A major reform of the EU data protection rules has been grinding through the system for over three years now, subject to some of the fiercest lobbying yet seen in Europe. The original European Commission proposal was amended and accepted by the European Parliament in 2014, but leaked documents obtained by the European digital rights group EDRi show that the Council of the EU, which is made up of the member state governments, is trying to sabotage the new rules (pdf):

Since 2012, the European Commission and the European Parliament both have produced a text that, while not being perfect, would greatly benefit citizens and businesses, establishing a common set of rules for the whole EU and guaranteeing high standards for personal data protection. Unfortunately, within the Council of the EU, Member State governments are working to undermine this reform process. For more than three years, the Council has not only failed to show support for this reform and negotiations, but is now proposing modifications to the text that would lower down the existing level of data protection in Europe guaranteed by the Directive 95/46 and even below the standards required to be in line with the EU treaties.

That's taken from a detailed analysis of the documents by EDRi, Access, Panoptykon Foundation, and Privacy International. It provides a very clear explanation of the five main areas where the Council of the EU is seeking to undermine much of the hard work done over the last two years. Here's a summary of the issues:

According to the leaked proposals, crucial privacy protections have been drastically undermined, including the right to be asked for consent, the right to know how your data are used and the right to object to your data being used, minimum standards of behaviour for companies exploiting individuals' data. In several places, the text would not likely pass judicial scrutiny under Europe’s human rights framework.

This is a really disappointing development, and one that might prove hard to undo, as EDRi explains:

The Council is trying to complete its work by the summer, before negotiating with the Parliament on a compromise. Unless something is done urgently, the Council will simply complete its agreement, at which stage only an absolute majority of the European Parliament would be the only way of saving Europe's data protection reform.

And so the saga of the EU's new data protection rules continues.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Intrusive surveillance programs -- especially domestic surveillance programs -- are sold to wary legislators with promises of stringent oversight and periodic reporting. That's how they're sold. The reality is nowhere near as assuring.

The warrantless acquisition of Canadian ISP subscriber information was so thoroughly exploited by law enforcement that by 2011, subscriber data was being requested every 27 seconds. The recent addition of a warrant requirement has slowed these requests to a comparative crawl and resulted in cases being dropped by the Royal Canadian Mounted Police (RCMP). With this information no longer available on demand, law enforcement is apparently having to prioritize its cases. You know a system has gone off the rails when agencies would rather cherry pick enforcement efforts than deal with something so "onerous" as a warrant application.

No matter what the process entails, there's supposed to be oversight in place to prevent abusive behavior and/or civil liberties violations. In Canada, the oversight body is willing, but the law enforcement body is weak… and riddled with massive holes.

Last fall, Daniel Therrien, the government’s newly appointed Privacy Commissioner of Canada, released the annual report on the Privacy Act, the legislation that governs how government collects, uses, and discloses personal information. The lead story from the report was the result of an audit of the Royal Canadian Mounted Police practices regarding warrantless requests for telecom subscriber information.

The audit had been expected to shed new light into RCMP information requests. Auditors were forced to terminate the investigation, however, when they realized that Canada’s national police force simply did not compile the requested information. When asked why the information was not collected, RCMP officials responded that its information management system was never designed to capture access requests.

So, there is no audit. And without a periodic audit, there can be no oversight. There may be an entity in place to collate reported data, but what's being reported is incomplete and inaccurate. And not in any small way. The problem appears to be systemic, ingrained and possibly deliberately misleading. Some meaningful details have been redacted from the memo, but the mostly intact closing paragraph is far from comforting.

In conclusion, based on our review of statistics and interviews with senior officials at the RCMP we were unable to rely upon the numbers provided for warrantless access requests, nor was there any linkage between reports of such requests and the actual operational files containing such requests.

And the oversight entity? Apparently, almost as untrustworthy. Michael Geist points out that crucial wording was omitted from the Privacy Commissioner's official report.

The incident highlights the limits of Canadian oversight over law enforcement and surveillance activities. The use of the privacy commissioner’s audit power is frequently lauded as a mechanism to ensure that government does not run afoul of the law. Yet despite identifying inaccurate and incomplete data on a high profile privacy issue, the public audit report does not use the terms “inaccurate” or “incomplete.”

The commissioner may have kept these damning terms (temporarily) out of the public's eye in the official report, but even the more hedged version deployed there does nothing to instill confidence in the RCMP's ability to handle this access responsibly or to submit to any form of accountability.

Ultimately, our efforts to review files, combined with our interviews with RCMP personnel, did not allow us to determine whether the RCMP, as a whole, was compliant, or non-compliant, with the provisions of the Privacy Act with respect to the collection of subscriber information without a warrant. Moreover, other than through a manual review of all case files stored, the RCMP does not have a means to demonstrate its compliance in this regard.

Even if the Privacy Commissioner is unwilling to say it, the conclusions speak for themselves. The RCMP is "non-compliant." Stringent procedures that were implemented to ensure accountability have been largely ignored. The RCMP tries to claim it's really just a "software program," but that assertion doesn't explain why more than four years down the road from the cited 2010 report, nothing has changed.

There is a likely explanation for this lack of careful reporting by the RCMP. For one, it helps obscure the paper trail. It also makes the possibility of mounting a legal challenge on its domestic data-gathering a much more daunting prospect. The RCMP may be unable to show what it's doing right, but its lack of proper documentation helps ensure it will be equally as hard to prove it's doing anything wrong.

The genes that make humans distinct from other animals are being narrowed down. We have a lot in common with other mammals and especially other primates, but relatively tiny differences in a set of genes could explain how human language and intelligence evolved and developed. Understanding the complexity of human intelligence and genetics will likely take decades or longer -- and we may never fully understand every aspect of consciousness. However, we're making some progress and creating some smarter mice along the way. Check out a few of these experiments.

• Injecting human astrocytes (the most abundant cells found in the brain) into a mouse brain actually makes mice measurably smarter. This isn't exactly the beginnings of the rats of NIMH, but the researchers are going to try rats next.... [url]
• Activating a certain gene called HARE5 ("human-accelerated regulatory enhancers") leads to the development of bigger brains in humans -- and perhaps other mammals like mice and chimpanzees. A mouse embryo treated with a human HARE5 sequence developed a 12% larger brain than a mouse embryo with a chimpanzee HARE5 gene. [url]
• Hundreds of mice have been genetically engineered to express the human version of the FOXP2 gene -- a gene linked to speech and language. The resulting mice were able to learn a maze faster than control mice. And are you pondering what I'm pondering? [url]
• The ARHGAP11B gene could be a unique gene for developing modern humans' massive neocortex. Adding this gene in mice gave them larger neocortices and brain folds (mice brains are usually tiny and smooth) -- but the mice weren't necessarily more intelligent. [url]

If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

Dennis Toeppen of Suburban Express is still deploying his highly-peculiar brand of "customer service" -- something that includes doxxing unhappy customers, suing unhappy customers, suing unhappy customers, suing unhappy customers and being arrested for "harassment through electronic communications."

Nothing has changed. Toeppen is still a lawsuit fan who believes negative reviewers or anyone who doesn't fully appreciate how hard it is to run a shuttle bus service should be forced to pay $500 (at least) in "liquidated damages." Now, he's looking to pave himself a downhill slope for his future lawsuit filing. Techdirt reader Kionae sends over this article from the University of Illinois' campus newspaper which contains a small detail that shows just how far Toeppen is willing to go to get his $500.

Suburban Express recently changed its “Terms & Conditions” so any legal action arising on the online transaction of tickets should take place in Ford County, roughly 30 miles north of Champaign.

In a statement on its website, the company said it chose Ford County “because of high availability of court dates, efficient court operation, excellent staff work ethic, low costs for both parties, easy parking, and other factors.”

This has nothing to do with "efficient court operations" and has everything to do with making it economically unfeasible for sued college students to fight back. Taking the action 30 miles away strips students of the following protection:

According to the Student Legal Services Operational Plan, Student Legal Services can only represent eligible students who have cases in or originating in Champaign County.

Toeppen's change of venue is carefully calculated to extract the most money/misery from the situation. That situation, of course, is Toeppen's inability to run a business and field criticism at the same time. In Toeppen's defense, he'll say he's never wrong and it's these spoiled brat students with overactive mouths who are to blame. (What? Did you think I was going to half-heartedly defend any aspect of Toeppen's behavior?)

With students forced to pay for their own defense against Toeppen's frivolous, vindictive lawsuits, the needle moves towards a higher default judgment rate. That's what Toeppen wants, considering his legal arguments are mostly indefensible. This should see his lawsuit-filing rate approaching the stratospheric highs of 2012-13, a two-year span in which Suburban Express filed 126 lawsuits. Toeppen is misusing the judicial system. Hopefully, the judges there will recognize his venue-shifting for what it is and push cases back to the proper courts.

While net neutrality justifiably received a ton of press attention last week, we were quick to point out that the FCC's other major decision -- to start attacking protectionist state broadband laws -- may just be a bigger deal. These twenty or so laws, as we've explored in detail, are written and lobbied for by incumbent ISPs and prohibit towns and cities from deciding for themselves what they should be able to do regarding local telecom infrastructure. If you realize that neutrality violations are just a symptom of a lack of competition, the FCC's decision to start dismantling the onerous parts of these laws strikes much deeper at the root of the problem.

Make no mistake: these laws are the worst sort of protectionism. And despite ISP attempts to make this a partisan issue, most municipal broadband deployments are being approved by Republican voters in Conservative areas. Similarly, Democrats and Republicans alike realize that letting AT&T or Comcast write a law that tells you what you can or can't do (and in some cases even eliminates eminent domain rights) only benefits AT&T and Comcast. Municipal broadband is an organic, community reaction to the telecom market failure they're "enjoying" on a daily basis.

That's why it's been amusing to see Marsha Blackburn rushing to the defense of the ISPs and these bills, breathlessly trying to argue that she's just terribly, terribly concerned about states' rights. Almost immediately after the FCC's vote to limit the reach of such laws in Tennessee and North Carolina, Blackburn and Senator Thom Tillis introduced the "States' Rights Municipal Broadband Act of 2015 (pdf)," which would amend the Telecommunications Act to strip back FCC authority over states when it comes to timely broadband deployment.

Both Blackburn's and Tillis' states have passed laws that have prevented municipal broadband deployments from expanding and encroaching on the territories of companies like AT&T, CenturyLink, Time Warner Cable and Comcast. EPB Broadband (in Tennessee) and Greenlight (in North Carolina) petitioned the FCC for help in removing state-level barriers to deployment after a decade of FCC apathy to the issue. According to a statement on Blackburn's website, she's not blindly protecting her state's broadband duopoly, she's protecting locals from the FCC's vile assault on their freedom:

"I’m pleased to be working with Senator Tillis on this important issue. As former state legislators, we strongly believe in States’ rights and will fight the FCC’s liberal agenda. Chairman Wheeler’s regulatory appetite appears to know no bounds and is seeping dangerously into the lives of Americans. It is time for Congress to assert itself and protect States once again from unelected Washington bureaucrats."

Just so we're clear: letting AT&T and Comcast write awful state law that strips away "states' rights" to the sole benefit of their monopoly revenues is perfectly fine. But the FCC using its legal authority to restore those same rights -- is a frontal assault on states' rights? Blackburn and Tillis are actually trying to dress up duopoly protectionism as some form of noble ethos in a particularly blistering wave of nonsensical hubris.

Blackburn's effort is unlikely to go anywhere, in part because even the ISPs that write these laws don't want to be publicly associated with them. You'll notice that while many large ISPs felt free to complain about net neutrality rules, most of them remained mute on the FCC's municipal broadband decision -- largely because buying protectionist state law is nearly impossible to coherently defend (as Tillis and Blackburn so deftly illustrate). Both Comcast and AT&T have mergers awaiting FCC review, so any full-throated support for keeping U.S. broadband uncompetitive will have to remain the purview of disingenuous intermediaries.

As you know, last week the FCC made a somewhat historic move, to vote to reclassify broadband internet access as a "Title II" telecommunications service, which allows the FCC to implement specific open internet rules that disallow things such as paid prioritization and blocking. This move has been rightly celebrated by many people. However, it is also being attacked by many others. Some of that is nothing more than spewing big broadband companies' talking points. Some of it is merely partisan bickering, as the "net neutrality" fight became ridiculously partisan, even though a vast majority of voters in both parties support net neutrality.

That said, there are some legitimate concerns. They're not the ones that you're likely to hear about (other than on the margin), but rather fall under the fact that this is just one battle in a war that is far from over. So, let's take a look at some of the reasons to still remain quite vigilant in protecting a free and open internet:

1. The details: Yes, as you may have heard, the fully detailed rules are not yet public. This is ridiculous and stupid, but it's the way the FCC operates. If it had released the detailed rules prior to the vote, it would have delayed the entire process. And, while dissenting commissioners Ajit Pai and Michael O'Rielly have been screaming about the travesty that the rules haven't yet been released publicly, what they conveniently leave out is that currently they are the sole reason for the delay. The FCC can't publish the final rules until the FCC has incorporated their dissents, and neither Pai nor O'Rielly have handed in their dissents.
   
   And, yes, there may be some devils in the details. One particular concern is the "general conduct rule." As the folks at EFF have warned, a vague "general conduct" rule allows the FCC to more or less reserve the right to examine practices of ISPs to see if they're "harmful to consumers." While that may sound good in practice, the vagueness of the rule could subject all sorts of perfectly reasonable practices to long and drawn out legal fights with the FCC. It's good that the FCC wants to be able to stop practices that are harmful to consumers, but if it's going to do that it should lay out directly what it believes to be harmful, rather than leaving things open to interpretation.
   
   There are some other unclear details as well: exactly how will the fight play out over "interconnection" which isn't directly a "net neutrality" issue (which is just focused on the last mile from the broadband provider to your home), but rather a way that the big ISPs accept traffic from service providers. The big broadband providers deliberately allowed those interconnection points to clog up in order to pressure service providers like Netflix to pay up. The new rules are likely to try to address that issue somewhat, but it's not entirely clear how. Another area of concern is how it deals with "zero rating" plans, whereby broadband providers let some traffic not count against a data cap. While the broadband providers argue that this is a consumer benefit, that ignores that they put the data cap on in the first place. Exempting users from your own anti-consumer practices isn't really consumer friendly. It sounds like the new rules will deal with these situations on a "case by case" basis as well, and that can be problematic.
   
   How worried should you be? Moderately worried, though the details still very much matter. While anti-net neutrality types are blathering on about tariffs and rate regulations that aren't happening, this is a legitimate concern that could tie up perfectly reasonable practices in uncertainty.
   
   Should you blame the new rules? Yup. This one is on the FCC. It sounds like the rules got a lot of stuff right, but this may be a push too far. It could have been much worse, but we should still be concerned about some possible problems with the rules and be vigilant about how they are interpreted and applied.
   
   
2. The lawsuits: As you may have heard, pretty much everyone knows that someone is going to sue about the new rules. Last time around, Verizon sued (which was silly because it helped create the incredibly weak rules it sued over, and its "victory" in that case has resulted in these new stronger rules), and either it will sue again or AT&T or Comcast or some combination will sue this time. This will at least create some uncertainty over whether or not the rules will stick, and if the courts toss out these rules too, then we're back to square one -- and in a situation where it may be even tougher to protect net neutrality.
   
   How worried should you be? Moderately worried. While some anti-net neutrality folks insist that because the FCC lost lawsuits concerning its last two attempts to craft net neutrality rules, this time is pretty different. The court ruling in the last one more or less laid out this path. The reason it rejected the last rules was because it said the FCC was trying to introduce "common carrier" rules without classifying broadband as a common carrier. The new rules classify it as a common carrier, so it appears to be following the court's instructions. And, if it goes up to the Supreme Court, you can't tell for sure, but the court's earlier rulings have suggested that on this particular question it gives the FCC wide leverage in classifying broadband. And, in what may not make many Republican anti-net neutrality folks happy, Antonin Scalia was the most vehement in an earlier case arguing (in dissent) that broadband was obviously a Title II common carrier service. But... nothing is ever certain in the judicial process, and cases can come out with strange and surprising rulings. So it's entirely possible that we'll be back for another sort of battle three or four years from now.
   
   Should you blame the new rules? No. Verizon had indicated early on that it was likely to sue over any rules. While it backed down from that position after other broadband providers started stage whispering "shut up, Verizon..." it's still likely that some broadband provider somewhere would have sued over the new rules no matter what. So the legal uncertainty would have lingered. And, again, last year's ruling in the Verizon case more or less said that if you're going to issue these kinds of rules, you need to reclassify. It's likely that some of the legal challenges will argue that the FCC didn't follow the proper procedures in reclassifying, but that's a long shot given earlier rulings.
   
   
3. Congress: Again, it's not at all clear why this has become a partisan issue when the public is all for net neutrality, but it is, in fact, now a partisan issue. And the party that is against net neutrality, the Republicans, has a majority in both houses of Congress. There is already an effort underway by Congress to modify the Telecommunications Act to put in place different "net neutrality" rules that are really just a smokescreen to simply strip the FCC of pretty much all authority to protect consumers against questionable broadband provider practices. Separately, Republicans in Congress have already started to make moves to delay the implementation of the new rules, including demanding that FCC boss Tom Wheeler show up for a hearing to explain himself (seriously).
   
   In theory, it would be better to have a clearer law drafted by Congress, rather than having the FCC make the final decision on this thing, but that theory relies on a competent Congress that obeys the will of the people, rather than special interests. Stop laughing. And, of course, you never know how everything will get twisted around later. As Tim Lee at Vox recently noted, it was the Republicans who rewrote the Telecommunications Act in 1996 that pretty clearly intended for broadband to be classified as a Title II service, which they're now freaking out about.
   
   How worried should you be? Moderately worried. The new rules have certainly shifted the baseline in one direction such that it would be difficult for Congress to completely undermine an open internet in new rules without setting off massive public backlash. But it can still do some damage. That's perhaps more difficult with an open internet supporter in the White House, but it could flip.
   
   Should you blame the new rules? No. The new rules have actually been helpful here. Even if the current proposed change to the Telecommunications Act is a joke, it's much, much, much more friendly towards an open internet than what was being talked about just a few months ago. Furthermore, Congress can change as well and can pass new laws at another time also. There's always the risk that Congress will propose a rewrite to the Telecommunications Act, with or without these rules. But with these new rules in place, it actually may be more difficult to get Congress to completely shift things away from a more open internet.
   
   
4. The next FCC: One of the key talking points among anti-net neutrality types is that if this FCC can just make this decision to reclassify, the next one (especially under a Republican president, in which the balance of the FCC would shift to 3 to 2 Republicans to Democrats as commissioners) could just flip it back. Current Republican commissioner Ajit Pai's big filibuster of a speech at the open meeting last week appeared to be his pitch to become the next head of the FCC. And, of course, there's the argument in the other direction, which is that a new FCC with a Democratic majority might go even further with the new rules, and bring back all the "bad stuff" in Title II like rate regulations and tariffs.
   
   How worried should you be? Not that worried. Despite what some say, it's not that easy to just flip this switch. Note that this process alone has taken basically a year. The FCC has to propose the rules and allow for the slew of comments and then go through this entire process again before it can switch the rules again. It could happen, but by the time it does we'd already be under the existing rules for some time, and when the predicted "harms" of the new rules don't come to pass, the scare stories from anti-net neutrality types won't be even remotely believable. As for the idea that a new FCC might bring back rate regulations and tariffs, that seems ridiculously unlikely. At this point you have basically no one who supports such an idea -- either on the FCC or in the public. The FCC would have to go through a whole new proposal/comment period on such an idea, and it would be so astoundingly unpopular that it's difficult to see it getting anywhere at all.
   
   Should you blame the new rules? Nope. The FCC is going to flip flop back and forth based on the party in the White House anyway, and all the talk claiming the FCC has become "more partisan" is a lot of bunk. There have long been fights along party grounds on certain issues, and that won't change.
   
   
5. The lack of competition: This probably remains the largest ongoing issue in the fight for an open internet. For years we've been arguing that the attack on net neutrality is really just a symptom of the lack of competition in the market, and that's still true today. Beyond the new rules, if we want to really protect an open internet, we need much more competition. It's notable that the new rules do not (as some wanted) include unbundling requirements, which would have made infrastructure providers let other service providers buy access wholesale to resell, creating competition at the service level (rather than at the network level). Many other countries have this type of unbundling, and it's resulted in a much more competitive broadband market in those places.
   
   This is also why the FCC's other vote last week may turn out to be the bigger deal. This was the FCC's decision to preempt state laws (generally written by the broadband providers themselves) that blocked municipalities from offering up municipal broadband. Municipal broadband is not a panacea, and there have been some notable failures. However, there are plenty of success stories as well, including some impressive ones in which communities join together to create a strong broadband offering where the giant legacy players have failed to keep up.
   
   Separately, we're finally starting to see third parties jump into the market. Lots of people point to Google Fiber, but that's just one of a few new and growing entrants. And many of those smaller providers have both embraced the FCC's new rules and pointed out that with those new rules, they may be able to deploy their services more widely, since it will help them get access to things like telephone poles that were blocked in the past. On top of that, while in the past, alternative means of broadband were more hype than reality, the technology for air-based broadband (from wireless systems, satellites, drones, balloons and blimps) is getting rapidly better and may offer a legitimate third-party option. Those technologies are all getting a lot cheaper as well, so it's entirely possible that we could get more significant competition in the future -- especially if there's more open spectrum available.
   
   How worried should you be? Absolutely worried. The lack of competition is the real travesty in all of this, and while you can be hopeful about some of the things coming down the road that should add to the competitive market, for many of us, there are almost no competitive choices for broadband.
   
   Should you blame the new rules? Nope. Some anti-net neutrality types are trying to argue that the new rules will reduce competition, but it's hard to find any evidence to support that. Enough small, independent and third-party broadband providers have come out in support of the new rules that it's difficult to take seriously the complaint that it will discourage those competitors from entering the market. They seem to be arguing exactly the opposite.
   
   
6. The games Comcast/Verizon/AT&T will play: When it became clear that there were going to be open internet rules of some sort on the last mile, all of the big broadband providers played the interconnection trick, letting their interconnection points with Netflix clog up in order to get the same result it wanted in the first place: get the internet companies to pay extra to reach its users, even as everyone is already paying for their own bandwidth. And, lately, there have been various games around "zero rating" in which the broadband players (mainly on the wireless side) pretend that they're offering a "consumer benefit" by exempting certain traffic from the unnecessary data caps that the broadband providers themselves set up.
   
   It seems quite likely that even with the new rules, the big broadband providers will look for loopholes and other tricks to try to chip away at an open internet, allowing it to put toll booths into the internet stream. That's been their focus for a decade now, and it's unlikely that they're going to give up now. The big broadband providers simply hate the idea of just being "dumb pipes" and feel like they need to extract extra money for all of the activity happening on those pipes. It's not clear how they'll plant to get around the rules, but it seems inevitable.
   
   How worried should you be? Somewhat worried. The big broadband players are incredibly crafty at trying to figure out loopholes and ways through the rules. The interconnection and zero rating cases are just two examples, and both were pretty clever. The zero rating one was particularly clever in that they could pretend to be "consumer friendly" by protecting you from the anti-consumer rules that they themselves set up. It's kind of brilliant in how evil it is. The problem here is that we just don't know what form this attack is likely to take, but it's definitely going to happen.
   
   Should you blame the new rules?: No. The big broadband players have been playing these games for ages, and the new rules actually do make it much more difficult for them to play at least some of these games. That's why last week was a victory for the open internet.

It should be noted that some net neutrality critics are running around and claiming that these new rules mean the death of the internet, and will lead to the government deciding what content and services are allowed on the internet. If true, that would be an attack on the open internet, but it's simply not true. Don't worry too much about it. That's just FUD.

The reality is that last week was a victory, but it's hardly the end of the fight to protect the open internet. There are some legitimate concerns about both the rules that were passed, as well as the actions that others (including Congress, the FCC and broadband players) may take in the future. And we need to be vigilant about all of this in order to make sure that the internet remains open and free.

So the whole Hillary Clinton email story is getting worse and worse for Clinton. We already noted that there was no way she couldn't have known that she had to use government email systems for government work, as there was a big scandal from the previous administration using private emails and within the early Obama administration as well. This morning we discovered that Clinton also gave clintonemail.com email addresses to staffers, which undermines the argument made by Hillary's spokesperson that it was okay for her to use her own email address because any emails with staffers would still be archived by the State Department thanks to their use of state.gov emails. But that's clearly not the case when she's just emailing others with the private email addresses.

As we noted yesterday, there are two separate key issues here, neither of which look good for Clinton. First, is the security question. There's no question at all that as Secretary of State she dealt with all sorts of important, confidential and classified information. Doing that on your own email server seems like a pretty big target for foreign intelligence. In fact, Gawker points out, correctly, that Hillary's private email address was actually revealed a few years ago when the hacker "Guccifer" revealed the inbox of former Clinton aide Sidney Blumenthal. So it was known years ago that Clinton used a private email account, and you have to think it was targeted.

Anonymous State Department "cybersecurity" officials are apparently shoving each other aside to leak to the press that they warned Clinton that what she was doing was dangerous, but couldn't convince her staff to do otherwise:

“We tried,” an unnamed current employee told Al Jazeera. “We told people in her office that it wasn't a good idea. They were so uninterested that I doubt the secretary was ever informed.”

The AP has a somewhat weird and slightly confused article detailing the setup of the email system, but seems to imply things that aren't clearly true.

It was unclear whom Clinton hired to set up or maintain her private email server, which the AP traced to a mysterious identity, Eric Hoteham. That name does not appear in public records databases, campaign contribution records or Internet background searches. Hoteham was listed as the customer at Clinton's $1.7 million home on Old House Lane in Chappaqua in records registering the Internet address for her email server since August 2010.

The Hoteham personality also is associated with a separate email server, presidentclinton.com, and a non-functioning website, wjcoffice.com, all linked to the same residential Internet account as Mrs. Clinton's email server. The former president's full name is William Jefferson Clinton.

While Eric Hoteham may be a mysterious non-entity, as Julian Sanchez points out, an early Clinton staffer was named Eric Hothem. Of course, Stanford cybersecurity guru Jonthan Mayer also notes that Hillary's old home server is still online and running Windows Server 2008 R2. However, the AP reports that the email has moved around a bit over the past few years:

In November 2012, without explanation, Clinton's private email account was reconfigured to use Google's servers as a backup in case her own personal email server failed, according to Internet records. That is significant because Clinton publicly supported Google's accusations in June 2011 that China's government had tried to break into the Google mail accounts of senior U.S. government officials. It was one of the first instances of a major American corporation openly accusing a foreign government of hacking.

Then, in July 2013, five months after she resigned as secretary of state, Clinton's private email server was reconfigured again to use a Denver-based commercial email provider, MX Logic, which is now owned by McAfee Inc., a top Internet security company.

That likely means the email was much more secure after July of 2013, but it certainly raises questions about how secure it was for years before that.

Though, we do know that it was secure from one thing: FOIA requests. That is the second of the two big issues raised by this whole thing. By using her own email setup, she was clearly able to hide important documents from FOIA requests. In fact, as Gawker notes, her staff's defense of the use of her private email, actually now confirms emails as legit that the State Department denied existed back when Gawker made a FOIA request years ago.

That's because following that Guccifer hack, Gawker filed a FOIA for those emails and was told they don't exist. Yet, now Clinton staffers point to that old Gawker article to suggest that the private email address is "old news," thus confirming that the emails were legit, even though the State Department denied them.

The Clinton camp’s claims about the email account being above-board is also contradicted by the State Department’s response to Gawker’s inquires two years ago. After we published the story about Blumenthal’s correspondence with Clinton, we filed a FOIA request with the agency for all correspondence to date between Hillary Clinton and Sidney Blumenthal, specifically including any messages to or from the hdr22@clintonemail.com account. The screenshots and other documents released by Guccifer—which have now been validated by Clinton’s spokesman—confirmed that such messages existed.

But the State Department replied to our request by saying that, after an extensive search, it could find no records responsive to our request. That is not to say that they found the emails and refused to release them—it is conceivable, after all, that the State Department might have attempted to deny the release of the Clinton-Blumenthal correspondence on grounds of national security or Blumenthal’s own privacy. Instead, the State Department confirmed that it didn’t have the emails at all.

Which is exactly why Clinton used a non-State Department email server to conduct her official business.

According to the NY Times, the State Department says that it won't go back to correct the FOIA requests that it responded to in the past, saying that such records didn't exist. Instead, it will only now search the emails that have been turned over by Clinton's staff. That is another 50,000 emails, but no one knows what emails the staff removed or refused to turn over.

Either way, there are two huge problems here. Clinton likely exposed her emails to foreign spies, while keeping them away from the American public.

As you may have heard, the law enforcement and intelligence communities have been pushing strongly for backdoors in encryption. They talk about ridiculous things like "golden keys," pretending that it's somehow possible to create something that only the good guys can use. Many in the security community have been pointing out that this is flat-out impossible. The second you introduce a backdoor, there is no way to say that only "the good guys" can use it.

As if to prove that, an old "golden key" from the 90s came back to bite a whole bunch of the internet this week... including the NSA. Some researchers discovered a problem which is being called FREAK for "Factoring RSA Export Keys." The background story is fairly involved and complex, but here's a short version (that leaves out a lot of details): back during the first "cryptowars" when Netscape was creating SSL (mainly to protect the early e-commerce market), the US still considered exporting strong crypto to be a crime. To deal with this, RSA offered "export grade encryption" that was deliberately weak (very, very weak) that could be used abroad. As security researcher Matthew Green explains, in order to deal with the fact that SSL-enabled websites had to deal with both strong crypto and weak "export grade" crypto, -- the "golden key" -- there was a system that would try to determine which type of encryption to use on each connection. If you were in the US, it should go to strong encryption. Outside the US? Downgrade to "export grade."

In theory, this became obsolete at the end of the first cryptowars when the US government backed down for the most part, and stronger crypto spread around the world. But, as Green notes, the system that did that old "negotiation" as to which crypto to use, known as "EXPORT ciphersuites" stuck around. Like zombies. We'll skip over a bunch of details to get to the point: the newly discovered hack involves abusing this fact to force many, many clients to accept "export grade" encryption, even if they didn't ask for it. And it appears that more than a third of websites out there (many coming from Akamai's content delivery network -- which many large organizations use) are vulnerable.

And that includes the NSA's own website. Seriously. Now, hacking the NSA's website isn't the same as hacking the NSA itself, but it still seems notable just for the irony of it all (obligatory xkcd): But the lesson of the story: backdoors, golden keys, magic surveillance leprechauns, whatever you want to call it create vulnerabilities that will be exploited and not just by the good guys. As Green summarizes:

There’s a much more important moral to this story.

The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today.

This might be academic if it was just a history lesson — but for the past several months, U.S. and European politicians have been publicly mooting the notion of a new set of cryptographic backdoors in systems we use today. This would involve deliberately weakening technology so that governments can intercept and read our conversations. While officials are carefully avoiding the term “back door” — or any suggestion of weakening our encryption systems — this is wishful thinking. Our systems are already so complex that even normal issues stress them to the breaking point. There's no room for new backdoors.

To be blunt about it, the moral of this story is pretty simple:

Encryption backdoors will always turn around and bite you in the ass. They are never worth it.

Let's repeat that last line, because it still seems that the powers that be don't get it:

Encryption backdoors will always turn around and bite you in the ass. They are never worth it.

Whether it's creating vulnerabilities that come back to undermine security on the internet decades later, or merely giving cover to foreign nations to undermine strong encryption, backdoors are a terrible idea which should be relegated to the dustbin of history.

(Former?) dentist Stacy Makhnevich utilized a shady firm's (Medical Justice) legal documents to force a patient to sign over his copyright to any future reviews of her service. When he posted negative comments about her services, she followed this up by billing him $100/day for the Yelp review he supposedly no longer controlled.

This censorious behavior resulted in two things: a class action lawsuit being brought against the dentist by Public Knowledge and a severe Streisanding that saw Makhnevich's personal and professional reputation torn to shreds by internet denizens, most notably at the same site she attempted to silence.

Shortly thereafter, Makhnevich simply… disappeared. She filed a motion to dismiss the class action suit, but received only sharp criticism from the judge for her "ridiculous" arguments. That was pretty much the last anyone saw of the disgraced dentist, something that makes plaintiff Robert Allen Lee's win somewhat bittersweet.

According to the default judgement [PDF] by a U.S. District Court in NYC last week, the judge concurs, saying that the prohibition against negative criticism, along with the use of copyright claims to prevent these reviews from being seen “constitute breaches of fiduciary duty and violations of dental ethics and are subject to the equitable defenses of unclean hands, and, as to such assignment and assertion, constitute copyright misuse.”

The very short decision points out that Makhnevich was wrong about pretty much everything before awarding presumably uncollectable damages to Lee.

The Court declares as follows:

A. Notwithstanding the claim of defendants Stacy Makhnevich, Aster Dental, Chrysler Building Dental Association, North East PC, South East Dental Suite, Lincoln Square Dental Arts, Lincoln Square Dental Arts of Manhattan, and Chrysler Dental (collectively, "defendants") to ownership of the copyright in writings by plaintiff Robert Allen Lee about them, Robert Allen Lee's posting of public comments about defendants' services ("Lee 's Commentary") is a non-infringing fair use pursuant to Section 107 of the Copyright Act;

B. Obtaining the promise by plaintiff Robert Allen Lee in the Mutual Agreement to Maintain Privacy (the "Agreement') not to publish criticism of defendants, the Agreement's purported assignment of copyrights, and the assertion of copyright claims by defendants for the express purpose of preventing the dissemination of Lee's Commentary, constitute breaches of fiduciary duty and violations of dental ethics and are subject to the equitable defenses of unclean hands, and, as to such assignment and assertion, constitute copyright misuse;

C. Robert Allen Lee's assignment and promise in the Agreement not to publish criticisms of defendants are null and void for lack of consideration;

D. Robert Allen Lee's assignment and promise in the Agreement not to publish criticisms of defendants are null and void for unconscionability;

E. The Agreement is a deceptive act or practice in violation of Section 349(a) of the New York General Business Law; and

F. Lee' s Commentary is not actionable defamation under New York common law.

Plaintiff Lee is awarded $4,766 in damages against defendants, jointly and severally, for their breach of contract, together with his costs of suit.

The other upshot of the lawsuit is that Medical Justice has ceased offering the legally-dubious forms deployed by Makhnevich, albeit in a rather begruding fashion.

"While we believe these agreements are honest, ethical, and legal, we are going to use this situation as an opportunity to retire these written agreements used since 2007," MJ CEO Jeffrey Segal told Ars on Wednesday. He claims that MJ will recommend to doctors that they stop using the agreements, and that patients will not be asked to sign any such agreements in the future.

The worst thing you can do about bad reviews is pretty much everything Makhnevich did: misuse copyright law, fire off cease-and-desist orders and bogus DMCA takedown requests, and bill unhappy customers to the tune of $110,000. Disappearing was probably a wise choice, but it does tend to result in default judgments. Lee may find it hard to collect what he's owed from the missing dentist, but the court's short but thorough dismantling of her every move should serve as a warning to future business owners who think it's wise to deploy the nuclear option when criticized.

A few Florida legislators are looking to do some serious damage to both free speech and the internet.

This week, the Florida state legislature is considering a bill that would make it illegal to run any website or service anonymously, if the site fits a vague category of “disseminat[ing]” “commercial” recordings or videos—even the site owner’s own work. Outlawing anonymous speech raises a serious First Amendment problem, and laws like this one have been abused by police and the entertainment industry.

The bill (Senate and House versions) seems to be catering directly to the entertainment industry and could give local law enforcement City of London Police-esque powers to act as de facto copyright cops. And its potential stripping of anonymity not only requires disclosure to law enforcement, but everyone else on the web.

A person who owns or operates a website or online service dealing in substantial part in the electronic dissemination of commercial recordings or audiovisual works, directly or indirectly, to consumers in this state shall clearly and conspicuously disclose his or her true and correct name, physical address, and telephone number or e-mail address on his or her website or online service in a location readily accessible to a consumer using or visiting the website or online service.

Do-it-yourself doxxing! What could possibly go wrong? Handing over your personal information to complete strangers always works out so well. The bill seems only concerned with giving rights holders easier access to potential infringers (still problematic), completely ignoring the unintended consequences of forcing certain site owners to hand out their personal information proactively, rather than only by law enforcement subpoena or court order.

On top of that, there's the vagueness of the language. "Directly or indirectly" can mean a lot of things -- like links to alleged infringement elsewhere on the web. And it would potentially force any number of site owners worldwide to give up their anonymity. The bill isn't limited to sites/site owners residing in Florida. All it says is "electronic dissemination… to consumers in this state." If a website can be accessed from Florida, it conceivably falls under the jurisdiction of this proposed law.

This would give the Grady "Showboat" Judds of Florida law enforcement all the reason they need to send ad hoc anti-piracy task forces all over the US to shut down infringing sites. Even if the damage was solely confined to Florida, it would still be a bad idea.

Similar “true name and address” laws in other states have been used to justify police raids on music studios. In 2007, a Georgia police SWAT team (with RIAA employees in tow) raided the studio of DJ Drama and DJ Cannon, makers of influential “mixtapes” that record labels used to promote their artists. The police arrested the DJs and confiscated their CDs and equipment. Their justification wasn’t copyright law (which is a federal law) but a more limited version of the same law Florida is considering, one that applies only to physical goods. If Florida expands on Georgia’s law by including websites, we could see similar police raids against music blogs or other avenues of online speech. And the works on the site might even be in the public domain, as long as some “owner, assignee, authorized agent, or licensee”—perhaps a broadcaster—complains.

If there is a bright side to this proposed law, it's that it doesn't gut Section 230 protections and contains the smallest of nods towards Fair Use. But that's it. Otherwise, it's a mess -- a bill designed to expedite the pursuit of infringers at the expense of free speech and online anonymity.