Brindle

Look, when it comes to Comcast, it's obviously quite easy to slap the company around for any number of its anti-consumer practices. Just sampling from the most recent news, Comcast was sued over its opt-out mobile hotspot from your home router plan, the company has decided to combat cord-cutting by hiking prices and fees on equipment for customers who cord-cut cable television, and it also has put in place a similar plan to charge all kinds of bullshit fees on equipment installations for customers who aren't bundling in other services with its ISP offering. You should be noticing a trend in there that has to do with how Comcast handles so-called "equipment rental" fees for its broadband customers and how it handles customers that choose to bring their own device to their home networks instead. Comcast has always hated customers that use their own WiFi routers, as the fees for renting a wireless access point represent a huge part of Comcast's revenue.

Which is why you would think that the company would at least not expose the home networks of customers who use that equipment. Sadly, it seems that Comcast's website made the network SSIDs and passwords available in plain text of customers who were renting router equipment, while those that used their own routers were completely safe.

A security hole in a Comcast service-activation website allowed anyone to obtain a customer's Wi-Fi network name and password by entering the customer's account number and a partial street address, ZDNet reported yesterday.

The problem would have let attackers "rename Wi-Fi network names and passwords, temporarily locking users out" of their home networks, ZDNet wrote. Obviously, an attacker could also use a Wi-Fi network name and password to log into an unsuspecting Comcast customer's home network.

It should be noted that Comcast almost immediately addressed the security flaw in its website after ZDNet's report. Still, we're not in the business of giving high marks to a company that fixes a laughable security hole on its website. Comcast reps also claimed that "There's nothing more important than our customers' security." But, if that were true, Comcast's position would be to advocate its customers use their own routers rather than renting Comcast routers, as those who did so were completely protected from this security risk.

Just to be clear, we're talking about really sensitive information exposed by this website flaw. WiFi network names and passwords are one thing, but malicious actors were also presented with the routers' physical home addresses, despite the attacker not needing a customer's full home address in order to access that information. And all of this was presented in plain text.

Any company making these kinds of dangerous mistakes would be bad, but it's worth putting all of this in the context of Comcast both operating in a competition-deprived unregulated ISP market and that it is trying to get even bigger through major acquisitions to gobble up even more market-share. That kind of attempt at ISP monoculture makes any security flaw exponentially worse and Comcast has not demonstrated its ability to live up to the security task.

Meanwhile, why anyone would rent a Comcast WiFi router is completely beyond me.

Permalink | Comments | Email This Story

This is it — the last day of the campaign! If you haven't yet backed our project to revamp and produce the CIA's declassified training game, today's your last chance to check out the Kickstarter page for CIA: Collect It All and secure a copy.

The campaign closes tonight at midnight! Don't delay!

We've had a huge influx of last-minute backers thanks in large part to The Verge's review of an advance copy of the game, so if you're not yet a backer, help us keep that momentum going — and if you are, please tell your friends! CIA: Collect It All comes with over 150 high-quality playing cards, with physical copies available for $29 (shipping to 170 countries), the print-and-play PDF version for $10 (anywhere, of course!) and a five-copy bundle for retailers or groups who want to team up to save on shipping.

We are planning to continue accepting some additional pre-orders before we complete the game, but we don't have that set up just yet, and we still have no plans to continue production beyond a single print run — so if you definitely don't want to miss out, back the campaign before it's too late!

Permalink | Comments | Email This Story

Microsoft and Google are jointly disclosing a new CPU security vulnerability that's similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled Speculative Store Bypass (variant 4), the latest vulnerability is a similar exploit to Spectre and exploits speculative execution "that modern CPUs use. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year, and Intel says these mitigations are also applicable to variant 4 and available for consumers to use today." However, unlike Meltdown (and more similar to Spectre) this new vulnerability will also include firmware updates for CPUs that could affect performance. Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won’t see negative performance impacts. This cat ain't going back in no bag anytime soon.

What do Photoshop, Matlab, Panic Transmit, and Eclipse have in common? They are among the 299 apps for which macOS applies compatibility fixes. Here's the full list of bundle IDs, along with the functions that checks for them, and the first caller to those functions. It's also available in CSV format. Note that this is just a list of apps Apple has developed compatibility tweaks to make them run on newer macOS versions. As the list demonstrates, even the best apps often needs some tweaks on newer macOS. In addition, most of these patches are only applied to older versions of apps. Here's how I extracted the list, and some interesting things I found in it. This is absolutely fascinating, and provides some amazing insight into which applications Apple considers crucial to the macOS user experience and platform. We all know Windows performs various tricks to maintain backwards compatibility, but I had no idea Apple went to decent lengths too for the same reasons.

Techdirt has written many stories about facial recognition systems. But there's a step-change taking place in this area at the moment. The authorities are moving from comparing single images with database holdings, to completely automated scanning of crowds to obtain and analyze huge numbers of facial images in real time. Recently, Tim Cushing described the ridiculously high level of false positives South Wales Police had encountered during its use of automated facial recognition software. Before that, a post noted a similarly unacceptable failure rate of automated systems used by the Metropolitan Police in London last year.

Now Big Brother Watch has produced a report bringing together everything we know about the use by UK police of automated facial recognition software (pdf), and its deep flaws. The report supplements that information with analyses of the legal and human rights framework for such systems, and points out that facial recognition algorithms often disproportionately misidentify minority ethnic groups and women.

The UK situation is fairly well known. There's been less coverage of automated facial recognition systems in the US, and the Big Brother Report offers some comments from experts about what is happening there. For example, Clare Garvie from the Georgetown Law Center on Privacy and Technology, writes:

Face recognition surveillance -- identifying people in real-time from live video feeds -- risks being an imminent reality for many Americans. Are we comfortable with a society where face recognition allows police to identify anyone with a driver’s license, without suspicion or consent? Are we comfortable with a society where the government can find anyone, at any time, by continuously scanning the faces of people on the sidewalk? Face recognition fundamentally changes the nature of privacy in public spaces. As government agencies themselves have cautioned, face recognition surveillance 'has the potential to make people feel extremely uncomfortable, cause people to alter their behaviour, and lead to self-censorship and inhibition,' chilling the exercise of the rights protected under the First Amendment and calling into question the scope of protections offered by the Fourth Amendment.

Alongside its report, Big Brother Watch has launched the "Face Off" campaign calling for the UK public authorities to stop using automated facial recognition software with surveillance cameras, and to remove the thousands of images of unconvicted individuals from the UK's Police National Database. Given the UK authorities' world-famous love of CCTV and surveillance, it's unlikely they will take much notice.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Permalink | Comments | Email This Story

The UK government's continuing efforts to save the country's children from the evils of internet porn are increasingly ridiculous. Filtering efforts applied by ISPs have managed to seal off access to plenty of non-porn sites while still remaining insanely easy to circumvent. The government -- with a straight face -- suggested there was nothing not normal about internet customers turning over personal information to ISPs in exchange for the permission to view porn. It's as if building a database of the nation's porn aficionados was the government's original intent.

Since nothing about this was working about the way the porn filter's architects (one of whom was arrested on child porn charges) imagined, the UK government decided the same non-functioning tech could be put to work filtering out "terrorist content." Bad ideas have repeatedly been supplanted by worse ones, and now it appears UK citizens may be able to opt out of ISP porn-related data harvesting by [squints at press report] buying a porn license from their local newsjobber.

High street newsagents are to sell so-called “porn passes” that will allow adults to visit over-18 websites anonymously.

The 16-digit cards will allow browsers to avoid giving personal details online when asked to prove their age.

Instead, they would show shopkeepers a passport or driving licence when buying the pass.

Trench coats are coming back! Somewhat of an ironic turn of events, given how much government effort was expended trying to limit the amount of public porn consumption by shutting down theaters and heavily regulating distribution of pornography. Instead of heading to porn shops in shady areas of town, porn consumers will be headed to newspaper kiosks to publicly announce their desire to consume porn in the privacy of their own homes.

I would imagine this will be regulated as well, with the government needing occasional access to porn license buyer lists to verify that newsagents are properly vetting porn license purchasers. Fortunately, the privacy-minded porn fan will now be providing personal info to someone other than their ISP. Unfortunately, they will be providing this to people in their neighborhood, possibly in front of their neighbors.

There is, however, a chance the purchase of a porn license may be treated as no different than a purchase of a pornographic publication: age verification only and no retention of records needed. Given the UK government's incessant push for a sanitized web, it seems unlikely this will be the case. Once you've gotten into the business of controlling access to legal content, the tendency is to continue expansion, rather than treat this as simply as a voluntary exchange between buyer and seller with only very limited government interest.

Permalink | Comments | Email This Story

It's apparently time for a legislative update to The War on Cops. Apropos of nothing, legislators from both sides of Congress have flung some more "cops are more equal than others" legislation into the ring. Senators Orrin Hatch and Heidi Heitkamp have joined their House counterparts in attempting to make any crime against a police officers a hate crime. From Hatch's press release:

Protect and Serve Act of 2018:

The legislation adds a new section to Chapter 7 of Title 18 that:

Makes it a federal crime to knowingly cause bodily injury to any person, or attempt to do so, because of the actual or perceived status of the person as a law enforcement officer;

Prescribes a penalty of up to 10 years imprisonment for a violation, or up to a life sentence in cases that result in death or involve kidnapping;

Requires that the offense have a federal nexus;

Requires certification by the Attorney General that a state has waived jurisdiction or that federal prosecution is in the public interest and necessary to secure substantial justice; and

Requires the Attorney General to issue guidelines for determining whether a crime was committed because of the actual or perceived status of person as a law enforcement officer.

Why do we need this law? We don't. But don't let that stop the bill's sponsors from arguing otherwise.

“In rural and urban areas alike, law enforcement officers face heightened risk every time they put on their uniforms,” Heitkamp said.

They actually face historically low risks, with last year's death stats being even lower than the year before. But let's not let actual death totals get in the way of increasing penalties for anyone who has the misfortune of dealing with cops. It doesn't just cover murder -- even though "targeted killings" are the main talking point. It covers any bodily injury, which makes it perfect for stacking charges on arrestees. Anything from an aborted fist swing to an accidental bump can be turned into an assault charge and this law gives federal prosecutors the chance to escalate the side effects of resisting arrest into a federal prison sentence. And it's a great way to keep abused citizens from filing complaints, as Radley Balko explains:

What harm could come of this bill? An assault on a police officer charge is often used a cudgel — it’s a way of dissuading legitimate victims of police brutality from filing complaints. If such an assault charge could soon come with an additional federal charge punishable by up to 10 years in prison, that cudgel grows by about 10 sizes. It gets awfully persuasive.

Lest there's any doubt this bill is a "hate crime" bill, the press release makes it crystal clear.

Since May 2016, several states have enacted laws that make attacking police because of their occupation a hate crime. The Protect and Serve Act takes a similar approach and is modeled after the federal hate crime statute, 18 U.S.C. § 249.

It's true. Several stupid state legislatures have decided to elevate some of the most powerful public servants in their jurisdictions to the status of "protected victim." Never mind the reason most hate crime laws are enacted is to bring more power to the powerless -- a (clumsy) way to address criminal acts predicated on hatred of someone's race or sexual orientation. Police officers are neither a race nor a sexual orientation. There is no conscription involved in a law enforcement career. It's strictly voluntary, unlike the personal traits involved in most hate crime laws.

It's not as though there's a lack of aggressive prosecution when officers are killed or injured. There's never a shortage of charges to be brought or a dearth of zeal to see this criminal act punished. Many states already provide sentencing enhancements if the crime victim is a police officer. This bill simply gives the federal government the option to swoop in and punish certain criminals more harshly, ignoring any lack of "Blue Lives Matter" state statute.

It's a stupid legislative proposition built on the ridiculous delusion that there's a War on Cops being waged day in and day out when it's really a lot of isolated incidents scattered across an ever-moving timeline. Being a cop in America is safe. Officers do not suffer for a lack of physical or legal protections. They are some of the most-protected individuals in this nation. A law like this is more than redundant and needlessly punitive. It's an implicit message sent to all Americans, telling them their public servants -- at least these ones -- are better and more deserving of protection than they are.

Permalink | Comments | Email This Story

Four of the largest cell giants in the US are selling your real-time location data to a company that you've probably never heard about before. In case you missed it, a senator last week sent a letter demanding the Federal Communications Commission (FCC) investigate why Securus, a prison technology company, can track any phone "within seconds" by using data obtained from the country's largest cell giants, including AT&T, Verizon, T-Mobile, and Sprint, through an intermediary, LocationSmart. Well, at least your messaging app is end-to-end encrypted, right?

The FBI continues its push for a solution to its "going dark" problem. Joined by the DOJ, agency head Christopher Wray has suggested the only way forward is a legislative or judicial fix, gesturing vaguely to the thousands of locked phones the FBI has gathered. It's a disingenuous push, considering the tools available to the agency to crack locked devices and obtain the apparently juicy evidence hidden inside.

The FBI hasn't been honest in its efforts or its portrayal of the problem. Questions put to the FBI about its internal efforts to crack locked devices are still unanswered. The only "new" development isn't all that new: Ray Ozzie's "key escrow" proposal may tweak a few details but it's not that far removed in intent from the Clipper Chip that kicked off the first Crypto War. It's nothing more than another way to make device security worse, with the only beneficiary being the government.

The FBI's disingenuousness has not gone unnoticed. Efforts have been made over the last half-decade to push legislators towards mandating government access, but no one has been willing to give the FBI what it wants if it means making encryption less useful. A new bill [PDF], introduced by Zoe Lofgren, Thomas Massie, Ted Poe, Jerry Nadler, Ted Lieu, and Matt Gaetz would codify this resistance to government-mandated backdoors.

The two-page bill has sweeping safeguards that uphold security both for developers and users. As the bill says, “no agency may mandate or request that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.”

This bill would protect companies that make encrypted mobile phones, tablets, desktop and laptop computers, as well as developers of popular software for sending end-to-end encrypted messages, including Signal and WhatsApp, from being forced to alter their products in a way that would weaken the encryption. The bill also forbids the government from seeking a court order that would mandate such alterations. The lone exception is for wiretapping standards required under the 1994 Communications for Law Enforcement Act (CALEA), which itself specifically permits providers to offer end-to-end encryption of their services.

The Secure Data Act shouldn't be needed but the FBI and DOJ have forced the hand of legislators. Rather than take multiple hints dropped by the previous administration, the agencies have only increased the volume of their anti-encryption rhetoric in recent months. Maybe the agencies felt they'd have the ear of the current administration and Congressional majority, but investigations involving the president and his staff have pretty much killed any "law and order" leanings the party normally retains. This bill may see widespread bipartisan support simply because it appears to be sticking it to the Deep State. Whatever. We'll take it. Hopefully, this makes a short and direct trip to the Oval Office for a signature.

Permalink | Comments | Email This Story

Another federal court is wrestling with compelled decryption and it appears the Fifth Amendment will be no better off by the time it's all over. A federal judge in North Carolina has decided compelling decryption of devices is only a small Fifth Amendment problem -- one that can be overlooked if the government already possesses certain knowledge. [h/t Orin Kerr]

The defendant facing child porn charges requested relief from a magistrate's order to compel decryption. The government isn't asking Ryan Spencer to turn over his passwords. But it wants exactly the same result: decrypted devices. The government's All Writs Order demands Spencer unlock the devices so law enforcement can search their contents. As the court notes in the denial of Spencer's request, the Fifth Amendment doesn't come into play unless the act of production -- in this case, turning over unlocked devices -- is both "testimonial" and "incriminating."

Spencer argued both acts are the same. The government may not ask him directly for his passwords, but a demand he produce unlocked devices accomplishes the same ends. As the court notes, the argument holds "superficial appeal." It actually holds a bit more than that. A previous dissenting opinion on the same topic said the government cannot compel safe combinations by "either word or deed."

This opinion [PDF], however, goes the other way. Judge Breyer likes the wall safe analogy, but arrives at a different conclusion than Justice Stevens did in an earlier dissent. The court finds drawing a Fifth Amendment line at password protection would produce a dichotomy it's not willing to accommodate.

[A] rule that the government can never compel decryption of a password-protected device would lead to absurd results. Whether a defendant would be required to produce a decrypted drive would hinge on whether he protected that drive using a fingerprint key or a password composed of symbols.

The refusal to craft this bright line ultimately makes little difference. The line already exists. Almost no courts have said the compelled production of fingerprints is a Fifth Amendment violation. Producing passwords, however, is an issue that's far from settled. In the cases that have gone the government's way, the key appears to be what the government already knows: the "foregone conclusions." The same goes here.

The court admits producing unlocked devices strengthens the government's case even before any searches take place.

So: the government’s request for the decrypted devices requires an act of production. Nevertheless, this act may represent incriminating testimony within the meaning of the Fifth Amendment because it would amount to a representation that Spencer has the ability to decrypt the devices. See Fisher, 425 U.S. at 410. Such a statement would potentially be incriminating because having that ability makes it more likely that Spencer encrypted the devices, which in turn makes it more likely that he himself put the sought-after material on the devices.

But that only deals with the incrimination side. Is it testimonial? The court thinks it isn't. Or at least, it believes whatever testimonial value it adds is almost nonexistent. All the government needs to show is that the defendant has the ability to unlock the devices.

Turning over the decrypted devices would not be tantamount to an admission that specific files, or any files for that matter, are stored on the devices, because the government has not asked for any specific files. Accordingly, the government need only show it is a foregone conclusion that Spencer has the ability to decrypt the devices.

It's a low bar but one that's sometimes difficult to reach if the government can't clearly link the defendant to the locked devices obtained during the search of a residence or business. As the court notes, it requires more than a reasonable assumption that files the government seeks might reside on the locked devices.

But it is nonsensical to ask whether the government has established with “reasonable particularity” that the defendant is able to decrypt a device. While physical evidence may be described with more or less specificity with respect to both appearance and location, a defendant’s ability to decrypt is not subject to the same sliding scale. He is either able to do so, or he is not. Accordingly, the reasonable particularity standard cannot apply to a defendant’s ability to decrypt a device.

The government needs far more if it seeks to compel decryption.

The appropriate standard is instead clear and convincing evidence. This places a high burden on the government to demonstrate that the defendant’s ability to decrypt the device at issue is a foregone conclusion. But a high burden is appropriate given that the “foregone conclusion” rule is an exception to the Fifth Amendment’s otherwise jealous protection of the privilege against giving self-incriminating testimony.

And the court finds the government does possess clear, convincing evidence.

All three devices were found in Spencer’s residence. Spencer has conceded that he owns the phone and laptop, and has provided the login passwords to both. Moreover, he has conceded that he purchased and encrypted an external hard drive matching the description of the one found by the government. This is sufficient for the government to meet its evidentiary burden. The government may therefore compel Spencer to decrypt the devices.

There is one caveat, however.

Once Spencer decrypts the devices, however, the government may not make direct use of the evidence that he has done so.

As the court points out, if the government's foregone conclusion is the correct conclusion, additional evidence linking Spencer to the locked devices will be unnecessary. The government should have no use for the testimony inherent in the act -- the concession that Spencer owned and controlled the now-unlocked devices, making him ultimately criminally responsible for any evidence located in them.

In terms of compelled production, passwords continue to beat fingerprints for device security, but only barely.

Permalink | Comments | Email This Story

There have been ongoing debates for a while now about the stupidity of backdooring encryption, with plenty of experts explaining why there's no feasible way to do it without causing all sorts of serious consequences (some more unintended than others). Without getting too deep into the weeds, the basic issue is that cryptography is freaking difficult and if something goes wrong, you're in a lot of trouble very fast. And it's very, very easy for something to go wrong. Adding in a backdoor to encryption is, effectively, making something go wrong... on purpose. In doing so, however, you're introducing a whole host of other opportunities for many, many things to go wrong, blowing up the whole scheme and putting everyone's information at risk. So, if you're going to show up with a "plan" to backdoor encryption, you better have a pretty convincing argument for how you avoid that issue (because the reality is you can't).

For at least a year (probably more) the one name that has kept coming up over and over as one of the few techies who insists that the common wisdom on backdooring encryption is wrong... is Ray Ozzie. Everyone notes that he's Microsoft's former Chief Software Architect and CTO, but some of us remember him from way before that when he created Lotus Notes and Groove Networks (which was supposed to be the nirvana of collaboration software). In recent months his name has popped up here and there, often by FBI/DOJ folks seeking to backdoor encryption, as having some possible ways forward.

And, recently, Wired did a big story on his backdoor idea, where he plays right into the FBI's "nerd harder" trope, by saying exactly what the FBI wants to hear, and which nearly every actual security expert says is wrong:

Ozzie, trim and vigorous at 62, acknowledged off the bat that he was dealing with a polarizing issue. The cryptographic and civil liberties community argued that solving the problem was virtually impossible, which “kind of bothers me,” he said. “In engineering if you think hard enough, you can come up with a solution.” He believed he had one.

This, of course, is the same sort of thing that James Comey, Christopher Wray and Rod Rosenstein have all suggested in the past few years: "you techies are smart, if you just nerd harder, you'll solve the problem." Ozzie, tragically, is giving them ammo. But he's not delivering the actual goods.

The Wired story details his plan which is not particularly unique. It takes concepts that others have proposed (and which have been shown to not be particularly secure) and puts a fresh coat of paint on them. Basically, the vendor of a device has a private key that it needs to keep secret, and under some "very special circumstances" it can send an employee into the dark chamber to do the requisite dance, retrieve the code, and give it to law enforcement. That's been suggested many times, and it's been explained many times why that opens up all sorts of dangerous scenarios that could put everyone at risk. The one piece that does seem different is that Ozzie wants a sort of limitation on the possible damage his system does if it goes wrong (in one particular way), which is that under his system if the backdoor is used, it can only be used on one phone and then it disables that phone forever:

Ozzie designed other features meant to ­reassure skeptics. Clear works on only one device at a time: Obtaining one phone’s PIN would not give the authorities the means to crack anyone else’s phone. Also, when a phone is unlocked with Clear, a special chip inside the phone blows itself up, freezing the contents of the phone thereafter. This prevents any tampering with the contents of the phone. Clear can’t be used for ongoing surveillance, Ozzie told the Columbia group, because once it is employed, the phone would no longer be able to be used.

So, let's be clear. That piece isn't what's useful in "reassuring skeptics." That piece is the only thing that really appears to be that unique about Ozzie's plan. And it hasn't done much to reassure skeptics. As the report notes, when Ozzie laid this out at a special meeting of super smart folks in the field, it didn't take long for one to spot a hole:

The most dramatic comment came from computer science professor and cryptographer Eran Tromer. With the flair of Hercule Poirot revealing the murderer, he announced that he’d discovered a weakness. He spun a wild scenario involving a stolen phone, a second hacked phone, and a bank robbery. Ozzie conceded that Tromer found a flaw, but not one that couldn’t be fixed.

"Not one that couldn't be fixed." But it took this guy just hearing about the system to find the flaw. There are more flaws. And they're going to be catastrophic. Because that's how cryptogrpahy works. Columbia computer science professor and all around computer security genius Steve Bellovin (who was also at that meeting) highlights how Tromer's flaw-spotting shows why Ozzie's plan is a fantasy with dangerous consequences:

Ozzie presented his proposal at a meeting at Columbia—I was there—to a diverse group. Levy wrote that Ozzie felt that he had "taken another baby step in what is now a two-years-and-counting quest" and that "he'd started to change the debate about how best to balance privacy and law enforcement access". I don't agree. In fact, I think that one can draw the opposite conclusion.

At the meeting, Eran Tromer found a flaw in Ozzie's scheme: under certain circumstances, an attacker can get an arbitrary phone unlocked. That in itself is interesting, but to me the important thing is that a flaw was found. Ozzie has been presenting his scheme for quite some time. I first heard it last May, at a meeting with several brand-name cryptographers in the audience. No one spotted the flaw. At the January meeting, though, Eran squinted at it and looked at it sideways—and in real-time he found a problem that everyone else had missed. Are there other problems lurking? I wouldn't be even slightly surprised. As I keep saying, cryptographic protocols are hard.

Bellovin also points out -- as others have before -- that there's a wider problem here: how other countries will use whatever stupid example the US sets for much more nefarious purposes:

If the United States adopts this scheme, other countries, including specifically Russia and China, are sure to follow. Would they consent to a scheme that relied on the cooperation of an American company, and with keys stored in the U.S.? Almost certainly not. Now: would the U.S. be content with phones unlockable only with the consent and cooperation of Russian or Chinese companies? I can't see that, either. Maybe there's a solution, maybe not—but the proposal is silent on the issue.

And we're just getting started on how many experts are weighing in on just how wrong Ozzie is. Errata Security's Rob Graham pulls no punches pointing out that:

He's only solving the part we already know how to solve. He's deliberately ignoring the stuff we don't know how to solve. We know how to make backdoors, we just don't know how to secure them.

Specifically, Ozzie's plan relies on the idea that companies can keep their master private key safe. To support that this is possible, Ozzie (as the FBI has in the past) points to the fact that companies like Apple already keep their signing keys secret. And that's true. But that assumes incorrectly that signing keys and decryption keys are the same thing and can be treated similarly. They're not and they cannot be. The security protocols around signing keys are intense, but part of that intensity is built around the idea that you almost never have to use a signing key.

A decryption key is a different story altogether, especially with the FBI blathering on about thousands of phones it wants to dig its digital hands into. And, as Graham notes, you quickly run into a scaling issue, and with that scale, you ruin any chance of keeping that key secure.

Yes, Apple has a vault where they've successfully protected important keys. No, it doesn't mean this vault scales. The more people and the more often you have to touch the vault, the less secure it becomes. We are talking thousands of requests per day from 100,000 different law enforcement agencies around the world. We are unlikely to protect this against incompetence and mistakes. We are definitely unable to secure this against deliberate attack.

And, even worse, when that happened, we wouldn't even know.

If Ozzie's master key were stolen, nothing would happen. Nobody would know, and evildoers would be able to freely decrypt phones. Ozzie claims his scheme can work because SSL works -- but then his scheme includes none of the many protections necessary to make SSL work.

What I'm trying to show here is that in a lab, it all looks nice and pretty, but when attacked at scale, things break down -- quickly. We have so much experience with failure at scale that we can judge Ozzie's scheme as woefully incomplete. It's not even up to the standard of SSL, and we have a long list of SSL problems.

And so Ozzie's scheme relies on an impossibility. That you could protect a decryption key that has to be used frequently, the same way that a signing key is currently protected. And that doesn't work. And when it fails, everyone is seriously fucked.

Graham's article also notes that Ozzis is -- in true nerd harder fashion -- focusing on this as a technological problem, ignoring all the human reasons why such a system will fail and such a key won't be protected.

It focuses on the mathematical model but ignores the human element. We already know how to solve the mathematical problem in a hundred different ways. The part we don't know how to secure is the human element.

How do we know the law enforcement person is who they say they are? How do we know the "trusted Apple employee" can't be bribed? How can the law enforcement agent communicate securely with the Apple employee?

You think these things are theoretical, but they aren't.

Cryptography expert (and professor at Johns Hopkins), Matt Green did a fairly thorough tweetstorm debunking of Ozzie's plan as well. He also points out, as Graham does, the disaster scenario of what happens when (not if) the key gets out. But, an even bigger point that Green makes is that Ozzie's plan relies on a special chip in every device... and assumes that we'll design that chip to work perfectly and never get broken. And that's ridiculous:

Green and Graham also both point to the example of GrayKey, the recently reported on tool that law enforcement has been using to crack into all supposedly encrypted iPhones. Already, someone has hacked into the company behind GrayKey and leaked some of the code.

Put it all together and:

Suddenly the fawning over Ozzie's plan doesn't look so good any more, does it? And, again, these are the problems that everyone who has dug into why backdoors are a bad idea have pointed out before:

Green expanded some of his tweets into a blog post as well, which is also worth reading. In it, he also points out that even if we acknowledge the difference between signing keys and decryption keys, companies aren't even that good at keeping signing keys safe (and those are almost certainly going to be more protected that decryption keys since they need to be access much less frequently):

Moreover, signing keys leak all the time. The phenomenon is so common that journalists have given it a name: it’s called “Stuxnet-style code signing”. The name derives from the fact that the Stuxnet malware — the nation-state malware used to sabotage Iran’s nuclear program — was authenticated with valid code signing keys, many of which were (presumably) stolen from various software vendors. This practice hasn’t remained with nation states, unfortunately, and has now become common in retail malware.

And he also digs deeper into the point he made in his tweetstorm about how on the processor side, not even Apple has been able to keep its secure chip from being broken -- yet Ozzie's plan is based almost entirely on the idea that such an unbreakable chip would be available:

The richest and most sophisticated phone manufacturer in the entire world tried to build a processor that achieved goals similar to those Ozzie requires. And as of April 2018, after five years of trying, they have been unable to achieve this goal — a goal that is critical to the security of the Ozzie proposal as I understand it.

Now obviously the lack of a secure processor today doesn’t mean such a processor will never exist. However, let me propose a general rule: if your proposal fundamentally relies on a secure lock that nobody can ever break, then it’s on you to show me how to build that lock.

Update: We should add that the criticisms raised here are not new either. Back in February we wrote about a whitepaper by Riana Pfefferkorn making basically all of these same points that the folks quoted above are making. In other words, it's a bit bizarre that Wired wrote this article as if Ozzie is doing something new and noteworthy.

So that's a bunch of experts highlighting why Ozzie's plan is silly. But, from the policy side it's awful too. Because having Ozzie going around and spouting this debunked nonsense, but with his pedigree, simply gives the "going dark" and "responsible encryption" pundits something to grasp onto to claim they were right all along, even though they weren't. They've said for years that the techies just need to nerd harder, and they will canonize Ray Ozzie as the proof that they were right... even though they're not and his plan doesn't solve any of the really hard problems.

And, as we noted much earlier in this post, cryptography is one of those areas where the hard problems really fucking matter. And if Ozzie's plan doesn't even touch on most of the big ones, it's no plan at all. It's a Potemkin Village that law enforcement types will parade around for the next couple of years insisting that backdoors can be made safely, even though Ozzie's plan is not safe at all. I am sure that Ray Ozzie means well -- and I've got tremendous respect for him and have for years. But what he's doing here is actively harmful -- even if his plan is never implemented. Giving the James Comeys and Chris Wrays of the worlds some facade they can cling to to say that this can be done is only going to create many more problems.

Permalink | Comments | Email This Story

Customs and Border Protection is inflating numbers to push a narrative about dangerous undocumented immigrants. And it's not just a little bit of fudging. It's a whole new way of counting -- one that fuels anti-immigrant rhetoric and keeps the agency well-funded.

As crime numbers around the nation remain at historic lows, there appears to be an explosion of violence near our southern borders, targeting Border Patrol officers.

According to U.S. Customs and Border Protection data, assaults on Border Patrol officers increased dramatically in fiscal year 2016, reversing a long downward trend. That year, CBP claims, there were 454 assaults on agents nationwide, compared with 378 in fiscal year 2015, a 20 percent increase. The increase from 2016 to 2017 was even more surprising. In 2017, according to CBP, there were 786 assaults, a spike of 73 percent, even as apprehensions fell from 415,816 to 310,532.

But there's actually been no spike in violent incidents. In fact, numbers have been trending downwards since 2012. In 2015, the CBP rolled out its new math, kick starting a rise in number of assaults on CBP officers and reversing the trend. This dramatic increase in assaults on officers isn't supported by any normal means of counting assaults. This is how the CBP does its "assaults on officers" addition. It involves a lot of multiplication.

Almost the entire increase — 271 purported assaults — was said to have occurred in one sector, the Rio Grande Valley, in South Texas. A large number of the assaults supposedly occurred on a single day, according to charts and details provided by Christiana Coleman, a CBP public affairs spokesperson. In response to questions from The Intercept, Coleman explained in an email that “an incident in the Rio Grande Valley Sector on February 14, 2017, involved seven U.S. Border Patrol Agents assaulted by six subjects utilizing three different types of projectiles (rocks, bottles, and tree branches), totaling 126 assaults.”

This is how you turn seven assaults in 126 assaults: 6 x 3 x 7 = 126. This is the formula used by the CBP since 2015 to greatly overstate violence near the borders and give Americans the false impression Border Patrol officers are increasingly subject to physical assault. A single incident involving seven assaulted officers becomes 119 additional "assaults."

There's more to it than simply turning simple tallies into multiplication problems. Apparently, assault doesn't even have to involve assault.

According to the FBI, most Border Patrol agents for whom assault data has been publicly reported were not injured. Rocks and water bottles don’t always hit their mark. Or they are never thrown in the first place — for reporting purposes, apparently, the mere brandishing of an object constitutes assault.

In all likelihood, being a Border Patrol agent today is as safe as it was in 2015, before CBP started messing with the math. A Border Patrol agent's relative safety surpasses that of law enforcement officers -- another group that tends to exaggerate the life-threatening aspects of the profession.

The decrease was so significant that by 2016, according to FBI statistics, Border Patrol agents were about five times less likely to be assaulted than officers in local police departments — and only half as likely to be killed on the job by homicide or by accident. As the Cato Institute observed in November, “Regular Americans are more than twice as likely to be murdered in any year from 2003 through 2017 than Border Patrol agents were.”

Despite this supposed spike in violent assaults, the CBP has issued zero press releases and made zero public statements about this self-created epidemic of violence. Instead, it has fed those numbers to people who can make the most of them: politicians.

At the Department of Homeland Security’s 15th anniversary celebration in March, Vice President Mike Pence talked about why the Border Patrol needs $21 billion in additional funding “to provide our front-line agents with the personnel, the technology, the equipment, and the facilities to do their job.”

Pence said all this was needed because “one of the most shocking stories we heard was in the last fiscal year” when “attacks on our Border Patrol agents had increased by 73 percent.” This, he added, was why the Trump administration was seeking $18 billion for a border wall.

The CBP is better off allowing politicians to stir anti-immigrant fervor. Politicians are naturally better at PR and selling narratives. What the CBP wants is a steadily-increasing budget and feeding fake stats to lawmakers ensures the paychecks will follow the rhetoric. It's blatantly dishonest to portray assaults in this manner. And the CBP knows it. But it has no interest in earning the public's trust or being a good steward of the funds and powers granted to it by the citizens and their government.

Permalink | Comments | Email This Story

Yes, the CIA made a card game. And... we're releasing it. No, really. If you want to play the top secret card game that the CIA used to train analysts, you can now back our Kickstarter project for CIA: Collect It All.

Let me explain how we got here...

We write a lot about the CIA here on Techdirt -- often covering just how secretive the organization is around responding to FOIA requests. After all, this is the same organization that invented the famous "Glomar Response" to a FOIA request: the now ubiquitous "we can neither confirm, nor deny." And that one "invention" is used all the time. Indeed, if you have a few extra hours to spend, feel free to go through just our archives demonstrating CIA obstructionism over FOIA.

But... the organization actually did recently respond to a set of interesting FOIA requests. Back in 2017, at SXSW, the CIA revealed its gaming efforts, and even let some attendees play them. That resulted in a few FOIA requests for the details of the game, including one by MuckRock's Mitchell Kotler and another by entrepreneur Douglas Palmer. In response to the FOIA requests, the CIA released the details of some of the games (though, somewhat redacted, and in typical FOIA response gritty photo-copy style), including a card game called "Collection Deck." My first reaction was... "Hey, that would be fun to play..." And then I had a second thought.

There's another super popular topic here on Techdirt: the public domain and how important it is to build on works in the public domain. Remember, under Section 105 of the US Copyright Act, works of the federal government of the United States are not subject to copyright and are in the public domain.

We've already been working with Randy Lubin of Diegetic Games on a few different projects (including Working Futures and others you'll need to stay tuned for). So, we started talking about making a version of the CIA's game to play for ourselves. And everyone we mentioned it to wanted to play as well. And the more we looked at the details, the more we realized that we could make a much nicer version (while paying homage to the original and its route through FOIAdom) that was playable, and maybe even offer some changes, fixes and alternative rules. We decided to name our version, "CIA: Collect It All." Not only does "Collect It All" spell out CIA and pay homage to the CIA's "Collection Deck" name, "Collect It All" was also General Keith Alexander's surveillance motto that we roundly mocked due to its inherent conflict with the old 4th Amendment. Anyway, this seemed like a way to take back the phrase a bit.

And that led us to Kickstarter. We're using Kickstarter in the real original sense of Kickstarter. We had an idea that we thought was pretty damn cool that we wanted for ourselves. And we want to see if others want it as well so we can produce it at scale. If people want it, awesome. We'll make a bunch. If we're wrong and no one really wants it... well, we'll probably still make a copy for ourselves, but you're on your own, working with redacted photocopies.

So... here's a chance to:

1. Get a cool, fun game that until just recently was a top secret training game by created by the CIA -- which, come on, is pretty cool
2. Help support Techdirt and all the reporting we do (including reporting on the CIA pushing back on FOIA requests)
3. Demonstrate why building on the public domain is a good thing
4. Did I mention that you get to play a fun game, with awesome design work (much better than the CIA's), that was originally created by the CIA?

So, check it out and back us on Kickstarter. And tell your friends. Because, look, they wanted to be CIA agents when they were kids too.

Permalink | Comments | Email This Story

A recently-released Inspector General's report shows the FBI didn't try as hard as it could to find a way into the San Bernardino shooter's locked iPhone. It appears FBI officials were more interested in obtaining a favorable court ruling than seeking technical assistance from anyone other than Apple, despite the DOJ's courtroom claims about time being of the essence.

This had a lot to do with the current FBI leadership. James Comey made fighting encryption his personal crusade -- one that has been carried forward by both the DOJ and the FBI's new director, Christopher Wray. Comey's new book about his government career -- one that came to an unceremonious end when President Trump fired him -- provides a few more details about his crusade against math and personal security.

A passage in Comey's new book briefly discusses his initial reaction to the news smartphone manufacturers would be moving to default encryption. Comey claims the Snowden leaks prompted a worldwide shift to encrypted communications before moving on to Apple and Google.

In September 2014, after a year of watching our legal capabilities diminish, I saw Apple and Google announce that they would be moving their mobile devices to default encryption. They announced it in such a way as to suggest -- at least to my ears -- that making devices immune to judicial orders was an important social value. This drove me crazy. I just couldn't understand how smart people could not see the social costs to stopping judges, in appropriate cases, from ordering access to electronic devices.

There's more to it than this, but this is from Comey's perspective. Part of the move to device encryption was due to pressure from legislators that phone companies "do more" to protect customers whose devices had been stolen. And some of it was probably backlash to the flow of Snowden leaks, showing the government had assembled a massive surveillance apparatus following the 9/11 attacks, turning tech companies into unwitting accomplices of the surveillance state.

As Comey sees it, the tech sector fails to comprehend the consequences of encrypted communications and devices because it only deals with the positive side of human connections.

The leaders of tech companies don't see the darkness the FBI sees. Our days are dominated by the hunt for people planning terrorist attacks, hurting children, and engaging in organized crime. We see humankind at its most depraved, day in and day out…

I found it appalling that the tech types couldn't see this. I would frequently joke with the FBI "Going Dark" team assigned to seek solutions, "Of course the Silicon Valley types don't see the darkness -- they live where it's sunny all the time and everybody is rich and smart." Theirs was a world where technology made human connections and relationships stronger.

Conversely, the FBI views any communications it can't see as suspect. It ignored solutions to engage in a courtroom battle over a phone that ultimately held nothing of interest. The FBI continues to push for a government solution to the problem -- a mandate it can wield in every situation. Under Comey's command, the FBI has shown it is unable to honestly hold an "adult" conversation about the issues. If officials like Comey feel tech companies are being deliberately obtuse, they cannot honestly argue the FBI isn't acting the same way.

Permalink | Comments | Email This Story

This morning I saw a lot of excitement and happiness from folks who greatly dislike President Trump over the fact that the Democratic National Committee had filed a giant lawsuit against Russia, the GRU, Guccifier 2, Wikileaks, Julian Assange, the Trump campaign, Donald Trump Jr., Jared Kushner, Paul Manafort, Roger Stone and a few other names you might recognize if you've followed the whole Trump / Russia soap opera over the past year and a half. My first reaction was that this was unlikely to be the kind of thing we'd cover on Techdirt, because it seemed like a typical political thing. But, then I looked at the actual complaint and it's basically a laundry list of the laws that we regularly talk about (especially about how they're abused in litigation). Seriously, look at the complaint. There's a CFAA claim, an SCA claim, a DMCA claim, a "Trade Secrets Act" claim... and everyone's favorite: a RICO claim.

Most of the time when we see these laws used, they're indications of pretty weak lawsuits, and going through this one, that definitely seems to be the case here. Indeed, some of the claims made by the DNC here are so outrageous that they would effectively make some fairly basic reporting illegal. One would have hoped that the DNC wouldn't seek to set a precedent that reporting on leaked documents is against the law -- especially given how reliant the DNC now is on leaks being reported on in their effort to bring down the existing president. I'm not going to go through the whole lawsuit, but let's touch on a few of the more nutty claims here.

The crux of the complaint is that these groups / individuals worked together in a conspiracy to leak DNC emails and documents. And, there's little doubt at this point that the Russians were behind the hack and leak of the documents, and that Wikileaks published them. Similarly there's little doubt that the Trump campaign was happy about these things, and that a few Trump-connected people had some contacts with some Russians. Does that add up to a conspiracy? My gut reaction is to always rely on Ken "Popehat" White's IT'S NOT RICO, DAMMIT line, but I'll leave that analysis to folks who are more familiar with RICO.

But let's look at parts we are familiar with, starting with the DMCA claim, since that's the one that caught my eye first. A DMCA claim? What the hell does copyright have to do with any of this? Well...

Plaintiff's computer networks and files contained information subject to protection under the copyright laws of the United States, including campaign strategy documents and opposition research that were illegally accessed without authorization by Russia and the GRU.

Access to copyrighted material contained on Plaintiff's computer networks and email was controlled by technological measures, including measures restricting remote access, firewalls, and measures restricting acess to users with valid credentials and passwords.

In violation of 17 U.S.C. § 1201(a), Russia, the GRU, and GRU Operative #1 circumvented these technological protection measures by stealing credentials from authorized users, condcting a "password dump" to unlawfully obtain passwords to the system controlling access to the DNC's domain, and installing malware on Plaintiff's computer systems.

Holy shit. This is the DNC trying to use DMCA 1201 as a mini-CFAA. They're not supposed to do that. 1201 is the anti-circumvention part of the DMCA and is supposed to be about stopping people from hacking around DRM to free copyright-covered material. Of course, 1201 has been used in all sorts of other ways -- like trying to stop the sale of printer cartridges and garage door openers -- but this seems like a real stretch. Russia hacking into the DNC had literally nothing to do with copyright or DRM. Squeezing a copyright claim in here is just silly and could set an awful precedent about using 1201 as an alternate CFAA (we'll get to the CFAA claims in a moment). If this holds, nearly any computer break-in to copy content would also lead to DMCA claims. That's just silly.

Onto the CFAA part. As we've noted over the years, the Computer Fraud and Abuse Act is quite frequently abused. Written in response to the movie War Games to target "hacking," the law has been used for basically any "this person did something we dislike on a computer" type issues. It's been dubbed "the law that sticks" because in absence of any other claims that one always sticks because of how broad it is.

At least this case does involve actual hacking. I mean, someone hacked into the DNC's network, so it actually feels (amazingly) that this may be one case where the CFAA claims are legit. Those claims are just targeting the Russians, who were the only ones who actually hacked the DNC. So, I'm actually fine with those claims. Other than the fact that they're useless. It's not like the Russian Federation or the GRU is going to show up in court to defend this. And they're certainly not going to agree to discovery. I doubt they'll acknowledge the lawsuit at all, frankly. So... reasonable claims, impossible target.

Then there's the Stored Communications Act (SCA), which is a part of ECPA, the Electronic Communications Privacy Act, which we've written about a ton and it does have lots of its own problems. These claims are also just against Russia, the GRU and Guccifer 2.0, and like the DMCA claims appear to be highly repetitive with the CFAA claims. Instead of just unauthorized access, it's now unauthorized access... to communications.

It's then when we get into the trade secrets part where things get... much more problematic. These claims are brought against not just the Russians, but also Wikileaks and Julian Assange. Even if you absolutely hate and / or distrust Assange, these claims are incredibly problematic against Wikileaks.

Defendants Russia, the GRU, GRU Operative #1, WikiLeaks, and Assange disclosed Plaintiff's trade secrets without consent, on multiple dates, discussed herein, knowing or having reason to know that trade secrets were acquired by improper means.

If that violates the law, then the law is unconstitutional. The press regularly publishes trade secrets that may have been acquired by improper means by others and handed to the press (as is the case with this content being handed to Wikileaks). Saying that merely disclosing the information is a violation of the law raises serious First Amendment issues for the press.

I mean, what's to stop President Trump from using the very same argument against the press for revealing, say, his tax returns? Or reports about business deals gone bad, or the details of secretive contracts? These could all be considered "trade secrets" and if the press can't publish them that would be a huge, huge problem.

In a later claim (under DC's specific trade secrets laws), the claims are extended to all defendants, which again raises serious First Amendment issues. Donald Trump Jr. may be a jerk, but it's not a violation of trade secrets if someone handed him secret DNC docs and he tweeted them or emailed them around.

There are also claims under Virginia's version of the CFAA. The claims against the Russians may make sense, but the complaint also makes claims against everyone else by claiming they "knowingly aided, abetted, encouraged, induced, instigated, contributed to and assisted Russia." Those seem like fairly extreme claims for many of the defendants, and again feel like the DNC very, very broadly interpreting a law to go way beyond what it should cover.

As noted above, there are some potentially legit claims in here around Russia hacking into the DNC's network (though, again, it's a useless defendant). But some of these other claims seem like incredible stretches, twisting laws like the DMCA for ridiculous purposes. And the trade secret claims against the non-Russians is highly suspect and almost certainly not a reasonable interpretation of the law under the First Amendment.

Permalink | Comments | Email This Story

This is the hopefully real story told by Ellisville, Mississippi man Tony Welsh, who decided to test the taser he bought his wife on himself to make sure it had adequate stopping power. The taser in question is a 100,000-volt pocket-sized taser powered by two AAA batteries, which he suspected wouldn't be powerful enough. He was wrong. Obviously, the best parts for me were SPOILER SPOILER SPOILER READ THE STORY FIRST: pooping himself and "My triceps, right thigh and both nipples were still twitching." Man, double nipple twitching -- that's bucket list stuff right there. Obviously, I wrote him to find out exactly what model it was so I can finally cross that off and move to the freaky stuff. Keep going for the whole story, but if you just want to read the actual test notes skip halfway down to where he's writing in all caps and I made a small pink tab on the left. Thanks to Shannon From HR, who also mentioned I need to stop playing browser games on company time.

In 2014, security researchers discovered a number of cell tower spoofers in operation in the DC area. Some may have been linked to US government agencies, but there was a good chance some were operated by foreign entities. This discovery was published and a whole lot of nothing happened.

Three years later, Senator Ron Wyden followed up on the issue. He sent a letter to the DHS asking if it was aware of these rogue Stingray-type devices and what is was doing about it. As was noted in the letter, the FCC had opened an inquiry into the matter, but nothing had ever come of it. As the agency tasked directly with defending the security of the homeland, Wyden wanted to know if anyone at the DHS was looking into the unidentified cell tower spoofers.

The DHS has responded to Wyden's queries, as the Associated Press reports. But a response is not the same as actual answers. The DHS appears to have very few of those.

The agency’s response, obtained by The Associated Press from Wyden’s office, suggests little has been done about such equipment, known popularly as Stingrays after a brand common among U.S. police departments. The Federal Communications Commission, which regulates the nation’s airwaves, formed a task force on the subject four years ago, but it never produced a report and no longer meets regularly.

The DHS pointed out that its own investigation, which detected several devices during a 90-day trial using ESD America equipment, had dead-ended, supposedly because of a lack of funding

[Christopher] Krebs, the top official in the department’s National Protection and Programs Directorate, noted in the letter that DHS lacks the equipment and funding to detect Stingrays even though their use by foreign governments “may threaten U.S. national and economic security.”

The answers [PDF] are all of the "we saw something and said something" variety. Fine for what it is, but does nothing to move things forward. Whatever "anomalous activity" the DHS saw during its trial was passed on to other agencies, which have not forwarded anything to Wyden or numerous Congressional committees concerned with national security, airwave regulation, and oversight.

According to the AP report, security experts are pretty sure every foreign embassy has a cell tower spoofer in use. Whether they limit themselves to call data -- as our government agencies do -- is another matter. Stingray devices are capable of intercepting communications and deploying malware. Since embassies function as tiny foreign countries on host's soil, there's a good chance those deploying cell tower spoofers aren't all that concerned with following US law when putting these to use.

Unfortunately, we're no closer to solid answers than we were last winter… or, indeed, four years ago, when the initial report triggered an FCC investigation. Of course, we may never get to see the full answer. One possible reason for this lack of investigatory movement is this practice isn't limited to foreign entities in the US. We absolutely deploy the same hardware in any country we have an embassy, in addition to all the countries in which we maintain a military presence. No one wants to talk about our own actions overseas, much less possibly expose local law enforcement's routine use of Stingray devices. For now, all we have is a tepid admission that Stingrays our government doesn't own are in operation in Washington, DC. But that's all we need to know, apparently. Unfortunately, that's possibly all our national security oversight entities know either.

Permalink | Comments | Email This Story

While the Trump FCC has certainly taken protectionism, corruption and cronyism to an entirely new level, it's important not to forget that Trump and Ajit Pai are just products of the country's long established bipartisan dysfunction when it comes to revolving door regulators, and it's going to take more than just ejecting Trump and Pai to repair the underlying rot that has allowed them to blossom.

Case in point: former Obama FTC boss Jon Leibowitz, who has long professed himself to be a "privacy advocate," has spent much of the last few years lobbying for Comcast while at Davis Polk. That has included making a myriad of false claims about ongoing, EFF-backed efforts to protect broadband consumer privacy in California.

In an endless wave of op-eds (where his financial conflicts of interest are almost never disclosed to the reader), Leibowitz has been busy insisting that rampant ISP privacy abuses are a "nonexistent problem," and that strong state and FCC oversight of ISPs are unnecessary because the FTC will somehow rush in to save the day in the wake of efforts to neuter the FCC, kill net neutrality, and embolden massive anti-competitive telecom duopolies.

We've already outlined in detail why that's a horrible take here. More specifically, the FTC lacks rule-making authority, and can only act against ISPs if behavior is clearly proven to be "unfair and deceptive," something ISPs can usually wiggle out of on the net neutrality front (we weren't throttling a competitor, we were protecting the safety and integrity of the network!). The FTC's also understaffed, under-funded, and over-extended. And oh, did we mention that AT&T has been busy in court trying to obliterate whatever authority over ISPs the FTC does have?

Leibowitz (like most ISP lobbyists pretending to be objective analysts) "forgets" to mention that.

With more than half the states in the nation now considering some flavor of net neutrality and privacy rules in the wake of federal apathy, Leibowitz is also busy trying to help Comcast scuttle privacy and net neutrality in other states like Massachusetts. Massachusetts, with the backing of dozens of lawmakers, is contemplating new net neutrality rules that would effectively mirror the ones Comcast lobbied the FCC To dismantle last December.

Leibowitz's oppositional testimony this week in front of state leaders included claims that net neutrality somehow hampered broadband industry investment, an ISP-lobbying claim routinely debunked by just looking at ISP earnings reports, SEC filings, and countless CEO statements:

"According to his prepared testimony for a hearing before the Joint Committee on Telecommunications, Utilities, Leibowitz said he recognized "the sky did not fall" when the FCC, during the Obama Administration, reclassified ISPs as Title II common carriers. But he said that reclassification did have costs to consumers, including diminished deployment of broadband, according to the FCC, as well as removing broadband consumer protection from the FTC's jurisdiction."

Again that diminished deployment never happened. ISP CEOs admit as much. Meanwhile, the "sky did not fall" because the FCC's 2015 net neutrality rules haven't even technically been repealed yet (that's expected to occur sometime in April). Even then, ISPs aren't expected to truly even start testing their newfound anti-competitive freedoms until they're sure the FCC (with ISP help) wins their looming legal battle. Even then ISPs may not truly be comfortable behaving badly until they're sure tougher state and federal rules are pre-empted (that's why they're pushing for a fake, loophole-filled net neutrality law.)

Knowing that states might fill the consumer protection vacuum, both Verizon and Comcast lobbied the Trump FCC to include language in their net neutrality repeal trying to ban states from protecting consumers (from net neutrality or privacy violations). And while Leibowitz tried to warn Massachusetts leaders that they might run afoul of the Trump FCC if they try to protect consumers (oh no!), that ignores the fact that legal experts say the FCC abdicated its authority on this front when they decided to back away from classifying ISPs as common carriers.

Again, dozens of individual state privacy and net neutrality protections aren't ideal, but that's something Leibowitz's client Comcast should have thought about before lobbying to demolish popular and modest federal level privacy and net neutrality protections. The fact that ISP lobbyists still cling to false claims that net neutrality "demolished sector investment" speaks volumes as to the integrity of their arguments. Meanwhile, at some point media outlets in the States need to wake the hell up to the harm caused by publishing lobbyist op-eds without disclosing authors' financial ties to industries they represent.

Permalink | Comments | Email This Story

The Fifth Circuit Appeals Court says it's fine if the government uses mandated emergency services to perform real-time GPS tracking. It doesn't go so far as to affirm the constitutionality of the actions, but it achieves the same ends by voting down the appellant's request for a rehearing.

What we can glean about the issue at stake comes from the eight-page dissent [PDF] written by judges James L. Dennis and James E. Graves, two of the seven judges who voted for a rehearing. In this case, the government used the defendant's cellphone provider to engage in real-time tracking. No warrant was obtained despite the government's shoulder-surfing of incoming GPS location data.

Defendant William Wallace contends that the Government violated the Fourth Amendment by ordering his service provider to activate his phone’s “Enhanced 911” capability and to relay his GPS coordinates in real time, including while he was in his home. The panel opinion concludes that, even if the Government’s real-time tracking of Wallace’s GPS coordinates was an unconstitutional search, Wallace cannot benefit from the exclusionary rule suppression of the fruits of that search because law-enforcement officials could have reasonably relied on open-ended language in 18 U.S.C. § 2703(c), a provision of the Stored Communications Act (SCA), as authorizing their actions.

Those are the facts of the case, but as the dissenting judges point out, the SCA clearly did not anticipate this use of the law, much less explicitly approve this GPS warrant end-around utilized by law enforcement. The government relied on good faith exception arguments made in two cases -- Leon and Krull. The latter holds that officers may rely on clear statutory authorization even if the statute is later proven to be unconstitutional. (In the Krull case, the statute was struck down a day after the disputed search took place.) This seems about right as courts hardly expect officers to know the laws they're supposed to enforce, much less the ones they're supposed to follow.

But that doesn't hold here. The dissent makes it explicit: the SCA provides no basis for warrantless commandeering of a phone's GPS system to track suspects. This isn't a passive collection of existing records. This turns a phone into a tracking device at the behest of law enforcement, even when the phone's owner may have taken measures to limit the collection of GPS data. There's nothing in the SCA that says any of this is constitutional.

Unlike in Krull, here there is no legislative judgment or dialogue between the courts and the legislature as to the constitutionality of the realtime GPS surveillance at issue. Congress passed the SCA over thirty years ago. At that time there was no E911 requirement, see 61 FED. REG. 40,374, and GPS was still experimental military technology that would not begin to be in widespread civilian use until over a decade later…

Furthermore, there's a Supreme Court decision to be considered -- one that strongly hinted real-time GPS tracking requires warrants (even if the Justices didn't actually go so far as to draw a bright line).

Moreover, as has been expressed by five members of the current Supreme Court and by members of this court, there is grave doubt as to the constitutionality of the kind of warrantless, real-time GPS tracking at issue in this case. See, e.g., United States v. Jones, 565 U.S. 400, 415–18 (2012) (Sotomayor, J. concurring) [...] Thus, both the nature of the statute and the nature of the alleged constitutional violation strongly suggest that Krull does not apply here.

The dissent then returns to the SCA. The government argues the SCA should be read to include real-time GPS tracking as something covered by the "or other information" phrase in the law. Since it's not communications, the government rationalizes, there should be no warrant requirement. The dissent points out the flaw in the government's reasoning by pointing to nothing more than the name of the law invoked to perform the warrantless tracking.

This holding ignores plain language in the SCA suggesting that real-time collection of GPS tracking information is not authorized by this statute. Section 2703(c) is part of the “Stored Communications Act.” (emphasis added). The pertinent section is entitled “Records concerning electronic communication service or remote computing service.” § 2703(c) (emphasis added). GPS coordinates that have not yet been created and would not be created absent the Government’s intervention cannot be called “records” or “stored” communications under any commonsense understanding of those terms.

This does nothing for the appellant or anyone who resides in the district, unfortunately. Law enforcement can still turn phones into tracking devices without warrants, barring any state legislation that provides more privacy protections than this district's interpretation of the Fourth Amendment. With its refusal to rehear this case, the Fifth Circuit has granted the government the luxury of interpreting "or other records" to include compelled real-time GPS tracking.

Permalink | Comments | Email This Story

As you probably recall, last year the FBI tried to force a court to effectively create a backdoor for encrypted iPhones, using the high profile San Bernardino shootings as the wedge. It seemed quite obvious with how the whole thing played out that the FBI didn't really need to get into Syed Farook's work iPhone, but that it hoped leverage the high profile nature of the case and the "fear, uncertainty and doubt" around a "terrorist" attack to finally get a court to force Apple to do this. A new report reveals that the FBI was very much focused on using this case to force the issue to the point that top officials were angry that a vendor figured out another way into the iPhone, and stopped the court proceedings.

Again: if the real goal (as stated publicly by the FBI at the time) was to find a way into this phone for important reasons, then you'd think the FBI would be excited when they found a way in, rather than pissed that a court wasn't needed to force a backdoor. But that's not what happened.

A recently-released Inspector General's report [PDF] shows the FBI jumped the gun in the San Bernardino case. The FBI insisted it had no other options when it asked a judge to grant its All Writs Act request to compel Apple to break into the shooter's recovered iPhone. But this report shows these claims -- one repeated by the DOJ in its legal filings and by James Comey in testimony to Congress -- weren't actually true.

The ROU [Remote Operations Unit] Chief told us that, at a monthly OTD managers’ meeting on February 11, 2016, the Chief of DFAS (of which CEAU [Cryptographic and Electronics Analysis Unit] is a part but ROU is not), indicated that CEAU was having problems accessing the data on the Farook iPhone and was preparing for court. The ROU Chief, who told the OIG that his unit did not have a technique for accessing the iPhone at the time, said that it was only after this meeting that he started contacting vendors and that ROU “got the word out” that it was looking for a solution. As discussed further below, at that time, he was aware that one of the vendors that he worked closely with was almost 90 percent of the way toward a solution that the vendor had been working on for many months, and he asked the vendor to prioritize completion of the solution.

There was a another option available at the time the DOJ filed its All Writs Request (February 16). It may not have been complete yet, but the FBI had reason to believe it would be soon. Instead of giving this option a shot, the FBI tried to secure a favorable ruling compelling Apple to crack the shooter's iPhone. This wasn't what was presented to the judge in the DOJ's filing.

Comey testified before Congress on February 9th. If there had been better communication between the FBI's Operational Technology Division (OTD) and the Cryptographic and Electronic Analysis Unit (CEAU), Comey may have been apprised of this fact before his first testimonial appearance. Given the national attention being paid to this case, there's no reason Comey should have been out of the operational loop, even at this early date.

But Comey repeated the same claim nearly a month later (March 1st): the FBI could not get into the iPhone without Apple's assistance. (And again three weeks later in an angry letter to the editor published by the Wall Street Journal.) There's no way Comey could not have been aware of these developments, not with the DOJ engaged in a high-profile courtroom battle with Apple over compelled assistance.

The Inspector General finds Comey's claims to be technically true: the breakthrough offered by the still-undisclosed vendor was not passed on to the FBI until March 16th and successfully demonstrated for agents on March 20th. The following day, the US Attorney's Office informed the court of this development and withdrew its All Writs request.

Comey's statements were technically true but not the parts where he insisted the only way to access the iPhone's contents was with Apple's assistance. If he was not being informed of ongoing developments on the tech side, that's inexplicable behavior by FBI entities directly tasked with cracking the shooter's iPhone. Given the high-profile status of this case, it's not just inexplicable. It's literally unbelievable.

But that's not the only concerning aspect of this report. The head of the FBI's Remote Operations Unit (ROU) -- the person who reached out to the vendor about the progress of its iPhone crack -- was never contacted or consulted by the other offices working on the same problem. As the ROU Chief stated, the ROU walled itself off to prevent national security tools from being used in normal criminal cases.

This would seem to be good news -- the FBI drawing internal lines in the sand between natsec and normal criminal investigations -- but it actually isn't. The CEAU head believed no line existed and it could bring tools over from the natsec side any time it wanted to. But that's not the worst of it. The CEAU actually did not want a solution found.

According to the ROU Chief, his only conversation with the CEAU Chief was well after the fact, during which the CEAU Chief “was definitely not happy” that the legal proceeding against Apple could no longer go forward.

This is further backed up by statements made to the IG by FBI Executive Assistant Director (EAD) Amy Hess.

After the outside vendor successfully demonstrated its technique to the FBI in late March, EAD Hess learned of an alleged disagreement between the CEAU and ROU Chiefs over the use of this technique to exploit the Farook iPhone – the ROU Chief wanted to use capabilities available to national security programs, and the CEAU Chief did not. She became concerned that the CEAU Chief did not seem to want to find a technical solution, and that perhaps he knew of a solution but remained silent in order to pursue his own agenda of obtaining a favorable court ruling against Apple. According to EAD Hess, the problem with the Farook iPhone encryption was the “poster child” case for the Going Dark challenge.

This was also admitted by the CEAU Chief in his interview with the Inspector General.

The CEAU Chief told the OIG that, after the outside vendor came forward, he became frustrated that the case against Apple could no longer go forward, and he vented his frustration to the ROU Chief. He acknowledged that during this conversation between the two, he expressed disappointment that the ROU Chief had engaged an outside vendor to assist with the Farook iPhone, asking the ROU Chief, “Why did you do that for?”

The report makes it clear those steering the iPhone-cracking efforts were less interested in an outside vendor cracking the phone than obtaining a precedential decision. In doing so, the DOJ ended up filing false statements as sworn assertions, claiming it had exhausted every option before approaching the court with an All Writs Request. This report may sort of clear Comey and the DOJ, but it exposes something much uglier: FBI officials are not making good faith efforts to find outside solutions to the FBI's supposed "going dark" problem. They'd much rather have favorable court decisions and legislative mandates than work with the tools others are crafting for them. This all but guarantees the number of uncracked phones in the FBI's possession will continue to grow. But they should never be viewed as investigative dead ends. They should be seen for what they are: rhetorical devices.

Update: Sen. Ron Wyden sees the report for what it is. Here's his statement on the matter:

"The FBI's leadership went straight to the nuclear option -- attempting to force Apple to circumvent its encryption -- before attempting to see if their in-house hackers or trusted outside suppliers had the technical capability to break into the San Bernardino terrorist's iPhone," Wyden said. "It's clear now that the FBI was far more interested in using this horrific terrorist attack to establish a powerful legal precedent than they were in promptly gaining access to the terrorist's phone."

Permalink | Comments | Email This Story

Even though Android is open source, virtually every Android device sold outside of China contains a chunk of closed code from Google in the form of Google Play Services and the GApps. These two deeply related software packages turn a rather stale mobile operating system into the full-on Google Android most of us know. There aren't a whole lot of Android users (again, outside of China) who aren't using these. Since these packages aren't open source, custom Android ROMs ship without them; you have to sideload them manually after installing your ROM image. Luckily for us, Google has always allowed this, but it's always been a bit tenuous. It's about to get a whole lot more tenuous, since Google appears to be blocking GApps from running on uncertified Android devices - but thankfully, they're allowing custom ROM users to register their Android device to get an exception. Earlier this week, we received an anonymous tip from a person claiming to be within the industry. This person, who said they worked for an OEM/ODM, notified us that Google has started entirely locking out newly built firmware from accessing Gapps. This change apparently went into effect March 16th and affects any software builds made after this date (Google Play Services checks ro.build.fingerprint for the build date apparently). You can register your device to get an exception, and you can register up to 100 devices per user - which should be enough for virtually everyone, I assume.

Another Alabama sheriff has been caught abusing a law that's inexplicably still on the books. Over the course of three years, Etowah County Sheriff Todd Entrekin took home at least $750,000 in funds meant to be used to feed inmates in his jail. Thanks to another bad law, there's no telling how much more than $750,000 Entrekin has pocketed, but he certainly seems to have a lot of disposable income. (h/t Guy Hamilton-Smith)

The News discovered the eye-popping figures on ethics disclosures that Entrekin sent to the state: Over the course of three years, he received more than $750,000 in extra compensation from "Food Provisions." The exact amount over $750,000 is unclear, because Entrekin was not required to specify above a $250,000 a year threshold, the paper writes.

The paper also found that Entrekin and his wife own several properties worth a combined $1.7 million, including a $740,000 four-bedroom house in Orange Beach, Ala., purchased in September.

Without the provision funds, Entrekin earns a little more than $93,000 a year, the paper says.

This aligns Sheriff Entrekin with sheriffs around the state who have enriched themselves at the expense of their inmates. Some sheriffs did enough skimming to force the federal government to step in and slap them with consent decrees in which they promised to spend all jail food funds on jail food. Unfortunately, this did little to help the sheriffs live up to their end of the federal bargain. Sheriffs keep getting richer and inmates keep getting less and less to eat.

Entrekin has decided to blame the media for his current reputational woes.

In a statement emailed to NPR, Entrekin said the "liberal media has began attacking me for following the letter of the law."

"The Food Bill is a controversial issue that's used every election cycle to attack the Sheriff's Office," Entrekin said. "Alabama Law is clear regarding my personal financial responsibilities of feeding inmates. Until the legislature acts otherwise, the Sheriff must follow the current law."

No one is forcing Entrekin to take home hundreds of thousands of dollars meant for feeding prisoners. The law allows this but does not require every sheriff running a jail to cut food expenses so there's a difference to pocket. Yes, the problem ultimately lies with the legislature which has allowed this abomination of a law to remain on the books despite it repeatedly being the source of national controversy.

But this story continues to get worse. It appears the sheriff has managed to take a journalist's source out of public circulation.

Sheets' investigation has also made headlines because of the arrest of a key source.

Sheets spoke with a landscaper named Matt Qualls who mowed Entrekin's lawn in 2015 and noticed the name of the account on his checks — the "Sheriff Todd Entrekin Food Provision Account." He shared pictures with Sheets.

"A couple people I knew came through the jail, and they say they got meat maybe once a month, and every other day, it was just beans and vegetables," Qualls told Sheets. "I put two and two together and realized that that money could have gone toward some meat or something."

Sheets' initial story was published on Feb. 18. On Feb. 22, Qualls was arrested and charged with drug trafficking after an anonymous call complained of the smell of marijuana from an apartment.

How fortuitous that an anonymous call would come along only days after AL.com exposed Sheriff Entrekin's discretionary spending. Even more fortuitously, another law enforcement agency actually performed the arrest (working with a drug task force that contained members of Entrekin's force), giving the Sheriff mostly implausible deniability.

[S]pokeswoman Natalie Barton said via email Monday that the case against Qualls "belongs to and was initiated by the Rainbow City Police Department" and "[t]he Etowah County Sheriff's Office did not have any involvement in the arrest of Mr. Qualls."

But it did have some involvement. The drug enforcement unit included deputies of Entrekin's. And it was the sheriff's department that decided to stack charges against Qualls, which could seem him facing several years in prison.

Rainbow City Police Capt. John Bryant said that his department only charged Qualls with second-degree marijuana possession, possessing drug paraphernalia and felony possession of a controlled substance, namely a few Adderall pills that were not prescribed to him.

But records on the Etowah County Sheriff's Office website show that Entrekin's office charged Qualls with three additional crimes: another paraphernalia charge, another felony possession of a controlled substance charge, and felony drug trafficking. Penalties for drug trafficking are extremely steep in Alabama, where people have been imprisoned for life for the crime.

What the drug unit actually found bears almost no resemblance to the charging sheet. Qualls possessed marijuana butter, but rather than use the actual amount of marijuana contained in the apartment (and the butter) -- which would have been less than 20 grams -- Entrekin's department decided to declare all of the butter to be marijuana, raising the total weight to 2.3 pounds. This conveniently clears the 2.2 pound bar needed to charge someone with drug trafficking. The chief of the Rainbow City Police, whose officers performed the arrest, says the Sheriff's weight calculations are "inaccurate."

Even stranger, Qualls is being charged even though it may not even be his marijuana. The arrest warrant shows a completely different address for Qualls. Qualls says he lives in Gadsen, while the warrant pinpoints his residence as Centre. The arrest took place in Rainbow City.

No matter what the spokesperson says, this is clearly a vindictive arrest of someone who made the mistake of outing a sheriff for blowing jail funds on himself. A 20-year-old who knows people who've gone to jail is expendable. It looks as though the sheriff is willing to ruin Qualls' life for slightly inconveniencing his.

Permalink | Comments | Email This Story

Last year you might recall that the GOP and Trump administration rushed to not only kill net neutrality at ISP lobbyist behest, but also some pretty basic but important consumer privacy rules. The protections, which would have taken effect in March of 2017, simply required that ISPs be transparent about what personal data is collected and sold, while mandating that ISPs provide consumers with the ability to opt of said collection. But because informed and empowered consumers damper ad revenues, ISPs moved quickly to have the rules scuttled with the help of cash-compromised lawmakers.

When California lawmakers stepped in to then try and pass their own copy of those rules, ISPs worked in concert with Google and Facebook to scuttle those rules as well. As the EFF documented at the time, Google, Facebook, AT&T, Verizon and Comcast all collectively and repeatedly lied to state lawmakers, claiming the planned rules would harm children, increase internet popups, and somehow "embolden extremism" on the internet. The misleading lobbying effort was successful, and the proposal was quietly scuttled without too much fanfare in the tech press.

Obviously this behavior has some broader implications in the wake of the Cambridge Analytica scandal. Especially given Facebook's insistence this week that it's open to being regulated on privacy, and is "outraged" by "deception" as it tries (poorly) to mount a sensible PR response to the entire kerfuffle:

But last year's joint ISP and Silicon Valley assault on consumer privacy protections wasn't a one off.

California privacy advocates are again pushing a new privacy proposal, this time dubbed the California Consumer Privacy Act of 2018. Much like last year's effort the bill would require that companies be fully transparent about what data is being collected and sold (and to who), as well as mandating mandatory opt-out tools. And this proposal goes further than the FCC's discarded rules, in that it would ban ISPs from trying to charge consumers more for privacy, something that has already been implemented by AT&T (temporarily suspended as it chases merger approval) and considered by Comcast.

But privacy groups note that Facebook and Google are again working with major ISPs to kill the proposal, collectively funneling $1 million into a PAC custom built for that purpose:

Privacy advocates at Californians for Consumer Privacy also wrote a letter to Facebook this week expressing their lack of amusement at the effort in the wake of the Cambridge scandal:

"Something’s not adding up here,” Mactaggart writes. “It is time to be honest with Facebook users and shareholders about what information was collected, sold or breached in the Cambridge Analytica debacle; and to come clean about the true basis for your opposition to the California Consumer Privacy Act of 2018."

As we recently noted, however bad Facebook's mistakes have been on the privacy front, they're just a faint shadow of the anti-consumer behavior we've seen from the telecom sector on this front, suggesting that a disregard for privacy is a cross-industry norm, not an exemption. That said, while Google and Facebook love to portray themselves as the same kind of consumer allies they were a decade ago, their refusal to seriously protect net neutrality -- and their eagerness to work with loathed companies like Comcast to undermine consumer privacy -- consistently paints a decidedly different picture.

Permalink | Comments | Email This Story

Tech’s biggest companies are still investing countless dollars into virtual reality, rushing to gobble up any new technology that shows any sort of promise. Lytro is reportedly the latest startup preparing itself for acquisition, with Google looking to buy the company for somewhere around $40 million.

You may remember Lytro as the imaging startup responsible for creating the strange Light Field Camera back in 2012. More recently, the company launched the Lytro Illum, a full-sized camera that “unlocks the ability to capture the color, intensity and direction of the light rays flowing into the camera.” Essentially, you can adjust the focus after the fact using Lytro’s custom software to translate that depth data into a photo. It was more a niche product with Lytro later pivoting to VR with Lytro Volume Tracer, a Light Field platform for mixed reality.

Lytro VT is a Light Field solution for pre-rendered CG content for a more immersive playback experience in virtual or augmented reality. Lytro provided a tech demo with a short animation called “One Morning” (video below) created using Lytro VT. It seems to have caught the eye of Google who is now looking to acquire Lytro’s assets — which include somewhere around 59 light field and other digital imaging related patents — for a bargain price of no more than $40 million.

During its last round of funding in 2017, Lytro raised a little over $200 million in funding and was valued at around $360 million. A sale for $40 million likely wont make investors happy but for consumers excited about VR, specifically how Google will be using it in next gen VR products, have a lot to be excited about.

via TechCrunch

We've made the point for a long time that, on a long enough timeline, pretty much everybody is a pirate. The point is that the way copyright laws have evolved alongside such useful tools as the internet makes knowing whether common sense actions are actually copyright infringement an incredibly dicey riddle to solve. Often times without even trying, members of the public engage in infringing activities, up to and including the President of the United States.

And, it appears, up to and including entire branches of the United States military, though claims of accidental infringement in this case would appear to be rather silly. Bitmanagement, a German software company that produces virtual reality software, is accusing the US Navy of what can only be described as massive levels of copyright infringement.

In 2011 and 2012, the US Navy began using BS Contact Geo, a 3D virtual reality application developed by German company Bitmanagement. The Navy reportedly agreed to purchase licenses for use on 38 computers, but things began to escalate.

While Bitmanagement was hopeful that it could sell additional licenses to the Navy, the software vendor soon discovered the US Government had already installed it on 100,000 computers without extra compensation. In a Federal Claims Court complaint filed by Bitmanagement two years ago, that figure later increased to hundreds of thousands of computers. Because of the alleged infringement, Bitmanagement demanded damages totaling hundreds of millions of dollars.

Both parties have since investigated the issue, with the Navy reportedly simply admitting that it installed the software on nearly half a million computers. Bitmanagement had assumed the Navy would be paying for these installations, but the military branch failed to do so and instead tried to work out much lower licensing costs with the company long after the fact. For its part, the government insists that it bought concurrent licenses rather than client licenses, but this defense makes little sense for any number of reasons. The scale of installations suggests that more than 38 users would be on the software at any given time, not to mention that Bitmanagement's VARs are not authorized to sell concurrent licenses, and that nothing in the contracts the Navy agreed to even mentions the word "concurrent."

In a request for summary judgement, Bitmanagement is asking for the government to be liable for the hundreds of thousands of installations it carried out and pay for them accordingly.

Now, while this infringement by the US government seems anything other than accidental, keep in mind that this same US government that regularly puts out reports and comments on the dastardly amounts of copyright infringement carried out by other foreign governments and their citizens. It seems as though America should get its own house in order, at least at the level of the federal government, before pointing any more fingers.

Permalink | Comments | Email This Story

Supposedly completely of its own volition, Maryland's court system has decided to extend extra rights to law enforcement officers. Going to bat for opacity, the Maryland Judiciary has made it harder for the public to find out what officers are doing (or how often they're being sued). This comes against a backdrop where more sunlight would seem essential, what with several Baltimore police officers facing corruption charges in a wide-ranging investigation that has already netted a handful of convictions and guilty pleas.

Citing a favorite cop excuse, the state's courts have decided the public should be less informed.

Maryland’s Judiciary on Friday defended a decision to remove the names of police officers and other law enforcement authorities from the state’s searchable public online court database, saying the change was made in response to “safety concerns raised by law enforcement.”

The change took effect Thursday, following a decision by a judicial rules committee last June. Officers’ names no longer appear on cases they were involved with, and searches using an officer’s name cannot be performed.

The Judiciary claims this "balances" public access to court information with its "obligation" to protect officers from "potential misuse." It did not cite any actual misuse in defense of its position. Nor did it cite any support from law enforcement agencies or "safety concerns" raised by them. While the Anne Arundel County police admitted to lobbying for a change, all the department had asked for was the removal of first names, not removal of officers' names entirely.

Multiple law enforcement agencies contacted by The Baltimore Sun expressed their concern with the Judiciary's decision.

[T]he Maryland State Police said they had not lobbied for such a change, and the [Baltimore] Police Department said they did not agree with it.

A spokesman for Gov. Larry Hogan said: “Public information should be public. End of story.”

[...]

Baltimore police said they didn’t lobby for a change and “really don’t see why they got rid of what was already publicly available.”

“We use it too,” chief spokesman T.J. Smith said of the data.

Even more bizarrely, the Judiciary claims this removal only affects "remote access." Supposedly the names of officers can still be accessed by using local court kiosks. This makes no sense. Why would cops be "safer" if their names can only be accessed inside a local court? Wouldn't that make these (apparently imaginary) threats to officer safety much more proximate to the officers affected?

Beyond that, there's the fact that kiosk access is limited. Or, in the case of the Baltimore Circuit Court, kiosks are nonexistent. According to the Sun, the Baltimore court runs searches through an "archaic" computer system (not a kiosk) that does not provide the same search options as its online counterpart.

Local public defenders were unaware officer information was being removed, which seems to be a key oversight in the process. Public defenders are very much a part of the judicial process, yet they were never informed information they need on a daily basis would no longer be available. Already overworked, public defenders will now be forced to visit courts to access officer information and hope that court has kiosks that actually provide the search functions they need.

The Judiciary claims all of this was done in the open and with the consultation of stakeholders. This can't possibly be true since both law enforcement agencies and defense lawyers were apparently unaware of the change until The Baltimore Sun contacted them. The Judiciary's own paper trail suggests this was done under the radar with zero public debate about the rules change.

The committee’s annual report from last year shows that the change was made by eliminating a clause in the section “Access to Judicial Records,” which said, “Unless shielded by a protective order, the name, office address, office telephone number and office e-mail address, if any, relating to law enforcement officers, other public officials or employees acting in their official capacity, and expert witnesses, may be remotely accessible.”

It was unclear whether the change was debated — the rules committee has not posted minutes of its meetings since April 2016.

No one agrees with the Judiciary's change, which is probably why no one was consulted before the change was made. Everyone from city council members to state's attorney candidates to journalists find the change unwarranted, unhelpful, and a serious blow to trust-building efforts between law enforcement agencies and the communities they serve.

This unpopular move from the state judiciary suggests its members will show plenty of deference to law enforcement agencies and officers in the future. And it will continue to do so even when there's plenty of evidence out there showing officers are often untrustworthy, when not completely corrupt. It has a single reason for making this move -- officer safety -- but there's nothing in the judiciary's past that even suggests court records are being used to target police officers. Even local police departments release the names of officers involved in shootings and cases involving apparent excessive force. The Judiciary has decided to roll back transparency at the worst possible time, giving cops extra privileges they weren't even asking for and further damaging the public's trust in their public servants.

Permalink | Comments | Email This Story