "clear and convincing evidence" exists that they were used in the commission of a crime. Cash amounts under $1,000 would be presumed "innocent," i.e., not subject to forfeiture. This stipulation cuts to the heart of the DC PD's abuse of asset forfeiture -- more than half of its $5.5 million in cash seizures were for less than $141, with over 1,000 of the 12,000 seizures being for less than $20.
Further watering down the comparison is this depressing fact: in asset forfeiture, the government (both local and federal) tends to place the burden of proof on the former owners of seized property. Arrested burglars, however, are given the Constitutional benefit of the doubt (presumed innocent) when they end up in court.

30 Nov 18:31

Filming A Man-Made Fire Tornado In Ultra Slow Motion

Brindle

This is amazing. I want to make one.

This is a video from the Slow-Mo Guys of a homemade fire tornado filmed in ultra slow motion. Previously: a natural fire tornado in (where else?) Australia. It was pretty mesmerizing to watch. You know what's even scarier than a fire tornado though? A LAVA HURRICANE. I like to call them lavacanes. "There's no such thing as lavacanes." What about windquakes? "No." Well I'm going to invent a fantasy universe where they do exist, and I'm gonna make a fortune writing books about wizards and sea monsters and all the other cool shit that lives there. Obviously, they will be romance novels, because if there's one thing I know how to write, it's a steamy sex scene. Check this out: She was fondling her pert breasts under his 1500 thread count Egyptian cotton bedsheets when he appeared at the bathroom door, swinging his penis around like an old-timey airplane propeller, just itching to take off. She smiled coyly before raising herself up in the bed and projectile vomiting all over the comforter because food poisoning from Applebee's the night before. Wait, wait -- let me start over. Keep going for the video. Thanks to IKnowHowYouFeelAboutFire, who really does. You get me.
30 Nov 18:28

Did You Hear About How ISIS Has A Sophisticated Training Manual For Encryption? Yeah, It Was Actually A Pamphlet For Journalists And Activists

by Mike Masnick
Did you hear that story about how ISIS is so sophisticated with encryption that they have a special "opsec" manual on computer security protocols? You might have, because last week it was all over the internet. Yahoo kicked it off with a story, claiming it was the secret manual ISIS "uses to teach its soldiers about encryption." Wired followed up with its own story, as did The Telegraph. The "manual" was "discovered" by analysts at the Combating Terrorism Center, based out of the US Military Academy at West Point. Thankfully, Buzzfeed has the details, noting that the guide, created by a cybersecurity firm in Kuwait, named Cyberkov, is actually a guide for journalists and activists to protect their communications from oppressive governments. And there's nothing particularly secret about it, as apparently it's basically just repurposed stuff from the EFF's website:
“Our guide is based on publicly available tools, instructions and best practices. The guidelines in our manual are sourced from the EFF [Electronic Frontier Foundation] and other sources of privacy organizations,” wrote CyberKov CEO Abdullah AlAli to BuzzFeed News in an email. He said his organization had no idea its guide had been repurposed by ISIS. He was surprised to see it cited in articles, many of which have been updated since they were originally posted to note the document’s origin, and “even more shocked to see the Combating Terrorism Center at West Point simply Google-Translated it and claimed it as ISIS’s.”
Now, it does appear that some folks in ISIS may have sent around versions of the guide, but it sort of undermines the idea that they had created their own special set of guidelines to avoid being tracked, when all they're doing is picking up publicly available information on security best practices.

30 Nov 18:06

Superfish 2.0: now Dell is breaking HTTPS

From the good women and men over at the EFF:

Earlier this year it was revealed that Lenovo was shipping computers preloaded with software called Superfish, which installed its own HTTPS root certificate on affected computers. That in and of itself wouldn't be so bad, except Superfish's certificates all used the same private key. That meant all the affected computers were vulnerable to a "man in the middle" attack in which an attacker could use that private key to eavesdrop on users' encrypted connections to websites, and even impersonate other websites.

Now it appears that Dell has done the same thing, shipping laptops pre-installed with an HTTPS root certificate issued by Dell, known as eDellRoot. The certificate could allow malicious software or an attacker to impersonate Google, your bank, or any other website. It could also allow an attacker to install malicious code that has a valid signature, bypassing Windows security controls. The security team for the Chrome browser appears to have already revoked the certificate. People can test if their computer is affected by the bogus certificate by following this link.

Did you buy a Dell computer during your Black Friday shopping thing over there in the US? Might want to look it over before handing it to your loved one. Alternatively, just buy a Mac and don't deal with this nonsense.
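The check the EFF links to is a web page; for anyone who would rather inspect the trust store directly, here is an added PowerShell example (not code from the EFF, Dell or the original post). It looks for a trusted root whose subject contains "eDellRoot", and more generally for any trusted root whose private key is present on the machine, which is the actual defect in both the Superfish and eDellRoot cases: a root CA's private key has no business being on an endpoint, because whoever holds it can issue certificates for any site that endpoint trusts. The `*eDellRoot*` subject pattern is an assumption based on the name given in the post.

```powershell
# Added example (not EFF's or Dell's code): enumerate the machine and user
# trusted-root stores and report certificates that either match the given
# subject pattern or carry a private key on this machine.
# The '*eDellRoot*' pattern is an assumption based on the name in the post.
function Find-RiskyRootCert {
    [CmdletBinding()]
    param(
        [string]$NamePattern = '*eDellRoot*'
    )
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object {
                # Either condition is enough to flag the certificate.
                $_.Subject -like $NamePattern -or $_.HasPrivateKey
            } |
            ForEach-Object {
                $reason = if ($_.Subject -like $NamePattern) {
                    'subject matches pattern'
                } else {
                    'private key present for a trusted root'
                }
                [PSCustomObject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                    Reason        = $reason
                }
            }
    }
}

# Usage: an empty result means no root matched the name and none has a
# private key on this machine.
Find-RiskyRootCert | Format-Table -AutoSize
```

A root that shows `HasPrivateKey` as true should be removed (`Remove-Item` on its path under the `Cert:` drive) and the store rechecked later, since the vendor software that installed it may put it back.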
30 Nov 18:03

French Government Using State Of Emergency As An Excuse To Round Up Climate Change Activists

by Tim Cushing

In response to the attacks in Paris earlier this month, the French government has enacted a state of emergency. Like the War on Terror itself, this "state of emergency" has no discernible end in sight. The government has given itself an incredible amount of power for an indefinite period of time. When this power shift happens, abuse follows.

The Guardian is reporting that the nation's law enforcement agencies are straying far from their original targets: those responsible for the attacks, along with anyone who appears to be sympathetic to the cause. The government now appears to be authorizing the arrest of anyone it can brand a troublemaker.

At least 24 climate activists have been put under house arrest by French police, accused of flouting a ban on organising protests during next week’s Paris climate summit, the Guardian has learned.

One legal adviser to the activists said many officers raided his Paris apartment and occupied three floors and a staircase in his block.

French authorities did not respond to requests for comment but lawyers said that the warrants were issued under state of emergency laws, imposed after the terror attacks that killed 130 people earlier this month.
The French now understand what it's like to be Spanish. Of course, it must be pointed out that very few countries, even a country once at the forefront of personal freedoms, would handle this situation any differently.
The Garland (TX) attack ushered in several months of stepped-up use of 24/7 monitoring on suspected ISIS supporters. FBI Director James Comey has described the period between May and July as one that stretched the FBI's resources, and that isn't sustainable. Dozens of arrests were made, in many cases not for terrorism-related charges if the FBI couldn't gather enough evidence of a plot.

"In some cases we just needed to get people off the streets," one senior law enforcement official said.
A few of the targeted activists have been placed under house arrest. Others have been handed restraining orders by local judges. Police have also been confiscating computers and personal documents during these raids.

Some might argue that until everything calms down in France, the best plan for activists is to lay low. This could prevent the hijacking of a cause as cover for a violent attack motivated by a different ideology. But this sort of advice would only make sense if the government had expressed a fear of large gatherings in general.
Some protesters argue that the permission granted to football matches, trade fairs and Christmas markets in Paris over the summit period suggests that the authorities’ real concern is to suppress dissent.
This makes the orders some received to limit participants to less than 50 look hypocritical, at best. At worst, it looks like the government is using its state of emergency powers to protect itself from vocal and highly-visible criticism.

20 Nov 14:54

Hillary Clinton Joins The 'Make Silicon Valley Break Encryption' Bandwagon

by Mike Masnick
Presidential candidate Hillary Clinton gave a speech yesterday all about the fight against ISIS in the wake of the Paris attacks. While most of the attention (quite reasonably so) on the speech was about her plan to deal with ISIS, as well as her comments on the ridiculous political hot potato of how to deal with Syrian refugees, she still used the opportunity to align herself with the idiotic side of the encryption debate, suggesting that Silicon Valley has to somehow "fix" the issue of law enforcement wanting to see everything. Here's what she said:
Another challenge is how to strike the right balance of protecting privacy and security. Encryption of mobile communications presents a particularly tough problem. We should take the concerns of law enforcement and counterterrorism professionals seriously. They have warned that impenetrable encryption may prevent them from accessing terrorist communications and preventing a future attack. On the other hand, we know there are legitimate concerns about government intrusion, network security, and creating new vulnerabilities that bad actors can and would exploit. So we need Silicon Valley not to view government as its adversary. We need to challenge our best minds in the private sector to work with our best minds in the public sector to develop solutions that will both keep us safe and protect our privacy.

Now is the time to solve this problem, not after the next attack.
It does not. Weakening encryption undermines both security and privacy. There's no "balance" to be had here. You want to maximize both security and privacy and the way you do that is with strong encryption.

Also, the bit about how "Silicon Valley" has to "not view government as its adversary" is another bullshit line that has been favored by James Comey and others, who keep insisting that when technologists explain that backdooring encryption in a manner that only "the good guys" can use is impossible, what they really mean is that they haven't tried hard enough. Once again, that's not it. What pretty much the entire tech community has been saying is that it's impossible to create such a thing without undermining the whole thing and making everyone less safe. Hell, here's security expert Steve Bellovin explaining this pretty clearly. He goes step by step through why it won't work, why it makes things more dangerous, why it will be abused, and why it will put us all at risk.

And the reason that Silicon Valley views the government as an adversary is because speeches like Clinton's set it up that way. Her speech, like Comey's past speeches, directly sets up the government as an adversary to good computer security, asking technologists to undermine their own creations and make everyone less safe for some unclear, amorphous belief that it might make a few people more safe at some point in the future. So, the answer isn't scolding Silicon Valley as Hillary has chosen to do, but rather understanding reality, and recognizing that what she is directly advocating for is to harm the safety of Americans and others around the globe.

This raises serious questions about who is advising Clinton on tech policy. When she was at the State Department, it actually did a lot of really good things on encryption and protecting communications of people around the globe. It's pretty ridiculous for Clinton to undermine her own efforts with such a dumb statement in this speech.

19 Nov 18:50

After Endless Demonization Of Encryption, Police Find Paris Attackers Coordinated Via Unencrypted SMS

by Karl Bode
In the wake of the tragic events in Paris last week, encryption has continued to be a useful bogeyman for those with a voracious appetite for surveillance expansion. Like clockwork, numerous reports were quickly circulated suggesting that the terrorists used incredibly sophisticated encryption techniques, despite no evidence from investigators that this was the case. These reports varied in the amount of hallucination involved, with the New York Times even having to pull one such report offline. Other claims that the attackers had used encrypted Playstation 4 communications also wound up being bunk.

Yet, pushed by their sources in the government, the media quickly became a wall of noise suggesting that encryption was hampering the government's ability to stop these kinds of attacks. NBC was particularly breathless this week over the idea that ISIS was now running a 24-hour help desk aimed at helping its less technically proficient members understand encryption (even cults help each other use technology, who knew?). All of the reports had one central, underlying drumbeat implication: Edward Snowden and encryption have made us less safe, and if you disagree the blood is on your hands.

Yet, amazingly enough, as actual investigative details emerge, it appears that most of the communications between the attackers were conducted via unencrypted vanilla SMS:
"...News emerging from Paris — as well as evidence from a Belgian ISIS raid in January — suggests that the ISIS terror networks involved were communicating in the clear, and that the data on their smartphones was not encrypted.

European media outlets are reporting that the location of a raid conducted on a suspected safe house Wednesday morning was extracted from a cellphone, apparently belonging to one of the attackers, found in the trash outside the Bataclan concert hall massacre. Le Monde reported that investigators were able to access the data on the phone, including a detailed map of the concert hall and an SMS message saying “we’re off; we’re starting.” Police were also able to trace the phone’s movements.
The reports note that Abdelhamid Abaaoud, the "mastermind" of both the Paris attacks and a thwarted Belgium attack ten months ago, failed to use any encryption whatsoever (read: existing capabilities stopped the Belgium attacks and could have stopped the Paris attacks, but didn't). That's of course not to say batshit religious cults like ISIS don't use encryption, and won't do so going forward. Everybody uses encryption. But the point remains that to use a tragedy to vilify encryption, push for surveillance expansion, and pass backdoor laws that will make everybody less safe -- is nearly as gruesome as the attacks themselves.

19 Nov 18:42

Manhattan DA's Office Serves Up Craptastic White Paper Asking For A Ban On Encryption

by Tim Cushing

Manhattan DA Cyrus Vance may not know what the fuck he's talking about when he discusses encryption, the internet and other tech-related issues. But that's certainly not going to keep him from talking about them.

A just-published "white paper" from the Manhattan DA's office (h/t Matthew Green) offers up all sorts of stupidity in its attempt to justify anti-encryption legislation.

It starts with lofty ideals…

This Report is intended to:

1) Summarize the smartphone encryption debate for those unfamiliar with the issue;
2) Explain the importance of evidence stored on smartphones to public safety;
3) Dispel certain misconceptions that many privacy advocates hold about law enforcement’s position related to encryption, including the myth that we support a “backdoor” or government-held “key;”
4) Encourage an open discussion with technology companies, privacy advocates, and lawmakers; and
5) Propose a solution that protects privacy and safety.
… before throwing most of these out completely, starting with the "open discussion" with the affected stakeholders.

Vance's office doesn't want to burden the nation's tech companies with "golden keys" or "good guy-only" backdoors. The paper admits such a "solution" would be complicated and expensive. (But not impossible, notably.)

His solution? Something that doesn't burden tech companies, but simply leaves their customers unprotected. No backdoors will be needed because there will be nowhere to install one.
The federal legislation would provide in substance that any smartphone manufactured, leased, or sold in the U.S. must be able to be unlocked, or its data accessed, by the operating system designer. Compliance with such a statute would not require new technology or costly adjustments. It would require, simply, that designers and makers of operating systems not design or build them to be impregnable to lawful governmental searches.
That's the big idea: a ban on encryption, presented disingenuously as "Not A Ban." For all the paper's supposed "discussion" of the issues and contemplation of concerns expressed by companies and their customers, this is the DA's office's brilliant cure-all: federal legislation that would prevent companies from deploying encryption -- at least not without holding onto a set of keys for government use.

Offered in support of these arguments are the horrendous laws being contemplated/passed in other countries like the UK and France. If they can do it, we can do it! Vance's office argues any resulting harm to human rights and civil liberties will be minimal. Undiscussed is the resulting harm to innocent users whose phones' contents are no longer encrypted.

The paper also discusses various workarounds that have been suggested, like accessing the unencrypted contents of cloud storage services connected to users' phones. The DA's office says that just isn't good enough. For one thing, not every user utilizes the cloud services offered by Google and Apple. The office's argument against seeking other routes to communications and data is astoundingly terrible.
[S]martphone users are not required to set up a cloud account or back up to the cloud, and therefore, many device users will not have data stored in the cloud. Even minimally sophisticated wrongdoers who use their devices to perpetrate crimes and who have cloud accounts will likely take the relatively simple steps necessary to avoid backing up those devices, or data of interest, to the cloud. In most instances, only one or two selections must be made in the device’s settings to turn off the back-up function or to remove certain types of content from the back up.
There's a huge problem with this paragraph. It makes the assertion that criminals are more likely to avoid utilizing cloud backup services while simultaneously noting that this process is entirely optional and will not be used by most people. Using this logic, an average user may also be a "minimally sophisticated wrongdoer," at least as far as law enforcement can tell from what it finds stored in the cloud.

The underlying point is that lots of data and communications still reside within the phone itself and law enforcement will not be able to access this without Apple or Google leaving a door open for it.

The office does further damage to its own arguments for banning encryption by highlighting a string of successful prosecutions utilizing evidence recovered from cell phones. It uses this list to highlight the amount of "probative evidence" obtained from cell phones while simultaneously (and inadvertently) pointing out that law enforcement really hasn't been stymied by encryption, despite Vance's FUD-filled imaginations to the contrary.

And, finally, let's take a look at one more bogus analogy made by Vance's office, in which he tries to equate phones with houses.
The Fourth Amendment dictates that search warrants may be issued only when a judge finds probable cause to believe that a crime has been committed and that evidence or proceeds of the crime might be found on the device to be searched. The warrant requirement has been described by the Supreme Court as “[t]he bulwark of Fourth Amendment protection,” and there is no reason to believe that it cannot continue to serve in that role, whether the object that is to be searched is an iPhone or a home.

In fact, what makes full-disk encryption schemes remarkable is that they provide greater protection to one’s phone than one has in one’s home, which, of course, has always been afforded the highest level of privacy protection by courts. Apple and Google should not be able to alter this constitutional balance unilaterally. Every home can be entered with a search warrant. The same should be true of devices.
A more honest analogy would compare phones to computers, which is basically what they are. While a warrant may give cops access to someone's computer -- allowing them to seize it -- it does not guarantee they'll be able to access its contents. Vance wants to compare opening a phone to opening a door, but it's not a true comparison. If people could make their houses as impregnable as their phones and computers, some very likely would -- and not just the theoretical "minimally sophisticated criminals." A house that cops can't get into is a house criminals can't get into. But there's no way to encrypt a door or window.

The paper tries to portray this as somehow making phones more private than houses in terms of the Fourth Amendment. But encrypted phones have nothing to do with a heightened expectation of privacy. Encryption makes phones more secure than houses, not more private than houses. The Fourth Amendment considerations aren't being shifted. It's only the level of instant access that's being changed. Vance's office -- being part of the law enforcement community -- should welcome efforts that make citizens more secure. Instead, all it's doing is bitching loudly and disingenuously about all the power it imagines encryption will strip away from it.

18 Nov 17:25

But That Isn't A Word: Oxford Dictionary Chooses The Face With Tears Of Joy Emoji As Word Of The Year

Brindle

god damnit.

Because even dictionary companies want to feel edgy from time to time, Oxford Dictionaries has announced the 'face with tears of joy' emoji is its 2015 word of the year, despite the fact emojis aren't words and don't appear in dictionaries. HAS THE WHOLE WORLD GONE CRAZY? AM I THE ONLY ONE AROUND HERE WHO GIVES A SHIT ABOUT THE RULES?
"Although emoji have been a staple of texting teens for some time, emoji culture exploded into the global mainstream over the past year," the company's team wrote in a press release. "Emoji have come to embody a core aspect of living in a digital world that is visually driven, emotionally expressive, and obsessively immediate." According to their data, the "Face With Tears of Joy" emoji, also known as LOL Emoji or Laughing Emoji, comprised nearly 20% of all emoji use in the U.S. and the U.K., where Oxford is based. The runner-up in the U.S., with 9% of usage, was [the kissy face emoji].
Damn, I almost never use the happy crying face emoji. I must not be very hip. Or I've never actually experienced tears of joy. When I cry it is strictly DEEP DARK SADNESS crying. Tears of joy are for people who still have hope. Also, I think it's unfair that the word of the year comes out before the year is even over. Maybe if they waited until January the word of the year would have been Geekologie. "The word of the year will never be Geekologie." MAYBE IF I BLEW UP THE INTERNET BETWEEN NOW AND THEN IT WOULD BE. "Nope." Fine, deez nuts then. Thanks to my buddy York, who agrees there should be a flaming shit emoji, because that's exactly what this world has turned into.
17 Nov 15:27

Did Marco Rubio's Campaign Violate The CFAA? Will He Commit To Reforming It?

by Mike Masnick
Brindle

ouch, rubio campaign so broke they can't run their own wifi :X

We've talked a lot in the past few years about the desperate need to reform the CFAA -- an absolutely horrible "anti-hacking" law that has been stretched and broadened and twisted by people over the years, such that it's frequently used to "pile on" charges when nothing else will stick. If you want to go into a lot more detail, you can listen to the podcast we recently did about the CFAA, or listen to this wonderful podcast that Reply All did about the CFAA (where I also make a brief appearance). But one of the biggest problems with it is that it considers you to be a dangerous hacker if you access a computer/network "without authorization" or if you merely have "exceeded authorized access." It's that latter phrase that often causes trouble. What does it even mean? Historically, cases have been brought against employees who use their employer's computers for non-work related things, against someone for supposedly failing to abide by MySpace's terms of service and for downloading too many academic journals that were freely available for downloading on MIT's campus network.

Keep that in mind as you read this Associated Press story about how Presidential candidate and current Florida Senator Marco Rubio's "low-budget" Presidential campaign office got free internet access for a bit:
At one of the campaign's Nevada offices, staffers tried to do their part to live up to the less is more mantra. After noticing a pizza place next to a campaign office had free wireless internet that required a password, a staffer walked over and bought two pieces of pizza and asked for the internet access code.

But the cost-cutting measure was short-lived. After about three weeks, the pizza place caught on and asked the Rubio team to stop.
It's not at all difficult to see how that could be "exceeding authorized access" under the statute. After all, it's pretty clear that the intent of the access is for customers while they're in the restaurant. That seems to be confirmed by the fact that the pizza place asked the Rubio campaign to knock it off once it discovered what was going on. Now, for it to be a felony, there needs to be $5,000 worth of damage -- but considering that in another recent case, the DOJ turned a single news article defacement (that lasted just 40 minutes) into a supposed $929,977 in damages, I'm sure some creative math can make the use of the WiFi into something greater than $5,000. You just need to argue that the congestion on the WiFi likely turned off customers who may not ever come back, and the value of those losses exceeds $5,000.

Now, Rubio hasn't really been involved at all in the debate over the CFAA and reforming it. The only official "policy" line he has even closely related to it on his campaign issues page suggests he'd favor making the CFAA punishments even worse: "Use American power to respond harshly to international cyber attacks on American citizens, businesses, and governments." Of course, that's focused on foreign attacks, so may not apply directly.

Either way, this seems like something an enterprising political reporter might want to ask the Rubio campaign, seeing as they themselves may have potentially committed a felony under the current CFAA.

17 Nov 15:23

Pastafarian Woman Wins Battle To Get To Wear Pasta Strainer On Head In Driver's License Photo

Pastafarian Lindsay Miller just won her appeal to be allowed to wear a pasta strainer on her head in her driver's license photo, because she is wearing it for religious reasons. She was previously denied a license because the people at the DMV didn't take her seriously, which is hard to believe because there is nothing not serious about the Church of the Flying Spaghetti Monster.
According to the RMV's website, drivers are barred from wearing hats or head covers in their photos, unless the clothing items are "for medical or religious reasons." Miller filed for an appeal immediately after the August incident. Through a friend, she enlisted the help of Patty DeJuneas, a member of the Secular Legal Society, a network of lawyers that assist the American Humanist Association. DeJuneas said in a telephone interview that every religion deserves protection under the First Amendment, even if others think a certain sect may be "ridiculous."
So like, how mainstream does a religion have to be for it to be recognized by the department of motor vehicles? Because I just invented my own religion and part of that religion is having penises drawn on my face. Can I get my photo taken like that? Does anybody want to join my religion? Here -- take communion. "A warm Miller Lite and a Cheez-It?" Do you want to go to Candyland when you die or not? Thanks to Briana, Player Dos and Dave L, who have every intention of getting their next driver's license photos taken while hanging upside down because they worship Batman.
17 Nov 14:58

Pathological: Surveillance State Defenders Use Their Own Failure In Paris To Justify Mass Surveillance

by Mike Masnick
We already wrote a bit about the absolutely ridiculous attempts to connect the Paris attacks of last week with Ed Snowden and encryption. But, of course, the surveillance state sees successful terrorist attacks -- which often demonstrate their own failings -- as a way to double down on getting more power. Take, for example, our old friend and former NSA General Counsel Stewart Baker.

As pointed out by Marcy Wheeler, Baker used the Paris attacks to argue that it was evidence that the NSA should not shut down its Section 215 bulk collection of phone records.

NSA's 215 program was designed to detect a Mumbai/Paris-style attack. https://t.co/UelhvrlNPp Maybe this is the wrong month to drop it.

— stewartbaker (@stewartbaker) November 14, 2015
There are so many problems with this level of idiocy that it's difficult to know where to start, but let's go with the basics... (1) the NSA program is still on and still working for another few weeks before it shifts to a slightly modified version. (2) France has its own equivalent program that is still in operation. In fact, France famously expanded its surveillance laws late last year prior to both the Charlie Hebdo and Paris attacks. (3) Outside of the US, the NSA relies on Executive Order 12333, which allows the NSA to collect a hell of a lot more information than the somewhat limited Section 215 program. (4) None of those programs appears to have discovered the Paris attacks (or, if they did, they clearly failed in stopping the attacks). (5) In other words, these programs did not work and yet the knee-jerk surveillance state defenders are using them as proof that the programs work.

What the actual fuck, Stewart?

Look, it's one thing to use horrible tragedies to promote your own political desires. It's another thing entirely to use the out and out failure of these intelligence programs to argue that they're proof of why those programs work and/or should be expanded.

17 Nov 03:06

Judge Pushes Burden Of Proof Back On DEA Agents Who Seized $11,000 From Traveling College Student

by Tim Cushing

This could be fun.

Last February, DEA agents took $11,000 from college student Charles Clarke. The funds were to be used to continue his education. The DEA, however, had other plans for the money.

Deciding that Clarke's one-way ticket, odor of marijuana smoke and the inability to instantly prove all of the $11,000 was obtained legitimately, the DEA seized it. Good thing it did, considering there were 13 law enforcement agencies expecting a percentage of the take.

Clarke was initially charged with assault because he struggled to prevent DEA agents from separating him from the cash he says he spent five years saving. That charge was dropped. No other charges were brought. No contraband or weapons were found on his person.

In asset forfeiture cases, those whose property has been seized by the government must challenge the seizure and provide proof of its legitimate origin. All the government has to do to keep the money is wait the challenge out. In a large percentage of cases, the seizure is never contested. The government has unlimited resources. Those challenging forfeitures do not. In fact, they have even less to work with, thanks to the government's prior actions, and fighting seizures can be incredibly expensive.

Fortunately for Clarke, a judge has flipped the script.

Clarke’s lawyers asked for documents from the government with the intent to prove there are constitutional problems with the practice and that it gives police a profit-driven motive to seize property and funds.

The U.S. attorneys were not able to give all the documents to Clarke’s team and so they took the issue up with Judge Bertelsman. He decided to split the case into two parts:

First: the U.S. attorneys have to prove they have grounds to keep Clarke’s money, i.e., they have to prove that Clarke made the money from drug dealing.

Second: if the government proves the money came from drugs, Clarke’s team will have to argue against the issue of civil asset forfeiture itself, i.e., arguing that the practice is profit-driven or worse.
The burden of proof has been shifted back to where it always should have been, especially when seizures continue without accompanying criminal charges. The government can no longer simply claim Clarke's ticket, odor and lack of receipts are indicative of illegal activity. It has been ordered to show its work. This will be difficult because, given the lack of charges against Clarke, it most likely has nothing to present to the judge in the way of evidence.

If it somehow manages to round up some evidence proving its "guilty money" theory, it's still not in the clear. It will then have to defend the idea of civil asset forfeiture if Clarke's lawyers sufficiently demonstrate to the court the program's nasty side effects.

But it's the first part that's the most important. Given the fact that government agencies can seize property without securing convictions, orders like this one force the government to come up with better evidence than "one-way ticket" or "marijuana odor." The DEA must now find some way to connect the money it took to criminal activity, something agencies that participate in forfeiture programs don't have much experience in doing.

16 Nov 17:00

Scientist Bans Use Of His Software By 'Immigrant-Friendly' Countries, So Journal Retracts Paper About His Software

by Glyn Moody
Brindle

wat?

Retractions of scientific papers are by their nature quite dramatic -- the decision to withdraw recognition in this very public way is never taken lightly, especially given all the work that goes into writing a paper. But the specialist site Retraction Watch, which we wrote about back in August, has a new retraction story that is rather out of the ordinary. It concerns a much-cited 2004 paper about a piece of scientific software called Treefinder. The program is used to create phylogenetic trees, which show the probable evolutionary relationships between species based on comparing their respective DNA sequences. Retraction Watch explains what happened:

Recently, German scientist Gangolf Jobb declared that starting on October 1st scientists working in countries that are, in his opinion, too welcoming to immigrants -- including Great Britain, France and Germany -- could no longer use his Treefinder software, which creates trees showing potential evolutionary relationships between species. He'd already banned its use by U.S. scientists in February, citing the country’s "imperialism." Last week, BMC Evolutionary Biology pulled the paper describing the software, noting it now "breaches the journal’s editorial policy on software availability."
Here's the official retraction note published by the journal in question:
The editors of BMC Evolutionary Biology retract this article due to the decision by the corresponding author, Gangolf Jobb, to change the license to the software described in the article. The software is no longer available to all scientists wishing to use it in certain territories. This breaches the journal’s editorial policy on software availability which has been in effect since the time of publication.
The editorial policy on software availability is as follows:
If published, software applications/tools must be freely available to any researcher wishing to use them for non-commercial purposes, without restrictions such as the need for a material transfer agreement.
The policy then goes on to make an important suggestion:
BMC Evolutionary Biology recommends, but does not require, that the source code of the software should be made available under a suitable open-source license that will entitle other researchers to further develop and extend the software if they wish to do so.
Another advantage of releasing the code as open source is that it would have avoided the current awkward situation, whereby the Treefinder program is no longer available to everyone, and BMC Evolutionary Biology retracted the original paper. Once code is published under a free software license, that can't be rescinded, although the same or modified versions of the source could be published later under a non-free license by the copyright holder. It's regrettable that Treefinder was not released under a free software license, but it's nonetheless good to see an open access journal sticking to its requirement for free availability of software, and retracting the offending paper.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+