Mercedes Goes To Court To Get Background Use Of Public Murals In Promotional Pics Deemed Fair Use

from the mural-victory dept

The unsettled nature of how copyright law applies to public works of art like murals continues to be frustrating in the extreme. We've already seen examples of how this becomes an issue with mural artists whose work briefly appears in unrelated works, such as music videos, as those works are filmed in public. You guys remember public, right? It's that place we all get to coexist and enjoy together without constantly stomping on each other's necks over intellectual property rights. Except we don't anymore, as far too many artists believe that they can imprint their art in full view of the public and then disallow any commercial depiction of that public space.

And if that doesn't sound idiotic to you, you need psychological care.

This is once again at issue, as Mercedes has asked a court to make it clear that murals appearing on public walls in the background of a few promotional photos of their vehicles is fair use. This is in response to the very threatening noises made by four mural artists to their murals appearing in the background of some Instagram images. To be clear, Mercedes is suing only to ask for a court to declare images, like the following, fair use, not to attack the artists themselves.

That partial mural in the background is one of the murals in dispute by the four artists. The mural is not the focus of the photo. It's not the subject of the photo. It's just that Mercedes took pictures of its vehicle driving around in public and those murals are in the background, partially depicted. Whatever that is, it sure doesn't sound like copyright infringement, and sure does sound a hell of a lot like fair use. Which is exactly what Mercedes is asking the court to declare.

Mercedes has filed lawsuits against four artists after they accused the car company of infringing upon their copyright by including graffiti murals in the backgrounds of car photos posted to Instagram.

The Detroit News reports that in its lawsuits filed on March 29th, Mercedes is asking a federal judge to rule in its favor against claims being made by artists Daniel Bombardier, James “Dabls” Lewis, Jeff Soto, and Maxx Gramajo.

It was only a year after the photos were published that the artists began accusing Mercedes of copyright infringement. All that harm must have really been delayed, I suppose. As a symbol of their artistic dedication, even after Mercedes took the photos down from Instagram due to the complaints, those same artists continued to demand Mercedes pay them for the images. In its suit, the car company is arguing both that its use was fair use and that the murals are exempt from copyright as a matter of law.

Mercedes argues that its inclusion of the murals was fair use and that the murals are exempt from copyright protection under the Architectural WorksCopyright Protection Act since they’re permanent parts of the architecture.

Which seems like a bit of a stretch. Permanent is not the word I would use for graffiti, having seen it, you know, removed before. The fair use argument is much stronger, given the limited nature of the use, the fact that it wasn't the subject of the larger use, and the damned fact that all of this is in full view of the public. Mercedes was using Detroit to sell its cars, not these murals. Calling this copyright infringement would make no more sense than a restaurant across the street from the murals being accused of replicating a public performance by putting in patio seating in full view of the mural.

So let's hope the courts get this right and we get some caselaw to do with public murals.

Filed Under: advertising, fair use, murals, panorama, public, vara
Companies: mercedes

Marcus Hutchins -- The Guy Who Stopped Wannacry -- Pleads Guilty To Conspiracy Charges

from the enjoy-your-hollow-victory,-DOJ dept

Almost two years after Marcus Hutchins, a.k.a. MalwareTech, was detained by the FBI at the airport as he left a security conference in Las Vegas, the government finally has finally gotten its man.

Charges were stacked and restacked over the past couple of years, as the government brought pressure to bear on Hutchins, who maintained his innocence right up to the point he signed the plea agreement [PDF]. Faced with possibility of spending several years in jail -- and evidence of his past, somewhat shadier exploits continuing to surface -- the man who saved the world from the Wannacry ransomware has pleaded guilty to two conspiracy charges. This means the government will be dropping the other eight charges against Hutchins, which will hopefully keep the researcher from spending several years in jail.

The defendant voluntarily agrees to plead guilty to Counts One and Two of the superseding indictment.

The defendant acknowledges, understands, and agrees that he is, in fact, guilty of the offenses described in paragraph 4. The parties acknowledge and understand that if this case were to proceed to trial, the government would be able to prove the facts in Attachment A, as well as the facts set forth in Counts One and Two of the superseding indictment, beyond a reasonable doubt. The defendant admits that these facts are true and correct and establish his guilt beyond a reasonable doubt. The information in Attachment A is provided for the purpose of setting forth a factual basis for the plea of guilty. It is not a full recitation of the defendant's knowledge of, or participation in, the offenses.

The agreement says both counts carry a possible five-year sentence each, but it seems unlikely it will ask the judge to depart upward from the guidelines. Marcy Wheeler's back-of-the-envelope math puts this at about six months per charge, given Hutchins' lack of criminal history. It may end up being more than that if the DOJ pitches something longer as some twisted form of payback for Hutchins exercising his right to defend himself against criminal charges. That's not exactly unheard of.

Hutchins has also posted a short message at his personal website, admitting guilt and apologizing for the damage he may have caused.

As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.

Hutchins' plea brings an end to a dubious DOJ prosecution -- one that makes the unproven assertion that creating and selling malware is a criminal act, whether or not Hutchins himself engaged in illegal acts using this malware. And it only further blurs the lines security researchers operate in, increasing the chance that research -- which often includes the creation and deployment of malware -- will be treated as criminal activity.

Filed Under: conspiracy, doj, fbi, guilty plea, malware, malwaretech, marcu hutchins, wannacry

How Landmark Technology's Terrible Patent Has Survived

from the stupid-patent-of-the-decades dept

Stupid Patent of the Month

There’s an increasing insistence from the highest echelons of the patent world that patent abuse just isn’t a thing anymore. The Director of the U.S. Patent Office, Andre Iancu, has called patent trolls—a term for companies that do nothing but collect patents and sue others—mere “monster stories,” and suggested in a recent oversight hearing that it was simply name-calling. 

But whatever you call them—trolls, non-practicing entities, or patent assertion entities—their business model, which involves stockpiling patents to sue productive companies rather than making goods or services, continues to thrive. It’s not hard to find examples of abusive patent litigation that make clear the threat posed by wrongly-issued patents is very real.

Take, for instance, the patents that Lawrence Lockwood owns. These patents have been used to sue companies, large and small, for nearly 20 years now. Through his company Landmark Technologies and his earlier company PanIP, more than 100 lawsuits have been filed against businesses—candy companies, an educational toy maker, and an organic farm, to name a few. Because these companies engage in “sales and distribution via electronic transactions,” or use an automated system “for processing business and financial transactions,” Landmark says they infringe one of its patents.

Those lawsuits don’t account for the other companies that have received licensing demands, but have not been sued in court. The numerous threats made with Lockwood’s patents are made clear both by news accounts of Lockwood’s activity, as well as the several small business owners that have reached out to EFF after being targeted by Lockwood’s patents. 

Patent Office records show Lockwood first applied for a patent in 1984, but his litigation ramped up after he acquired U.S. Patent No. 6,289,319 back in September 2001. The document describes an “automatic business and financial transaction processing system,” which Lockwood has interpreted to give him rights to demand licensing fees from just about any web-based business. Upon receiving that patent, Lockwood promptly sent 100 letters to various e-commerce businesses, demanding $10,000 apiece. When that didn’t work, he started filing lawsuits.

For more than 15 years now, some companies have been paying thousands of dollars to license Lockwood’s patents rather than pay the legal fees required to defend themselves. Hiring attorneys to fight the patents would have cost far more, and Lockwood was keenly aware of this leverage.

“Do they really want to spend $1 million and two years of their life to invalidate a patent they can license for a couple thousand dollars?” Lockwood said in 2003, speaking to a Los Angeles Times reporter about his lawsuits. “People get divorced over this stuff. They have strokes over this.”

Sixteen years and more than 100 lawsuits later, stress and the expenses continue to mount for Lockwood’s targets. Through Landmark, Lockwood continues to demand money from businesses that provide basic e-commerce, although his price has gone up. Companies targeted by Landmark Technology patents in recent years have shown demand letters [PDF, PDF] indicating the company now demands around $65,000 to avoid a lawsuit. 

Not a single court has ever weighed in on the merits of Lockwood’s patent claim, according to court papers [PDF] filed in 2017 by one of his targets. 

Despite some court rulings that have helped cut back patent trolling over the years, nothing has slowed down Lockwood’s broad assault on Internet commerce. This year, through a newly created company called “Landmark Technology A,” Lockwood’s patent no. 7,010,508—related to the ‘319 patent that came before it—has been used to sue two more companies: a specialty bottle-maker in south Seattle, and an Ohio company that sells safety equipment. 

Based on Landmark’s history, it’s unlikely these two lawsuits will be the last. 

Continuations and Consequences

How did this happen, and how does it continue? Lockwood applied for his first solely-owned patent in 1984, getting it two years later. It describes a network of “information and sales terminals” that could “dispens[e] voice and video information, printed documents, and goods,” accepting credit card payments. There’s no evidence Lockwood developed any such network or even had the ability to do so. In fact, Lockwood, a former travel agent, reportedly admitted during a deposition that he had never used a personal computer “for any length of time,” according to the 2003 Los Angeles Times profile.  

In the mid-90s, Lockwood sued American Airlines for patent infringement, seeking to collect royalties on its SABRE flight reservation system, which he claimed infringed three of his patents. He lost that case when, in 1997, an appeals court agreed with the district court that his patent claims were not infringed and were invalid.

That wasn’t the end of Lockwood’s efforts to make money through patent litigation, though. He continued to get more patents, acquiring Patent No. 6,289,319 in 2001, and 7,010,508 in 2006. Both patents have been used in more than 85 lawsuits, according to the LexMachina legal database. He was able to get those patents despite the fact that they were based on a patent that had been found invalid. Even better for Lockwood, he was allowed to use the “priority date” of the earlier patent. That means the only prior art that could be used to invalidate the patent would have to be from earlier than that priority date—May 24, 1984. 

Led by a family-owned chocolate shop, a group of small businesses banded together to share legal costs and fight Lockwood’s PanIP. When they put up a website about PanIP’s abuse of the system, Lockwood sued the owner of the chocolate shop for defamation and trademark infringement.

The ‘319 patent, which is richly deserving of our “Stupid Patent of the Month” award, was issued because of a problem we’ve spoken about before—abuse of the continuation process.

The Patent Office allows applicants to file “continuation” applications with new claims, as long as they’re based on what was disclosed in previously-filed applications. This creates opportunities for applicants to game the system and get patents on advances they could not have developed. For example, even though Lockwood applied for the ‘319 patent in 1994, it’s a continuation of the original 1984 application—which means that only prior art from 1984 or earlier can be used to invalidate it. 

Landmark’s complaints demand money from operating businesses, claiming that because their systems process “business and financial transactions between entities from remote sites,” they infringe the ‘319 patent. Their recent complaint [PDF] against Illinois-based Learning Resources, Inc. includes a claim chart [PDF] explaining the alleged infringement, which is a 42-page detailed chart that describes using a computer to order a toy on the defendant’s website. 

That chart makes clear that Landmark’s patent doesn’t claim any particular technological advance—just the basic idea of transmitting data between networked computer terminals.  

This patent should be invalid under Section 101 of the patent laws for failing to claim an actual invention. At best, it describes basic computer technology—like an “on-line means for transmitting said information, inquiries, and orders”— to exchange information, and respond to orders. That is a ubiquitous and essential part of e-commerce, not a patent-eligible invention.

Right now, lobbyists are pushing for a wholesale re-write of Section 101, which is the best chance of stopping patents like this one early enough in a case to avoid spending hundreds of thousands of dollars on lawyers and expert witnesses. Drastic alterations to Section 101 could leave targets of Landmark in an even worse position—in order to get out of a multi-million dollar lawsuit, they’ll have to find published, pre-1984 prior art describing the precise, nearly indefinable contours of Lockwood’s “invention,” and invest huge sums on prior art investigations as well as expert witness reports. 

Before lawmakers distort Section 101 so that it’s nearly useless, they should consider campaigns like Landmark’s. It involves an “inventor” who’s long been focused on litigating patents, not creating new innovations—and who admits to leveraging the high cost of litigation defense against small businesses. Lowering the bar for patent-eligibility even further will do far more to threaten innovation than encourage it.

Reposted from EFF's Stupid Patent of the Month series.

Filed Under: lawrence lockwood, patent trolls, patents, websites
Companies: landmark technology, panip

Universal And Warner Block Time Live Streaming Its Time 100 Event Because Copyright Censors

from the but-filters-work,-right? dept

You know how supporters of Article 13 in the EU keep insisting that just because Article 13 (now Article 17) says not to take down non-infringing content that any worries about taking down non-infringing content are misplaced? About that... This week there's been a lot of fuss about the whole "Time 100" thing that purports to highlight the 100 most influential people in the world. This bit of backslapping among the famous starts off with glowing magazine profiles, followed by a big party, the Time 100 Gala and the Time 100 Summit, which is the conference version of the backslapping. Time Magazine livestreamed the Summit yesterday via YouTube.

As Manish Singh pointed out, it appears that both Warner Music and Universal Music Group got the video pulled on copyright grounds.

It's not clear exactly why this happened, though lots of people are talking about Taylor Swift performing, and she's now on Universal, so that's one possibility. Except she performed at that Gala, and it appears that it's the Summit that got blocked. It's possible that the venue music that likely plays in between speakers could have tripped up ContentID as well.

Either way, it's yet another demonstration of how filters are terrible at this kind of thing, and why laws like the EU Copyright Directive will inevitably lead to censorship of perfectly legal material, rather than "piracy."

Now, some will respond that under the EU Copyright Directive, YouTube may just choose to officially license all music uses, and then no longer have to block incidental uses such as this, but that highlights the other problem we've discussed: almost no one other than YouTube can do that. And thus, even if that were the case, YouTube would then become the only player anyone could ever use for livestreaming events like this if they don't want them blocked. For all the talk of how we needed the EU Copyright Directive to take down Google and Facebook's power, the fact that it might just lock them into their dominant positions seems like it should be a concern.

Filed Under: censorship, contentid, copyright, filters, live streaming
Companies: time, universal music group, warner music

Federal Agent: Using A Taped Box To Send Stuff Overnight Via FedEx Is Suspicious Behavior

from the nothing-more-evil-than-a-convenient-shipping-option dept

Here's how we're fighting the War on Drugs. Lots of stuff going on, but not much seems to be happening in terms of actually, you know, keeping drugs from ending up in buyers' hands. The byproduct of the problem -- the cash -- is all anyone seems interested in.

As Brad Heath points out in his tweets referencing this in rem complaint, federal agents camp out at major air traffic hubs looking for nothing but cash. As we've covered here earlier, the DEA is actually paying TSA agents to search for cash and alert officers if any amount worth seizing rolls through checkpoints.

The same thing is happening in FedEx hubs. In this case, officers from the DHS, Indiana State Police, Indiana Metro PD all combined to stop some cash from traversing the country from Ohio to Arizona.

The filing lets us know what the government finds suspicious in terms of packaging and sending stuff around the country: everything. If you like using FedEx and their new boxes, but apply a bit too much tape, you might be a drug dealer. From the complaint [PDF]:

Based on information and experience, task force officers can easily identify suspicious packages with indicators, such as newly-bought boxes bought from the shipping company, overnight shipping, and excessive taping at the seams of the box.

Boxes, tape, and overnight shipping are literally what FedEx is known for. Yes, these officers uncovered a lot of suspicious stuff once they were IN the boxes -- packages of cash wrapped in fabric softener sheets -- but they needed something to justify the search of the boxes in the first place. I'm sorry, but "information and experience" asserting little more than what hundreds of FedEx customers do every day just doesn't cut it.

Sure, they ran a dog around the boxes and it alerted, but cash will probably prompt alerts anyway, given how much of it has circulated close to drugs or has been used as a drug delivery device. (A "blind" drug sniff is mentioned later, suggesting the dog and boxes were tossed into the room without a handler. It's a nice control but doesn't mean much when there's already been an alert with the handler present. If the dog had "failed" to detect drugs without the handler present, this simply would have been omitted from the warrant.)

The only other link to suspicion was the fact that the package was being shipped to Arizona from Ohio, but both the "To" and "From" labels contained the same Arizona address. God forbid you ship anything to or from Arizona -- not if any drug interdiction teams are in the area:

Parcels 6920 and 7068 drew attention for other reasons: they were heavily taped and being shipped to Arizona, known by law enforcement as a source for illegal controlled substances…

This is same assertion made about several states and major cities. Everything has a drug nexus if you're in the business of drug warring. The thing is, there's a lot of innocent activity going on in these same cities and states, but it all looks suspicious through a drug interdiction lens.

In total, there's a $108,000 being forfeited as suspected drug proceeds. The final nail in the evidentiary coffin is the background check on the package's recipient. Not sure how it all adds up to drug dealing, but I guess all crimes are gateway crimes or whatever.

Richard Reyes has a criminal history for theft, assault causing bodily injury, and criminal mischief. In 2003, Richard Reyes was found guilty of one count of theft in case number M-0111051 (Tarrant Criminal County Court, Texas). In 2003, Richard Reyes was also found guilty of one count of assault causing bodily injury and one count of criminal mischief in case numbers 0610831 and 0610832 (Travis County Court, Texas).

I'm not saying Reyes isn't a drug dealer. I'm saying this is pretty thin connective tissue if someone's trying to prove the money came from the sale of drugs. But the evidentiary bar is so low law enforcement is probably going to get to keep this cash.

Then there's the presence of a DHS agent. This allows Indiana law enforcement to profit from suspected criminal activity occurring outside of its jurisdiction. The package was sent from Ohio to Arizona but intercepted in Indianapolis. Dragging a federal agent along keeps the money from going into the coffers of coppers in the two states where drug dealing may actually be occurring. Handy that.

This is just one of dozens of similar litigation filed every year in the federal court system to take cash from people the government has no interest in arresting or charging. Somehow, seizing cash is supposed to cripple drug cartels. Seeing as civil forfeiture has experienced no serious income dips over the past 30 years, it's safe to say this process is doing nothing but enriching government agencies who prefer cash to preventing crime.

Filed Under: 4th amendment, dhs, indiana, indiana metro pd, indiana state police, probable cause, shipping, tape, war on drugs
Companies: fedex

Daily Deal: The Complete DevOps E-Degree Bundle

from the good-deals-on-cool-stuff dept

By merging development and operations teams into one, DevOps-savvy professionals empower companies to create better products with faster delivery and greater efficiency, which is why they're such hot commodities on the job market. This DevOps E-degree Bundle contains 6 courses and over 80 hours of instruction. On top of the included courses and materials, this collection also comes with labs, quizzes, projects and exams to guide you on this path to learning. Take your first step with this DevOps Foundations course and begin to master the technical concepts and tools behind DevOps. It's on sale for $25.

Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

Filed Under: daily deal

Guy In Charge Of Oil Well Safety Gave Out His Cell Phone Number, Now Help Us Figure Out Who Called Him

from the drain-the-swamp dept

Last November, John Oliver had a fun episode of his show discussing whether or not President Trump had fulfilled his promise to "drain the swamp" (spoiler alert: he did not). Part of that episode focused on the story of Scott Angelle, who Trump appointed to run the Bureau of Safety and Environmental Enforcement, an organization within the Department of the Interior, whose sole focus is supposed to be on enforcing safety standards for offshore oil drilling. The organization was created in the wake of the BP Deepwater Horizon spill, after people realized that there was a conflict of interest in the existing government agency in charge of enforcing safety, the Minerals Management Service, because it was also in charge of collecting revenue from those very same oil companies. So the BSEE was set up solely to focus on safety. Except, as a NY Times profile made clear, when Scott Angelle took over, he seemed much more focused on using the position as a business opportunity for oil companies -- perhaps not surprising, given that Angelle had very close ties with the industry, including getting $1 million to sit on the board of a pipeline company. In the report, which talked about just how often Angelle seemed to be meeting with oil execs, it noted:

Mr. Angelle’s speeches often center on helping the oil and gas industry cut costs and grow their businesses. And agency documents suggest moves he has already made could save the industry more than $1.3 billion in compliance costs over the next decade.

John Oliver and his team went further, highlighting speeches where Angelle directly seemed to cozy up with oil industry execs, including one where he (a) gives out his cell phone number, (b) tells industry execs to call him rather than text to avoid having their text messages released under FOIA, and (c) telling them that it was "a business opportunity" for those execs to "engage with" him. Oliver played the video, in which Angelle gives out his personal cell phone number: 571-585-3730.

That got me interested. So I filed a FOIA request asking for his phone bills, which would reveal who was calling him. The Department of the Interior actually sent me Angelle's phone records back in February -- though I wasn't quite sure what to do with them.

Now, Muckrock (the service I used to file the FOIA request) has set up a crowdsourcing campaign, asking people to go through Angelle's phone records to see if there's anything interesting in the 58 pages worth of phone calls listed there. There's a special page on the Muckrock site that anyone can go to, view the phone bills and enter details about exactly who is calling Scott Angelle.

For what it's worth, Muckrock also points out that another user successfully FOIA'd Angelle's calendar as well, so you can see some of whom he was meeting with.

Please help us "drain the swamp" by figuring out who was calling Scott Angelle. And who knows, perhaps John Oliver will feature what you find on a future episode.

Filed Under: bsee, john oliver, phone records, scott angelle, swamp

Why The Hell Are States Still Passing ISP-Written Laws Banning Community Broadband?

from the ill-communication dept

We've long talked about the more than 750 towns, cities, and counties that have responded to US broadband market failure by building their own broadband networks. We've also talked at length about how data has shown these networks often offer better service at lower, more transparent prices than their purely private sector counterparts (usually natural monopolies), whose apathy and political power has only grown in the wake of limited competition.

We've also talked at great length about how instead of derailing these efforts by offering better, cheaper service (aka competition), industry giants like AT&T and Comcast have found a cheaper solution: they've quite literally paid state lawmakers to pass protectionist laws in dozens of states that ban or hinder towns and cities from even exploring the option. These bills are widely opposed by the public, but a new study says the phenomenon is growing all the same:

"A new report has found that 26 states now either restrict or outright prohibit towns and cities from building their own broadband networks. Quite often the laws are directly written by the telecom sector, and in some instances ban towns and cities from building their own broadband networks—even if the local ISP refuses to provide service.

The full report by BroadbandNow, a consumer-focused company that tracks US broadband availability, indicates the total number of state restrictions on community broadband has jumped from 20 such restrictions since the group’s last report in 2018.

So why are these bills expanding if they're so unpopular among the public? Because they're often shoveled through the legislative process in an underhanded manner, like AT&T did when it tried to pass community-broadband killing rules into an unrelated Missouri traffic bill. Most of the time though, ISPs simply write these bills in cooperation with ALEC, who then shovels the legislation on to financially-compromised lawmakers who are happy to pass the bills with little real fact check or debate.

Sometimes the bills ban such networks outright, other times they more cleverly restrict how and where such projects can be funded or grow, something experienced by Chattanooga's utility-run EPB:

"In Tennessee, for example, state laws allow publicly-owned electric utilities to provide broadband, “but limits that service provision to within their electric service areas.” Such restrictions have made it hard for EPB—the highest rated ISP in America last year according to Consumer Reports—to expand service into new areas.

“During the 2017 legislative session, a bill considered by state lawmakers would have enabled municipalities to expand broadband infrastructure to residents,” the report notes. “Instead, lawmakers passed a bill that offers $45 million in subsidies to private Internet service providers to build the same infrastructure."

ISP lobbyists, loyal lawmakers, and the ocean of dollar per holler consultant, academics, and think tankers they employ have spent years trying to vilify these community broadband efforts as guaranteed taxpayer-funded boondoggles. But such efforts are like any business plan and highly dependent on the competency of the crafter and the underlying business model. These criticisms also ignore that US telecom ideology has generally focused at throwing unchecked billions at private monopolies who then fail repeatedly to actually deploy the fiber they promise, which actually is a taxpayer-funded boondoggle.

Even if you're opposed to your town or city getting into the broadband business, that doesn't mean Comcast and AT&T lobbyists should be pushing laws that quite literally strip away your democratic right to decide local infrastructure issues for yourself. That's a concept that's grotesque across political and economic ideologies. It's pure protectionism, and a violation of local democratic rights.

We've noted repeatedly how these towns and cities aren't getting into the broadband business because they're "socialists" or because they think it's fun. They're doing it because of decades of market failure, leading to historically awful customer service, sky high prices, slow speeds, and patchy availability. US broadband is a web of dysfunction thanks to growing natural cable broadband monopolies, corruption, and regulatory capture. Letting natural monopolies literally write protectionist laws banning creative, local, niche solutions only makes the over-arching problem that much worse. And yet here we are.

Filed Under: broadband, competition, monpoly, muni-broadband, protectionism, states

The French Govt's Hand-Rolled Encrypted Messaging Service (Briefly) Allowed Anyone To Pretend They Were A Government Official

from the inauspicious-debut dept

Early last year, news leaked out the French government was building its own encrypted messaging service. This seemed a bit disingenuous when this same government was routinely calling for backdoors in encryption for everyone else. The potential upside of the government rolling its own is that it would push government officials off third-party services and onto a platform where they might not be compromised along with everyone else if or when these privately-run platforms were hacked/backdoored.

The problem with rolling your own encryption is it's a more daunting task than those asking for it imagine it will be, as Mike Masnick pointed out in last year's post.

However, doing encrypted messaging well is... difficult. It's the kind of thing that lots of people -- even experts -- get wrong. Rolling your own can often get messy, and you have to bet that a government rolling its own encryption for government officials to use is going to be a clear target for nation-state level hackers to try to break in. That's not to say it can't be done, but there are a lot of tradeoffs here, and I'm not sure that the best encryption is going to come from a government employee.

So far, this warning has proven true. The best encryption hasn't come from a government employee. At least, not yet. As Sean Gallagher writes for Ars Technica, the government's handmade messaging service, Tchap, has already been broken by a security researcher.

The name servers set up by the departments and ministries of the French government running Matrix's code were parsing email addresses submitted for new accounts to check against existing email addresses within their directory services. After doing code analysis on the Tchap package posted to Google's Play store, [researcher Baptiste] Robert used the Frida proxy tool to alter a Web request for a new account from the app to pass a crafted email address value that grafted his own address onto a known account on the targeted directory server—presidence@elysee.fr, the official email address of the Élysée, the official residence of France's president. The value sent to the server used an @ symbol to separate the two addresses (anaddress@protonmail.com@presidence@elysee.fr).

Because of the way the directory service validated the email address, it matched the address in the second half of the pair with the known address. But the code that parsed the address for the validation email on the server side, which was built with the Python email.utils module, trimmed off everything after the first valid address. That means Robert got an email back for verification of the account, and the server thought the address was an official government account.

Not only was Robert able to get his faux account validated within two hours of downloading the app, he was also able to obtain plenty of info linked to other government account profiles. On the bright side, the team behind the app reacted quickly to notification of the security flaw and suspended account creation until it could be patched. The French government has also instituted a bug bounty program for Tchap, which will hopefully result in further flaws being addressed before they're exploited by criminals or state-sponsored hackers.

To be fair, Tchap is still in its "beta" stage. But that's not much comfort considering it was rolled out for use in this state, exposing government employees' personal account info and allowing any outsider to take a seat at the Tchap table just by exploiting the system's less-than-robust validation process.

Filed Under: encryption, france

Good News From The EU For A Change: A Strong Directive To Protect Whistleblowers

from the time-to-get-leaking dept

A lot of bad stuff has been coming out of the EU lately, notably the awful Copyright Directive with its upload filters. So it makes a pleasant change to report on the passing of strong legislation to protect whistleblowers revealing breaches of EU law, a move which the Pirate MEP Julia Reda describes as "One of the greatest successes of this mandate!". Its scope is wide. Areas covered include public procurement, financial services, money laundering and terrorist financing, product safety, transport safety, environmental protection, nuclear safety, food and feed safety, animal health and welfare, public health, consumer protection, and -- of particular interest to Techdirt readers -- privacy, data protection and security of networks and information systems. Two key components of the new directive are "safe reporting channels" and "safeguards against retaliation", as the European Parliament's press release explains:

To ensure potential whistle-blowers remain safe and that the information disclosed remains confidential, the new rules allow them to disclose information either internally to the legal entity concerned or directly to competent national authorities, as well as to relevant EU institutions, bodies, offices and agencies.

In cases where no appropriate action was taken in response to the whistle-blower's initial report, or if they believe there is an imminent danger to the public interest or a risk of retaliation, the reporting person will still be protected if they choose to disclose information publicly.

The law explicitly prohibits reprisals and introduces safeguards to prevent the whistle-blower from being suspended, demoted and intimidated or facing other forms of retaliation. Those assisting whistle-blowers, such as facilitators, colleagues, relatives are also protected.

Member states must ensure whistle-blowers have access to comprehensive and independent information and advice on available procedures and remedies free-of-charge, as well as legal aid during proceedings. During legal proceedings, those reporting may also receive financial and psychological support.

There is now one final vote by EU ministers, expected to proceed without the drama that accompanied the similar vote for the Copyright Directive. Once passed, there will be a two-year period during which EU Member States need to implement the directive in their national legislation.

The general consensus among activists in the digital sphere seems to be that the new directive is probably as good as it could be given the past resistance of some governments to the idea of protecting those who reveal their wrongdoing. It is particularly welcome against the background of the Copyright Directive's upload filters, which will create a convenient mechanism on the main Internet services for blocking documents obtained by whistleblowers. What we need now are the creation of more online sites that are not subject to the Copyright Directive -- because they are not for profit, for example -- willing to host material from whistleblowers encouraged to act by the legal protection afforded by the new EU directive.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: eu, protections, transparency, whistleblowers