by Mike Masnick
Mon, Jul 1st 2013 3:30pm
by Mike Masnick
Fri, Jun 21st 2013 7:37am
Accessing A Public Website Is Not A Crime, And Craigslist Should Back Away From Its Lawsuit Claiming Such
from the bad-legacy dept
Specifically, the EFF is (quite reasonably) concerned about the court's ruling, which said that because Craigslist sent a cease and desist letter to 3taps, and 3taps changed its IP address and continued visiting Craigslist's site, 3taps had violated the CFAA -- even though the website was freely available to the public.
The CFAA does not and should not impose liability on anyone who accesses information publicly available on the Internet. Because the CFAA and Penal Code § 502 imposes both civil and criminal liability, it must be interpreted narrowly. That means information on a publicly accessible website can be accessed by anyone on the Internet without running afoul of criminal computer hacking laws. In the absence of access, as opposed to use, restrictions, Craigslist cannot use these anti-hacking laws to complain when the information it voluntarily broadcasts to the world is accessed, even if it is upset about a competing or complementary business.
EFF points out, both in its blog post and in its filing, how much Craigslist itself benefits from an open internet, and why it's not good that it's now fighting against that very principle.
But benefits to this openness remain and Craigslist itself is a notable example of these benefits. Craigslist provides a popular and wide reaching classified advertising service, allowing people to post mostly free classified ads that can be seen by anyone anywhere in the world without charge. Craigslist claims that 60 million people use Craigslist in the United States each month, that 100 million classified ads are posted each month and that the site receives 50 billion page views per month. It receives 2 million new job postings a month, supports advertisements posted in 13 different languages and has more than 700 local sites in 70 countries. It is one of the 25 most visited websites in the United States.
Craigslist’s enormous success is a result of its openness: anyone anywhere can access any of its websites and obtain information about apartments for rent, new jobs or cars for sale. Its openness means that Craigslist is the go to place on the web for classified ads; its users post on Craigslist because they know their ads will reach the largest audience.
But what Craigslist is trying to do here is to use the CFAA’s provisions to enforce the unilateral determinations it has made concerning access to its website, an Internet site that it has already chosen to open up to the general public, attempting to turn a law against computer hacking into a new tool. But prohibiting access to an otherwise publicly available website is not the type of harm that Congress intended to be proscribed in the CFAA, and nowhere in the legislative history is there any suggestion that the CFAA was drafted to grant website owners such unbridled discretion.
Hopefully the court recognizes the troubles of its earlier ruling, and Craigslist also recognizes the folly of this approach.
by Mike Masnick
Wed, Jun 19th 2013 7:12am
from the doing-it-wrong dept
One reason for this trend is that the U.S. government has become so reflexive about classifying information, much of which is not nearly as sensitive as an NSA spying program, that clearances are required even for totally banal work.
One effect of this classification of nearly everything, and subsequent granting of clearances to nearly everyone, is that all it takes is one or two loose cannons among those 4 million clearance-holders to spill out government secrets.
As many people have pointed out, both Ed Snowden and Bradley Manning were relatively "low level" employees, but had access to all sorts of classified materials. While some spin around and attack them, given just how many people have top secret clearance and access to these materials, it's quite likely that this information has already spread widely -- including to foreign governments. I'd much rather these things be discussed in public and via the press, than finding out later that they were just passed along to foreign governments. If the content of these classified files is really so secret and sensitive to national security, then the government needs a better way of handling that information.
As it stands, the overclassification of files leads to more people needing top secret clearance, and that means about 4 million with such clearance, including all sorts of low level employees, doing basic office work, including "packing and shipping." And, rather than keeping that material secret, by exposing it to so many more people, this overclassification is almost guaranteeing that the content is less secret.
by Glyn Moody
Thu, Jun 13th 2013 12:57am
from the clear-as-mud dept
Justice minister Ivo Opstelten on Tuesday refused to comment on claims the Dutch security service AIVD works together with the US secret services in collecting information from email and social media traffic.
Dutch security service AIVD has also received information on email and social media traffic via US spy system PRISM, the Telegraaf reports on Tuesday.
Some pretty dramatic claims are being made:
If the AIVD lists an American address as suspicious, it is supplied all the information within five minutes, a source told the paper. The source worked for the department which monitored potential Dutch Muslim extremists, the paper said.
Dutch companies also cooperated with the US authorities' request for information, the source said, claiming that 'there are agents ready to deal with requests for information inside companies and institutions.'
'There are a couple of those secret programmes like Prism active in the Netherlands,' the source is quoted as saying.
There are a few points to note here. First, this is a report about a story in the Dutch newspaper Telegraaf, which draws on unnamed sources. So the chain of information is quite long, and it's likely that details have been lost or mischaracterized along the way. It's also worth noting that PRISM is not the only system mentioned here for gleaning information about people. That's probably muddying the waters yet more, as sources reveal tantalizing information about other spying initiatives that then get subsumed under the general heading of PRISM, simply because it's in the headlines at the moment.
That's not to minimize the shocking nature of these revelations -- the idea that spies around the world may be accessing within minutes any private information they want, is troubling -- merely to note that the picture we have of what is going on remains frustratingly vague. And that, of course, is an argument for more transparency from the authorities, both in the US and elsewhere, about what is really happening to our personal information when we go online, and who has access to it.
by Mike Masnick
Mon, Jun 3rd 2013 8:52am
from the over-and-over-and-over-again dept
So: it was available online, easy to watch, no marginal cost (if you had the subscription) and available on multiple platforms without limitation (i.e. no "you must watch within 24 hours").
The bizarre thing is that so many of the efforts by the entertainment industry seem to be designed to make things less convenient. They don't make it available online. They require you to have a cable account. They have added costs per episode or show. There are requirements about how long you have to watch it. And then they wonder why there's so much infringement?
If you offer a good product, that focuses on access and convenience, people are clearly willing to pay. This has been the lesson for well over a decade. It's amazing that it still needs to be repeated.
by Glyn Moody
Wed, Apr 17th 2013 7:44am
from the now-that-would-be-interesting dept
Even though they don't figure much in the US legal landscape, moral (non-economic) rights such as the right of attribution are an important aspect of copyright law in many other countries. Intellectual Property Watch has a fascinating account of a case from Argentina, where a judge decided that an individual's moral rights could be overridden by the rights of the community.
The tale is rather complicated, so you'll need to read the original article to follow all the twists and turns, but it concerns the works of Roberto Fontanarrosa, a cartoonist and writer who died in 2007. His widow signed a contract with a publishing house to bring out a posthumous collection of his unpublished short stories, but Fontanarrosa's son by a previous marriage objected on the grounds that his father's moral rights were being harmed:
he argued he was not sure his father was actually the author of the work subject to the publishing agreement and his motivation was to avoid damaging his father's reputation by allowing the print of a work of an unknown author under his name.
The judge was therefore asked to decide whether the publication should go ahead or not.
In the end, the judge in charge of the Court of First Instance, Fabián Bellizia, decided the contract signed between the publisher and the widower was valid, thus authorising the publication of the work. Moreover, he deemed the moral rights argued by the son of the author were abusive. The judge stated that the tension between author's copyright and community interest and explicitly favoured the latter over the former.
As the Intellectual Property Watch post notes, this is perhaps the first time that an Argentine court has limited the exercise of moral rights of an author by taking into account the interest of the community in gaining access to unpublished works. Moreover, the judge arrived at that remarkable decision that in some circumstances moral rights could be "abusive", not by reference to Argentina's Copyright Act, as might be expected, but to international treaties:
the American Convention on Human Rights, also known as the Pact of San José de Costa Rica, Art. 21, subsection 1 (the law can subordinate individual rights to social interests, i.e., the so-called doctrine of the social function of property), and the International Covenant on Economic, Social and Cultural Rights (adopted by the United Nations General Assembly on 16 December 1966), Art. 15, subsection 1 (right of every person to take part in the cultural life).
That judgement is not yet definitive, since the Argentinian Appellate Court now needs to consider the case. But it would set a remarkable precedent for considering the impact of copyright in a wider social contract, and weighing the rights of the creator against those of the community:
It seems this decision is a reaction against the perceived misbalance between incentive and access trade-off in contemporary copyright law. In any case, the ruling opens the door to many challenging interpretations. If the rights of the heir, as successor of the author, can be deemed abusive in a court of law, could the moral rights of a living author be considered abusive as well?
Now there's a thought.
by Leigh Beadon
Tue, Mar 26th 2013 5:55am
from the with-great-reservation dept
Slowly but surely, HBO seems to be softening on that whole "internet" thing that everyone keeps asking them to look into. We recently noted that they've acknowledged the need to make shows like Game of Thrones more widely available online for the international market, and now Reuters reports rumblings of a corollary realization: offering HBO Go as a standalone service without a cable package might be a good idea. Or at least it's crossed their minds.
"Right now we have the right model," [HBO Chief Executive Richard] Plepler told Reuters on Wednesday evening at the Season 3 premiere of HBO's hit TV show "Game of Thrones." "Maybe HBO GO, with our broadband partners, could evolve."
Plepler said late Wednesday that HBO GO could be packaged with a monthly Internet service, in partnership with broadband providers, reducing the cost.
Customers could pay $50 a month for their broadband Internet and an extra $10 or $15 for HBO to be packaged in with that service, for a total of $60 or $65 per month, Plepler explained.
"We would have to make the math work," he added.
The folks at HBO seem intent on letting the world know that they know these demands exist—they're not stupid or blind, they just happen to be making a lot of money with things the way they are, thank you very much. But while there's often a lot of sense to the if-it-ain't-broke-don't-fix-it mentality, the record and film industries serve as illustrative examples of why it may not be a great approach for content companies faced with new technologies. It's easier to experiment when you've got money, and HBO could be using these successful times to start piloting and ultimately launching an online-only service that is superior to the competition, both legitimate and otherwise. If they wait until the growing cable-cutter movement actually necessitates the shift, they could end up like those other industries—dragging their heels until someone else steps in to do the hard work (iTunes, Netflix), or offering ersatz late-to-the-game products of their own (Ultraviolet, Hulu).
Still, it's good to know that it's occurred to them. As for the idea of bundling it with ISP subscriptions, while it makes less sense than offering something to everyone who wants it, it's actually not a bad first step for a company that relies so heavily on partnerships with cable providers (who also happen to be ISPs). However, depending on how such a plan was implemented, it could raise a lot of issues around net neutrality, and could lead to a bundling problem that's just as bad as exists now with cable—especially if it's successful at first, and the providers try to pile on with all kinds of other content subscriptions. Since HBO is obviously going to take its sweet time with any online-only strategy, hopefully it at least realizes that solving the cord-cutting problem is a better goal than renewing and postponing it.
by Tim Cushing
Mon, Feb 11th 2013 2:48pm
Providing Electronic Access To Public Records Is 'Expensive' And Other Government Excuses For PACER Fees
from the well,-if-you're-not-going-to-give-it-away,-i-guess-we'll-just-have-to-go dept
As Mike noted in 2011, the fees to electronically access PACER records continue to rise, even as costs drop, leaving most Americans locked out by prohibitive fees (and a less-than-intuitive user interface). Schultze notes that not only are these fees excessive, they very likely are illegal.
[L]et’s review the law. 28 U.S.C. 1913 (note) says:
"The Judicial Conference may, only to the extent necessary, prescribe reasonable fees… to reimburse expenses incurred in providing these services."
Upon passing the E-Government Act of 2002, Congress noted its intent for the “only to the extent necessary” language:
The Committee intends to encourage the Judicial Conference to move from a fee structure in which electronic docketing systems are supported primarily by user fees to a fee structure in which this information is freely available to the greatest extent possible. For example, the Administrative Office of the United States Courts operates an electronic public access service, known as PACER, that allows users to obtain case and docket information from Federal Appellate, District and Bankruptcy courts, and from the U.S. Party/Case Index. Pursuant to existing law, users of PACER are charged fees that are higher than the marginal cost of disseminating the information.
The current fees are unquestionably greater than the cost of providing the services. Since passage of the E-Government Act, the cost of storing and delivering bits of data over the Internet has continued to fall precipitously, and the cost of PACER access has gone up by 42 percent.
To that end, Schultze has drafted a bill entitled the Open PACER Act, which provides for "free and open access to electronic federal court records." The draft bill is dedicated to the memory of Aaron Swartz (whose "abuse" of a limited-time free access offer greatly helped give the RECAP project momentum) and is open for comment at openpacer.org. (Schultze himself assisted Swartz in this venture, putting together the Perl script for automating the PACER downloads. Schultze had plans for a "thumb drive corps" of volunteers to hit multiple libraries and utilize the free access to download millions of documents. However, Swartz struck out on his own, scraping PACER via Amazon cloud servers, leading directly to his first contact with the FBI.)
Now, we all know why we think these documents should be freely available. Now, it's time to hear from the judicial system. Schultze runs through the many reasons the government thinks we should keep on paying, summarized from a
Excuse #1: “PACER is cheap”
Whether or not PACER is subjectively inexpensive is immaterial. The law says that the fees can only reimburse for the expense of the service, and the courts are charging more than that. End of story. Nevertheless, PACER is — subjectively — expensive. Although it costs “only 10 cents per page,” the system charges not only per page for documents, but per “page” of search results, and per “page” of docket listings. It is easy to quickly run up a huge bill unless you are looking for one particular thing and you know exactly how to find it.
10 cents per page might sound like a standard library charge for printouts or copies, but we're talking about electronic access, where accessing 1,000 pages has no discernible effect on the "cost" of retrieving the documents. And charging per page or search results or docket listings? That's like having a surcharge added to your restaurant check for "accessing" the menu before ordering. The ridiculous search results charge is even more insulting considering how poorly PACER's search function performs.
Excuse #6: “You can always go to the courthouse”
This is a good one. The Administrative Office will tell you that you can go to your local courthouse to access PACER records for free. Well, maybe not “local,” but you can go to the district, bankruptcy, or circuit courthouse and access PACER. Of course, you can only access records for that particular court. You can’t access other PACER records. You also can’t download the records. You can only view them. If you want to print them, that will be 10 cents per page. That’s not legal.
lol
No. Seriously. Dry-as-straight-vermouth-in-the-Sahara "lol," the sort of laugh hastily assembled from equal parts of disbelief and disgust that inadvertently escapes you when blindsided with the least helpful advice ever. Citizen: "I wish to electronically access several public records for free." Administrator: "Do you own a car?"
Not only is this suggestion utterly worthless, it's the height of bureaucratic obtuseness. Equating "a drive to the courthouse" with "electronically accessing the total of the PACER system on my schedule" is the sort of logic only deployed by someone who wishes to appear helpful but not actually help anybody. To top it off, you can only search that specific location's documents and then MEMORIZE ALL PERTINENT INFORMATION or you're back to 10 cents a page. No downloading allowed. Beautiful.
Excuse #8: “There is a high cost to providing electronic public access”
Here is how the PACER system architecture works: every court runs its own local PACER server, with local support staff and a private leased network link to Washington, DC. Are you a system administrator? Are you an average citizen who has heard the word “cloud” in the past five years? Does this system architecture seem insane? It is. It is even more offensive in light of the fact that the GSA has had, for years, a streamlined government procurement system for cloud hosting. This system is certified at FISMA level 2 security, and is hosted in a “private cloud” for the government, which is good enough for the Department of Homeland Security. It is provided by companies like Amazon at only a fraction higher cost than their commercial offerings. The courts could host all of the PACER services in the cloud — tomorrow — for under $1 million per year. They could allow all of these local system administrators to control their own PACER installations. They could obtain greater cost savings (and security) by further consolidating PACER hosting and system administration. Of course, they feel no pressure to do so when they interpret the law to allow them to charge whatever they deem necessary.
No one's denying there are costs associated with providing electronic access. But a majority of those costs flatten dramatically once the documents are uploaded. Compare that to "driving down to the courthouse," which ties up however many employees it takes to get you up and running on their local PACER service, not to mention staffers taking phone calls from those unwilling to cough up 10 cents a page for an updated docket listing.
Not only is the complaint about costs ridiculous, but taxpayers are being double-dipped for some of these fees. Taxpayers fund the generation of the documents, and as Schultze points out, PACER's largest users are also government entities. In 2009, the DOJ alone paid over $4 million in PACER fees. That's public money transferring from one government entity to another, while the taxpayer supports both the one handling "Accounts Payable" and the one handling "Accounts Receivable."
Public access is a noble goal, but the PACER system as it stands now locks out many members of the public with escalating fees and an intimidating, counterintuitive interface. The priority has shifted from public access to making money. Hopefully, another push towards free availability will get the ball (re)rolling. After all, Joe Lieberman (of all people) asked this very same question all the way back in 2009. Four years later we're still waiting for an answer. And the longer we wait, the more we pay.
by Mike Masnick
Mon, Feb 4th 2013 1:56pm
from the locking-up-culture dept
According to the French publication Numerama, Hadopi (the agency in charge of stamping out infringement in France) has published an opinion in which it suggests that content creators give the French National Library (Bibliothèque Nationale de France or BNF) works without any DRM on them. As they quite rightly note, in order to better make sure that the culture is preserved and that future archives are accessible, a lack of DRM makes much more sense. They even note that just providing a DRM'd copy with the keys to decrypt it, or with circumvention tools, really isn't sufficient for proper archiving.
That said, the report also then appears to fret about the BNF leaking these unprotected works out into the world. The suggestion seems to be that (wait for it...) the BNF then create its own DRM to lock up the unprotected works that it needs to keep them from getting locked up. In other words, the whole plan is pretty useless anyway.
This is just an opinion, and not binding in any way. So apparently the French government is still considering what sorts of requirements it intends to put on submissions to the BNF, but once again it seems like an overly aggressive "fear of piracy" may actually lead to some bad technical decisions for the sake of "protecting" some works against infringement.
by Mike Masnick
Wed, Jan 23rd 2013 12:13pm
from the here-we-go dept
Two other recent skirmishes show the same sorts of things happening in slightly different contexts. A few months ago, we wrote about the case of Andrew Auernheimer, the security researcher who's been convicted and is likely to face a long period of time in jail for exposing a blatant security hole from AT&T that allowed him (and anyone else) to gather personal data on the owners of any iOS device. Remember, AT&T set up some stupid security, making all of this data public via its own API. Now about to be sentenced, Auernheimer was asked to write up a "statement of responsibility" for the court, and chose to do a blog post in which he calls out what a farce the whole situation is:
The facts: AT&T admitted, at trial, that they “published” this data. Their words. Public-facing, programmatic accesses of APIs happen upwards of a trillion times per day. Twitter broke 13 billion on their API ages ago. This is something that happens more than the entire population of Earth, daily. The government has no problem with this up until you transform the output into something offensive to important people. People with “disruptive” startups, this is your fair warning: They are coming for you next.
The other one of my prosecutors, Zach Intrater, said that a comment I made about Goatse Security, my information security working group, starting a certification process to declare systems “goatse tight” was evidence of my intent to personally profit. For those not in on the joke: Goatse is an Internet meme referencing a man holding open his anus very widely. The mind reels.
I can’t survive like this. I am happy to be hitting a prison cell soon. They ruined my business. The feds get approval of who I can work for or with: they rejected one company because the CEO had a social network profile with an occupation listed as “hacker.” They prohibit me from touching any computer that isn’t federally monitored. I do my best to slang Perl code on an Android device to comply with my bail conditions. It isn’t pretty.
Meanwhile, up in Canada, there's been a fair bit of talk about how Dawson College computer science student Ahmed Al-Khabaz was expelled for discovering a security hole in a system used across many Canadian colleges to store personal data of students. In his case, part of the problem was that, after alerting people to the hole, he went back a few days later to run a script to see if they had closed the hole. This caused the company that managed the system to accuse him of criminal activity:
“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”
Even with the signed agreement, Dawson expelled him. While Dawson stands by its decision, the company Skytech says that it's now offered to hire him part time.
Yes, in all three of these cases you can make a case that what the individual did went further than others would go. Some might call it discourteous. Swartz downloaded a lot more than the system intended, even though the network was open and the terms allowed for unlimited downloads. Auernheimer didn't just find the hole, but he scraped a bunch of data and sent some of it off to a reporter. Al-Khabaz didn't just find the security hole, but he also went back and probed the system again later. But, in the context of someone who lives in this kind of world and understands technology, all three represent completely natural behavior. If the technology allows it, why not probe the system and see what comes out? It's the natural curiosity of a young and insightful mind, looking to see what information is there. When it's made available, how do you not then seek to access it?
But there is a fundamental disconnect with an older, non-digital generation that doesn't get this. They think in terms of walls and locks, and clear delineations. The younger generation, the digital native, net savvy generation looks at all of this as information that is available and accessible. The limitation is merely what they can reach with their computer. But this isn't a bad thing -- this is how we discover new things and build and learn. Treating that as criminal behavior is insane and backwards. It's trying to apply an analog concept to a digital world, and then criminalizing exactly what the system allows and what we should be encouraging people to do -- to push the network, to explore, to learn and to access information.
This is a culture clash, of sorts, but it represents a real problem, when we're criminalizing the most curious and adept computer savvy folks out there.