We have a new item to add to the list of things law enforcement finds suspicious. And not just "hmm, that's strange," but rather, "hmm, let's stop this vehicle and search everyone and everything in it." To date, a long list has been compiled of activities law enforcement finds inherently suspicious, many of which are contradictory or encompass the routine daily activities of millions of non-criminal US citizens.

People have been declared "suspicious" for being too calm or too nervous. For making eye contact and not making eye contact. Talking too much is suspicious. The same goes for not talking enough. Driving roads that connect major cities is suspicious because all major cities contain both buyers and sellers of drugs. Cops have argued that activities they've witnessed daily without affecting an arrest is suddenly suspicious when a traffic stop/fishing expedition results in a drug bust.

An officer with the Waterloo, Iowa police department is adding something new to this impossibly long list of dubious traffic stop justifications: driving with valid Iowa dealer's plates in Iowa. (via Brad Heath)

The traffic stop was initiated because officer witnessed something possibly suspicious two days earlier involving the vehicle officers pulled over two days later. A shooting was being investigated and appellant Joshua Rode was spotted exiting the vehicle in a gang-operated area. At the point the stop was initiated, Rode was presumably considered to be a possible gang member. But according to the officers' testimony, he was also "suspected" to have been the victim of the unreported shooting the officers were investigating.

Based on this weird connective tissue, Sergeant Kye Richter radioed Officer Diana Del Valle and suggested she initiate a pretextual stop of the vehicle. Del Valle needed a bit of outside prompting to find a traffic violation to trigger the stop. From the Eighth Circuit Appeals Court decision [PDF]:

When the BMW departed ten minutes later, Del Valle followed. She saw that the BMW had a dealer advertising plate instead of a rear license plate, which she had noticed two days earlier, and a temporary paper card taped to the inside of the left rear window. Del Valle radioed Richter and Sullivan she had seen “no violations yet.” They asked about the card in the back window. Del Valle said, “you can see a plate, but you can’t read what’s on it.” Officer Sullivan replied, “there you go.” Del Valle activated the lights on her police cruiser and made an “equipment stop.”

Probable cause for the stop? Officer Del Valle seemed to think so. But her own testimony shows no traffic violation had occurred.

She testified that she could first read the numbers on the temporary card when “I got to the trunk area.” She did not examine whether the temporary card was valid (it was) because “I already had the probable cause, which was a temporary tag. I wasn’t focused on whether that tag was valid or not at that time.”

But that was exactly the reason she stopped the vehicle. Sergeant Richter prompted the stop with "there you go," but Del Valle carried out the stop based on the completely wrong theory that possession of a dealer's plate was a traffic violation in and of itself. The district court disagreed and suppressed the weapon found during the ensuing search.

The government appealed, arguing that Del Valle's inability to read every piece of information contained on the temporary tag in the window gave her probable cause to stop the vehicle. The court disagrees. Temporary tags are required to contain certain information, but nothing in the law says all that info needs to be immediately visible to officers following vehicles in all weather at all times of the day.

Del Valle also did not identify what information she could not see that gave her (or Officer Sullivan) reasonable suspicion of a violation. If her reference to “letters or numbers” meant the unique vehicle registration letters and numbers on a license plate, which law enforcement officers often use to identify specific vehicles, then she had no reasonable suspicion at all, because § 321.25 only requires disclosure of “the registration number of the dealer from whom the vehicle was purchased and the date of delivery of the vehicle.” If she meant the dealer’s registration number, she did not explain why she needed to see that when she could plainly see a dealer’s advertising plate in the BMW’s license plate location. If she meant the expiration date -- and nothing in the record even hints at that -- neither Del Valle nor Richter testified as to their basis for believing that the requirement in § 321.25 that this information be “plainly stamped or stenciled” on the temporary card meant that, unless it is readable at night from a pursuing police cruiser, the vehicle is likely breaking the law.

Temporary tags must be visible and legible at all times from any distance is the government's argument. That's the corner it painted itself into with Officer Del Valle's testimony and its insistence on appealing the lower court's decision. The Appeals Court quotes the lower court's ruling, hammering home the fact the government should have known the stop was initiated without probable cause and should have cut its losses at the district level.

As the district court recognized, the government’s position in this case would mean that an Iowa police officer may stop a vehicle displaying a proper form of temporary registration card whenever the officer cannot read the dealer registration number and the card’s expiration date from inside the officer’s following police cruiser.

The Appeals Court refuses to grant the officer good faith, pointing out the government failed to raise this argument at the lower level. Even if it had, the Appeals Court wouldn't have allowed the government to use this escape hatch.

[E]ven if not forfeited, the argument that the officers made a reasonable mistake of Iowa law is without merit: (a) it is not reasonable to construe the requirement of “plainly stamped or stenciled” information in § 321.25 as meaning information that can be read from a pursuing officer’s police cruiser... On the other hand, if the government is arguing that Officer Del Valle (or Officer Sullivan) reasonably believed there was reasonable suspicion to make a traffic stop, “mistakes about the requirements of the Fourth Amendment violate the Fourth Amendment even when they are reasonable.”

As internet platforms are aggressively expanding their “moderation” of problematic content in response to increased pressure from policymakers and the public, how can we best hold them accountable and make sure that these private censorship regimes are fair, proportionate, accurate and unbiased?

As we wrote in our last piece for Techdirt at the beginning of the year, right before the first Content Moderation and Removal at Scale Conference in Santa Clara, there is a dire need for meaningful transparency and accountability around content moderation efforts in order to ensure that the new rulers of our virtual public squares–practically governments in their own right, with billions of citizens–are using their power to moderate speech responsibly. This need has only grown as the pressure on Facebookistan and Googledom to deal with the extremists, white supremacists, and fake news operations on their platforms has also grown, and as questions about whether they are abusing their power by not taking down enough content–or by taking down too much–have proliferated.

This trend was most evident in the recent Congressional hearings prompted by the Cambridge Analytica scandal, where some lawmakers rebuked Facebook CEO Mark Zuckerberg for not doing enough to keep certain content off the platform, while others raised concerns that Facebook had demonstrated political bias against the right when determining what content to take down. Similar concerns were voiced by Republicans at today’s hearing in the House Judiciary Committee focused on examining major internet platforms’ content moderation practices (despite the fact that claims of anti-conservative bias having been thoroughly debunked). Such concerns are not limited to the right wing, though–charges of racially-biased censorship have also been levelled from the left.

In response to these growing pressures–and in no small part thanks to years of consistent demands from free expression advocates–Google and Facebook this week both took major strides towards “doing the right thing” and promoting greater transparency around their content moderation practices, in ways that mirror what we were advocating for in our previous article.

First, on Monday afternoon, Google released the industry’s first detailed transparency report focused on content moderation, giving statistics about YouTube content removals based on violation of the service’s Community Guidelines. Among other things, the report highlights the total number of videos removed in the last quarter of 2017 (a staggering 8,284,039 videos), the percentage of videos flagged by human users versus YouTube’s automated flagging systems (the robots flagged four times as many videos as the humans), and a percentage breakdown of the different reasons human flaggers had flagged content (whether it was spam, sexual content, hate speech, terrorist content, etc.) This is the first time any company has published this sort of data at this level of detail–and now that YouTube has taken the first step, it certainly won’t be the last.

Soon after YouTube’s trailblazing transparency report, on Tuesday morning, Facebook made a trailblazing announcement of its own. The company published a much more comprehensive version of its Community Standards, including the detailed internal guidelines the company uses to make moderation decisions, and highlighting the “spirit” of their content policies in order to generate greater understanding about why and how the company removes content. In addition, for the first time, the company is giving users the ability to appeal takedown decisions made on individual posts. Posts that are appealed will be reviewed by a human moderator on the company’s appeals team within 24 hours. Prior to this announcement, users could appeal the removal of pages and groups, but the introduction of this process for individual posts is a valuable step towards providing users with greater agency over their content and more engagement in the moderation process.

Taken together, these moves have sharply increased both the quantitative transparency (Google’s numbers) and the qualitative transparency (Facebook’s explanations) around content takedowns, while also improving due process around those takedowns (Facebook’s new appeals). These are both critical first steps, but there is definitely more to be done. For example, although YouTube published a significant amount of data related to the types of objectionable content removed as a result of human flaggers, it does not produce similar data for content flagged by automated flagging systems, which is especially concerning since automated systems flagged the vast majority of objectionable content. Meanwhile, although Facebook’s introduction of an appeals process is a valuable step towards providing users with stronger due process, it currently only applies to hate speech, graphic violence, and nudity/sexual activity, which have been the most controversial categories of objectionable content. In order for this process to be truly impactful, it needs to apply to all forms of content that are being taken down–and the process needs to give impacted users a way to argue their case for why their content should stay up.

Going forward, Facebook and Google also need to take a page out of each other’s books. Like Google, Facebook needs to start reporting quantitative data on its takedowns and how they have impacted different categories of objectionable content, not only for itself but for its other products like Whatsapp and Instagram. Similarly, Google needs to provide users with greater qualitative insight into the guidelines that impact content takedowns, just as Facebook has. They should also expand their takedown reporting to include other Google products and services such as Google+ and the Google Play store. Doing so could help pressure Apple to similarly report on takedowns in the Apple Store, therefore further expanding transparency reporting in this space.

And that’s the real value of these new steps, beyond the transparency itself: Google and Facebook’s new efforts will hopefully push the rest of the industry to compete with them on transparency. Google’s first innovations around transparency reporting on government surveillance demands nearly a decade ago helped set the stage for a domino effect of widespread adoption once the Snowden surveillance scandal broke, as detailed in this timeline and case study on the spread of that reporting practice. In this political moment of “techlash” that has now been turbo-charged by the Cambridge Analytica scandal, the adoption of strong content moderation transparency practices may happen even faster–but only if policymakers and advocates keep demanding it. That includes voices that have been pressing on this issue for years such as the ACLU of Northern California, the Electronic Frontier Foundation, our own organization the Open Technology Institute, and the Ranking Digital Rights project (which just yesterday released its third annual ranking of how well tech companies’ are protecting users’ human rights. Spoiler alert: they’re not doing so great). And since we’re catching this practice at its beginning, perhaps with the right pressure we can not only get all the companies to issue reports but also get them to standardize their reporting formats. Otherwise we may end up with the same crazy quilt of formats that we have in other areas of transparency reporting, which makes it that much harder to meaningfully compare and combine data.

More than pressure, though, we’ll also need continued dialogue with the companies, to better understand how their content moderation and reporting processes do and don’t work, what their biggest challenges are when moderating at scale, and where they think the technology and practice of content moderation and reporting is heading. That’s why our organization along with many others is co-hosting the second Content Moderation at Scale Conference in Washington, DC on May 7, where representatives from a wide range of tech companies both big and small will be talking in detail and on the record about their internal content moderation processes (the conference will be livestreamed and Techdirt's Mike Masnick will be co-running a session on some of the challenges of content moderation).

We may see even more dominoes fall at that conference, with fresh new announcements about increased transparency and due process around content moderation on even more platforms. Let’s hope so, because internet users deserve to know more about exactly when and how their online expression is censored.

For the second time in two years, the Supreme Court has needed to weigh in and note that, of course, the US Patent Office can take another look at the crappy patents it already granted, recognize its mistake, and void the patents. A little less than two years ago, it looked at what standards could be used by the Patent Trial and Appeal Board (PTAB) using the Inter Partes Review (IPR) system created by the America Invents Act of 2010. The latest case was much more broad: challenging whether the IPR/PTAB process itself was Constitutional.

The basic idea behind the IPR process was an admission that the USPTO is historically bad at properly reviewing patents before granting them. It grants a lot of bad patents. The IPR process allows anyone to present evidence to the PTO that it made a mistake and granted a patent that should never have been granted. If the PTAB is convinced, it can invalidate the patent. Seems pretty straightforward. Except that the usual patent lovers (mainly patent trolls and big pharma) insisted that this was some sort of unconstitutional taking of property, without the review of a court. This is wrong for a whole bunch of reasons -- starting with the incorrect view of patents as traditional "property."

The Supreme Court ruled on the issue, in a case called Oil States Energy Services v. Greene's Energy Group, and basically said that of course the PTAB can invalidate patents this way. Justice Thomas wrote the majority opinion with a 7 - 2 split (Gorsuch and Roberts dissented). The key issue was whether or not invalidating patents is reserved only for the courts, and most of the Justices don't see any support for that. In short, the majority opinion says what the Patent Office gives, the Patent Office can take away...

This Court has recognized, and the parties do not dispute, that the decision to grant a patent is a matter involving public rights—specifically, the grant of a public franchise. Inter partes review is simply a reconsideration of that grant, and Congress has permissibly reserved the PTO’s authority to conduct that reconsideration. Thus, the PTO can do so without violating Article III.

The majority opinion points out that the Constitution doesn't require the Judicial branch to weigh in on the granting of patents, and thus it need not weigh in on the invalidating of those patents either.

Inter partes review is “a second look at an earlier administrative grant of a patent.” ... The Board considers the same statutory requirements that the PTO considered when granting the patent.... Those statutory requirements prevent the “issuance of patents whose effects are to remove existent knowledge from the public domain.” ... So, like the PTO’s initial review, the Board’s inter partes review protects “the public’s paramount interest in seeing that patent monopolies are kept within their legitimate scope,”... Thus, inter partes review involves the same interests as the determination to grant a patent in the first instance.

The court reasonably compares it to other administrative processes where the government can grant things, such as franchises, and later revoke or amend those franchises.

An important part of the ruling is that patents are not property in the traditional sense, and this isn't case of removing someone's property without the Judicial Branch. Specifically, the court says that patents are really more similar to a franchise right, than a traditional property right:

Patents convey only a specific form of property right—a public franchise.... And patents are “entitled to protection as any other property, consisting of a franchise.” Seymour, 11 Wall. at 533 (emphasis added). As a public franchise, a patent can confer only the rights that “the statute prescribes.” Gayler, supra, at 494; Wheaton v. Peters, 8 Pet. 591, 663–664 (1834) (noting that Congress has “the power to prescribe the conditions on which such right shall be enjoyed”). It is noteworthy that one of the precedents cited by Oil States acknowledges that the patentee’s rights are “derived altogether” from statutes, “are to be regulated and measured by these laws, and cannot go beyond them.”

And while Oil States points to some earlier rulings saying that only the courts can invalidate a patent, the Supreme Court correctly notes that the cases it points to were decided under the Patent Act of 1870 -- and under that Act, courts were necessary. But there is no Constitutional prohibition on Congress setting up different rules for the patent system, and since 2010 with the America Invents Act, Congress decided to allow for this administrative review.

Amusingly, the court also takes Oil States to school for a history lesson. The company had argued that historical principles have established that only a court could invalidate a patent, and points to cases decided in 18th century England. But, the Supreme Court, citing Mark Lemley, points out that Oil States not only gets its history wrong, but that the actual history shows that England had something quite similar to an Inter Partes Review process:

But this history does not establish that patent validity is a matter that, “from its nature,” must be decided by a court.... The aforementioned proceedings were between private parties. But there was another means of canceling a patent in 18th-century England, which more closely resembles inter partes review: a petition to the Privy Council to vacate a patent. See Lemley, supra, at 1681–1682; Hulme, Privy Council Law and Practice of Letters Patent for Invention From the Restoration to 1794, 33 L. Q. Rev. 63 (1917). The Privy Council was composed of the Crown’s advisers.... From the 17th through the 20th centuries, English patents had a standard revocation clause that permitted six or more Privy Counsellors to declare a patent void if they determined the invention was contrary to law, “prejudicial” or “inconvenient,” not new, or not invented by the patent owner. ... Individuals could petition the Council to revoke a patent, and the petition was referred to the Attorney General. The Attorney General examined the petition, considered affidavits from the petitioner and patent owner, and heard from counsel.... Depending on the Attorney General’s conclusion, the Council would either void the patent or dismiss the petition....

The Privy Council was a prominent feature of the English system. It had exclusive authority to revoke patents until 1753, and after that, it had concurrent jurisdiction with the courts.... The Privy Council continued to consider revocation claims and to revoke patents throughout the 18th century.

Just a note: if you're going to cite English legal history at the US Supreme Court to try to establish some sort of general and accepted rule, it's best if you don't skip out on the fact that the actual history supports the other side. Just saying.

The final argument from Oil States that the court rejects, is that the PTAB is a violation because it looks too much like an Article III court, without being an actual court. But the majority opinion basically says "so what?"

But this Court has never adopted a “looks like” test to determine if an adjudication has improperly occurred outside of an Article III court. The fact that an agency uses court-like procedures does not necessarily mean it is exercising the judicial power. See Freytag, 501 U. S., at 910 (opinion of Scalia, J.). This Court has rejected the notion that a tribunal exercises Article III judicial power simply because it is “called a court and its decisions called judgments.”

The dissent from Gorsuch (with Roberts signing on) is all over the place. They seem taken in by the myth of patent greatness, kicking off the dissent with the following:

After much hard work and no little investment you devise something you think truly novel. Then you endure the further cost and effort of applying for a patent, devoting maybe $30,000 and two years to that process alone. At the end of it all, the Patent Office agrees your invention is novel and issues a patent. The patent affords you exclusive rights to the fruits of your labor for two decades. But what happens if someone later emerges from the woodwork, arguing that it was all a mistake and your patent should be canceled? Can a political appointee and his administrative agents, instead of an independent judge, resolve the dispute? The Court says yes. Respectfully, I disagree.

But... that makes no sense. Congress, which has the power to set up the patent system to "promote the progress of the useful arts" has determined (reasonably) that since the Patent Office grants lots of bad patents, it can also review and invalidate its mistakes. That's not a "dispute that needs to be resolved." It's an administrative function that doesn't end once the patent is granted.

Gorsuch seems to think people will read the narrow ruling of the majority to more or less decimate the courts and move lots of disputes into administrative processes. That's silly. The majority opinion is quite clear that it is narrowly focused on the issue before it concerning Congress's authority to enable the Patent Office to invalidate patents. As for the history lesson mentioned above, Gorsuch claims it no longer applies because the English Privy Council stopped invalidating patents in the 18th Century. That's true, but meaningless. The whole reason English patent history is brought up in the first place was because Oil States tried to argue that it was the natural order of patents that only courts could remove them. What they really meant is that it was the natural order starting in the late 18th century... which is a lot less convincing if you're trying to argue a form of "we've always done it this way." The point is... we haven't.

This is a big and important win, protecting everyone from bad patents. The IPR process has been shown to be a tool that is at least somewhat effective in dumping bad patents. We should all strive for a situation in which the PTO doesn't grant bad patents in the first place, but given that it does, it should be able to acknowledge its mistakes and correct them.

Of course, that won't stop patent trolls and big pharma from flipping out. Even the site FiercePharma seems to be completely off its rocker in calling this ruling a "blow for pharma" and describing the IPR process as "hated." Except that's silly. IPR is only hated by those with junk patents. If pharma hates it, it's because they know their patents are junk.

As that article makes clear, though, the powerful Pharma lobby intends to pressure Congress to still kill the IPR process as quickly as possible:

In a statement, PhRMA spokesperson Nicole Longo said the "narrowly tailored decision" found only that IPRs are constitutional, not "efficient or fair." The arguments and a Tuesday ruling in another case—SAS Institute v. Iancu—mean it's "clear there are problems with the IPR process that need to be addressed," she added.

Amusingly, the article also notes that most of the big pharma companies have used the IPR process themselves to invalidate the patents of others, suggesting that maybe they don't actually "hate" it that much after all...

There have been ongoing debates for a while now about the stupidity of backdooring encryption, with plenty of experts explaining why there's no feasible way to do it without causing all sorts of serious consequences (some more unintended than others). Without getting too deep into the weeds, the basic issue is that cryptography is freaking difficult and if something goes wrong, you're in a lot of trouble very fast. And it's very, very easy for something to go wrong. Adding in a backdoor to encryption is, effectively, making something go wrong... on purpose. In doing so, however, you're introducing a whole host of other opportunities for many, many things to go wrong, blowing up the whole scheme and putting everyone's information at risk. So, if you're going to show up with a "plan" to backdoor encryption, you better have a pretty convincing argument for how you avoid that issue (because the reality is you can't).

For at least a year (probably more) the one name that has kept coming up over and over as one of the few techies who insists that the common wisdom on backdooring encryption is wrong... is Ray Ozzie. Everyone notes that he's Microsoft's former Chief Software Architect and CTO, but some of us remember him from way before that when he created Lotus Notes and Groove Networks (which was supposed to be the nirvana of collaboration software). In recent months his name has popped up here and there, often by FBI/DOJ folks seeking to backdoor encryption, as having some possible ways forward.

And, recently, Wired did a big story on his backdoor idea, where he plays right into the FBI's "nerd harder" trope, by saying exactly what the FBI wants to hear, and which nearly every actual security expert says is wrong:

Ozzie, trim and vigorous at 62, acknowledged off the bat that he was dealing with a polarizing issue. The cryptographic and civil liberties community argued that solving the problem was virtually impossible, which “kind of bothers me,” he said. “In engineering if you think hard enough, you can come up with a solution.” He believed he had one.

This, of course, is the same sort of thing that James Comey, Christopher Wray and Rod Rosenstein have all suggested in the past few years: "you techies are smart, if you just nerd harder, you'll solve the problem." Ozzie, tragically, is giving them ammo. But he's not delivering the actual goods.

The Wired story details his plan which is not particularly unique. It takes concepts that others have proposed (and which have been shown to not be particularly secure) and puts a fresh coat of paint on them. Basically, the vendor of a device has a private key that it needs to keep secret, and under some "very special circumstances" it can send an employee into the dark chamber to do the requisite dance, retrieve the code, and give it to law enforcement. That's been suggested many times, and it's been explained many times why that opens up all sorts of dangerous scenarios that could put everyone at risk. The one piece that does seem different is that Ozzie wants a sort of limitation on the possible damage his system does if it goes wrong (in one particular way), which is that under his system if the backdoor is used, it can only be used on one phone and then it disables that phone forever:

Ozzie designed other features meant to ­reassure skeptics. Clear works on only one device at a time: Obtaining one phone’s PIN would not give the authorities the means to crack anyone else’s phone. Also, when a phone is unlocked with Clear, a special chip inside the phone blows itself up, freezing the contents of the phone thereafter. This prevents any tampering with the contents of the phone. Clear can’t be used for ongoing surveillance, Ozzie told the Columbia group, because once it is employed, the phone would no longer be able to be used.

So, let's be clear. That piece isn't what's useful in "reassuring skeptics." That piece is the only thing that really appears to be that unique about Ozzie's plan. And it hasn't done much to reassure skeptics. As the report notes, when Ozzie laid this out at a special meeting of super smart folks in the field, it didn't take long for one to spot a hole:

The most dramatic comment came from computer science professor and cryptographer Eran Tromer. With the flair of Hercule Poirot revealing the murderer, he announced that he’d discovered a weakness. He spun a wild scenario involving a stolen phone, a second hacked phone, and a bank robbery. Ozzie conceded that Tromer found a flaw, but not one that couldn’t be fixed.

"Not one that couldn't be fixed." But it took this guy just hearing about the system to find the flaw. There are more flaws. And they're going to be catastrophic. Because that's how cryptogrpahy works. Columbia computer science professor and all around computer security genius Steve Bellovin (who was also at that meeting) highlights how Tromer's flaw-spotting shows why Ozzie's plan is a fantasy with dangerous consequences:

Ozzie presented his proposal at a meeting at Columbia—I was there—to a diverse group. Levy wrote that Ozzie felt that he had "taken another baby step in what is now a two-years-and-counting quest" and that "he'd started to change the debate about how best to balance privacy and law enforcement access". I don't agree. In fact, I think that one can draw the opposite conclusion.

At the meeting, Eran Tromer found a flaw in Ozzie's scheme: under certain circumstances, an attacker can get an arbitrary phone unlocked. That in itself is interesting, but to me the important thing is that a flaw was found. Ozzie has been presenting his scheme for quite some time. I first heard it last May, at a meeting with several brand-name cryptographers in the audience. No one spotted the flaw. At the January meeting, though, Eran squinted at it and looked at it sideways—and in real-time he found a problem that everyone else had missed. Are there other problems lurking? I wouldn't be even slightly surprised. As I keep saying, cryptographic protocols are hard.

Bellovin also points out -- as others have before -- that there's a wider problem here: how other countries will use whatever stupid example the US sets for much more nefarious purposes:

If the United States adopts this scheme, other countries, including specifically Russia and China, are sure to follow. Would they consent to a scheme that relied on the cooperation of an American company, and with keys stored in the U.S.? Almost certainly not. Now: would the U.S. be content with phones unlockable only with the consent and cooperation of Russian or Chinese companies? I can't see that, either. Maybe there's a solution, maybe not—but the proposal is silent on the issue.

And we're just getting started on how many experts are weighing in on just how wrong Ozzie is. Errata Security's Rob Graham pulls no punches pointing out that:

He's only solving the part we already know how to solve. He's deliberately ignoring the stuff we don't know how to solve. We know how to make backdoors, we just don't know how to secure them.

Specifically, Ozzie's plan relies on the idea that companies can keep their master private key safe. To support that this is possible, Ozzie (as the FBI has in the past) points to the fact that companies like Apple already keep their signing keys secret. And that's true. But that assumes incorrectly that signing keys and decryption keys are the same thing and can be treated similarly. They're not and they cannot be. The security protocols around signing keys are intense, but part of that intensity is built around the idea that you almost never have to use a signing key.

A decryption key is a different story altogether, especially with the FBI blathering on about thousands of phones it wants to dig its digital hands into. And, as Graham notes, you quickly run into a scaling issue, and with that scale, you ruin any chance of keeping that key secure.

Yes, Apple has a vault where they've successfully protected important keys. No, it doesn't mean this vault scales. The more people and the more often you have to touch the vault, the less secure it becomes. We are talking thousands of requests per day from 100,000 different law enforcement agencies around the world. We are unlikely to protect this against incompetence and mistakes. We are definitely unable to secure this against deliberate attack.

And, even worse, when that happened, we wouldn't even know.

If Ozzie's master key were stolen, nothing would happen. Nobody would know, and evildoers would be able to freely decrypt phones. Ozzie claims his scheme can work because SSL works -- but then his scheme includes none of the many protections necessary to make SSL work.

What I'm trying to show here is that in a lab, it all looks nice and pretty, but when attacked at scale, things break down -- quickly. We have so much experience with failure at scale that we can judge Ozzie's scheme as woefully incomplete. It's not even up to the standard of SSL, and we have a long list of SSL problems.

And so Ozzie's scheme relies on an impossibility. That you could protect a decryption key that has to be used frequently, the same way that a signing key is currently protected. And that doesn't work. And when it fails, everyone is seriously fucked.

Graham's article also notes that Ozzis is -- in true nerd harder fashion -- focusing on this as a technological problem, ignoring all the human reasons why such a system will fail and such a key won't be protected.

It focuses on the mathematical model but ignores the human element. We already know how to solve the mathematical problem in a hundred different ways. The part we don't know how to secure is the human element.

How do we know the law enforcement person is who they say they are? How do we know the "trusted Apple employee" can't be bribed? How can the law enforcement agent communicate securely with the Apple employee?

You think these things are theoretical, but they aren't.

Cryptography expert (and professor at Johns Hopkins), Matt Green did a fairly thorough tweetstorm debunking of Ozzie's plan as well. He also points out, as Graham does, the disaster scenario of what happens when (not if) the key gets out. But, an even bigger point that Green makes is that Ozzie's plan relies on a special chip in every device... and assumes that we'll design that chip to work perfectly and never get broken. And that's ridiculous:

Green and Graham also both point to the example of GrayKey, the recently reported on tool that law enforcement has been using to crack into all supposedly encrypted iPhones. Already, someone has hacked into the company behind GrayKey and leaked some of the code.

Put it all together and:

Suddenly the fawning over Ozzie's plan doesn't look so good any more, does it? And, again, these are the problems that everyone who has dug into why backdoors are a bad idea have pointed out before:

Green expanded some of his tweets into a blog post as well, which is also worth reading. In it, he also points out that even if we acknowledge the difference between signing keys and decryption keys, companies aren't even that good at keeping signing keys safe (and those are almost certainly going to be more protected that decryption keys since they need to be access much less frequently):

Moreover, signing keys leak all the time. The phenomenon is so common that journalists have given it a name: it’s called “Stuxnet-style code signing”. The name derives from the fact that the Stuxnet malware — the nation-state malware used to sabotage Iran’s nuclear program — was authenticated with valid code signing keys, many of which were (presumably) stolen from various software vendors. This practice hasn’t remained with nation states, unfortunately, and has now become common in retail malware.

And he also digs deeper into the point he made in his tweetstorm about how on the processor side, not even Apple has been able to keep its secure chip from being broken -- yet Ozzie's plan is based almost entirely on the idea that such an unbreakable chip would be available:

The richest and most sophisticated phone manufacturer in the entire world tried to build a processor that achieved goals similar to those Ozzie requires. And as of April 2018, after five years of trying, they have been unable to achieve this goal — a goal that is critical to the security of the Ozzie proposal as I understand it.

Now obviously the lack of a secure processor today doesn’t mean such a processor will never exist. However, let me propose a general rule: if your proposal fundamentally relies on a secure lock that nobody can ever break, then it’s on you to show me how to build that lock.

Update: We should add that the criticisms raised here are not new either. Back in February we wrote about a whitepaper by Riana Pfefferkorn making basically all of these same points that the folks quoted above are making. In other words, it's a bit bizarre that Wired wrote this article as if Ozzie is doing something new and noteworthy.

So that's a bunch of experts highlighting why Ozzie's plan is silly. But, from the policy side it's awful too. Because having Ozzie going around and spouting this debunked nonsense, but with his pedigree, simply gives the "going dark" and "responsible encryption" pundits something to grasp onto to claim they were right all along, even though they weren't. They've said for years that the techies just need to nerd harder, and they will canonize Ray Ozzie as the proof that they were right... even though they're not and his plan doesn't solve any of the really hard problems.

And, as we noted much earlier in this post, cryptography is one of those areas where the hard problems really fucking matter. And if Ozzie's plan doesn't even touch on most of the big ones, it's no plan at all. It's a Potemkin Village that law enforcement types will parade around for the next couple of years insisting that backdoors can be made safely, even though Ozzie's plan is not safe at all. I am sure that Ray Ozzie means well -- and I've got tremendous respect for him and have for years. But what he's doing here is actively harmful -- even if his plan is never implemented. Giving the James Comeys and Chris Wrays of the worlds some facade they can cling to to say that this can be done is only going to create many more problems.

The Essential ITIL Certification Training Bundle is a comprehensive study guide for essential ITIL certification exams. Start by preparing for the ITIL Foundations certification exam by learning the basics of ITIL services lifecycle, processes, ITSM's best practices, and the interactions of the ITIL lifecycle phases. The next two courses cover the essentials for both the ITIL Intermediate Service Operations certification exam and the ITIL Intermediate Service Transition certification exam. The bundle is on sale for $49 and you can save 30% more when you enter the code GETSMART at checkout.

Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

When your fingerprint is your device's password, there's little you can do to prevent law enforcement from accessing its contents. In most cases, judges have sided with the government, opining that fingerprints are non-testimonial even if it results in the production of criminal evidence.

The Fifth Amendment offers little protection for those using fingerprints for device security. And the Fourth Amendment offers zero protection against law enforcement using your fingerprint to access locked devices after you've departed the corporeal plain.

"I just felt so disrespected and violated," said Victoria Armstrong, whose fiance, Linus F. Phillip, was shot and killed by a Largo police officer last month.

Armstrong, 28, happened to be at Sylvan Abbey Funeral Home in Clearwater the day two detectives showed up with Phillip’s phone, she said. They were taken to Phillip’s corpse. Then, they tried to unlock the phone by holding the body’s hands up to the phone’s fingerprint sensor.

Armstrong was killed by police officers following a quasi-traffic stop. He jumped back in his car and attempted to drive away when officers began searching him. The officers involved have since been cleared by the state attorney's investigation. For whatever reason, detectives decided they needed access to the dead man's device. Here's the excuse given for macabre undertaking.

Lt. Randall Chaney said it was an unsuccessful attempt to access and preserve data on the phone to aid in the investigation into Phillip’s death and a separate inquiry into drugs that involved Phillip, 30.

It's completely unclear as to how information on the dead man's phone would have aided an investigation into his being shot and killed by officers. The attachment of a vague "drug inquiry" doesn't do much to salvage the search and seizure.

But the Fourth Amendment doesn't apply to dead people or their belongings. And the only reason the officers have to deal with this backlash is because their timing worked out badly. They retrieved the phone but the body had already been released to the funeral home. The seizure/search they would have performed at the morgue unfortunately now had to take place in public.

Since the Fourth Amendment isn't implicated, no warrant was needed, meaning no judge looked over an affidavit and decided unlocking a dead man's phone would somehow aid in an investigation into his death at the hands of the same law enforcement agency now attempting to crack open his phone.

This leads to another problematic aspect of the search: dead men can't be criminally charged. So what's the point in digging for more dirt on the dead man? Even if there's a "drug inquiry" underway, it seems the more honorable approach would be to at least ask the family's permission, if not avoid it entirely by focusing on other, less-dead suspects.

But honorable is the enemy of efficiency. And whatever the law doesn't explicitly forbid will be deployed by law enforcement, no matter how much it negatively affects its relationship with the community it serves.

You'd be hard pressed to find a bigger telecom sector crony than Tennessee Representative Marsha Blackburn. From her attacks on net neutrality and consumer privacy, to her support of SOPA and AT&T-written protectionist state laws hampering competition, it's effectively impossible to find a subject where Blackburn didn't take the side of regional broadband monopolies over consumers. It's a major reason that as Blackburn tries to jump from the House to the Senate (to nab Bob Corker's seat) she's found herself notably behind in the polls in a state Trump won by 26 points.

Last week, Blackburn took time out of her busy schedule to participate in a show pony Senate hearing pushed by entrenched telecom operators. Its purpose: to try and sell the public and lawmakers on the idea that killing net neutrality and allowing things like "paid prioritization" (letting one company buy a network advantage over another) will actually somehow be a good thing.

Despite their "victory" on the net neutrality repeal, large ISPs like AT&T and Comcast are worried. They're worried that the FCC's clumsy repeal will be overturned by the looming court battle, and they're worried about how more than half the states in the nation are now pursuing their own net neutrality rules. That's why they've been pushing (with Blackburn's help) for a fake net neutrality law. One that pretends to nobly "put the issue to bed," but contains so many loopholes as to be useless. Its real purpose: pre-empt tougher state rules, and prevent the FCC's 2015 rules from being re-instated in the chance of a court loss.

To sell this policy turd, ISPs and loyal foot soldiers like Blackburn have been trying to make anti-competitive behavior sound sexy. Like here, when Blackburn tries to claim that ISPs should emulate the TSA and its pre-check program as they explore the prioritization of content:

"Many of you sitting in this room right now paid a line-sitter to get priority access to this hearing. In fact, it is commonplace for the government itself to offer priority access to services. If you have ever used Priority Mail, you know this to be the case. And what about TSA Precheck? It just might have saved you time as you traveled here today. If you define paid prioritization as simply the act of paying to get your own content in front of the consumer faster, prioritized ads or sponsored content are the basis of many business models online, as many of our members pointed out at the Facebook hearing last week."

So one, no competent person would suggest the TSA's security theater efforts are worth emulation. Two, quality net neutrality rules always ban anti-competitive paid prioritization deals for good reason. If an ISP lets, say, Disney buy a speed and latency advantage, that puts companies, startups and non-profits that can't afford to pay that same toll at unfair disadvantage. Such deals might be a great money maker for AT&T and Comcast and good for companies that can afford them, but it remains a terrible idea for anybody that wants the internet to remain relatively open and competitive.

Not coincidentally, Blackburn's proposed net neutrality law (likely written by AT&T) bans all of the ham-fisted things ISPs never really had much interest in (the outright blocking of websites, for example), but turns the other cheek on a laundry list of other potentially problematic behaviors like like paid prioritization.

ISPs and their loyal lawmakers like Blackburn have tried repeatedly to insist bans on paid prioritization hamstring innovative services and things like medical care. But that's never been true: the FCC's 2015 rules didn't ban prioritization (VoIP, health services), just anti-competitive paid prioritization. Worried that their repeal won't hold, ISP lobbyists are back again trying to conflate the two concepts (prioritization versus unfair paid prioritization), while insisting that screwing up the open internet will somehow be efficient, fun and productive.

It's no secret at all (though, they tried to hide it) that Hollywood and various MPAA front-groups were heavily involved behind the scenes in getting FOSTA/SESTA passed and signed into law. It all goes back to Project Goliath, the plan put together by the MPAA a few years back to use any means necessary to try to attack the fundamental principles of an open internet. While there have been all sorts of attempts, SESTA (i.e., misrepresenting the problem of sex trafficking as being an internet problem, and then pushing legislation that won't stop sex trafficking, but will harm internet companies) was the first to make it through.

But it's unlikely to be the last. Immediately on the heels of everyone now hating on Facebook, various MPAA front groups led by CreativeFuture and the Content Creators Coalition -- both of whom will consistently parrot complete nonsense about how the internet is evil (amusingly, sometimes using the very platforms they seek to destroy) -- have now sent a letter to lawmakers demanding more regulation of the internet and, in particular, more chipping away at intermediary liability protections that enable the free and open internet (the letter was first reported by TorrentFreak).

Most of the letter continues to play up the exaggerated moral panic around Facebook's actions. As we've noted many times, there are reasons to complain about Facebook, but so many of the complaints are on bad solutions, and that's absolutely true with this particular letter. Specifically, this letter presents three demands:

Last week’s hearing was an important first step in ensuring that Facebook, Google, Twitter, and other internet platforms must (1) take meaningful action to protect their users’ data, (2) take appropriate responsibility for the integrity of the news and information on their platforms, and (3) prevent the distribution of unlawful and harmful content through their channels.

On number one: yes, companies should do a better job protecting data, but the real issue is that companies shouldn't be holding onto so much data in the first place. Rather individual internet users should have a lot more control and power over their own use of data, which is very different than what these Hollywood groups are demanding. Besides, given Hollywood's history of being hacked and leaking all sorts of data, it certainly seems like a glass houses sort of situation, doesn't it?

As for number two: "take appropriate responsibility for the integrity of the news and information on their platforms." Really? This is Hollywood and content creators directly calling for censorship, which is truly fucked up if you think about it. After all, for much of Hollywood's history, politicians have complained about the kind of content that it puts out, and demanded censorship in response. Is Hollywood now really claiming to call for other industries to go through the same sort of nonsense? Should we apply the same rules to the MPAA studios? When they put out movies that are a historical farce, such as the very, very wrong propaganda flick Zero Dark Thirty, should Hollywood be required to "take appropriate responsibility" for spewing pro-torture propaganda? Because if they're insisting that internet platforms have to take responsibility for what user's post, it's only reasonable to say that Hollywood studios should take responsibility when they release movies that are similar nonsense.

And, finally, number three: preventing the distribution of unlawful and "harmful" content. Again, one has to wonder what the fuck happened to the legacy entertainment industry that it would now be advocating for some sort of legal ban on "harmful content." Remember, this is the same industry that has regularly been accused of producing "harmful" TV shows, movies and music. And now they're on record speaking out against harmful content? How quickly do you think that's going to boomerang back on Hollywood concerning its own content.

It's almost as if Hollywood is so focused on its hatred of the internet that the geniuses they brought in to run these front groups have no clue how their own arguments will end up shooting content creators right in the foot. I mean, if we're going to stop "harmful" content, doesn't that just give more fodder to religious groups attacking the legacy entertainment industry over "blasphemy," sex and drugs? Won't groups advocating against loosening morals use that to demand that Hollywood stop producing films that support these kinds of activities. Or what about violence, which Hollywood has glorified for decades.

Now, some of us who actually support free speech recognize that Hollywood should be able to produce those kinds of movies and TV shows and musicians should be able to record whatever music they want. But we also think that internet platforms should be open to decide what content they allow on their platforms as well. It's a shame that Hollywood seems to think free speech is only important in special circumstances when it applies to professionally produced content. Because that's exactly what this letter is suggesting.

The letter also includes this nonsense:

The real problem is not Facebook, or Mark Zuckerberg, regardless of how sincerely he seeks to own the “mistakes” that led to the hearing last week. The problem is endemic in a system that applies a different set of rules to the internet and fails to impose ordinary norms of accountability on businesses that are built around monetizing other people’s personal information and content.

This is... wrong. There isn't a "different set of rules." CDA 230 and DMCA 512 are both rules designed to properly apply liability to the party who actually breaks the law. Both of them say that just because someone uses a platform for illegal behavior it doesn't make the platform liable (the individual is still very much liable). That's not a different set of rules. And to argue that internet companies are not "accountable" is similarly ridiculous. We have a decently long history of the internet at this point, and we see, over and over again, when companies get too powerful, they become complacent. And when they do dumb things, competitors spring up, and the older companies fade away.

Hollywood, of course, isn't quite used to that kind of creative destruction. The major studios of the MPAA are 20th Century Fox (founded: 1935), Paramount (founded: 1912), Universal Studios (founded: 1912), Warner Bros. (founded: 1923), Disney Studios (founded: 1923) and Sony Pictures (which traces its lineage back to Columbia Pictures in 1924 or CBC Film Sales Corp in 1918). In other words, these are not entities used to creative upstarts taking their place. They work on the belief that the big guys are always the big guys.

And, really, at a time when many of Hollywood's biggest names are being brought down in "me too" moments, when it's clear that they had institutional support of their abuse going back decades, is it really appropriate for Hollywood, of all places, to be arguing that the tech industry needs to take more responsibility? This seems like little more than a hypocritical attempt by the usual MPAA front groups to kick Facebook while its down and try to use the anger over Facebook's mistakes to try to chip away at the internet they've always disliked.

More than two dozen hours of recordings and 600 pages of documents obtained by the Detroit Free Press have uncovered disturbing details of the senseless killing of 15-year-old Damon Grimes by Michigan State Trooper Mark Bessner last fall.

Lots of killings are senseless, including many of those committed by officers authorized to use deadly force. But this one was especially senseless. Trooper Bessner decided against all policy and reason to fire his Taser at Grimes while both he and Grimes -- riding an ATV -- were traveling at 35 mph down a residential street. To add to the insanity of his act, Bessner was the passenger in the cruiser. Having initiated the pursuit, Bessner decided to end it by tasing Grimes. The result was the complete, gruesome destruction of a human being.

Grimes had been driving about 35 mph on an ATV when Bessner — a passenger in a moving patrol car — fired his stun gun at the teen during a chase on Detroit’s east side.

Grimes slammed into the back of a parked truck and flew off his ATV. The impact of the crash ripped gashes into his forehead, both cheeks and upper lip and dislocated his skull. Doctors pronounced him dead on arrival at St. John Hospital.

Bessner is now facing murder charges. There's a good chance Grimes never knew he was being pursued. Earbuds were photographed at the scene of the fatal crash. No one involved in the pursuit has been willing to go on record as to whether they appeared to be in use at the time of death. Additionally, obtained footage shows the cruiser's emergency lights weren't activated until 24 seconds after the fatal crash.

What the Free Press has uncovered with this mountain of public records is staggering. Officers arriving at the scene expressed their disgust at Bessner's actions. One officer in particular registered her disbelief at what she was witnessing.

“His pulse is weakening because he was on that fuckin' thing, and you chased his ass,” Detroit Police officer Kimberly Buckner muttered to herself as she stepped out of her vehicle, her body camera recording every step and word.

As she walked toward Grimes, an unidentified Detroit police officer reached out his hand to cover the lens of Buckner's body camera quietly saying: "They fuckin' tased his ass while he was cruisin'."

Buckner showed more compassion than other officers, though. The unidentified officer she spoke with later stated police escorts for ambulances were reserved for injured officers not "bad-ass 15 [year olds]" who ran from the cops. The officer went on to state he had "no sympathy" for the dead teenager. Another unidentified officer is captured saying, "Don't run from the State Police. You'll get fucked up."

Unbelievably, Detroit PD officials had no idea this officer -- still unidentified -- had criticized the cooling corpse of a teen shot by an officer with a Taser while riding an ATV at 35 mph. Only at the prompting of the Free Press was an investigation instigated. The officer has been pulled from patrol duty while the investigation is underway.

The Michigan State Police have a lot to answer for, and reps aren't talking. A pending lawsuit is only part of the reason for its silence. The other part is likely due to its refusal to deal with a problem trooper until he was charged with murder.

Bessner has a history of using excessive force and has been reprimanded before for using his Taser inappropriately, including using the device on handcuffed suspects. The investigation into Bessner's conduct shows that over a four-year span ending in 2017, he had 40 use of force incidents, 17 pursuits and five car accidents.

If the Michigan State Police could be bothered to police themselves, this may have been prevented. Bessner was -- at best -- a lawsuit waiting to happen. This isn't normal behavior, no matter how his lawyer spins it. It appears Bessner is going to lean hard on the Supreme Court's Graham decision, if his lawyer's statements are any indication.

Bessner's attorney, Richard Convertino, agreed to an interview, but then didn't respond to requests to schedule it.

Convertino previously called Grimes' death tragic, noting the teen drove the ATV “recklessly and dangerously” and “actively resisted and evaded arrest.”

“During the pursuit, Trooper Bessner was forced to make a split-second decision under circumstances on the scene and at the moment which was tense, uncertain and rapidly evolving,” Convertino told the Free Press in the email, shortly after the crash.

If the wording in that last paragraph seems familiar, it's because it directly quotes a Supreme Court justice.

The calculus of reasonableness must embody allowance for the fact that police officers are often forced to make split-second judgments - in circumstances that are tense, uncertain, and rapidly evolving - about the amount of force that is necessary in a particular situation.

That statement in defense of Bessner's reckless actions is a bit too much on the nose. There was no need for this to be a 'tense, uncertain, and rapidly evolving" situation. A teen was riding an ATV and the cops were in cruisers. If the teen posed a risk to others, the solution was not to fire a Taser from a moving vehicle at an unprotected body traveling at 35 mph. That's just a good way to seriously injure someone. In this case, the injuries were fatal and the trooper whose best call under pressure was to commit an act almost every cop would find unreasonable is now behind bars awaiting trial. I'll bet he wishes he'd responded a bit more reasonably.

The State Police gave him every chance to show them what kind of officer he could be. And in the end, he showed them he could be even worse than he was in the four years leading up to his murder rap.

Well, it appears we can both confirm and acknowledge that lots and lots of people want to play the CIA's in-house training card game. As we announced on Monday, we've taken the available details of the internal CIA game Collection Deck, and are in the process of turning it a version you can actually play, which we're renaming CIA: Collect It All. To see if anyone else actually wanted it, we put it on Kickstarter and set what we thought was a fairly high bar: $30,000. And yet, we hit that in about 40 hours and we still more than three and a half weeks to go. We're a bit blown away by how many people are interested, and we're committed to making the game as awesome as we can possibly make it. We recently posted an update to the campaign concerning questions around international shipping, since that's been a big topic of conversation, so if you're interested in that, go check it out.

Either way, thanks to all of you who quickly jumped in and backed the campaign (and told others about it). As we've noted in the campaign, the idea here is to do this as a one shot deal, not to keep making the game. So, while anyone can download the FOIA'd release of the rules and make your own, if you want one of our versions, you'll need to back this campaign.