Judge Benchslaps Cops And Courts For Turning Law Enforcement Lies Into 'Objectively Reasonable' Mistakes

from the probable-cause-of-one's-own dept

It's always fun to read a good benchslap of cops who've tried to turn nothing at all into "probable cause." It doesn't happen very often because courts are far too obliging far too often. The standard law enforcement officers are held to -- objective reasonableness -- rarely seems reasonable, no matter how objectively you approach it.

This ruling [PDF] by a Florida federal court does not coddle the officer who made a mockery of both objective reasonableness and probable cause. You can tell this is headed into unconstitutional territory during the recounting of the events that led to the arrest of Jorge Sanchez. (via FourthAmendment.com)

Local officers were working with the DEA on a drug trafficking investigation. They decided to pull over someone heading away from the house they were surveilling. But the officers had nothing approaching probable cause. All they had was someone driving away from a house they suspected might be tied to drug sales. But that wasn't going to stop them from stopping Sanchez. So, they did what they had to do.

Deputy Steuerwald asked Sgt. Beuer to “develop his own probable cause and conduct a traffic stop on the car.”

This would be a lot more shocking if it wasn't nearly pretty much every pretextual stop ever. You can't fish unless you have someone else's (drivers) license in your hand, so any real or imagined traffic violation will do. Only this one was so imaginary the court's not having any of it.

Sgt. Beuer did so—or at least he thought he did (more on this later)—and pulled Sanchez over for violating the Florida “stop bar” statute.

The "more on this later" is the best part of the suppression order. The bogus stop led to a search of the vehicle and the arrest of Sanchez. None of that matters any more because Sgt. Beuer was objectively awful at creating probable cause.

The state's stop bar statute says this:

[E]very driver of a vehicle approaching a stop intersection indicated by a stop sign shall stop at a clearly marked stop line, but if none, before entering the crosswalk on the near side of the intersection or, if none, then at the point nearest the intersecting roadway where the driver has a view of approaching traffic on the intersecting roadway before entering the intersection.

And here's what Sgt. Beuer testified Sanchez had done:

At the hearing, Sgt. Beuer identified this intersection and confirmed that Sanchez brought his vehicle to a complete stop at a position in relation to the stop sign as depicted in this photo.

There's no stop bar on the road and the vehicle is stopped "where the driver has a view of approaching traffic."

The government said Sgt. Beuer's lie was reasonable enough to generate probable cause for a stop. The court disagrees, using evidence Beuer agreed was true, as well as his own testimony about the stop.

While generally familiar with stop bars, and believing them to be fairly ubiquitous, Sgt. Beuer acknowledged he was not overly familiar with this area of Rockledge, Florida. (Doc. 30.) But Sgt. Beuer had walked back and forth on Skelly Drive at or near the intersection with Florida Avenue, so he had an opportunity to view the road surface condition and the general “lay of the land,” both in his vehicle and on foot.

Looking at the photographic evidence, which Sgt. Beuer accepts as properly depicting the scene (Doc. 31-5; Doc. 32-8, p. 8), it is difficult to imagine how a motorist might, at this particularly odd intersection, have any ability to see oncoming traffic from the left if stopped anywhere short of the point where Sgt. Beuer concedes Sanchez stopped his vehicle on this night. An added stop bar would have made the situation worse from a safety perspective.

This isn't even subjectively reasonable, says the court.

In short, it was not objectively reasonable for Sgt. Beuer to believe that Sanchez violated Florida Statute § 316.123 by failing to stop at a stop bar that not only was not there, but where there was nothing about this intersection to suggest it would be there—quite the contrary. When you add the fact that Sgt. Beuer actually traversed the area on foot, the reasonableness of his predication is further undermined.

Now, here's where the order gets really good. The court not only slaps the government, but judges who are far too willing to overlook blatant Constitutional violations by law enforcement officers because it's presumably too difficult to do police work and respect rights at the same time.

If these facts qualify as “objectively reasonable”, then the Fourth Amendment’s protection against unreasonable search and seizure is simply not applicable to a pretextual traffic stop. The Court should stop imbuing the “objectively reasonable” officer with a cloak of constitutional comfort for justifications that strain credulity and discount the facts out of deference to their necessary “game time decisions”. See Chanthasouxat, 342 F.3d at 1276. While deference is a necessary component of the analysis, it does not warrant a rubber stamp. The Fourth Amendment still has some teeth in a traffic stop.

Courts are supposed to act as a bulwark against government overreach, not as an enabler of unconstitutional behavior. But qualified immunity, the good faith exception, and other defenses cops can raise when accused of illegal behavior -- defenses that aren't available to citizens -- have turned the courts into an entity that rarely allows for the actual redress of grievances.

Filed Under: benchslap, dea, florida, law enforcement, objectively reasonable, police, probable cause

Senator Loeffler's COVID-Related Stock Trades Looking Even Worse, While Feds Start Investigating Senator Burr's

from the insider-trading dept

As we noted just a few weeks ago, two Senators -- Kelly Loeffler from Georgia and Richard Burr from North Carolina, both of whom were publicly trying to play down the risks associated with COVID-19 -- were quietly engaging in stock trades that suggested they had a different viewpoint (while five different Senators sold stock during this period, only Loeffler's and Burr's look particularly suspicious). Burr's stock sell-off was revealed first, and got the most attention, in part because he's also the Chair of the Senate Intelligence Committee and was getting classified briefings about COVID-19. The latest news on that front is that the Justice Department has supposedly opened an investigation:

Senate Intelligence Committee Chairman Richard Burr sold off a large amount of stocks before the coronavirus market crash, and now the Justice Department is looking into his statements around this time period, NPR can report.

Others have reported that the FBI has been in contact with Burr. That doesn't mean much for now, and the investigation may turn up nothing. But it's worth noting that it's happening.

The other Senator, Kelly Loeffler, has some more bad news, as new reports suggest even more stock trading that at least looks suspicious. As was noted in the original report, Loeffler had sold off a bunch of retail stock, and bought into a company that does videoconferencing. The original reports suggest that she sold off somewhere between $1.3 million and $3.1 million in stock right before the US economy went south. Turns out it was way more. The new report shows that she also sold off nearly $19 million in stock of Intercontinental Exchange, the company that owns the New York Stock Exchange. It is worth noting that Loeffler's husband is the chair and CEO of Intercontinental Exchange, and the sales took place between February 26th and March 11th. That means at least some of those sales were happening while she was insisting that the US had everything under control.

Perhaps even more damning, though? Beyond buying into a videoconferencing software company, Loeffler and her husband, Jeff Sprecher, also purchased a bunch of stock in DuPont, a major supplier of the personal protective gear that hospitals are all now desperate for:

Sprecher bought $206,774 in chemical giant DuPont de Nemours in four transactions in late February and early March. DuPont has performed poorly on Wall Street lately, but the company is a major supplier of desperately needed personal protective gear as the global pandemic strains hospital and first responders.

So, to recap: they sold somewhere in the range of $20 million worth of mostly stock market and retail companies -- and bought into videoconferencing and protective health gear. All while telling the public that the government she's a part of has everything under control.

Filed Under: congress, covid-19, fbi, insider trading, investigation, kelly loeffler, richard burr, stock trades

New Inspector General's Report Finds Even More Problems With The FBI's FISA Surveillance Applications

from the demanding-the-best-people-but-demanding-nothing-from-them dept

The FBI's inability (or unwillingness) to craft factual FISA court affidavits was exposed late last year by an investigation by the DOJ's Inspector General. During the FBI's surveillance of former Trump advisor, Carter Page, information known by the agency was omitted to allow agents to continue its interception of Page's communications. Despite having obtained info showing Page was likely not acting on behalf of a foreign power, the FBI continued its surveillance for months by hiding this key finding from the FISA court.

The fallout from this report continues. The FISA Court banned the FBI agent who lied on the warrant applications. The court also instructed the FBI to start cleaning up its Carter Page mess, including tracking down where any other info it might have illegally collected in this case might have gone, in order to prevent further violations by other agencies in the future.

Current and former DOJ/FBI officials made it clear the FBI's questionable actions in this case were only the agency's most current violations. The skirting of internal guidelines and the truth itself was a common practice dating back nearly 20 years.

The Inspector General's findings in the Page investigation were the tip of the unexpected iceberg. The IG is now looking at the rest of the FBI's FISA work. And the office is finding even more to be concerned about.

The finding of broader failings in the Foreign Intelligence Surveillance Act program came in a review launched by Justice Department Inspector General Michael Horowitz after an earlier inquiry found numerous errors in applications to monitor former Trump campaign foreign policy adviser Carter Page. In a bid to assess whether the faults in the Page’s surveillance process were an aberration or a chronic problem, Horowitz’s audit team zeroed in on 29 applications for surveillance of U.S. citizens or green-card holders over a five-year period.

Horowitz found an average of 20 errors in each of the applications.

It's impossible to say how many of these errors were accidental or deliberately induced. But an average of 20 errors per application is breathtaking, considering the FISA court's national security focus. This is where the government should be the most careful and the FBI clearly isn't. And if this is where the FBI's top agents end up, you have to wonder how many errors normal, non-FISA applications contain.

There's a specific set of policies the FBI is supposed to adhere to when asking the FISA court for permission to engage in domestic surveillance. Even the most minimal conditions of the Woods Procedures aren't being followed by agents. The Procedures say the FBI must compile and retain supporting documentation to ensure FISA applications are "scrupulously accurate." We already know the applications aren't accurate. The report [PDF] points out at least one reason why:

[W]e could not review original Woods Files for 4 of the 29 selected FISA applications because the FBI has not been able to locate them and, in 3 of these instances, did not know if they ever existed…

The system appears to be broken from the ground up. The applications contain errors. The supporting information isn't accurate when it isn't missing completely. Interviews with agents and supervisors by the IG reveal this has been an ongoing problem for years now. And no one up top is doing anything to fix it.

FBI and NSD officials we interviewed indicated to us that there were no efforts by the FBI to use existing FBI and NSD oversight mechanisms to perform comprehensive, strategic assessments of the efficacy of the Woods Procedures or FISA accuracy, to include identifying the need for enhancements to training and improvements in the process, or increased accountability measures.

Every 90 days, the FBI is supposed to justify continued surveillance to the FISA Court. It did this multiple times during the Carter Page investigation, continuously omitting facts that would have resulted in its surveillance being terminated. The FBI does this in multiple cases, apparently. A mixture of malice, stupidity, and laziness has resulted in the mess observed by the Inspector General.

[B]ased on the results of our review of two renewal files, as well as our discussions with FBI agents, it appears that the FBI is not consistently re-verifying the original statements of fact within renewal applications. In one instance, we observed that errors or unsupported information in the statements of fact that we identified in the initial application had been carried over to each of the renewal applications. In other instances, we were told by the case agents who prepared the renewal applications that they only verified newly added statements of fact in renewal applications because they had already verified the original statements of fact when submitting the initial application. This practice directly contradicts FBI policy.

The FBI agrees with the IG's assessment that it's terrible at following its own policies. But the response attached to the IG report -- crafted by the Deputy FBI director -- says things will be fine because… the FBI is creating more policies!

[T]he FBI has been intensely focused on implementing these remedial measures with the goal of ensuring that our FISA authorities are exercised with objectivity and integrity. Among many other changes, we revised FISA request and verification (Woods) forms, developed a new confidential human source checklist, developed and released training on this checklist, developed and provided new training on revised FISA forms, and developed new FISA process rigor training. The revised Woods form now requires agents and supervisors to attest to their diligence in re-verifying facts from prior applications. All Woods forms, both for initial applications and renewals, must now be scanned and maintained in the electronic case file. These already-implemented changes will drive accountability, accuracy, and completeness in the FISA process.

All of this new paperwork doesn't mean anything if the FBI isn't going to make sure agents follow it. The problems seen in 2002 still exist nearly 20 years later, and that's after the implementation of additional policies following every successive reaming from the Inspector General and the FISA Court. If the FBI isn't going to start engaging in serious oversight -- including meaningful discipline of agents who fail to follow policies -- the problems will continue. The only change will be the length of oversight reports, which will contain details of all the new ways the FBI is ignoring its own protocols.

Filed Under: 4th amendment, carter page, doj, fbi, fisa, fisa court, fisa warrants, fisc, inspector general, surveillance

Daily Deal: The Comprehensive Beginner's Guide To Cybersecurity Bundle

from the good-deals-on-cool-stuff dept

The Comprehensive Beginner's Guide to Cybersecurity Bundle has 4 courses to give you a foundation level introduction to cybersecurity. These courses will walk you through basic cybersecurity terminologies, concepts, and protocols and move on to hacking methods, malware types, and the processes employed by cybersecurity professionals to defend networks and systems from attacks. It's on sale for $30.

Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

Filed Under: daily deal

Senator Blumenthal Is Super Mad That Zoom Isn't Actually Offering The End To End Encryption His Law Will Outlaw

from the also-should-acquaint-himself-with-the-1st-amendment dept

Richard Blumenthal has been attacking internet services he doesn't understand since before he was even a US Senator. It has carried over into his job as a Senator, and was abundantly obvious in his role as a co-sponsor for FOSTA. His hatred of the internet was on clear display during a hearing over FOSTA in which he flat out said that if smaller internet companies couldn't put in place the kind of infrastructure required to comply with FOSTA, that they should go out of business. Blumenthal's latest ridiculous bit of legislation lose your Section 230 protections. And while Blumenthal likes to pretend that the EARN IT Act doesn't target encryption, he also lied about FOSTA and insisted it had no impact on CDA 230 (which it directly amended).

But Blumenthal has now taken his ridiculousness up a notch. Following the (legitimately concerning) reports that the suddenly incredibly popular videoconferencing software Zoom was not actually providing end-to-end encrypted video chats (despite its marketing claims), Blumenthal decided to step in and play the hero sending an angry letter to the company, while linking to the Intercept's original story about Zoom's misleading claims about encryption:

The letter highlights a number of recent claims that have been made about Zoom's security and privacy practices -- some of which are very significant (and a few that aren't as big a deal) -- including the end to end encryption claims:

Does Zoom provide end-to-end encryption, as the term is commonly understood by cybersecurity experts, for video conferences? Please describe when end-to-end encryption is available for users and how the personal data is encrypted?

And this is a legit question and I think it's good that a Senator is asking that. I just think that this particular Senator is the wrong messenger, given his active role in trying to make it impossible for companies like Zoom to offer end-to-end encryption in the first place, as Riana Pfefferkorn (the Associate Director Surveillance & Cybersecurity at Stanford's Center for Internet and Society) pointed out:

And it gets worse. As Pfefferkorn also points out, Blumenthal's claims to be so concerned about cybersecurity and privacy ring hollow when just last month he straight up claimed that you have no right to privacy online:

This was in a weak attempt to "respond to concerns" raised about the EARN IT Act. In one of the responses, concerning government mandates for scanning content and how that interacts with the 4th Amendment, Blumenthal, quoting Neil Gorsuch, claims that there's no reasonable expectation of privacy for any content you put online:

In the Ackerman opinion cited by tech companies as raising Fourth Amendment concerns, Gorsuch suggested that the third-party doctrine will protect evidence of CSAM found by a company that privately searched. When a company has terms and conditions that enable it to privately search, there is no Fourth Amendment violation because users lose their reasonable expectation of privacy. Gorsuch stated that “The [Supreme] Court has, after all, suggested that individuals lack any reasonable expectation of privacy and so forfeit any Fourth Amendment protections in materials they choose to share with third parties.”

Of course, as Pfefferkorn further points out, Blumenthal's broken analysis of the Ackerman opinion leaves out some important information. But, still, Blumenthal seems to constantly be talking out of both sides of his mouth. He doesn't believe in an expectation of privacy for content posted online, but he also wants to slam a company for not keeping information private. He doesn't want companies to have end-to-end encryption, but he's angry at Zoom for not having end-to-end encryption.

And that's not the end of the problems with Blumenthal's approach here. While some of the privacy concerns he raises are legit, he lumps them in with ones that are not. For example, for reasons that make no sense at all, he seems to think the relatively new practice of Zoombombing -- in which (often racist trolls from the worst parts of the internet) find publicly linked Zoom events and pop in to be total assholes -- is on par with the other (often legit) security questions raised by Zoom's security practices. Right after his question about end-to-end encryption he asks:

What measures has Zoom put into place to detect and prevent Zoombombing -- intrusions and abuse targeting Zoom meetings? What are the policies governing such abusive behavior, what detection mechanisms are in place, how can users report abusive intrusions, and how quickly does Zoom respond to such incidents?

While there are plenty of questions about how companies can deal with such things, this is not an issue that is under the government's purview. Indeed, as annoying as Zoombombing is, and as quickly as I'm sure Zoom has been working on technology tools to allow meeting hosts to deal with the issue, most Zoombombing is still 1st Amendment protected speech, and a Senator has no business insisting that Zoom silence such activities. And yet, that seems to be exactly what he's focused on doing:

In that tweet he says: "I am calling on Zoom to take urgent & aggressive action to stop the racists, trolls, & peddlers of hate that are silencing & bullying communities." Yeah, the 1st Amendment (the one you swore to defend) might want to have a word with you about that, Senator. I'm all for Zoom coming up with tools for users of its service to help prevent such trollish behavior, but seriously, these kinds of stunts are not at all new on the internet and have been around for literally decades. That doesn't make the juvenile behavior any less annoying or problematic, but it's not the role of any government official to insist that a company censor people for protected speech, no matter how trollish.

Separately, of course, this ignores that Zoom had already put in place a detailed plan for how to stop Zoombombing over a week before Blumenthal sent the letter. The company still could do more, and it's worth noting that it has since released a detailed plan to deal with the newly raised security and privacy concerns, including a 90 day freeze on all feature development to have the engineering team focus on privacy and security issues. That didn't take Senator Blumenthal's grandstanding -- and, of course, if Blumenthal's EARN IT Act passes, that would make Zoom's job that much more difficult.

I know that Senator Blumenthal loves to grandstand over tech issues, but it might help if he understood the technology, the law, and the Constitution before making such a fool of himself. Unfortunately, for over a decade he's shown a decided lack of interest in doing any of those things, and I guess he has no intention of starting now.

Filed Under: earn it, encryption, fosta, free speech, privacy, richard blumenthal, section 230, security, trolls, zoombombing
Companies: zoom

Teleconferencing Company Zoom Pitching End-To-End Encryption That Really Isn't End-To-End

from the some-sort-of-magic-happens-at-both-ends-so-probably-good-enough dept

As Karl Bode wrote what feels like a decade ago on March 19, 2020, privacy and encryption will be more important than ever during this pandemic and the future that succeeds it. Plenty of governments have been sacrificing citizens' privacy for better virus tracking and plenty of governments were already throwing shade at encryption well before the pandemic became a pandemic. That includes our government, which has been agitating against encryption for several years now and fighting against our privacy in federal courts for decades.

An influx of remote workers makes encryption and privacy even more important, as there's plenty of sensitive company business being done over open networks with minimal protections. The beneficiaries of this new normal are responding quickly to the unexpected demand, but protection of work-at-home employees and their employers seems to have been forgotten.

The field is crowded with lots of telecommuting software providers. Standing out is key if you're going to take advantage of the current health crisis. Video conference software developer Zoom, however, is playing fast and loose with terminology in an attempt to scoop up more market share. As Micah Lee and Yael Grauer report for The Intercept, words don't seem to mean what they normally mean when they're being used by Zoom.

Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app.

Sounds comforting, but Zoom is apparently using a proprietary definition of "end-to-end encryption." Zoom explained that phrase means something else when used in marketing materials or when users hover over the green padlock on their session screens that delivers a pop-up saying "Zoom is using an end to end encrypted connection."

This is what "E2EE" means when Zoom says it:

[W]hen reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

Well, if it's not possible to do the thing people think you're doing when you say "end to end encryption," maybe you should stop saying you're using end-to-end encryption. All Zoom is doing is encrypting the endpoints, much in the way sites using HTTPS do. This protects you from outsiders wishing to eavesdrop on your internet connection. But it doesn't mean Zoom can't access the content of teleconferencing sessions. And it means anyone that can find a way to access what Zoom can access is going to be able to do access possibly-sensitive communications.

One offering is actually encrypted end-to-end: Zoom's text chat. But that's not a standout feature. There are plenty of encrypted messaging apps. There's been no increase in demand for those. But when privacy and security matter most, Zoom is misleading users about what it's doing to protect them.

Update: Zoom has since put out two fairly detailed blog posts, the first one much more clearly explaining the encryption issue, and then a more important one explaining what the company is doing to respond to recent security concerns, including freezing all feature development to focus solely on "trust, safety, and privacy issues." It remains to be seen how that plays out in practice, but it's much better than the typical defensive response that most companies have.

Filed Under: encryption, end-to-end, privacy, security, video conferencing
Companies: zoom

Court Manages To Get NBA2K Tattoo Copyright, Trademark Case Exactly Right

from the he-shoots-he-scores dept

Somehow, it's been nearly four years since a tattoo company, Solid Oak Sketches, decided to sue 2K Sports, the studio behind the renowned NBA 2K franchise, claiming that the game's faithful representation of several stars' tattoos was copyright infringement. The company claimed to own the copyright on the design of several players' tattoos, including most famously LeBron James, Kobe Bryant, and DeAndre Jordan. The claim in the suit was that 2K's faithful depiction of the players, whom had collectively licensed their likenesses via the NBAPA, somehow violated Solid Oak's IP rights.

Put another way, it could be said that by branding the player with Solid Oak's designs, the company seems to think it can control the players' ability to profit off of their own likenesses. That this draws the mind to very uncomfortable historical parallels apparently was of no issue to Solid Oak.

Well, while 2K Sports failed to get the court to dismiss the case back in 2018, it has more recently won the case on summary judgement, with the court quite helpfully getting everything right and declaring the depiction of tattoos in video games in this manner to be Fair Use.

The defendants have sought to dismiss the plaintiff’s complaint because “Plaintiff cannot prove its claim because Defendants’ use of the Tattoos is de minimis and Plaintiff is this unable to prove the key substantial similarity element of its cause of action.” They state their use of the tattoos and images “was pursuant to implied authorization granted prior to Plaintiff’s acquisition of any rights in the Tattoos.”

The court has granted the summary judgment dismissing the infringement claim because “no reasonable trier of fact could find the Tattoos as they appear in NBA 2K to be substantially similar to the Tattoo designs licensed to Solid Oak.” Additionally, the tattoos “only appear on the players upon whom they are inked, which is just three out of over 400 players.” Therefore, the odds are against one of those Players with their tattoos being selected. Additionally, because Defendants had a license for the game, they had implied license for the tattoos as part of the players’ likeness and the Players allowed Defendants to use their likeness.

The full filing, embedded below, goes into far more detail. And, frankly, it's quite nice to see a court get this so right. It's clear the court in this case took care and time to go through the material brought by both parties and carefully weigh the claims against Fair Use. Given such careful examination, the conclusions were fairly obvious. In addition to the rationale above, the court notes that the tattoo artists in this case, despite claiming copyright infringement for the de minimis reproduction of tattoos in the game, couldn't even reproduce them themselves given the likeness rights of the players.

Solid Oak has neither licensed the Tattoo designs nor sold merchandise depicting the Tattoos. (Def. 56.1 ¶¶ 107-08.) Solid Oak’s owner, Matthew Siegler, testified that he would “need permission from the players . . . to not infringe on their right of publicity,” in order to move forward with a business selling “dry wick apparel” bearing the Players’ tattoos. (Cendali Decl., Ex. A at 389.) Solid Oak does not have a license to use the Players’ publicity or trademark rights. (Def 56.1 ¶ 102.) Solid Oak has not proffered any evidence indicating that it has a prospect of obtaining such rights.

And so ends one of the most annoying video game IP lawsuits of all time. The shame of it, really, is that it took the system four years to reach the only logical conclusion: someone getting a tattoo doesn't somehow destroy their ability to profit off of their own likeness.

Filed Under: basketball, copyright, deandre jordan, fair use, kobe bryant, lebron james, nba 2k, tattoos, video games
Companies: 2k sports, solid oak sketches

Security And Privacy In A Brave New Work From Home World

from the security-from-home dept

We have moved to a radically remote posture, leaving a lot of empty real-estate in corporate offices and abandoning the final protections of the digital perimeter. For years, we’ve heard that the perimeter is dead and there are no borders in cyberspace. We have even had promises of a new and better style of working without being bound to a physical office and the tyranny and waste of the commute. However, much like the promise of less travel in a digital age or even the total paperless office these work-life aspirations never had a chance to materialize before COVID-19 forced us to disperse and connect over the Internet. This has massive implications on corporate culture and productivity. More immediately, the surge in use of remote work capabilities has consequences from a security and privacy perspective that cannot be ignored.

For some, working from home isn’t new. This is especially true for those in sales and field marketing across many industries or for knowledge workers, such as federal government employees that are familiar with their telecommuting contract. The day after the “stay home” order is given, the rest of the company suddenly find themselves doing the math on how to stay productive, whether they are the 20% of largely general and administrative or management staff who are always in the office for a young tech startup or the 80% of all employees at a big blue chip company. Some already have a laptop that they bring with them everywhere and are used to bringing home, but for others it’s time to spark up the family computer or get a hastily issued company laptop and try to get it running without an IT technician parked at their elbow to help. Others will grab a tablet or a smartphone, once relegated to mostly personal use, and repurpose it to attend to professional needs. Any way you look at it, the enterprise footprint just grew and radically changed in a 24 hour period.

From a security perspective, the basics are critical. This is true whether a company is a mature security shop or not—risk management is the lodestar. It starts with a risk analysis and dialog. You’ll need to first create a master list of security essentials and rank them in order of sensitivity, likelihood and impact. The reality is that you can do anything, but you can’t do everything; and ultimately this is a triage game.

High on the list are concerns about misinformation, weaponized information and social engineering. While companies can’t control machines that they don’t own, they have to try to get the most secure endpoints they can and ensure identity integrity. This means emphasizing what channels are appropriate or not for employees and their families for information: news networks, websites and the like. But COVID-19 is our new common watering hole, and malicious actors are manufacturing phishing attacks, devilish spear-phishing campaigns, rogue applications and more. Regular, short, routine communications to remind people of the basics, to gain a pulse on the organization and to provide clear policies are essential.

Also at the highest level of concern is securing the connection to the network and back into the environment. This requires VPN connections, strong authentication and endpoint prevention and detection controls. In the back office generally and in the security operations center specifically, baselines from which anomalies are normally noted for focus will be in flux; everything will look like an anomaly for a while in the brave new remote world.

Which brings us to the most difficult of topics: privacy.

Did employees bring notes and data home before the office closure? Are they creating IP and data protected by privacy laws and regulations as they continue to do business? Who is in the immediate environment physically? These are some of the critical questions. In some cases you may never know the answers to these questions or you may not have a right to know the answers but must appreciate others’ living situations and assume some worst case scenarios.

There are still more questions. Should cameras be on for conference calls when employees might be embarrassed of their personal space being seen by colleagues? Should they use headsets when a life partner might work for another company or even a competitor or perhaps a roommate might simply overhear sensitive information? Do we encourage them to care for a child when they are crying or do workers feel the need to hide their families? While many companies have previously developed “work from home” policies now we are beginning to understand what is really needed for remote, working employees. Now is the time to take a fresh look at privacy in your work from home policy.

Finally, we must understand the adversary is moving into a new normal as well. They may not be able to immediately exploit all weaknesses or even any given weakness. They too will pursue the lowest hanging fruit while investing in some longer term R&D to develop new attacks specifically for the home environment. Threat actors may be purchasing tools from cybercriminals, mining existing botnets to see what IP is on those already-compromised machines or targeting home automation, printers and routers after triangulating IP addresses and digital locations for targets. In the weeks ahead, targeting new dimensions of technical diversity and innovating to develop new attack vectors will be the name of the game for the bad guys.

The future is very much a moving target for security and privacy professionals. Here is where the ongoing maintenance on an ongoing basis is critical: watching vulnerabilities in the new battery of enterprise applications for remote productivity, moving to the next order of vulnerabilities and so on. This might involve extending IT support and patching advice to home users on how to secure their home network, how to configure Amazon or Alexa devices or new tools and services for secure note-taking, collaboration, use of newly available standard operating environment systems and so on. In short, the game of security and privacy will be about rates of adaptation between asymmetric opponents.

The brave new work from home world would be best if it was short lived, but the genie won’t go back in the bottle. While the economy will adapt and move on at some point, it’s too early to tell what percentage of current remote workers will continue to work from home permanently in a post COVID-19 world or if we will return to the tyranny of the commute. Regardless, the lasting effect of innovation on both attack and defense will persist. As has been said, never waste a good crisis: let’s hope that IT, corporate culture, security and privacy all benefit from the current situation to make a more productive and humane cyber world when we return to a more normal epidemiological world.

Sam Curry is Chief Product and Security Officer at Cybereason.
Ari Schwartz was Special Assistant to President Obama for Cybersecurity and Is Managing Director for Cybersecurity Services at Venable.

Filed Under: cybersecurity, privacy, security, work from home