by Mike Masnick
Tue, Oct 8th 2013 3:09pm
by Mike Masnick
Tue, Oct 8th 2013 9:01am
from the get-away-from-my-email dept
Unfortunately, with Judge Koh unwilling to recognize this basic concept, it's now open season on email providers. A very similar lawsuit has now been filed against Yahoo, and I'm sure it won't be the last one.
The whole situation is screwed up beyond belief. Eric Goldman's comments on the original lawsuit against Google are completely on point here. Not only does this ruling show how totally screwed up ECPA (the Electronic Communications Privacy Act) is, but the whole thing may lead to making just about everyone a hell of a lot worse off. Goldman notes why Judge Koh's ruling is almost certainly incorrect under the law: algorithmic processing of content isn't considered interception under the law; the ruling could certainly apply to anti-spam/anti-virus/spell-checking services and more; email providers have been doing this for ages, so where's the statute of limitations; and what actual harm was caused to people who had their email scanned?
But he concludes it with this plea for sanity to the likes of Consumer Watchdog:
PLEASE PLEASE PLEASE don't take away my Gmail account. It has materially improved my life, and I hope and pray that I'm not downgraded into some second-rate email account due to this litigation.
Indeed. It leaves me wondering what "consumers" Consumer Watchdog is looking out for, because it's not me, and it doesn't appear to be the many many millions of people who use a variety of different webmail services quite happily -- because it improves their lives. I don't want a group (especially one prone to blatantly misrepresenting reality) to break email for me. That's not being a watchdog, it's being an authoritarian dipshit, arguing that millions of people around the world should be worse off because this one group thinks it knows best.
by Mike Masnick
Wed, Sep 18th 2013 7:34am
from the poor-timing dept
To date, no holder of records who has received an Order to produce bulk telephony metadata has challenged the legality of such an Order. Indeed, no recipient of any Section 215 Order has challenged the legality of such an Order, despite the explicit statutory mechanism for doing so.
This is hardly a surprise. We'd already pointed out that, while the internet companies had been very vocal about the NSA surveillance efforts, there had been a deafening silence from the likes of Verizon and AT&T. In fact, it later came out that the telcos actually volunteered to share this information, and when the tech companies reached out to get them to sign onto a letter asking the government to be more transparent, AT&T and Verizon refused to sign on.
Given all of this, it's hard to imagine any worse timing than the very same day that the FISC ruling was unclassified for a Verizon exec to finally speak out on this. Specifically Verizon Enterprise Solutions president John Stratton decided to talk about this... by mocking Google, Yahoo and Microsoft for "grandstanding" on this issue, and to pretend that Verizon had to just shut up and hand over the records for the sake of national security.
"I appreciate that the consumer-centric IT firms that you referenced [Yahoo, Google, Microsoft] that it's important to grandstand a bit, and waive their arms and protest loudly so as not to offend the sensibility of their customers," Stratton said.
"This is a more important issue than that which is generated in a press release. This is a matter of national security."
Stratton said the larger issue that failed to be addressed in the actions of the companies is of keeping security and liberty in balance.
"There is another question that needs to be kept in the balance, which is a question of civil liberty and the rights of the individual citizen in the context of that broader set of protections that the government seeks to create in its society."
Of course, the internet companies have done more than issue press releases. Google, Yahoo and Microsoft are all currently suing the government concerning the gag order on Section 702 Orders. Yahoo fought back on a FISA Court order in 2008. Google is still in the process of fighting back against questionable National Security Letters, while Twitter, which turned down a request to be a part of the PRISM program, has also fought hard against a so-called 2703(d) letter for info on its users.
And, yet, when faced with a much broader demand from the government, seeking info on every single phone call, neither AT&T nor Verizon lifted a finger in protest. And, contrary to Stratton's claims, as the FISC ruling makes clear, both AT&T and Verizon had a clear legal path to appeal to make sure that the privacy of their customers was being protected. But they didn't do that. And now Verizon wants to mock the internet companies? Stratton just couldn't help himself it seems:
Stratton said that as a company, Verizon follows the law, and those laws are set by governments.
"The laws are not set by Verizon, they are set by the governments in which we operate. I think its important for us to recognise that we participate in debate, as citizens, but as a company I have obligations that I am going to follow."
Again, one of those "obligations" is to protect the privacy of your customers, and as the court notes, Section 215 allows Verizon to challenge these orders and make sure they are appropriate. Verizon never did so. I agree that if it had challenged and then lost in court, Verizon would have had little recourse other than to hand over the info, but the facts remain that Verizon didn't even take that basic step. And now it mocks those who have, pretending that all they've done is send out press releases, when the evidence shows they've done what Verizon has refused to do: go to court, in an effort to protect the privacy of their users.
Then there's this laugher:
"This is not a question that will be answered by a telecom executive, this is not a question that will be answered by an IT executive. This is a question that must be answered by societies themselves.
"I believe this is a bigger issue, and press releases and fizzy statements don't get at the issue; it needs to be solved by society."
And just how is "society" supposed to answer that question when the whole program is kept secret from the American public? And part of that secrecy is because Verizon failed to do what it is allowed to do by law, and challenge the Section 215 bulk data collection orders?
Then he goes back to the bullshit talking points of the NSA:
"Verizon, like every communications company on the planet, operates in many jurisdictions, and our obligation in operating in those jurisdictions is to comply with the law in those places where we do business. So whether that be in the United States, in the United Kingdom, in Japan, whoever it is that we have a licence with to operate our business, we have these obligations," he said.
"As it relates to the NSA — as has been discussed, the information was conveyed under a very rigorous process that had oversight by all three branches of the United States government."
No, it was not a vigorous process, in large part because of Verizon's own failure to challenge the Section 215 orders it got. In that case, at least there would have been an adversarial hearing. There hasn't been one because Verizon failed to do so. There's a difference between just "complying with the law" and "rolling over and submitting" when the government comes to you with a bogus request, which even explains exactly how to challenge it in court. Verizon chose to roll over.
Already, we've seen that the vaunted "oversight by all three branches" is simply not true. It's been revealed that Congress was not aware of large parts of the program, in part because some NSA defenders purposely kept their colleagues in the dark. The judicial system -- the FISC -- has admitted that it relies on what the NSA tells it, in part because of the lack of any adversary in court. And, once again, Verizon could have been that adversary, but instead, made the conscious decision not to do so.
"Verizon is not unique in the world in terms of its need to comply with the laws of the countries in which it operates. These requirements that are put upon it by governments, duly elected governments, are something that we are very careful about, very thoughtful about, and we work vigorously to protect the privacy of our customers data."
A company that is "very careful" and "very thoughtful" and which works "vigorously to protect the privacy of our customer data" does not first volunteer to hand it over to the government, and then when given a broad order demanding every phone record choose to ignore the stated process by which it can challenge that order.
Perhaps this is why Verizon has been so quiet throughout all of this. When one of its execs opens his mouth, it just makes the company look worse.
by Mike Masnick
Thu, Sep 12th 2013 11:11am
Though Wrong About 'Treason', Yahoo's Marissa Mayer Shows Why It's Hard To 'Just Say No' When The NSA Comes Calling
from the that's-not-true dept
"Releasing classified information is treason. It generally lands you incarcerated," she said, clearly uncomfortable with the turn of the conversation.
She repeated that claim again later, so it wasn't a one-off thing:
"I'm proud to be part of an organization that from the very beginning in 2007, with the NSA and FISA and PRISM, has been skeptical and has scrutinized those requests. In 2007 Yahoo filed a lawsuit against the new Patriot Act, parts of PRISM and FISA, we were the key plaintiff. A lot of people have wondered about that case and who it was. It was us ... we lost. The thing is, we lost and if you don't comply it's treason."
First off, let's get this out of the way: she's wrong. It's not treason. Not by any stretch of the imagination. Treason is defined in 18 USC 2381, and revealing classified info isn't there:
Whoever, owing allegiance to the United States, levies war against them or adheres to their enemies, giving them aid and comfort within the United States or elsewhere, is guilty of treason and shall suffer death, or shall be imprisoned not less than five years and fined under this title but not less than $10,000; and shall be incapable of holding any office under the United States.
Releasing classified information to the public is not covered. She is right that Yahoo fought a key FISA court lawsuit and lost -- and she's right that if Yahoo didn't comply, it (and its executives) would be in serious trouble, but not treason-level trouble.
That said: this does raise a serious question about what companies can do. I know that many don't trust any other process to get this information out there. And, like everyone else, I'm happy that some individuals such as Ed Snowden and Chelsea Manning had the courage to blow the whistle and reveal government misdeeds. And I'd likely support other individuals and companies that choose to take a stand and reveal government wrongdoing. But it's a step too far to claim that it's a requirement when it's not your life on the line. And, for many companies it's not hard to recognize that there are strategies that are likely to be much more effective than flat out breaking the law. Doing so would not just open them up to a lawsuit that would be expensive, but would also open them up to being tarred and feathered by a large portion of the population. And that would likely make any "statement" they were making much less effective.
Even Lavabit, which many of us respect for choosing to shut down in the face of a government order, has not revealed the nature of that order, knowing that doing so would be monumentally stupid in the long run and counterproductive.
Strategy involves thinking multiple moves ahead, not just making the one big move upfront. That's how you lose. These fights and the efforts to stop government surveillance will die an early death if companies just flat-out ignore FISA Court orders. First off, many of them are legit, even if some people don't want to recognize that. But, more importantly, there are multiple ways you fight back against these programs, and blowing the entire strategy upfront by publicizing a single request like that is almost certainly destined to backfire. Snowden didn't just reveal the first document he came across. He planned out a detailed strategy. Assuming companies should blow a ton of goodwill and the power to effect real change by revealing the first FISA Court order that comes along, even if it's legitimate, is a quick way to destroy the company, the lives of execs, and do little to create actual change.
Marissa Mayer is wrong to claim that it's treason, but she's right that there are limits to what a single company can do. Yes, we can hope that more companies fight back against more secret orders, but at some point reality has to be a part of the discussion.
by Mike Masnick
Tue, Sep 10th 2013 11:16am
from the doubtful-that-google-is-happy-about-that dept
in some cases GCHQ and the NSA appear to have taken a more aggressive and controversial route—on at least one occasion bypassing the need to approach Google directly by performing a man-in-the-middle attack to impersonate Google security certificates. One document published by Fantastico, apparently taken from an NSA presentation that also contains some GCHQ slides, describes “how the attack was done” to apparently snoop on SSL traffic. The document illustrates with a diagram how one of the agencies appears to have hacked into a target’s Internet router and covertly redirected targeted Google traffic using a fake security certificate so it could intercept the information in unencrypted format.
Documents from GCHQ’s “network exploitation” unit show that it operates a program called “FLYING PIG” that was started up in response to an increasing use of SSL encryption by email providers like Yahoo, Google, and Hotmail. The FLYING PIG system appears to allow it to identify information related to use of the anonymity browser Tor (it has the option to query “Tor events”) and also allows spies to collect information about specific SSL encryption certificates.
While some may not be surprised by this, it's yet more confirmation as to how far the NSA is going and how the tech companies aren't always "willing participants" in the NSA's efforts here. Of course, the real question now is how the NSA is impersonating the security certificates to make these attacks work.
by Mike Masnick
Mon, Sep 9th 2013 3:05pm
Internet Companies Argue A 1st Amendment Right To Correct False Reports On NSA Spying, Despite Gag Orders
from the fighting-the-fight dept
- The various public reports from The Guardian, The Washington Post (and others, including Gawker) are flat out wrong concerning the nature of these companies' involvement with the NSA.
- Because of the gag order on FISC orders under Section 702 of the FISA Amendments Act, the tech companies are barred from correcting the record, which is tremendously harmful to them and their business prospects.
- They have a First Amendment right to give out information on how many such requests they receive, and how many users those requests have impacted.
- Doing so would have no harmful impact on national security.
Google further requests that the Court hold oral argument on this amended motion and that the argument be open to the public.. A public argument would be consistent with this Court's rules, which state that "a hearing in a non-adversarial matter must be ex-parte and conducted within the Court's secure facility," suggesting, by negative implication, that a hearing in an adversarial matter shall be open..... It is also required by the First Amendment, which generally protects a right of public access to judicial proceedings.
I imagine we'll be hearing about this case for quite some time....
by Mike Masnick
Mon, Sep 9th 2013 3:32am
from the well-this-is-getting-interesting dept
Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.
The move by Google is among the most concrete signs yet that recent revelations about the National Security Agency’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs.
Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information...
That doesn't exactly sound like a willing partner in all of this. Still, part of the problem is that without any real transparency as to what the NSA is getting from companies, there are plenty of people who simply won't trust statements like this. Furthermore, given last week's leaks revealing that the NSA actively recruits employees within companies to sabotage their security, it suddenly seems like even if some companies have the best of intentions, they now need to be on the alert for moles from the government within their companies. This is, frankly, insane. It's the kind of thing that wasn't supposed to happen in the US.
Indeed, both Microsoft and Yahoo have now spoken out about the revelations:
Microsoft said it had "significant concerns" about reports that the National Security Agency and its British counterpart, GCHQ, had succeeded in cracking most of the codes that protect the privacy of internet users. Yahoo said it feared "substantial potential for abuse".
All of these responses still feel a lot weaker than they need to be, even recognizing that there may be gag orders involved. As we've said before, the potential downside for the US tech industry is huge, and they need to be doing more to stand up to the NSA, and that includes fighting back against these efforts and doing everything they can to reveal what they've been asked to do over the years.
by Mike Masnick
Fri, Aug 23rd 2013 8:11am
from the taxpayer-money dept
Either way, while many of the Snowden leaks have been a pretty big deal, this one seems like nothing new. It's never been a secret that tech companies were required to reveal certain information under court orders, or that the government pays the companies for the cost. The only thing here is that the companies had to change their systems to make sure that the NSA's collection effort was "in line" with what the FISA Court deemed to be Constitutional. If anything, that makes a lot of sense, as we should want the government to have to cover the costs of making sure that their surveillance efforts are Constitutional. Many of the leaks so far have been a big deal, but this one doesn't seem all that interesting.
by Mike Masnick
Tue, Jul 23rd 2013 7:03am
from the seems-a-bit-extreme dept
When we wrote about this case a year ago, it was under the context of one person, Kevin Heller, whose data was sought, and him successfully fighting back (with some help from the ACLU) getting Chevron to drop the request for his info. But, as for everyone else's info? Mother Jones alerts us to the news that a judge in NY recently said it was okay for Chevron to get all that metadata, in some cases going back nine years.
...a federal court granted Chevron access to nine years of email metadata—which includes names, time stamps, and detailed location data and login info, but not content—belonging to activists, lawyers, and journalists who criticized the company for drilling in Ecuador and leaving behind a trail of toxic sludge and leaky pipelines. Since 1993, when the litigation began, Chevron has lost multiple appeals and has been ordered to pay plaintiffs from native communities about $19 billion to cover the cost of environmental damage. Chevron alleges that it is the victim of a mass extortion conspiracy, which is why the company is asking Google, Yahoo, and Microsoft, which owns Hotmail, to cough up the email data. When Lewis Kaplan, a federal judge in New York, granted the Microsoft subpoena last month, he ruled it didn't violate the First Amendment because Americans weren't among the people targeted.
Leaving aside the fact that the court thinks it's okay to do this even if it's just "non-Americans" who have their privacy violated here, Mother Jones points out that this claim that it only targeted non-Americans isn't, in fact, true. Pesky details.
This seems like a pretty big problem, given the rationale of the judge initially. Beyond that, just the basic chilling effects from finding out that a giant company could get access like this to so much metadata on a large list of its critics is fairly incredible. As the article notes, while subpoenas on people who aren't actually parties to a lawsuit are "routine," they're not supposed to be mass fishing expeditions, which they appear to be in this case.
Now Mother Jones has learned that the targeted accounts do include Americans—a revelation that calls the validity of the subpoena into question. The First Amendment protects the right to speak anonymously, and in cases involving Americans, courts have often quashed subpoenas seeking to discover the identities and locations of anonymous internet users. Earlier this year, a different federal judge quashed Chevron's attempts to seize documents from Amazon Watch, one of the company's most vocal critics. That judge said the subpoena was a violation of the group's First Amendment rights. In this case, though, that same protection has not been extended to activists, journalists, and lawyers' email metadata.
The Electronic Frontier Foundation (EFF) represents 40 of the targeted users—some of whom are members of the legal teams who represented the plaintiffs—and Nate Cardozo, an attorney for EFF, says that of the three targeted Hotmail users, at least one is American. Cardozo says that of the Yahoo and Gmail users, "many" are American.
And, of course, even the whole "well they're not Americans so the First Amendment doesn't apply" thing is highly questionable -- since many of the accounts are anonymous internet users, and the First Amendment does protect online anonymity and there's no way for Chevron or the judge to know if the anonymous users are Americans or not.
by Tim Cushing
Mon, Jul 22nd 2013 7:05am
from the look-how-furrowed-my-brow-is,-dammit! dept
"I'm going to try to regulate [insert concept or technology here] because I really have no idea how it works," said no politician ever. "Bad things are happening and we're going to do something about it!" said too many government officials to count.
UK Prime Minister David Cameron is at it again, fretting about child porn and saying grumbly things about holding search engines responsible for the actions of others. This is one of Cameron's favorite hobby horses: porn on the internet, both legal and otherwise. He's pushed for mandatory porn filtering on every new computer and insisted any business offering open wi-fi block access to the nasty stuff.
Child porn is the new focus, thanks to the recent high profile trial (and conviction) of Mark Bridger for the kidnapping and killing of a 5-year-old girl. Bridger's computer showed he had viewed pictures of child sexual abuse shortly before the kidnapping.
Despite the efforts already being made by search engines and ISPs (including Google's new child porn database that it's sharing with competitors and law enforcement), Cameron is insisting these just don't go far enough.
David Cameron will tell internet companies including Google they have a "moral duty" to do more to tackle child abuse images found by using their websites.
In a major speech on Monday he will call for search engines to block any results being displayed for a blacklist of terms compiled by the Child Exploitation and Online Protection Centre (Ceop).
Strange. I would have thought the "moral duty" lay with those creating and viewing the exploitative material, not the inadvertent go-between whose job it is to index web content. Complying with a blacklist seems like a good idea, but there are two problems with that idea: determined people will get around the blacklist and blacklists tend to inadvertently block legitimate searches.
Why these search engines need to comply with the blacklist in Britain is a mystery, considering every major UK ISP already filters the web using this list, according to the head of the CEOP.
Jim Gamble, chief executive of the Child Exploitation and Online Protection Centre (CEOP), said the blacklist currently used to filter the vast majority of UK internet connections had been a "fabulous success".
At that point (2009), only small "boutique" ISPs had yet to adopt CEOP's filtering and the Home Office estimated roughly 95% of internet users were covered. But Cameron insists that more needs to be done, even as ISPs voluntarily comply with most government recommendations -- like "splash pages" that warn users they are attempting to view illegal material.
[T]he prime minister will call on firms to go further, with splash screens warning of consequences "such as losing their job, their family, even access to their children" as a result of viewing the content.
Everything already in place just isn't good enough. Apparently, it all needs to be bigger and bolder and subject to brand new laws created in the climate of panic and paranoia that usually follows high profile criminal activity. Cameron won't be satisfied until he tames the Wild West.
"I'm concerned as a politician and as a parent about this issue, and I think all of us have been a bit guilty of saying: well it's the internet, it's lawless, there's nothing you can do about it.
"And that's wrong. I mean just because it's the internet doesn't mean there shouldn't be laws and rules, and also responsible behaviour."
But, when Cameron says "responsibility," he means it in the governmental sense, which has nothing to do with personal responsibility and everything to do with the government acting as a national conscience and finding someone to hold responsible for the child porn problem. It won't be child pornographers or their audience, however.
"There is this problem ... that some people are putting simply appalling terms into the internet in order to find illegal images of child abuse.
[W]e need to have very, very strong conversations with those companies about saying no, you shouldn't provide results for some terms that are so depraved and disgusting...and that, I think, there's going to be a big argument there, and if we don't get what we need we'll have to look at legislation."
Do it or we'll make you do it.
"So it's about companies wanting to act responsibly. If you think about it, there's really a triangle here. There are the people uploading the images. We've got to go after them. There are the people looking at the images. We've got to go after them. But there is also in this triangle the companies that are enabling it to happen, and they do need to do more to help us with this."
Hi, I'm a search engine. I index the web and bring you the results you ask for. I don't create child porn, nor do I consume child porn, but please, hold me responsible for the actions of others. The legal team at Google, Bing or any other search engine is always easier to locate than a child pornographer. It's the path of least resistance and taking on "tech giants" on "behalf" of the people makes government officials feel big. Win-win.
Cameron wants the search engines to return no results in response to CEOP's blacklisted terms. It seems like such a little thing to ask, and Cameron is certainly pitching it that way. They just need to "do more to help us." But what happens when law enforcement, intelligence agencies or the government itself decides other search terms are a problem, perhaps coming from an angle of "combating terrorism" or "preventing hate crime?" Almost everyone agrees those are "bad," but do they really want their search results censored and filtered and sorted according to secret blacklists? Probably not, but it likely won't matter. Agreeing to this allows the government to get a foot in the door.
On top of the collateral damage, there's the fact that filtering search engine results is going to make a lot of headlines but do very little to curb the trafficking of child pornography. Jim Gamble of CEOP feels we've already maxed out the effectiveness of web and search filters -- something he pointed out back in 2009.
At the frontline, web filtering is now viewed as a peripheral issue. Gamble agreed with the charities that filtering is useful, but added it was ineffective against "hardcore predators" who swap material over peer to peer networks and for whom "the internet has moved on".
"I believe filtering is good to avoid inadvertent access that will disturb or damage a young person, or deliberate novice access," Gamble said.
The pros don't bother with public web sites and search engines. They go P2P and circumvent every filter put into place by government intervention. Gamble realizes this and has already shifted the agency's focus to peer-to-peer networks. Unlike Cameron, Gamble doesn't waste time constructing stupid "triangles of responsibility" in order to pin the blame on the biggest, easiest target.
Gamble, a former intelligence chief in the Police Service of Northern Ireland, was however keen to head off accusations of an attack on peer to peer technology itself. "We can't blame technology - it's people," he said.
"Peer to peer is a valuable resource for the online community. Our focus is on child protection."
Maybe Cameron should spend a little time actually discussing his plans with CEOP before using the agency's name in vain in order to attack search engines for being search engines. CEOP seems to have a handle on the problem -- the real problem. It's too bad Cameron's more interested in publicly displaying how deeply concerned he is than making actual progress against child pornographers.