Documents Show A Bunch Of Canadian Government Agencies Have Access To Phone-Hacking Tools

(Mis)Uses of Technology

from the fisheries-just-out-there-hacking-phones dept

Looks like everybody who’s anybody has got a set of hacking tools in Canada. Well, at least in terms of the federal government. Documents obtained by the CBC shed some light on the prevalence of phone-cracking tech within the government. And what that light shows isn’t all that flattering.

Tools capable of extracting personal data from phones or computers are being used by 13 federal departments and agencies, according to contracts obtained under access to information legislation and shared with Radio-Canada. 

Radio-Canada has also learned those departments’ use of the tools did not undergo a privacy impact assessment as required by federal government directive.

Well, that’s pretty much how it goes here in the US, too. Tech is obtained and deployed. Years later — if ever — privacy impact assessments are delivered. Act first. Get into compliance later. And don’t even worry about apologizing. Sure, governments are supposed to serve the public’s interest. But if those interests don’t align with the government’s interests, well… tough shit, I guess.

It’s not surprising law enforcement and national security agencies have access to these tools. What’s a bit more surprising is how many regulatory agencies have (or have had) possession of device-cracking tech. The full list of agencies with these tools is bound to provoke some questions that won’t be all that easy to answer.

Fisheries and Oceans Canada
Environment and Climate Change Canada
Canadian Radio-Television and Telecommunications Commission
Canada Revenue Agency
Shared Services Canada
Competition Bureau Canada
Global Affairs Canada
Transportation Safety Board of Canada
Natural Resources Canada
Correctional Service Canada
National Defence
Royal Canadian Mounted Police

Here are some details on just one of the oddities on this list. Shared Services Canada is the government’s IT wing, providing infrastructure and support for the federal government. This government agency acquired a whole suite of device crackers to crack devices.

According to the documents Light shared with Radio-Canada, Shared Services Canada purchased the equipment and software for the end users from suppliers Cellebrite, Magnet Forensics and Grayshift. (The latter two companies merged earlier this year).

No explanation was given as to why this entity should need this tech. The only explanation given for any of this was this defensive, nonsensical statement from Cellebrite, in which it defended itself from accusations no one was making.

After publication of this story, Cellebrite said in an email that its “technologies are not used to intercept communication or gather intelligence in real time. Rather, our tools are forensic in nature and are used to access private data only in accordance with legal due process or with appropriate consent to aid investigations legally after an event has occurred.   The person/suspect does know our technology is obtaining data through court/judicial permission through a search warrant or consent by the individual.”

Um. OK. No one was accusing Cellebrite of engaging in illegal (or even legal) interception of communications or real-time surveillance. That the company chose to lead with that almost suggests that it does provide these services to other governments or government entities, just not the ones being discussed here. (It probably doesn’t. So far, Cellebrite has only been shown to provide phone-cracking devices that require those doing the cracking to have possession of the device being cracked. But still, it’s a weird thing to say when no one’s accusing you of doing those things.)

As for the mandatory privacy impact assessments that have yet to be created, only one agency (Fisheries and Oceans) said it planned to whip one up. The rest of the agencies that bothered to respond to this query suggested no privacy impact assessment was necessary because any deployment of the tech was backed by a court order or warrant. That’s an obviously wrong assumption, but that’s the excuse being given.

As for the legal justifications that supposedly allow these entities to skip publishing PIAs, they’re almost as ridiculous as the excuses offered for ducking their own legal obligations to the general public. Fisheries and Oceans listed “Fisheries Act” as its sole justification for deploying device-cracking tech. The Radio-Television and Telecommunications Commission claimed “Canada’s Anti-Spam Legislation” allowed it to break into devices and computers. The Environment and Climate Change agency was just as vague, citing “enforcement of different laws and regulations.”

The more plausible explanation for the possession of these devices by agencies that aren’t actually in the law enforcement/national security business is this: they’re being used to perform internal investigations.

Some of the departments say they use the tools to conduct internal investigations when employees are suspected of fraud or workplace harassment, for example. They say data is only extracted from government-issued devices in accordance with internal protocols that govern the collection and storage of personal information to ensure its protection.

And the statements provided by the Transportation Safety Board strongly suggest forensic devices are being used to search devices recovered from traffic accidents, most likely to determine whether or not they were due to distracted driving.

All in all, a pretty eye-opening set of revelations. Agencies one would never suspect had any need for these powerful tools not only have them, but are using them for reasons that are mostly left unexplained. The lack of privacy impact assessments isn’t surprising, though. It’s just disappointing. Obligations to the public are always put on the back burner, especially when agencies possess little-known tech with capabilities that have yet to be fully exposed. They want every chance to exploit these before their oversight catches on and/or public records requesters figure out what questions to ask and who to ask them to.

Filed Under: canada, hacking, phone cracking, surveillance
Companies: cellebrite, grayshift, magnet forensics

Carmakers Push Forward With Plans To Make Basic Features Subscription Services, Despite Widespread Backlash

(Mis)Uses of Technology

from the breathing-clean-air-will-now-cost-extra dept

Automakers are increasingly obsessed with turning everything into a subscription service in a bid to boost quarterly returns. We’ve noted how BMW has embraced making heated seats and other features already in your car a subscription service, and Mercedes has been making better gas and EV engine performance something you have to pay extra for — even if your existing engine already technically supports it.

And despite widespread backlash (BMW had to backtrack on many of its plans), the auto industry shows absolutely no indication they’re going to back away from their plan, with numerous automakers currently working on efforts to “subscriptionize” basic functions and features. And now they’re apparently trying to pretend that this shift is necessary to finance the shift to EVs:

Alistair Weaver, editor-in-chief at Edmunds, says automakers are counting on the new revenue stream to pay for the expensive transition to electric cars.

“So if your car payment is 600 bucks a month, it’s now $675,” Weaver said.

There are several problems here. One, most of the tech they want to charge a recurring fee to use is already embedded in the car you own. And its cost is already rolled into the retail cost you’ve paid. They’re effectively disabling technology you already own, then charging you a recurring additional monthly fee just to re-enable it. It’s a Cory Doctorow nightmare dressed up as innovation.

The other problem: nobody genuinely wants this shit. Surveys have already shown how consumers widely despise paying their car maker a subscription fee for pretty much anything, whether that’s an in-car 5G hotspot or movie rentals via your car’s screen. Other studies indicate that consumers are generally opposed to making functions subscription based, unless they wind up paying less overall:

Alix Partners, a global consulting firm, found that more than 60% of consumers are willing to consider subscribing for enhanced safety and convenience features as long they don’t feel like they are being charged for something they already paid for.

“A lot of people in the auto industry certainly use Apple as a shining light on the hill,” said Mark Wakefield, Alix Partners CEO.

“The car has to be cheaper, plus this option of subscribing,” Wakefield added.

But there’s zero chance that consumers will ever pay less. I’ve often seen carmakers like BMW try to pretend that turning heated seats and other features into recurring subscriptions lowers the vehicle retail cost, but I’ve not seen any evidence to indicate that’s actually true.

The entire point of integrating subscription systems like these is to please Wall Street’s insatiable, often myopic desire for consistent, upwardly scaling, improved quarterly returns. Once implemented, the subscription costs will inevitably be jacked steadily skyward to please Wall Street. It’s simply how these things work. The end result is higher overall costs, and annoying new subscription systems to manage.

There’s a whole bunch of additional unintentional consequences of this kind of shift. Right to repair folks will be keen on breaking down these phony barriers, and automakers (already busy fighting tooth and nail against right to repair reform) will increasingly respond by doing things like making enabling tech you already own and paid for a warranty violation.

The shift toward endless subscriptions for basic functions may not annoy folks with endless piles of disposable income, but for the majority of Americans that struggle to even afford new vehicle costs already, it’s hard to not see this impacting new car sales — or driving more users to older, used cars with dumber tech.

Filed Under: automobiles, cars, consumer rights, fees, heated seats, right to repair, subscription service

Google Takes Down ‘Downloader’ App Again After Bullshit DMCA Complaint, Restores It Again

Copyright

from the again?!? dept

Earlier this year we discussed an app being removed from the Google Play store over copyright concerns and a DMCA notice that was sent in by a firm representing several Israeli television networks. The app, called “Downloader,” was created by Elias Saba, and he was very confused by the takedown. The reason for his confusion is based on what his app actually does: it combines a simple file management solution and a web browser for smart/streaming devices. It does not host any infringing content. It does not even point a user to any infringing content. If this app is a copyright problem, in other words, so is, oh, I don’t know… Google Chrome. And, yet, Google took the app down, before eventually realizing its mistake and reinstating the app to the Play Store.

As if that whole story isn’t annoying enough, it just happened again. And in the exact same way.

Downloader has been suspended by Google Play again, and this time the reason is even harder to understand. Based on a vague DMCA notice, it appears that Downloader was suspended simply because it can load the Warner Bros. website.

Google notified Saba that the app was suspended again last night, according to the notice that Saba shared with Ars. “Your app contains content that allegedly infringes upon the copyright of others, and violates applicable copyright laws in the relevant country/jurisdiction,” the notice from Google said.

The notice includes a copy of the DMCA complaint, which came from MarkScan, a “digital asset protection” firm that content owners hire to enforce copyrights. MarkScan said in its complaint that it represents Warner Bros. Discovery Inc.

It’s really that simple. In the DMCA notice itself, where MarkScan was supposed to list the infringing content within the app, the notice lists only https://www.warnerbros.com/. Again, my smart TV has a browser on it that can also access that website. It’s called Chrome and is a Google product. But for some reason, that app gets to remain on the Play Store while Downloader has been taken down a second time for the same bullshit reason as the last go around.

And Saba is rightly pointing out that this sort of DMCA abuse, or at least a complete neglect by both MarkScan and Google to actually review what these DMCA notices are claiming to ensure they comply with copyright law, shows just how wide open the current DMCA notice and takedown process is for abuse, error, or collateral damage.

Unsurprisingly, Saba is outraged. “You would think that Google would at least verify that the takedown request is actually making a plausible claim,” he told Ars today. “The most important field in the takedown where the claimant has to specify where the copyright infringement exists is void of all detail. If this complete lack of information is all it takes to take an app down, then no app in the Google Play Store is safe from being suspended with just a few clicks and a frivolous takedown request.”

Saba has since appealed the takedown, but that appeal was almost immediately rejected by Google. From there, he had to submit a counter-notice, and now MarkScan has two weeks to either file legal action, or else his app will be reinstated.

Fortunately it didn’t take that long. After initially delisting the app from the Play Store, Google reversed that decision, noting correctly, and far too late, that the DMCA notice didn’t list any actually infringing content within it.

Google has defended its DMCA-takedown process by saying that, under the law, it is obligated to remove any content when a takedown request contains the elements required by the copyright law. But in this case, Google Play removed Downloader even though the DMCA takedown request didn’t identify a copyrighted work—one of the elements required by the DMCA.

That’s probably why Downloader’s latest suspension was reversed more quickly than the previous one. But the incident raises questions about whether Google will do anything to prevent repeated suspensions of apps wrongly targeted by vague or bogus DMCA notices.

Yeah, it sure as shit does! And Saba has gone on to note that it sure would have been nice for Google to have reviewed the notice and found that it was insufficient before taking his app down instead of after.

If we’re going to suffer under this notice and takedown nonsense, there should be a responsibility on the service provider to determine whether a notice is valid to begin with, never mind real toothy penalties for those submitting this sort of garbage as well.

Filed Under: copyright, dmca, downloader, notice and takedown
Companies: google, markscan, warner bros. discovery

Decentralization Matters: But Why?

Innovation

from the decentralize-all-the-things dept

About a year ago, the Filecoin Foundation for the Decentralized Web asked if I would help edit and compile a “magazine” talking about decentralization and why it’s important. It was a fun and interesting challenge, and now the final product is out, the D-Web Digest.

There are a bunch of fascinating articles in there, which I summarize in my editor’s letter to open up the issue. I’m not going to go over all of the articles (you can see that in the editor’s letter) but I would like to highlight a few that I think are particularly worth checking out:

I think, by far, the piece in the collection that made me think the most is Danny O’Brien’s piece on “terminal values and cognitive liberty.” You need to read the whole thing, but it really gets at the question of why decentralization is so important. I’ve been citing and quoting the piece to people since last Spring, but now it’s finally out for people to see.

The key to Danny’s piece is understanding what fundamental, core, “terminal” values are so important, and whether or not decentralization is one of those, or rather a means to reach one of them. His conclusion (though you should read the process by which he gets there) is that cognitive liberty is the terminal value, and the only real way to get there is through decentralization. Here’s just a snippet:

Our own consciousness cannot be rented from others, or temporarily conceded to us, with built-in police or backdoors or hidden ad men. We need to seize the means of computation, and that means ejecting all of these interlopers, and relocating it back into the personal domain we control: whether that’s physically, or by using tools like encryption and zero-knowledge proofs to preserve our control when our data and processing power sits on others’ hardware.

That’s the pyramid of digital rights for me: a firm foundation of decentralized, user-controlled technology, giving us broader cognitive liberty, internal privacy, freedom of self-expression, and freedom of self-determination.

A second piece I want to call out is Mai Ishikawa Sutton’s piece that finally addresses the whole DWeb/Web3 split that has been so frustrating to me over the past few years. Effectively, there are two camps within the decentralized tech world: one that believes it will be powered by crypto and blockchains, and one that… most certainly does not. They sometimes use the same language, and talk about the same goals, but often do not. And the two groups don’t seem to trust each other much. Mai moves the debate significantly forward not by digging into what the two groups agree or disagree on, but looking into a core element of the technology (which is similar to Danny’s piece above) regarding who is designing the technology, who controls it, and who stands to benefit from it. A snippet:

Building new and shinier tools out of the same political and economic conditions will do nothing to fundamentally change the world. But “decentralization” is also not a value in itself, and it’s not enough to build the kinds of technological networks we need to confront intensifying global crises. People need to continue to discuss, shape, and re-shape collective values. With those values held at their core, communities with common interests can collectively coordinate and embody them, first and foremost through how they govern themselves and treat one another. After all, the current internet is a reflection of shared values; the question is how we embed justice and mutual care into the Webs to come. Instead of expecting some technology to save us, we need to organize and save ourselves.

Farzaneh Badiei and Holmes Wilson both tackle important points regarding centralization being unavoidable, even in decentralized systems. These systems always have certain elements of centralization to make them work, and being aware of what these are and how they work is critical.

Badiei highlights the role of DNS, and how it has become increasingly centralized, and the potential risks that creates.

One such space is the operation of DNS resolvers, which is increasingly centralized. Imagine if we provided the capability for thousands of operators to run efficient and secure resolvers. Imagine there were so many of these operators that they were not restricted to a single jurisdiction, ensuring that any intellectual property lawsuit would not affect access to web services as a result of the resolvers being forced to block them.

Wilson, meanwhile, highlights that for all the benefits found in open source software for decentralized systems, centralization often rears its head in various cloud services, as necessitated by scale:

Cloud services such as AWS, Microsoft Azure, and Google Cloud enjoy such significant marketshare not because they control the code for technologies they deploy (tools such as Linux, Postgres, and Kubernetes are free and open source software) but because they control the ability to use it at scale. Most engineers don’t even learn these tools directly anymore; they simply learn to turn to a cloud services company, purchase the correct service, and make it work for their needs. The power to operationalize code is creating the same lock-in and barriers to entry that software licenses once did.

This leads well into my own contribution to the series, which tries to highlight how to think about decentralization vs. centralization, recognizing that there are certain tradeoffs, benefits, and costs to each, but suggesting a framework for considering where each makes more sense, and how to implement them in a manner that minimizes the problems of centralization, while enabling more of the benefits of decentralization:

This lesson is important: having centralized infrastructure that is open and on which others can build in a decentralized manner can open up tremendous possibilities.

And we see that same pattern in the internet.

In some ways the internet is an even better example than the U.S. interstate highway system, because the internet did not require a huge centralized planning system to build the infrastructure, nor is the upkeep of the internet reliant on the same centralized system. Instead, it was built and created in a distributed manner, as an open system that anyone could build on, adapt, and contribute to.

As a centralized open protocol, it enabled amazing decentralized benefits. The protocol allowed anyone to build on it and experiment. And out of that grew tremendous benefits, through open innovation. A consistent, standardized protocol allowed for widespread innovation through competition, a standardized infrastructure basis on which to build, and a singular ability to communicate across the different experiments.

Out of this comes the best benefits of both centralization (efficiency, economies of scale, enabling infrastructure) and decentralization: distributed power, adaptive and rapid innovation, and the ability to be more nimble and responsive to opportunities.

The final piece I’ll post a snippet of is one by Cory Doctorow, that highlights one of the biggest dangers of centralization: twiddling. That is, how centralized companies, moving down Cory’s famed enshitification curve, start “tweaking” the knobs to benefit themselves over their users (and partners).

There’s a bitter irony in enshittification: the internet’s great promise was disintermediation, but the calcified, monopolized internet of “five giant websites, each filled with screenshots of the other four” is a place where intermediaries have taken over the entire supply chain.

As Douglas Ruskoff puts it, the platforms have “gone meta” — rather than providing goods or services, they have devoted themselves to sitting between people who provide goods and services and people who want to consume them. It’s chokepoint capitalism, a market where the intermediaries have ceased serving as facilitators and now run the show.

The double irony is how the platforms seized power: by installing so many sliders and knobs in the back-end of their services that they can twiddle away any temporary advantage that business customers, advertisers or end users take for themselves.

Again, that’s not all of the pieces, but I need to leave some room for surprise. Adam Rose and Basile Simon provide very real (and extremely important) examples of where decentralized storage are hugely important. Kurt Opsahl writes about how recognizing code as speech is central to making this all work. Naomi Brockwell highlights how privacy as a core (or terminal?) value is a part of why decentralization is key. Chris Riley talks about the too frequently underexplored issue of how the data flows (not just where it’s stored). And Kristin Smith looks at the regulatory landscape in which all of this plays.

Not all of the pieces in the collection agree with each other (and I certainly don’t agree with everything said in them either), but taken together, they represent a really interesting exploration of decentralization, why it’s so important, and what challenges and tradeoffs there are to building out a decentralized world.

As we seriously consider how to make the world more decentralized, I think this collection of articles should be considered important primary reading, even if only to get everyone thinking.

Filed Under: centralization, decentralization, distributed, enshittification, privacy, protocols, terminal values

Documents Show The DEA Has Problems Constraining Itself To Losing The War On Drugs

Legal Issues

from the don't-quit-your-day-job,-I-guess dept

It’s simply not enough to be part of one problem. The DEA feels the need to be part of several problems.

You’d think it would have its hands full blowing billions of dollars on a lost drug war and filling people’s heads with hysterical stupidity about the magical powers of fentanyl.

But, as FOIA terrorist Jason Leopold documented for BuzzFeed News in mid-2020, the DEA felt it needed to travel out of its wheelhouse, asking the DOJ for permission to “conduct covert surveillance” on… people protesting police violence following the murder of George Floyd by Minneapolis police officer Derek Chauvin.

Prompted by that revelation, the Cato Institute went searching for more documentation of the DEA’s mission creep. And it found something. As Patrick Eddington reports, the DEA has sent its officers and agents all over the nation to do things definitely not related to its primary directive: ensuring Americans never run out of illicit drugs.

The DEA was given permission to “enforce any federal crime” committed by police violence protesters, but that temporary pass was supposed to expire two weeks after the DOJ issued it. The DEA apparently felt the free pass to go off-task was permanent.

That authority was supposed to expire after two weeks, but after pursuing litigation using the Freedom of Information Act (FOIA), an investigation by the Cato Institute has thus far failed to confirm that the DEA’s covert surveillance operations were, in fact, terminated by mid‐​June 2020. Moreover, DOJ documents obtained by Cato in the litigation show that the DEA has engaged in such non‐​drug enforcement operations nearly 30 times since February 2005.

Of the 27 specific episodes listed in the documents, four involved providing security at Super Bowls and 10 other sporting events; five involved unspecified “assistance” after natural disasters, including after Hurricane Matthew in Haiti in 2016; three others involved “investigative assistance” after the murder of local police officers in Dallas, San Antonio, and Baton Rouge, Louisiana. None of the 27 episodes appear to have had any connection to the DEA’s stated mission of enforcing the nation’s drug laws.

The document [PDF] obtained by Cato contains a very strange list of things the DEA has been permitted to do. Or maybe not explicitly permitted. Maybe just ignored. The DEA sought explicit permission to engage in surveillance of police protesters in 2020. But Cato notes the list handed to it by the DEA dates back to 2005. Maybe the agency has always sought permission for these off-task actions. Or maybe it has just showed up on the scene without being explicitly told they weren’t allowed and/or needed.

Either way, here’s the full list of events/incidents the DEA chose to taint with its interloping:

Security at Super Bowl XXXIX in Miami, Florida (2005)
Assistance after Hurricane Katrina (2005)
Assistance after Hurricane Rita (2005)
Security at various events in Phoenix (2006-2007)
Investigative assistance after Boston Marathon Bombing (2013)
Security at Pittsburgh Marathon (2013)
Security at Vermont Marathon (2013)
Security at Boston July 4th celebration (2013)
Assistance after flooding in South Carolina (2015)
Security at visit of Pope Francis in El Paso (2016)
Security at Super Bowl (2016)
Security at Copa America soccer tournament in California (2016)
Investigative assistance after Pulse Nightclub shooting in Orlando (2016)
Security at US Track & Field trials (2016)
Investigative assistance after shooting of six police officers in Baton Rouge (2016)
Investigative assistance after shooting of Dallas police officers (2016)
Security at presidential debate in St. Louis (2016)
Assistance after Hurricane Matthew in Haiti (2016)
Investigative assistance after shooting of San Antonio police officer (2016)
Security at the Boston Marathon (2017)
Assistance after tornadoes in Dallas (2017)
Security at Boston July 4th celebration (2017)
Security at Chicago Marathon (2017)
Assistance in aftermath of Las Vegas shooting (2017)
Security at Chicago Marathon (2018)
Security at Super Bowl (2019)
Security at funeral of NJ Detective Joseph Seals (threats to retaliate at event to be attended by high government officials) (2019)

Some of this list looks like officers pitching in to help following national disasters. Some of this looks like the DEA pitching in to investigate serious crimes. The rest of it… it’s tough to tell what to make of this. The hit-and-miss list shows the DEA showing up at certain events repeatedly, but not consecutively. It shows up at Super Bowls, but only a handful of them. It seems to be very interested in marathons, but can’t be bothered to show up every year they’re run. For some reason, it provided security at a single presidential debate.

None of this looks like the DEA has policies in place that govern its extracurricular activities. None of this suggests the DOJ — which oversees the DEA — has anything in place that designates the DEA as an entity to be used when extra security or investigative resources are needed. Perhaps it’s better than it looks. Maybe this is the feds smartly flexing underutilized DEA agents to areas where help is needed. Or maybe it’s just the DEA deciding it wants to do things and being obliged by people who either don’t know or don’t care how the DEA utilizes its resources.

Whatever the case, it clearly shows the DEA is willing to bring its drug warring expertise to places it isn’t needed. And, given that the agency has a singular focus, there’s a good chance many of these events it chose to attend never asked for its help. It just showed up and hung around until the event was over.

None of this looks particularly nefarious. But it does look wasteful and more than a little disorganized. You shouldn’t be asking for the big bucks to fight a drug war but then act like you’re a private security force (or worse, the National Guard) just because you can. Sure, I think the Drug War is a waste of money. But I would expect those who believe it isn’t — that being the DEA and its employees — to at least maintain the pretense as long as they’re going to be blowing my money.

Filed Under: dea, police protests

Daily Deal: The 2023 Complete Linux E-Degree Training Bundle

Deals

from the good-deals-on-cool-stuff dept

Linux is the most fundamental technology required by all real developers. It is required in almost all fields of Software engineering. DevOps, Cloud, Full Stack, and App developers must have a working knowledge of Linux. With five comprehensive modules and over 40 Linux technologies covered, this Linux Training Bundle offers a detailed program tailored for absolute beginners. The curriculum includes a compilation of important topics such as security, DevOps, and cloud, combining all the necessary elements to become a well-rounded Linux professional. The program goes beyond theory, offering real-time project building and quizzes to help you apply your knowledge in practical scenarios. By engaging in hands-on activities, you’ll develop a strong foundation and gain the confidence needed to tackle real-world challenges. It’s on sale for $30.

Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

Filed Under: daily deal

If Creators Suing AI Companies Over Copyright Win, It Will Further Entrench Big Tech

Copyright

from the be-careful-what-you-wish-for dept

There’s been this weird idea lately, even among people who used to recognize that copyright only empowers the largest gatekeepers, that in the AI world we have to magically flip the script on copyright and use it as a tool to get AI companies to pay for the material they train on. But, as we’ve explained repeatedly, this would be a huge mistake. Even if people are concerned about how AI works, copyright is not the right tool to use here, and the risk of it being used to destroy all sorts of important and useful tools is quite high (ignoring Elon Musk’s prediction that “Digital God” will obsolete all of this).

However, because so many people think that they’re supporting creators and “sticking it” to Big Tech in supporting these copyright lawsuits over AI, I thought it might be useful to play out how this would work in practice. And, spoiler alert, the end result would be a disaster for creators, and a huge benefit to big tech. It’s exactly what we should be fighting against.

And, we know this because we have decades of copyright law and the internet to observe. Copyright law, by its very nature as a monopoly right, has always served the interests of gatekeepers over artists. This is why the most aggressive enforcers of copyright are the very middlemen with long histories of screwing over the actual creatives: the record labels, the TV and movie studios, the book publishers, etc.

This is because the nature of copyright law is such that it is most powerful when a few large entities act as central repositories for the copyrights and can lord around their power and try to force other entities to pay up. This is how the music industry has worked for years, and you can see what’s happened. After years of fighting internet music, it finally devolved into a situation where there are a tiny number of online music services (Spotify, Apple, YouTube, etc.) who cut massive deals with the giant gatekeepers on the other side (the record labels, the performance rights orgs, the collection societies) while the actual creators get pennies.

This is why we’ve said that AI training will never fit neatly into a licensing regime. The almost certain outcome (because it’s what happens every other time a similar situation arises) is that there will be one (possibly two) giant entities who will be designated as the “collection society” with whom AI companies will have to negotiate or to just purchase a “training license” and that entity will then collect a ton of money, much of which will go towards “administration,” and actual artists will… get a tiny bit.

And, because of the nature of training data, which only needs to be collected once, it’s not likely that this will be a recurring payment, but a minuscule one-off for the right to train on the data.

But, given the enormity of the amount of content, and the structure of this kind of thing, the cost will be extremely high for the AI companies (a few pennies for every creator online can add up in aggregate), meaning that only the biggest of big tech will be able to afford it.

In other words, the end result of a win in this kind of litigation (or, if Congress decides to act to achieve something similar) would be the further locking-in of the biggest companies. Google, Meta, and OpenAI (with Microsoft’s money) can afford the license, and will toss off a tiny one-time payment to creators (while whatever collection society there is takes a big cut for administration).

And then all of the actually interesting smaller companies and open source models are screwed.

End result? More lock-in of the biggest of big tech in exchange for… a few pennies for creators?

That’s not a beneficial outcome. It’s a horrible outcome. It will not just limit innovation, but it will massively limit competition and provide an even bigger benefit to the biggest incumbents.

Filed Under: ai, big tech, copyright, licensing, monopolies

Our Ongoing Refusal To Regulate Data Brokers Is Going To Bite Us On The Ass

Privacy

from the we've-tried-nothing-and-we're-all-out-of-ideas dept

Every few weeks for the last fifteen years there’s been a massive scandal involving some company, telecom, data broker, or app maker over-collecting your detailed personal location data, failing to secure it, then selling access to that information to any nitwit with a nickel. And despite the added risks this creates in the post-Roe era, we’ve still done little to pass a real privacy law or rein in reckless data brokers.

The latest case in point: a new report by Rolling Stone shows how easy it is to buy location data (often down to the meter and millisecond) and track pretty much anyone. Including, apparently, visitors to Mar-a-Lago. The reporters simply paid some money to Near, a company that uses smartphone location data to closely track the behavior of more than 1.6 billion people across 70 million locations in 44 countries. 

They were able to track the locations, everyday habits, and home addresses of Trump devotees down to the meter:

“Checking tabs conveniently labeled “Common Evening Location” and “Common Daytime Location,” we were able to identify the likely homes and workplaces of any given visitor, marked as dots over buildings on a map.”

And that’s of course just location data. Movement data is often fused with other data (income, race, gender, sexual orientation, energy consumption habits, shopping tendencies) to create detailed profiles of everyone that are shared internationally like popcorn.

Companies and data brokers spent years trying to claim that all of this rampant over-collection was no big deal because the data was “anonymized.” It apparently didn’t matter that study after study has shown that it’s trivial to identify folks in such data sets with just a little additional data. Rolling Stone reporters, unsurprisingly, found the same to be true here:

“Even though the data is technically “anonymized” (we can’t see the age, income, or ethnicity of a specific visitor, let alone their name), the pinpoint locations of where they spend their days and nights makes educated guesswork pretty easy.”

We do nothing about this problem for two reasons: one, the ongoing privacy nightmare is hugely profitable to a long line of companies (telecoms, app makers, hardware OEMs, marketing firms, insurance agencies, “Big Tech,” small tech, whoever), creating a massive lobbying firewall and stunting any and all incentive for meaningful reform. Creating empowered, informed citizens and healthy, competitive, competently regulated markets would cost companies billions, so we just… don’t bother.

Two, the government doesn’t really want anything to change because this barely accountable data-hoovering ecosystem we’ve created is a great way for them to bypass getting a fucking warrant.

But there’s not only the public privacy harms involved here, but the national security risk of this kind of reckless data trafficking at global scale. We’ve spent three straight years hyperventilating about the potential risk of Chinese intelligence having access to your TikTok likes, failing to realize (or care) that data brokers are tracking far more, at a much larger scale:

“We managed to spy on a sitting president in his own home from the comfort of our couches just by messing around with the free version of a single data broker’s web app. Now imagine what a dedicated forensic team could do, working 24/7, with access to the full paid services of every commercial data broker, in addition to all of the other data sources out there, from high-tech hacking to old-fashioned surveillance.”

We’ve seen so many scandals like this I’m just not sure what is needed to push the needle on reform. But I suspect it will need to be a scandal so massive that ignoring the problem is simply no longer politically tenable. What would that have to look like? Either the massive leak of embarrassing information on rich and powerful people at historic scale, or something involving a significant loss of life.

I don’t say that to be hyperbolic. It’s a natural extension of the chaos we’ve already seen, whether it’s the abuse of location data by stalkers or people pretending to be law enforcement, to the abuse of location data to ruin folks’ lives because of their sexual preferences. It couldn’t be any more obvious that the trajectory we’re on ends very badly, and at unprecedented scale.

Filed Under: anonymization, data brokers, location data, privacy, reform, security, surveillance

Funniest/Most Insightful Comments Of The Week At Techdirt

Techdirt

from the as-they-say dept

This week, our first place winner on the insightful side is a simple anonymous response to the claim that Elon Musk fights censorship:

Remember when Elon happily complied with the Turkish government’s request to censor anti-Erdogan content during its presidential election?

In second place, it’s a double-winning comment from Thad that also takes first place on the funny side, responding to Elon’s unhinged interview in which he said “Earth” would judge the conflict between him and ExTwitter advertisers:

Earth? Hey, I’m from Earth!

And my judgement is…it’s not Bob Iger’s fault that Elon Musk is a fucking nazi.

For editor’s choice on the insightful side, we start out with a comment from That One Guy about the flood of people finding more ads next to awful content on ExTwitter:

Right for all the wrong reasons

So it turns out Elon was right, Media Matters’ article was deceptively misleading!

It is way easier than they were making it out to be to find that sort of vile content next to ads for major companies.

Next, it’s an anonymous response to Cathy’s post about Marin County’s plan to collect license plate camera data:

Just a note:

“Owned by the Sheriff’s department” does not mean “limited in distribution to only the Sheriff’s department”.

q.v. license plate records.

Once they have it, they’ll get requests from all over the country “did our guy pass by one of your cameras?”.

And if the department hires some third party to do things like “provide software showing travel records for given licenses”, said third party is likely to also have access to those records. … At which point you might as well give up pretending there is any privacy.

Over on the funny side, we’ve already had our first place winner above, so we’ll move on to second place, where Stephen T. Stone replied to one of my own comments in which I described another comment as being like “an unholy hybrid of a Linda Yaccarino tweet and a Donald Trump tweet”:

So…it’s an Elon Musk tweet?

For editor’s choice on the funny side, since pretty much all the jokes this week were about Elon Musk, we’ve got two of those. First, it’s an anonymous comment about the cease and desist letter over the name of Musk’s AI:

Elon probably can’t understand it, let alone grok it.

Finally, it’s thecleric with a comment about Musk’s silly and bizarre conceptions of free speech:

Free as in beer or free as in speech?

Musk: Neither.

That’s all for this week, folks!