Could The DOJ Be Violating SESTA/FOSTA?

from the quite-possible dept

Last week, Gizmodo’s Dell Cameron has a great report on how the DOJ’s Amber Alert site was configured so stupidly that it could be used to redirect people to any website (this was also true of and the National Oceanic and Atmospheric Administration). And it was being used. To redirect people to hardcore porn. Basically, the sites were designed such that just by knowing the right URL and adding a new URL to the end, it would redirect to those sites. Porn sites used this for a couple of reasons: first, since they’d now be getting referrals from high ranking sites, it can help their Google ranking. Second, because the primary URL would come from a trusted source again, it would help their Google ranking. And, finally, the links may look much more legit to people doing searches (though that would be more true of scam sites than porn sites).

Redirect scripts like this used to be fairly common, but they died off long ago. Except in the federal government. From Cameron’s article:

?This is like the 1990s called and wants its vulnerable redirect script back,? said Adriel Desautels, founder of the penetration testing firm Netragard.

But, here’s the thing: does this mean that the DOJ (and the NOAA) could be violating SESTA/FOSTA? It’s possible! And that just goes to show how poorly drafted the law is. Remember, under the law, it is now illegal to “participate in a venture” that “knowingly” is “assisting, supporting, or facilitating” a violation of sex trafficking laws. So, if someone were to create a DOJ Amber Alert redirect to a sex trafficking website (or just an escort site, since people keep insisting those serve little purpose other than sex trafficking) would the DOJ be in violation?

The obvious response is that the DOJ isn’t “knowingly” doing this. But… is that true? As Cameron’s article notes, every time you hit one of those Amber Alert redirects, the DOJ gives you a nice little parting message:

Is that enough to “knowingly” participate? Maybe. I would bet that if non-governmental websites popped up similar messages, SESTA/FOSTA supporters would argue it’s proof of knowledge. After all, Rep. Cathy McMorris Rodgers claimied that merely “turning a blind eye” was enough to prove “knowledge.” And here, clearly, the DOJ must be logging those exit pages. Is it ignoring them? Is that turning a blind eye? Does that count as knowledge?

Maybe it’s a stretch, but the fact that the language of the bill even makes this a possibility just demonstrates how poorly drafted the bill is, and shame on all the politicians who refused to step up and fix it.

Filed Under: , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Could The DOJ Be Violating SESTA/FOSTA?”

Subscribe: RSS Leave a comment
Anonymous Coward says:

to "participate in a venture" that "knowingly" is "assisting, supporting, or facilitating" a violation of sex trafficking laws

I seem to recall there were serious concerns about the binding of the words. In particular, does the law bind as follows:

  • To participate in a venture
  • That the venture knowingly is assisting, …

If structured as such, then the "knowingly" qualifier only applies to whether the venture knows it is doing those things, but not to whether the defendant knew (or even reasonably should have known) that the venture was doing those things. Put another way, suppose a bus driver operates a public bus (that is, open to anyone who pays the fare). Suppose one of the riders is a criminal, such that the criminal is aware of his crime (but no one else on the bus is aware). With the bindings above, the bus driver is participating in the venture (moving people about the city) and some of those people are knowingly committing crimes, so – the bus driver is "participat[ing] in a venture" (driving the bus, collecting fares) that "knowingly" (the criminal knows what he did) is "assisting, supporting, or facilitating" a violation of some law (because the criminal cannot commit his crimes without the bus transporting him around the city). We generally agree that if a reasonable person (in this case, the bus driver) had no reason to suspect his unknowing involvement in the crime, then he should not be charged, but that’s not how the law seems to be written here.

Roger Strong (profile) says:

Re: Re:

Technology sets up even worse examples:

A month ago it was reported that the Bitcoin blockchain contained child abuse imagery, making it potentially unlawful in many countries. Someone could add sex trafficking website links to the blockchain, making those storing copies or transmitting of it illegal under SESTA/FOSTA.

In your example the bus driver isn’t "knowingly" participating. But once the word is out about illegal links in the blockchain, all those who don’t erase their Bitcoin are "knowingly" participating.

Anonymous Coward says:

Seriously doubt it

There’s plenty of plausible ways the people at DOJ IT would never know without being informed first. First of all, they may not even be logging redirects. You can scoff all you want, but once you’re off their servers they may not log where the redirect went. Logging isn’t monolithic. Administrators choose what level of information collection they want. Too much and you end up with a lot of useless chaff. Not enough and you could miss something like this.

Second, most people don’t read raw log files line by line. There’s too much information there for trafficked websites like this. Administrators will be looking for certain known patterns when they filter logs which could miss things like this because no one is looking. You can’t just assume that because it’s potentially in the logs that it’s automatically going to be noticed. You have to be looking for it.

As for the law itself, politicians name laws like this exactly so they can nail opposition next election cycle. You think any politician in our society is going to want to have ads run against them that decry them for “supporting prostitution”, “exploitation of women”, “not opposing sex and human trafficking”, “not protecting our children from sexual predators”, and any other resonant issues that’s bound to stir up Average Law Abiding Joe? Average Law Abiding Joe doesn’t know, and probably doesn’t care, that the law was badly written, all he’s going to see is that their Congressman didn’t stand up against sexual deviancy and loose morals. He won’t care till he gets caught in the gears and by then it’s too late.

Michael (profile) says:

Re: Seriously doubt it

“First of all, they may not even be logging redirects.”
Since they have a “good bye” page, this is less likely and actually not fully a redirect issue anymore. Their page listed the URL and courts have found liability in linking.

“most people don’t read raw log files line by line”
That is not necessarily important for the “knowledge” standards. It is still up in the air as to whether or not “could have known” , “should have known”, or “knew” fits the definition. There is a lot of risk in these as they tend to encourage not logging and making it impossible to know, and that is the point. Laws that make it safer to not retain laws make it harder for law enforcement to work with sites that have bad actors using them.

“politicians name laws like this exactly so they can nail opposition next election cycle”
While I am no fan of US politicians, that is a broad statement that is almost certainly, overwhelmingly false. Most US laws are written with good intentions. Some have bad side-effects. It really is unlikely that these laws were written with as much political motivation as you seem to be attributing.

Anonymous Coward says:

Re: Re: Seriously doubt it

Most US laws are written with good intentions.

Considering that the MPAA and RIAA got behind this law, and they would love to see all content on the Internet approved before publication, I doubt that good intentions come into it. Third party liability is a way of forcing third parties to control the use of their websites, and this law is a big step in that direction.

That One Guy (profile) says:

It gets better

It’s worth remembering that one of the big problematic aspects of the law is that it’s retroactive, so if one of the sites they linked to qualified then they’d be on the hook, even if they currently aren’t linking to said site.

Of course this assumes that the DOJ would ever prosecute… ah yes, ‘the DOJ’, so I doubt anyone in the agency is losing any sleep over the possibility.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...