Capitalist Lion Tamer’s Techdirt Profile


About Capitalist Lion Tamer (Techdirt Insider)


Posted on Techdirt - 11 February 2016 @ 3:27am

Drug Dogs Don't Even Have To Be Right Half The Time To Be Considered 'Reliable' By The Courts

from the good-news,-K9s:-even-if-you-suck-at-your-job,-you-can-keep-your-job dept

All in all, this motion to suppress evidence worked out for the plaintiff, but it does little to address concerns that drug dogs are basically blank permission slips for inquisitive cops.

The defendant -- Emile Martin -- was in a vehicle driven by another person (simply referred to as "Montgomery" in the opinion). This vehicle crossed the centerline multiple times and was pulled over by Deputy Brandon Williams. The driver could not produce registration or proof of insurance, which led to the issuance of a citation… eventually. But the citation process was unnecessarily prolonged to provide the deputy with a chance to have a K9 unit brought in to sniff the car for drugs.

Based on its findings of fact, the court agrees that the stop was unduly prolonged in order to allow time for the canine and its handler to reach the scene. Prior to the point that the dog alerted, at 3:37 a.m., there was merely a hunch, but neither probable cause nor reasonable articulable suspicion, that criminal conduct was afoot. The lapse of 33 minutes from 3:04 a.m. to 3:37 a.m. for the stop in this case constituted a plainly unjustifiable seizure for that length of time under the Fourth Amendment. As noted above, when Deputy Williams returned to his cruiser with Montgomery’s driver’s license and the Grand Prix title at or shortly after 3:11 a.m., he had everything he needed to begin writing the traffic citations.

However, Williams did not begin writing the citations until 3:21 a.m., and had not completed them when Dul alerted on the vehicle following the open-air sniff at 3:37 a.m. While Deputy Williams spent some time awaiting confirmation from dispatch of the license’s validity and the results of the warrant search, that does not excuse his failure to even begin writing the citations until ten minutes after he could have done so. The stop here was unduly prolonged far beyond the time reasonably required to complete the stop’s mission.
Under the Supreme Court's Rodriguez decision, officers cannot artificially prolong traffic stops in hopes of stumbling across something "better" than a traffic violation. Once the stop's "mission" has reached its conclusion, drivers are free to go, no matter how many more questions -- or dog sniffs -- the officer might wish to pursue.

Still, a drug dog was brought in and it did alert during its "search" of the vehicle. This alert was also challenged, presumably in case the defendant's citation of Rodriguez failed to result in suppression. Data was obtained on the dog's ("Dul") "hit" rate. The data wasn't exactly a confirmation of Dul's superlative skills.
The defendant has not presented any evidence challenging the adequacy of Dul’s training and certification regimen. However, he questions Dul’s reliability based on a review of the dog’s performance record, both in training sessions and in the field. The defendant argues that Dul’s training and field performance records suggest a failure rate of up to 25%. The evidence offered on this phase of the motion is generally undisputed.
Considering law enforcement officers "ask" dogs for permission to effect warrantless searches, one would hope 75% wouldn't be an acceptable success rate. Of course, many arguments were presented by the government as to why being right only three-fourths of the time is nigh unto infallibility. According to law enforcement testimony, there are any number of reasons why a drug sniff might result in a false positive, but none of those are reasons to doubt a dog's assertions.
This is the case because officers are unable to confirm false negatives in the field (as no search is conducted), may fail to find drugs where a dog correctly alerts, and may not realize a dog has alerted based on a residual odor of drugs no longer present.
This would be one thing if law enforcement was alone in finding this acceptable. Unfortunately, the court also finds this lack of accuracy to be of little import when discussing the justification of a search. Dul may only be right 75% of the time, but the bar has been set so low by previous decisions that drug dogs whose intuition is worse than a coin flip are considered to be trustworthy generators of probable cause. (h/t Brad Heath)
Notwithstanding the dispute regarding Dul’s failure rate, the court is satisfied that in conjunction with his training and certification, his performance record amply supports the officers’ reliance on his alert to support probable cause to conduct a search. Dul’s performance record is superior to that of dogs which have been found to be reliable by other courts. See Green, 740 F.3d at 283-284 (affirming district court’s finding that dog with 43% success rate was reliable); United States v. Bentley, 795 F.3d 630, 636 (7th Cir. 2015) (accepting field detection rate of 59.5%); United States v. Holleman, 743 F.3d 1152, 1157 (8th Cir.) (57%).
The only upside here is that the Rodriguez decision will provide a remedy for those whose stops have been artificially extended to bring in drug dogs whose "alert" means nothing more than ¯\_(ツ)_/¯.

In this case, the extension of the stop resulted in suppressed evidence, not the drug dog's questionable reliability. At some point, drug dogs may start being mentioned in the same breath as other law enforcement pseudoscience -- like bite mark evidence or hair comparison. But until then, dogs that can't even manage a 50% hit rate will still be allowed to give officers permission to perform warrantless searches.


Posted on Techdirt - 10 February 2016 @ 11:23pm

Court Says 10 Weeks Of Warrantless Surveillance Is Perfectly Constitutional


How long can the government surveil your property without a warrant? According to the Sixth Circuit Court of Appeals, pretty much indefinitely.

Rocky Houston appeals his conviction of being a felon in possession of a firearm in violation of 18 U.S.C. § 922(g)(1). At trial, the primary evidence against Houston was video footage of his possessing firearms at his and his brother’s rural Tennessee farm. The footage was recorded over the course of ten weeks by a camera installed on top of a public utility pole approximately 200 yards away. Although this ten-week surveillance was conducted without a warrant, the use of the pole camera did not violate Houston’s reasonable expectations of privacy because the camera recorded the same view of the farm as that enjoyed by passersby on public roads.
It's hard to fault the logic of this conclusion, even if it does seem the ATF's surveillance bumped up against the edges of the Fourth Amendment. What happened in aggregate was not a violation because no individual aspect of it crosses over the "expectation of privacy" line. An ATF agent with a camera filming from across the road wouldn't have violated Houston's privacy, even if the agent could only do so for a single 8-hour shift.

Ten weeks of surveillance is nothing more than 10 weeks of back-to-back, round-the-clock 8-hour shifts. US courts have often stated that rights violations cannot spring into existence on their own. The aggregate is a sum of smaller parts and if none of the "smaller parts" are a violation of Fourth Amendment rights, then 1,680 hours of surveillance by camera is no different than 8 hours of surveillance by an agent. Houston's property could be viewed from the road. The camera on the light pole may have been a bit higher than eye level, but it provided agents with nothing that could not have been observed by the naked eye at that height.

We've seen this same discussion in disputes over automatic license plate readers. Vigilant -- a producer of said cameras -- argued it had a First Amendment right to photograph license plates on vehicles travelling public roads. The courts certainly wouldn't deny an individual the right to do the same as there's no expectation of privacy afforded to vehicles on public roads. If a person can take a few hundred license plate pictures a day, then Vigilant is well within its rights to take millions of pictures a day, all over the country.

For that matter, there are any number of government-controlled cameras observing public areas and buildings -- generating weeks or years of surveillance that covers the comings and goings of far more people than the ATF's camera did here.

Over at Prawfsblawg, Jonathan Witmer-Rich poses a hypothetical question that seeks to tie this decision to the limitations of physical surveillance.
Metaphysical Fourth Amendment question: how long could a tiny ATF agent sit atop a telephone pole?

Today the Sixth Circuit handed down a notable opinion squarely addressing the question, reserved in United States v. Jones, 132 S.Ct. 945 (2012), of how many ATF agents can fit on the head of a telephone pole whether longer-term surveillance by law enforcement infringes on a reasonable expectation of privacy—thus triggering Fourth Amendment protection.
Witmer-Rich's arguments, like the defendant's, tie the Fourth Amendment violation to the length of the surveillance, rather than its nature. His hypothetical question about ATF agents on telephone poles isn't just a pithy turn of phrase. It's directly invoked in the majority's rejection of Houston's arguments.
Furthermore, the long length of time of the surveillance does not render the video recordings unconstitutionally unreasonable, because it was possible for law enforcement to have engaged in live surveillance of the farm for ten weeks. Although vehicles “[stuck] out like a sore thumb” at the property, the ATF theoretically could have staffed an agent disguised as a construction worker to sit atop the pole or perhaps dressed an agent in camouflage to observe the farm from the ground level for ten weeks.
The court also finds that just because it is possible for law enforcement to engage in "in person" surveillance, nothing about the law requires them to utilize this option, rather than install cameras without seeking warrants.
However, the Fourth Amendment does not require law enforcement to go to such lengths when more efficient methods are available. As the Supreme Court in United States v. Knotts explained, law enforcement may use technology to “augment[] the sensory faculties bestowed upon them at birth” without violating the Fourth Amendment. 460 U.S. 276, 282 (1983). The law does not keep the ATF agents from more efficiently conducting surveillance of Houston’s farm with the technological aid of a camera rather than expending many more resources to staff agents round-the-clock to conduct in-person observations. See id. at 282–84. Nor does the law require police observers in open places to identify themselves as police; police may view what the public may reasonably be expected to view.
No warrant was sought during the first ten weeks of surveillance, but one was after that, as a result of another Sixth Circuit decision in which the justices expressed "some misgivings" about long-term, warrantless surveillance.

Though the law does not require law enforcement agencies to bypass more efficient surveillance methods, the budging of the needle back towards Fourth Amendment protections suggests agencies should err on the side of caution. After all, if agencies can't come up with enough probable cause to acquire a warrant, it hardly seems reasonable they should be allowed to engage in something that looks more like a fishing expedition than an investigation. The ATF only found seven instances in which Houston displayed firearms he wasn't supposed to have in his possession in 10+ weeks of footage. The camera may have been more efficient in terms of cost and man-hours, but the end result hardly suggests Houston was worth "watching" for the better part of three months.

The dissenting opinion, written by Judge Rose, makes some good points but, unfortunately, it's not enough to overcome Fourth Amendment-related precedent. Rose dislikes the extended period of surveillance, which brings the ATF's actions very close to other actions courts have considered constitutionally questionable.
While United States v. Skinner, 690 F.3d 772, 780 (6th Cir. 2012), implies that the actual practicability of law enforcement observing activity from a public vantage point may not be relevant, this Court has also sifted from the panoply of opinions in United States v. Jones the concern that long-term non-human surreptitious surveillance “is worrisome because ‘it evades the ordinary checks that constrain abusive law enforcement practices: “limited police resources and community hostility.”
Rose also points to the Jones decision as indicative of the ATF's overreach. But the Supreme Court's decision in that case was less than definitive. No bright-line conclusion was reached, and the tentative wording in the opinion only suggested extended surveillance should be accompanied by a warrant. The court never specifically defined "long term." Further, the case was tied to location tracking rather than static observation, and to the installation of a law enforcement surveillance device on a private citizen's personal property (the suspect's car), rather than observation of an area (a yard visible from a public street) that has historically never been afforded a reasonable expectation of privacy.

Any suggested limit -- like Witmer-Rich's proposed three-day rule (warrants for anything beyond that) -- would be completely arbitrary and impossible to reconcile with previous caselaw or with the lack of a reasonable expectation of privacy in public areas. If such a limit were applied, it would be comparable to telling police officers they could look into someone's yard for three days in a row, but must start averting their eyes on the fourth.

As much as I don't like the fact that the government can conduct warrantless surveillance of this type for an extended period of time, I don't see how this can be resolved without setting new standards based on nothing more than the feeling this is wrong.

Judge Rose makes more sense when calling out the majority's "warrants let the bad guys win" hyperbole.
Finally, I do not have the same concern that “if law enforcement were required to engage in live surveillance without the aid of technology in this type of situation, then the advance of technology would one-sidedly give criminals the upper hand.” Expediency in this particular situation is not our concern. It is for the police to work within constitutionally permitted means. Fortunately, no one proposes that law enforcement should “be powerless to thwart such behavior.” Law enforcement would have the power to obtain a search warrant, returning to them the upper hand.
While we'd certainly prefer law enforcement agencies seek warrants in edge cases like these, there's nothing in the Constitution -- as applied to the surveillance of a public area -- that requires one. A visible yard can be viewed by anyone for any length of time -- even a tiny ATF agent perched on top of a telephone pole for nearly three months.


Posted on Techdirt - 10 February 2016 @ 2:06pm

Federal Judge Not Amused By State Department's Continued Withholding Of Hillary Clinton's Emails

from the and-not-even-HE-can-force-it-to-work-faster dept

A federal judge has expressed his displeasure at the State Department's ongoing foot-dragging over the release of Hillary Clinton's emails.

US District Court Judge Rudolph Contreras told lawyers in a Washington, DC courtroom that "the government put me between a rock and a hard place" by failing to meet the deadline and asking for more time. Contreras didn't want the emails released without being properly vetted for sensitive information — State says it needs more time for the vetting process — but postponing the release was also to the detriment of the American public.

"To state the obvious, these documents have a lot of public interest, and the timing is important," Contreras said.
Contreras undersells the public interest -- which has been high ever since it was discovered Clinton had been conducting official (and sensitive) business using a private email server. Now that Clinton is a presidential candidate, the release of the emails could adversely affect her campaign.

I don't believe the State Department has a personal stake in Clinton's potential presidency, but it's operating in a way that would encourage people to come to that conclusion. Instead, this is likely business as usual for the agency.

For one, government agencies protect their own. Clinton's use of a private server makes the State Department look bad because no one with the power to do so ever made an effort to shut her down. Released emails show Clinton dealt with classified material, something that should never have been routed to a private email account. The State Department's lackadaisical handling of this matter would only be highlighted further by additional releases.

That's one aspect of it. The other is that the State Department is just generally terrible at handling FOIA responses. The agency's Inspector General released a report in January that showed the agency was more than merely inept. Its FOIA response system is almost completely broken.
The report from State Department Inspector General Steve Linick points to a series of failures in the procedures the office of the secretary used to respond to public records requests, including a lack of written policies and training, as well as inconsistent oversight by senior personnel. The report also faulted the secretary’s office for a practice of not searching for emails responsive to FOIA requests unless the request specifically asked for emails or demanded “all records” on a topic.

“These procedural weaknesses, coupled with the lack of oversight by leadership and failure to routinely search emails, appear to contribute to inaccurate and incomplete responses,” the report says.


The report also points to extreme delays in other cases, such as an Associated Press request for Clinton’s schedules that was pending without substantive response for five years.
The outcome, however, is indistinguishable from an active effort to shore up a candidate's presidential race. Judge Contreras is aware of this. He's attempting to set another hard deadline for the release of still-withheld emails, but there's only so much he can do when the State Department has casually rolled past other deadlines it's been given.
"Explain to me again why something that's gone through the legal reviews could not be posted until a week from Thursday," Contreras responded. "This seems like an unreasonably long period of time to post, or give access to, something that has already passed clearance."

The judge ordered State to provide "a very specific description" the following day of why the cleared files couldn't be released sooner. He also told State to consider alternative methods of disclosing the emails that might give VICE News access to them sooner, such as allowing the pages to be viewed on a screen without actually delivering them.
As it stands now -- even without malice aforethought by the State Department -- four states will have concluded their primaries before the agency has to produce the documents.


Posted on Techdirt - 10 February 2016 @ 11:46am

Congressional Reps Submit Bill Banning Encryption Bans

from the [placard]-BAN-THE-BAN-[/end-placard] dept

Legislators in two states have proposed (largely unworkable) bans on the sale of encrypted phones, citing (of course) concerns about all the criminals who might get away with something if law enforcement can't have near immediate access to the entire contents of their phones.

In reaction to these stupid bills, national legislators have stepped up to offer their own counterpunch: a nationwide ban on encryption bans. The Daily Dot's Kevin Collier has the details.

Congressmen Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas) have introduced what they call the Ensuring National Constitutional Rights of Your Private Telecommunications (ENCRYPT) Act of 2016. It’s an attempt, Lieu and Farenthold wrote in a letter to their colleagues, to address “[c]oncerns over the privacy, security and technological feasibility of a ‘backdoor’ into encrypted devices for the government and law enforcement” by making encryption a federal issue and keeping individual states from trying to ban it.
Update: We've been informed that it's not just Lieu and Farenthold, but also Reps. Suzan Delbene and Mike Bishop.

Not only would such bans/backdoors make device usage less safe for users, but the lack of a unified stance on phone encryption would turn phone sales in the US into a logistical nightmare, to the detriment of all involved.
“We are deeply concerned,” Lieu told the Daily Dot in a phone interview, “that a patchwork system with different encryption requirements in every state would not only undermine national security—it would also threaten the competitiveness of American companies and dampen innovation.”
Lieu, as one of the few representatives with a background in computer science, is also one of the few who has been bold enough to refer to FBI director James Comey's ongoing anti-encryption efforts as "stupid."

Whether this will go anywhere remains to be seen. It would appear few legislators are willing -- at least at this point -- to tell the FBI to stop asking for backdoors or bans. Alarmingly, despite the ongoing discussion bringing more evidence to the surface that such actions are not only bad ideas, but pretty much impossible to implement without doing away with encryption entirely, it seems like more legislators are moving towards the FBI's line of thinking.

Unfortunately, that is often the nature of the political business, where fear nearly always trumps rational thinking. For too many, it's perfectly acceptable that thousands of phone users be left open to attacks rather than let one criminal suspect go free.


Posted on Techdirt - 10 February 2016 @ 10:39am

Artist Sues Wu-Tang Clan Member, Martin Shkreli, Vice Magazine For Copyright Infringement

from the at-best,-plaintiff-will-lose-nothing-more-than-his-filing-fee dept

In the continually developing saga that is the Wu-Tang Clan's unexpected entanglement with the embodiment of everything that's wrong with the pharmaceutical industry, it is now apparently time for the bogus lawsuits to begin.

Artist Jason Koza, a Wu-Tang Clan fan, is suing Tarik Azzougarh, a rapper, producer and manager "associated" with the group, along with one of its members (RZA) and pharma supervillain Martin Shkreli, last seen pleading the smirk in front of a Congressional hearing.

Koza's story is as follows, in his own words, from his own filing [heavily edited for clarity and length]. (h/t The Hollywood Reporter)

Mr. Koza has long admired the music of the Wu-Tang Clan, and in late 2013 and early 2014, he rendered original portraits of nine members who recorded the group’s first album.

The nine portraits are titled: “Ghostface Killa-Koza,” “GZA-Koza,” “Ol’ Dirty Bastard-Koza,” “Method Man-Koza,” “Masta Killa-Koza,” “Inspecta Deck-Koza,” “U-God-Koza,” “RZA-Koza,” “Raekwon-Koza” (hereinafter the “Wu-Tang Clan Portraits”)...

In or around late 2013 or early 2014, Mr. Koza saw a solicitation on the website stating as follows: “Every Thursday we will be posting up pics of Wu-Tang artwork from fans, artists and aliens. If you have artwork you would like to share, please email us at:”

Mr. Koza submitted digital images of his nine Wu-Tang Clan Portraits to the email address and the works were posted on the website.

The did not display any language or disclaimer granting the website a license for submitted works.

Mr. Koza did not grant an express license to the for the use of his Wu-Tang Clan Portraits, although he intended that they be used for the limited purpose of public display on that website.

Mr. Koza did not authorize the use of his Wu-Tang Clan Portraits outside of the implied license he granted for their display on the

Upon information and belief, prior to 2014, Defendants Diggs and Azzougarh began work on a new Wu-Tang Clan album.


Upon information and belief, in 2015, Mr. Diggs and Mr. Azzougarh completed production of a new Wu-Tang Clan album, which had been recorded secretly over the course of several years, titled “Once Upon a Time in Shaolin.”
Upon information and belief, the album was sold with a leather-bound book containing, inter alia, unauthorized copies of all nine of Mr. Koza’s Wu-Tang Clan Portraits.

Upon information and belief, Mr. Diggs and Mr. Azzougarh made, or caused to be made, the unauthorized copies of Mr. Koza’s Wu-Tang Clan Portraits that were included in the leather-bound book.

Upon information and belief, in 2014 or 2015, Mr. Diggs and Mr. Azzougarh engaged New York-based online auction house Paddle8 as their agent to sell and/or distribute the “Once Upon a Time in Shaolin” album, including the leather-bound book that contains the infringing copies of Mr. Koza’s artwork.
This $2 million album, along with the book of artwork allegedly containing Koza's portraits, is now in former Turing Pharmaceutical head Martin Shkreli's possession.

Koza may have a case against the unauthorized use of his work in the book sold to Shkreli. Nothing on the Wu-Tang fan site indicates Koza would have handed over his rights to his artwork by having it posted there. If those responsible for putting the book together used his work, then he may have a fairly solid infringement case.

However, Koza did not register his artwork with the US Copyright Office until February 1st of this year, which is well past the point in time the infringement allegedly occurred. (The album was sold in 2015 and the book of artwork was compiled before the sale.) This may cut him out of the statutory damages he's seeking as these fees are only retroactive if the registration occurs within 90 days of publication. In his own recounting of the events, Koza indicates the first publication (at the Wu-Tang fansite) occurred sometime prior to April 8, 2014 -- the point at which he was contacted by Azzougarh about the "one copy album" he and RZA were putting together. Koza's copyright filings occurred nearly two years later.

Despite Martin Shkreli doing nothing more than paying an exorbitant amount for an album packaged with a book of artwork he likely assumed was properly licensed, Koza wants to nail him for infringement as well.
Upon information and belief, the album was unique in that only one copy was produced and Mr. Shkreli is contractually prohibited from distributing further copies commercially for 88 years following the sale.

On January 29, 2016, Mr. Koza saw an article published by that included photographs of the leather-bound book that was included with the album.

The pictures in the article revealed that at least three of Mr. Koza’s Wu-Tang Clan Portraits were reproduced in the book: “Raekwon-Koza,” “Ol’ Dirty Bastard-Koza,” and “Inspecta Deck-Koza.”

Mr. Koza never gave his permission, express or implied, for any third party to copy, distribute, or publicly display copies of his works, other than his submission to the website for the limited purpose of displaying the works thereon.
The thing about purchased items is that "third parties" are mostly free to do what they want with their purchased goods, including displaying artwork they purchased. That this was "displayed" in an article at does nothing to implicate Shkreli or Vice. Shkreli has the Right of First Sale and has fair use -- even if Vice selected which pictures would be published. Koza's legal arguments in relation to this supposed infringement are pretty much nonsensical.
Mr. Shkreli has infringed Mr. Koza’s exclusive right of public display by permitting at least three of the nine Wu-Tang Clan Portraits to be displayed to the public in a news article without Mr. Koza’s permission or license.
Including "in a news article" in his claim pretty much guarantees's fair use defense will work, if a judge even lets the case get as far as requiring a response from the website. As for Shkreli, he's done nothing wrong, which is probably the first time that's been said about him since his ascension into the public eye.

Koza even tries to claim his truncated email exchange with Azzougarh -- combined with the fansite's nonexistent statement on who retains what rights to submitted artwork -- somehow coheres into a contract the defendants have violated.
The facts alleged regarding Mr. Koza’s submission of the nine Wu-Tang Clan Portraits to the website and the subsequent communications between Mr. Koza and Mr. Azzougarh give rise to an implied-in-fact contract for a license from Mr. Koza for use of the nine Wu-Tang Clan Portraits in the album in exchange for payment from Defendants.
Once a judge reviews this mess of a lawsuit, it's very likely most of the defendants will be dismissed. On the sort of bright side, if the lawsuit makes it far enough, the exclusive book owned by Shkreli may be entered into evidence, giving Wu-Tang fans a chance to see at least nine pages of the multimillion dollar book.

But as far as legal assertions go, Koza's are at least as shaky as anything delivered to date by Wu-Tang members unhappy with their album being in the possession of the Most Hated Man in America (Corporate Division). At least when one of them does it, it's far more entertaining. Calling Shkreli "the man with the twelve-year-old body" beats "somebody owes me money... probably" any day of the week.


Posted on Techdirt - 10 February 2016 @ 8:33am

Intelligence Director James Clapper Warmly Welcomes The Internet Of Things To The NSA's Haystacks

from the my-god...-it's-full-of-data dept

The NSA isn't too concerned about the use of encryption. Unlike the FBI, which continues to claim the sky is falling darkening thanks to the spread of math, the NSA is relatively comfortable with the march of technology in this direction.

For one thing, the NSA has made progress towards cracking some forms of encryption. On top of that, it maintains a unit that does nothing but stick implants into hardware that allows it to bypass protection schemes used by its targets.

There's no "going dark" fear at the NSA. The Director of National Intelligence -- James Clapper -- has just issued a "Worldwide Threat Assessment" and nowhere in it will you find an extensive discussion about encryption's supposed deleterious effect on national security. There is one small paragraph that notes it's likely a part of terrorists' efforts to hide their communications, but not the element that concerns his office the most.

Terrorists will almost certainly continue to benefit in 2016 from a new generation of recruits proficient in information technology, social media, and online research. Some terrorists will look to use these technologies to increase the speed of their communications, the availability of their propaganda, and ability to collaborate with new partners. They will easily take advantage of widely available, free encryption technology, mobile-messaging applications, the dark web, and virtual environments to pursue their objectives.
There are far too many options for those who'd like to keep the NSA out of their business, according to the report. There's no sense in decrying a single aspect of it -- especially one that also provides substantial security benefits to non-terrorists.

But the Internet giveth just as certainly as it taketh away. Echoing the sentiments of the recent report debunking the "going dark" fears of James Comey, certain legislators and a handful of smaller law enforcement agencies, Clapper points out that the Internet of Things will provide intelligence services with plenty of data to fill in their surveillance holes. (h/t Emptywheel)

Internet of Things (IoT). “Smart” devices incorporated into the electric grid, vehicles—including autonomous vehicles—and household appliances are improving efficiency, energy conservation, and convenience. However, security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services. In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.

The tea kettle that talks to the thermostat that shares a signal with the fridge that exposes your emails to the wardriving criminal who just obtained your Wi-Fi password from the doorbell will all be sources of useful data for law enforcement and intelligence agencies. Considering much of the industry has opted to ship smart things with dumbass defaults most users will never change, the Internet of Eminently Crackable Things will be the informants government agencies always wished they had -- ones that can tell when suspects are home, what they're doing and opening up otherwise secured networks for easy intrusion.

Also worth noting is the highly dubious use of the future tense when referring to the surveillance of targets via their Smart Things. It's hard to believe the NSA isn't already on top of this. It's not as though it would need to alter its permission slips. Section 702 gives it the power to snake info from the internet from basically anywhere in the world and the government is busy arguing that people "know" their connected devices share tons of identification/location info with "the world," so there's really no expectation of privacy that might limit surveillance via smart objects.

While overseas terrorists may not be purchasing Nest thermostats in bulk at the moment, the march towards the interconnectedness of everything means it's likely one object or another will provide another surveillance vector for intelligence agencies in the near future.


Posted on Techdirt - 9 February 2016 @ 3:44pm

Government Lawyers Think Open Records Reform Proposal Hands Over Too Much Power To The People

from the more-darkness-and-denials,-please dept

The state of Massachusetts has some of the worst open records laws in the nation, which have not been updated since the 1970s. The main problem is the statutes provide no deterrence for abusive behavior by government agencies and very little in the way of recourse for public records requesters.

The laws -- as they stand now -- operate on the presumption of secrecy, which is completely antithetical to the purpose and spirit of the statutes. There's really no reason the state's public record laws should contain this much secretive bloat. Here's Allison Manning of detailing just one of the many problems with the laws.

Our public records laws are abysmal, especially compared to those elsewhere.

There are 19 pages of exemptions alone in the 60-page guide to Massachusetts public records. How does this supposedly progressive state have such backwards open government laws?

What hasn't been shielded from the public by existing exemptions has been given a fresh coat of opacity by government officials supposedly tasked with ensuring maximum public access.

[A]fter the Globe challenged State Police for withholding the arrest record of one of its troopers, [t]he state’s supervisor of public records, Shawn Williams, ruled in favor of the police, finding that police had “the discretion to withhold records” that were covered under rules meant to protect criminal rap sheets from being misused; such discretion meant that the Globe could not obtain the names of the five Massachusetts police officers charged with drunken driving. A far more rational interpretation of the criminal-records rule would protect information about criminal proceedings, not the arrest records themselves. After all, the criminal-records law was never intended to open up a memory hole to conceal unflattering information about the police.

The state has also withheld records from a 63-year-old murder case, claiming (via the Secretary of State) that the investigation was still ongoing, despite police representatives stating they weren't pursuing any new leads and the lead suspect having expired years ago.

The state's House pushed through a set of open records law reforms late last year. It was a decided improvement (what wouldn't be?), but advocates still expressed concern the legislation didn't go far enough. Like many reform efforts, it started out robust and full-figured but was hacked to death by legislators and agencies who preferred to operate in as much darkness as possible.

“This doesn’t fix the fundamental issues with the law,” Michael Morisy, founder of the open records site MuckRock, tells Boston magazine. “Records take forever to get back to people. There’s no mandatory awarding of attorney’s fees, so agencies really don’t care if people sue them because they know by the law there are no consequences even if they lose. And while this bill does offer judges to grant attorney’s fees, that’s entirely discretionary, and what we’ve seen is that when things are discretionary, when things are optional, typically they just don’t happen.”

“One thing that public records law in Massachusetts really needed was teeth, and this bill just doesn’t do that,” Morisy says.

The Senate has introduced its version of the reform bill, and it's already receiving complaints from government entities which feel it swings the needle too far in the direction of accountability. The Massachusetts Municipal Lawyers Association doesn't like much of the Senate's proposed legislation and has issued a five-page memo to its members detailing its concerns. (h/t Michael Morisy)

For one thing, the MMLA wants government agencies to be given the discretion to ignore filers if they believe someone is requesting records too frequently, or simply requesting too much.

S. 2120 provides no protection to a municipality from the frequent and harassing requestor. Considerable staff time is wasted in responding to overly broad and frequent requests. The municipality should not have to respond to someone abusing the system.

The memo does not detail how agencies would determine what constitutes "abuse" of the system, nor what they would have to offer as proof that they are being "harassed" by an open records requester. It appears the MMLA would prefer to have this left solely to the discretion of responding agencies, giving them one more way to refuse to hand over documents.

The MMLA also doesn't like the fact that the legislation would dial back the amount of money agencies can charge requesters or that it would make requests fulfilled in under a certain amount of hours automatically free. It believes all efforts made should be billed to requesters no matter what.

Considering state agencies are well-known for their extreme reluctance to respond to requests in a timely fashion, it's rather rich to see this government body demand that open records requesters have as little time as possible to pursue litigation over delayed responses or refusals.

There is no time period or statute of limitations within which the requestor must appeal to court. As in the House bill, there should be a 30-calendar day time period, from the date of receipt of the SPR’s order, within which a civil action must be filed, whether by the requester or by the municipality.

Statutes of limitations are generally in the one-year range. The MMLA wants one month. The singular purpose of this demand is to allow the state to dodge as much litigation as possible. Thirty days to engage representation and file a lawsuit is an incredibly tight time frame. Open records requesters had better hope everyone's schedule is clear. The MMLA may look like it's acting in fairness when it applies the same time limit to government agencies, but it doesn't point out the head start they'll have: in-house representation.

Other parts of the MMLA memo veer into sheer vindictiveness, as if open records requesters were a pestilence inflicted on honorable government employees. The Senate's bill -- having just been introduced and still sheltered from the carving knives of transparency opponents -- contains an automatic fee award for open records requesters who prevail in litigation against the government. In the interest of "fairness," the MMLA wants this to be a two-way street.

Reciprocity is necessary. If fees are to be mandated against municipalities, fees and costs should also be awarded to the municipality against frivolous and harassing requesters.

The MMLA's take on this conveniently ignores the truth of the matter: the only reason this stipulation exists is because state agencies have proven they cannot be trusted to comply with the law. The longstanding problem with open records laws everywhere in the nation has never been an epidemic of frivolous or overburdensome requests. It has been the ongoing exploration of the outer limits of open records laws by dozens of government agencies who have repeatedly refused to reply to requests in a timely manner. Agencies ignore requests, set up massive "paywalls," abuse exemptions, knowingly perform inadequate searches for records and otherwise do anything they can to avoid transparency.

The MMLA wants fee shifts to affect requesters -- a move that would do nothing to improve the state's horrendous laws or response track record. It's just a form of bullying being sold as fairness. The entity with deeper pockets and control of the records wants to have the right to smack around citizens for daring to ask for the "wrong" information.


Posted on Techdirt - 9 February 2016 @ 10:38am

Warner To Pay $14 Million In 'Happy Birthday' Settlement; Plaintiffs Ask For Declaration That Song Is In Public Domain

from the finally-put-all-this-litigious-BS-to-rest dept

A large settlement is on the way in the "Happy Birthday" lawsuit. Eriq Gardner of the The Hollywood Reporter has the news:

According to a court filing on Monday, music publisher Warner/Chappell will pay $14 million to end a lawsuit challenging its hold on the English language's most popular song, "Happy Birthday to You."

This is indeed a large payoff, one that indicates Warner/Chappell is not willing to test the merits of its case in front of a jury. The merits of the case, of course, are pretty much some random assertions with little documentation to back them up, but assertions that have, nonetheless, allowed Warner to obtain an estimated $50 million in licensing fees over the years. The $14 million Warner will pay is roughly in line with what it expected to make during the remaining years of the copyright term.

Warners was expecting to have "Happy Birthday" under copyright until 2030. An IP valuation expert retained by the plaintiffs estimated that the song was to reap between $14 million to $16.5 million in the next 15 years.

$4.62 million will be headed to the plaintiffs' attorneys with the rest being split among qualifying members of the class. But what's far more interesting is what the plaintiffs have asked the judge to approve.

The Settlement includes an express agreement by Defendants and the Intervenors to forego collecting any more fees for use of the Song, saving the Settlement Class millions of dollars. In addition, if approved by the Court, by declaring the Song to be in the public domain, the Settlement will end more than 80 years of uncertainty regarding the disputed copyright.

As it stands now, the ownership of the song is still up in the air. Warner doesn't own it but no definitive declaration has been made as to who holds the rights. Lots of people made the assumption that Warner's lack of ownership = public domain, but that's not what the court has determined to this point. If the court pursues this -- and the information compiled to this point points to this conclusion -- we could see "Happy Birthday" finally remanded to the public domain.

If the court decides this isn't going to be part of the agreement, the song will still reside in legal limbo. All anyone will know for sure is that Warner won't be coming after them for using the song. But the heirs of Patty and Jessica Hill -- the sisters who wrote the lyrics -- might. The charity run by the heirs has already entered a motion to intervene, claiming that if Warner doesn't own it, then it does. If the judge declares the song to belong to the public domain, that's $14-16 million the heirs won't be collecting. It might go the plaintiffs' way, considering the judge's decision suggested the Hills abandoned the copyright years ago (and may not have actually written the lyrics, either). There's a substantial amount of money at stake here and it's highly unlikely the Hills' heirs will let it go without a fight -- even if it's nowhere near certain they have any claim to the copyright at all.


Posted on Techdirt - 8 February 2016 @ 3:34pm

Documents Show Chicago Cops Routinely Disabling Recording Equipment

from the deliberate-operator-'error' dept

When the dashcam footage of the shooting of Laquan McDonald was finally released by the city of Chicago, it was notably missing the audio. In fact, no surviving footage of the shooting contains any audio. It's 2016 and the Chicago PD is still producing silent films.

There's a reason for this. Turns out cops aren't fans of recordings. DNAInfo Chicago requested information on the police department's camera problems after the eerily soundless shooting video was released. The documents obtained showed the PD may have plenty of cameras, but they're rarely generating complete recordings… or in some cases, any recordings at all.

On the night Laquan McDonald was shot 16 times by a Chicago Police officer, at least three dashboard video cameras in squad cars at the scene didn't work. And the ones that did capture video did not record audio.

This complete failure was no statistical quirk.

In fact, 80 percent of the Chicago Police Department's 850 dashcam video systems don't record audio due to "to operator error or in some cases intentional destruction" by officers, according to a review by the Police Department.

Additionally, about 12 percent of dashcams experience "video issues" on any given day due to "equipment or operator error," police spokesman Anthony Guglielmi said.

Cameras are only a part of the accountability equation. Putting them into use is a step forward, but if there's no accountability built into the process itself, this is the result. A mechanically inoperative camera is rarely going to be considered a problem by either the cops in control of it or the management overseeing them. And if officers feel more "comfortable" with less documentation of their activities, it doesn't take much to render the cameras useless.

The documentation obtained by DNAInfo makes it clear missing footage or recordings are anything but accidental. The following cannot be explained away by coincidence.

Additionally, only three of 22 Chicago Police-involved shooting investigations forwarded to the Cook County State’s Attorney’s Office from the Independent Police Review Authority this year included dashcam video evidence. And none of those videos included audio recordings, state’s attorney spokeswoman Sally Daly said.

Neither can it explain the "errors" that led to the dearth of Laquan McDonald shooting footage.

The dashcam in police vehicle No. 8489, shared by officers Thomas Gaffney and Joseph McElligott the night of Laquan's shooting, recorded 37 “event videos” in October 2014, and had an operational dashcam the night of the shooting. But “due to disk error” no video was recorded at the shooting scene, according to police reports.

Police vehicle No. 8756 had a working dashcam that recorded 124 “event videos” in October 2014 without a single request for maintenance that month.

But on the night of Laquan's shooting, the vehicle assigned to Arturo Bacerra and Leticia Valez reportedly had a “power issue” and the dashcam was “not engaged.”

In both cases, equipment was inspected later and found to have no mechanical problems. And yet, mysterious malfunctions somehow presented themselves during this controversial incident -- an incident in which the surviving footage contradicted officers' reports.

So, even purely as an internal investigative tool, the "recordings" are mostly useless. Officers clearly don't want their superiors to see what they've been up to, much less the general public. DNAInfo's report of the epidemic of unusable/missing recordings was unsurprisingly greeted by the local police union as an unwarranted attack on the reputation of Chicago's finest.

The union president called the report and CPD's statement that the department will not tolerate officers maliciously damaging equipment "just more kicks to the morale and kicks to the people that are out there working every day."

"If there are individuals that are involved in purposefully damaging equipment, they will be cited for it," he said. "But, to cite someone because of a repair tag not being the most recent request for repair, I think that’s arbitrary and I think that’s part of the problem.”

The union president points to "thousands" of repair tickets and months-long waits for service as the real problem here. But his attempt to portray this as a hardware problem doesn't hold up when actual accountability measures are put in place.

“Supt. Escalante sent a very clear message and has held people accountable. And since we took that corrective action, we have seen a more than 70-percent increase in the amount of [video] uploads at the end of each tour … and that is being audited weekly with reports sent to the superintendent.”

If it was mostly a problem with non-functioning equipment and long waits for repairs, the amount of uploaded footage should have remained nearly unchanged, rather than increasing 70 percent.

And the union president's statement would be more believable if similar tampering hadn't occurred at other police departments. This indicates that covering up wrongdoing is the prevailing mindset, rather than just the actions of a few rogue officers determined to thwart accountability at every turn.

Cameras can't fix officer accountability if no one's willing to hold them accountable for missing or incomplete recordings. The problem never seems to get fixed until it's been made public. When agencies are only interested in reacting to issues rather than trying to head them off, they play right into the hands of officers who prefer to perform public duties completely unobserved.


Posted on Techdirt - 8 February 2016 @ 2:09pm

Appeals Court Tells City It Can't Use Its Terribly-Written Zoning Laws To Censor Speech

from the the-aesthetic-value-of-shutting-someone-up dept

Here's a fun free speech win from the 4th Circuit Appeals Court. Well, it's at least a fun read, especially when the judges go after the city of Norfolk's highly-questionable claim that its completely inconsistent zoning statute isn't loaded with content-based restrictions.

First, though, here's a bit of background. Norfolk's Central Radio Company's building was on the list of places to be destroyed by the city to make way for an expansion of Old Dominion University. To protest this plan, it hung a large sign on the side of its building stating its opposition to eminent domain abuse.

It also protested the university's planned expansion by suing it, ultimately undoing the government's plan to demolish CRC's building.

The city, tipped off by an Old Dominion employee, decided to "investigate" the company's sign and, of course, found it to be in violation of city advertising statutes.

This prompted another lawsuit from the Central Radio Company, this time seeking to have the ordinance found unconstitutional. Unfortunately, it wasn't quite so lucky this time. The district court found the statute did not infringe on the company's First Amendment rights. The Fourth Circuit Court of Appeals agreed.

CRC petitioned the Supreme Court. Its timing was fortuitous. The Supreme Court had recently handed down a decision in a similar case (Reed v. Town of Gilbert). The decision reaffirmed that government entities cannot impose content-based restrictions without narrowly crafting the limitations to "further a compelling government interest."

The US Supreme Court booted the case back to the appeals court with instructions to apply its recent Reed decision. Taking this into consideration, the Appeals Court finds in favor of Central Radio Company and isn't too impressed with Norfolk's ill-advised attempt to censor content that didn't agree with its eminent domain plans.

Based on Reed, we hold that the City’s regulation was a content-based restriction of speech. The former sign code exempted governmental or religious flags and emblems, but applied to private and secular flags and emblems. In addition, it exempted “works of art” that “in no way identif[ied] or specifically relate[d] to a product or service,” but it applied to art that referenced a product or service. On its face, the former sign code was content-based because it applied or did not apply as a result of content, that is, “the topic discussed or the idea or message expressed.”

Because of the internal inconsistencies in the statute (which has since been rewritten), the government can't claim its restrictions aren't content-based. Those assertions have been undone by the city's inability to craft a coherent policy. The law was supposedly put in place to improve the city's aesthetics and cut down on distracted driving. According to the city of Norfolk, these two things were supposedly "compelling government interests." The court disagrees, finding it to be a badly-written law with severe Constitutional issues.

With respect to the City’s stated interest in preserving aesthetic appeal, for example, the flag of a private or secular organization was “no greater an eyesore” than the flag of a government or religion, id. (quoting City of Cincinnati v. Discovery Network, Inc., 507 U.S. 410, 425 (1993)), and works of art that referenced a product or service did not necessarily detract from the City’s physical appearance any more than other works of art. Yet, the former sign code allowed the unlimited proliferation of governmental and religious flags, as well as works of art that met the City’s dubious criterion, while sharply restricting the number and size of flags and art bearing other messages.

The City also has not shown that limiting the size and number of private and secular flags, as well as works of art that referenced products or services, was necessary to eliminate threats to traffic safety. There is no evidence in the record that secular flags were any more distracting than religious ones, or that a large work of art displaying a reference to a product threatened the safety of motorists any more than any other large, exempted pieces of artwork.

A workable, Constitutional policy wasn't handed down by the city until well after its original statute proved to be a problem. Because the policy has been altered since the filing of the suit in 2012, the court finds no need to issue an injunction. Even if the city wasn't directly trying to censor critical speech (although it certainly appeared to be doing exactly that), the statute was so badly written that it couldn't help but trip over itself. Worse, it put the government in the position of deciding what was or wasn't "approved" art, and implied that art and commerce were mutually exclusive expressions.

"Nominal damages" are on the way to the Central Radio Company, which managed to not only save the building where it has spent the last half-century from destruction, but managed to get a bad law rewritten in the process.


Posted on Techdirt - 8 February 2016 @ 11:43am

Bandai-Namco Blows Money On DRM Rather Than Fixing Its Terrible PC Port Of Tales Of Symphonia

from the to-nail-down-a-$20-game-that-was-cracked-within-hours dept

When console games are ported to the PC platform, the end result is often merely adequate. Some ports are amazing because the software developer actually knows and cares about the platform their game is being ported to. Others are just quick cash-ins, relying on name recognition to bring in sales the end product hasn't earned.

Some turn out well. Some turn out bad. And some are Tales of Symphonia, a twice-ported title that originally appeared on Nintendo's Gamecube back in 2004. Tales has landed on PC with all the grace of a limbless cat with an inner ear disorder.

Here's a NeoGAF forum member's list of everything that's wrong with the port.

The game's resolution is locked internally at 720p, no matter what resolution you choose.

The different languages are broken, since they used a wrong font and some words don't even show up. And some things haven't even been translated into other languages.

The game is locked at 30fps.

It has new typos.

It still partially uses PS3 button controls.

Random crashes (including when using alt-tab to switch programs).

Only 6 save slots.

Opening the config and save menu can take 30 seconds to load.

Then there's this:

It uses a DRM that's called VMProtect, that creates a new *.exe every time the game starts.

How cool is that. Every time the game is played, the DRM dumps another .exe on the user's hard drive. Why? Because DRM is stupid. In this case, the DRM runs the whole game in a "virtual machine with non-standard architecture." Sure, storage is cheap and no one's really in danger of filling up their drives with "fake" .exes, but is that the gold standard of DRM? One that creates its own bloatware while you play?

And why is the DRM even needed? Namco-Bandai is utilizing top-of-the-line DRM for a PC port of an eleven-year-old game that's selling for $20. Now, it has a lot of pissed off PC gamers on its hands, wondering why they were handed a fourth-rate piece of crap, rather than a port that shows the manufacturer cares for its games or its customers. A game with this many problems doesn't need DRM weighing it down (and shedding .exes every time the program is accessed).

Game modder Peter Thoman, in his review for PC Gamer, absolutely nails how effed-up Namco-Bandai's priorities are.

Namco-Bandai cannot afford even the very minimal changes required to support arbitrary resolutions or superficially QA their product, but they can afford a completely ineffective DRM system. An ineffective DRM system for a game which people, if they were so inclined, have been able to pirate freely for over a decade.

That is apparently the quality of the decision making processes within this company. Their fans—and PC gamers—deserve better.


Posted on Techdirt - 8 February 2016 @ 3:22am

UK Investigative Agencies Want To Be Able To Send Warrants To US Companies

from the lots-of-'solutions,'-all-of-them-terrible-in-different-ways dept

Because citizens are localized but their data isn't, things aren't going to get any less weird as time progresses. Or any less legally troublesome. Ellen Nakashima and Andrea Peterson of the Washington Post have seen a copy of a draft negotiating document between UK and US representatives that would allow MI5 (and presumably other agencies) to access data and communications held on US servers.

The transatlantic allies have quietly begun negotiations this month on an agreement that would enable the British government to serve wiretap orders directly on U.S. communication firms for live intercepts in criminal and national security investigations involving its own citizens. Britain would also be able to serve orders to obtain stored data, such as emails.

UK agencies would still be locked out of obtaining information or data on US persons and it would take legislation to actually make this access a reality, but it's apparently being considered, as UK officials feel this issue is standing in the way of investigations/counterterrorism efforts.

As it stands now, UK agencies must make formal diplomatic requests which rely on a Mutual Legal Assistance Treaty -- a process that can take months. That's not good enough, apparently. Everyone wants instant access, including UK agencies, and a strong streak of entitlement (the same entitlement guiding FBI director James Comey's one-sided "debate" on encryption) runs through the arguments for this expansion of the UK's legal powers.

“Why should they have to do that?” said the administration official. “Why can’t they investigate crimes in the U.K., involving U.K. nationals under their own laws, regardless of the fact that the data happens to be on a server overseas?”

Why indeed? Why comply with existing laws or territorial restrictions? After all, the FBI is working toward the same end, pushing for the right to hack servers located anywhere in the world when pursuing criminals.

Several issues need to be addressed before UK agencies can be granted permission to demand communications and data from US companies. For one thing, a warrant issued in the UK is not exactly the same thing as a warrant issued in the US. The legal standards may be similar, but they're still a long way from identical.

The negotiating text was silent on the legal standard the British government must meet to obtain a wiretap order or a search warrant for stored data. Its system does not require a judge to approve search and wiretap warrants for surveillance based on probable cause, as is done in the United States. Instead, the home secretary, who oversees police and internal affairs, approves the warrant if that cabinet member finds that it is “necessary” for national security or to prevent serious crime and that it is “proportionate” to the intrusion.

Note the "silence" on the differences between the legal standards. It appears no one involved in this discussion is interested in digging into these disparities.

A second administration official said that U.S. officials have concluded that Britain “already [has] strong substantive and procedural protections for privacy.” He added: “They may not be word for word exactly what ours are, but they are equivalent in the sense of being robust protections.”

As a result, he said, Britain’s legal standards are not at issue in the talks. “We are not weighing into legal process standards in the U.K., no more than we would want the U.K. to weigh in on what our orders look like,” he said.

That's great. Neither country will examine the other's legal standards because they don't want to upset the reciprocity implicit in the draft agreement. The UK can ask for stuff from US companies and vice versa, with neither country playing by the other country's rules. In between all of this are the citizens of each respective country, whose data and communications might be subjected to varying legal standards -- not based on where the data is held, but on who's asking for it.

Of course, the alternatives are just as problematic. If an agreement like this fails to cohere, overseas governments will likely demand data and communications generated by their citizens be stored locally, where they would be subject only to local standards.

Then there's the question of what information these agencies already have access to, thanks to the surveillance partnership between the NSA and GCHQ. Although neither agency is supposed to be focused on domestic surveillance (although both participate in this to some extent), the NSA is allowed to "tip" domestic data to the FBI for law enforcement purposes. Presumably, GCHQ can do the same with MI5. The tipped info may not be as comprehensive as what could be obtained by approaching a provider directly, but it's certainly more than the black hole the current situation is being portrayed as. (Especially considering GCHQ already has permission to break into any computer system located anywhere in the world...)

No matter what conclusion the parties come to, legislation addressing it is likely still several months away, if it ever coheres at all. Congress -- despite its occasional lapses into terrorist-related idiocy -- is likely not interested in subjecting US companies to foreign laws, no matter the stated reason for doing so. But if it doesn't oblige the UK (and others who will jump on the all-access bandwagon), it's safe to assume the British government will move towards forcing US companies to set up local servers and segregating communications and data by country of origin.


Posted on Techdirt - 5 February 2016 @ 12:46pm

Prosecutors Argue Cell Site Location Data Is Something Every User Shares With 'The Rest Of The World'

from the no-expectation-of-privacy-in-things-we-insist-everyone-knows dept

The state of Maryland's defense of the Baltimore PD's warrantless use of Stingray devices continues, taking the form of a series of motions unofficially titled Things People Should Know About Their Cell Phones.

The last brief it filed in this criminal prosecution claimed "everyone knows" phones generate location data, therefore there's no expectation of privacy in this information. As commenters pointed out, people may know lots of stuff about records they're generating, but that doesn't mean law enforcement should have warrantless access to those records.

Everyone Knows… That my Doctors generate medical data about patients, so how about we get their medical records on public display without warrants!
With no expectation of privacy, there's no need for a warrant. And with no warrant requirement, there's no chance of having evidence tossed. That's a win Maryland needs, considering the Baltimore PD alone has deployed IMSI catchers several thousand times without obtaining warrants. Everything runs through pen register orders, which both lower the burden of proof and (in many cases) obscure the technology actually being used.

Now, it's back with its response to the defendant's motion to dismiss and it's again claiming People Know Stuff, therefore no expectation of privacy. (h/t Brad Heath)

After dismissing the defendant's arguments about police use of location tracking devices as "dystopian fantasies," the state argues it's time for the accused (not just this one, but any others facing prosecutions predicated on warrantless cell phone tracking device usage) to stop pretending they don't know how much data their phones are coughing up.
While cell phones are ubiquitous, they all come with "off" switches. If a cell phone is turned on, it is receiving signals from cell towers, and sending signals back out to cell towers. The cell site simulator used in this case took advantage of that fact in order to locate Andrews's phone. Because Andrews chose to keep his cell phone on, he was voluntarily sharing the location of his cell phone with third parties. Under the doctrine set forth by the Supreme Court in Smith, supra, he cannot claim a Fourth Amendment privacy right in this case.
The "Smith" the state refers to is 1979's Smith v. Maryland, which law enforcement loves to use in cell phone surveillance cases, because:

a) it's incredibly outdated, and
b) it provides a very broad and favorable reading of the Third Party Doctrine as it relates to phone usage.

The state says it's the defendant's own fault he was located. After all, he had a choice. And he chose badly.
Andrews complains that the police "invaded" a "constitutionally protected area," and therefore this search triggered Fourth Amendment protections under United States v. Karo, 468 U.S. 705 (1984) and Kyllo v. United States, 533 US. 27 (2001). But in Karo, the suspect was unaware that he had brought a police transponder into his home, and in Kyllo, the suspect was unable to prevent grow-lights (or his body) from emitting heat. Andrews, by contrast, was quite aware that he was bringing his own cell phone into the house. And he was quite capable of turning it off
The government's argument is technically solid when paired with these precedent-setting decisions (Smith's outdated view of phones notwithstanding), but it becomes completely disingenuous when it describes the "sharing" of identifying phone data.
Just as the telephone company in Smith used transmitted phone numbers in a way quite distinct from the way in which the police used them, so, too, Andrews's cell service provider used the ID number broadcast by his cell phone in ways quite distinct from the way in which the police used it. The way in which the information was used does not alter the "expectation of privacy" in the information itself. Smith controls here. Andrews's addition of the adjective "exact" to the noun "location" does not alter that fact. The issue is not whether Andrews was aware that the police could find the location of his cell phone to within 20 yards. The issue is whether Andrews can claim an objectively reasonable expectation of privacy in information which he was voluntarily broadcasting to third parties at all times. Under Smith, the answer is no.

There is no Fourth Amendment right to evade a valid arrest warrant. Andrews was wanted on multiple counts of attempted murder. A life "on the lam" may require some inconveniences, such as not staying in one's home, and turning one's cell phone off when not in use. There is no constitutional right to avoid being arrested for one's crimes, and nothing unreasonable about the police using the same information that Andrews was sharing with the rest of the world to apprehend him.
The "rest of the world?" Really? Andrews may have been able to talk his cell phone provider into turning over a copy of all the data his phone had generated, but it's not as though the general public has access to this information, expectation of privacy or no. Just because law enforcement can access this information with warrants or (more likely) pen register orders does not make it information "shared" with "the rest of the world." It is not shared indiscriminately and it's only because cell providers are legally compelled to cooperate with law enforcement (CALEA, etc.) that cops can obtain this information with a pen register order, rather than a warrant.

And, in this case, the information was not obtained with a court order. There may be a court order on record that would give the impression the BPD would approach a telco for phone records, but the actual collection of Andrews' location info was done with a Hailstorm cell tower spoofer. The state claims the request specified the use of a cell tower spoofer, but there's no indication the presiding judge had any idea how much information these devices can obtain. A pen register order names a single targeted phone number. A cell site simulator, by contrast, impersonates a carrier's tower so that every handset within range connects to it, and it collects identifying data from all of those phones, not just the target's.

This isn't just a fight over this particular prosecution. This is the state safeguarding its thousands of Stingray deployments. If it's going to be able to keep those prosecutions from falling apart -- now that the BPD's devices are an open secret -- it needs the court to agree there's no expectation of privacy in cell phone location data. And in order to do that, it apparently needs the court to believe everyone using a cell phone is sharing all sorts of information with "the rest of the world."


Posted on Techdirt - 5 February 2016 @ 11:39am

Another Cop Treats Sexting Teens Like Child Pornographers

from the teen-would-have-been-better-off-engaging-in-sexual-activity dept

More sexting stupidity, this time in Michigan.

A Three Rivers, Michigan, teenager is both the victim and perpetrator of a sex crime. He might land on the sex offender registry, and face criminal charges, all because he took an inappropriate photo—of himself.

The boy is unnamed in local news reports, which note that he is under 15 years of age. He allegedly took a nude photo of himself on a girl’s cell phone. That girl sent the picture to another girl, who sent it to another. Preliminary charges are pending for all three—the boy was charged with manufacturing child porn, and the girls with distributing it. A prosecutor is still weighing whether to pursue the charges.
Hopefully, the prosecutor will realize that pursuing the suggested charges could ruin a few teens' lives. The police detective working the case seems to want to destroy these kids' lives… for the good of other teens, or something.
Police Detective Mike Mohney told that sexting is a serious crime because it leads to “bullying,” and “real severe things like people committing suicide or violent crimes against others because they're so embarrassed about it.”
As Reason's Robby Soave points out, Detective Mohney is a walking contradiction. Apparently, it's never occurred to him that bringing child porn charges against these young teens might result in bullying and suicide. Nothing makes the future look dim and hopeless like a long stint on the sex offender registry. Nothing destroys someone's reputation faster than being listed alongside criminals who manufactured actual child porn, rather than just took a photo of their own adolescent body.

For that matter, the preliminary charges make this teen's decision to photograph his own body and send it to another teen a far worse crime than if he'd simply showed up at the girl's house, stripped off his clothes and proceeded to engage in sexual activity with her.

Taking off his clothes at her house would have been nothing more than indecent exposure, a misdemeanor. More importantly, unless the person has been convicted for other sexual-related crimes, there's no sex offender registration tied to the charge.

Even if he'd pursued sexual contact with the other teen, it still would have been a better outcome than being branded a child pornographer. Michigan has no "Romeo and Juliet" law, so any contact between teens -- no matter their closeness in age -- could trigger statutory rape charges. (Obviously, if the sexual activity was not consensual, this would be actual rape, but there's no reason to believe a [possibly] unsolicited naked photo rises to the level of aggravated sexual assault.)

If the activity was consensual, the worst charge would be statutory rape, which does not require sex offender registration for teens.
[P]eople who are convicted of criminal sexual conduct based on consensual sexual conduct with children over the age of 13 who are not more than four years older than their victims are not required to register.
And, if the sexual contact contained no penetration, no criminal charges would be brought at all.
[A] 17-year-old who engages in consensual petting with a 14-year-old could not be prosecuted for a crime. However, if the parties engaged in oral sex, the 17-year-old could face prosecution.
So, this so-very-concerned detective has taken a digital photo -- taken by a teen of his own body -- and turned it into something worse than actual in-person nudity and/or sexual contact. That's a pretty fucked up way to show concern for sexting teens. Treating photos taken by minors and distributed to other minors as child porn is the worst possible way to handle a situation that, in all reality, should be left to the discretion of the teens' parents.


Posted on Techdirt - 5 February 2016 @ 10:32am

Enigma Software Decides The Best Way To Deal With A Negative Review Is To Sue The Reviewer

from the ungracious,-ESPECIALLY-in-defeat dept

Nothing pushes a negative review of your product out of the public eye faster than a lawsuit, am I right? That's the line of thinking Enigma Software has chosen to entertain. It recently filed a lawsuit against BleepingComputer, alleging that its 2014 "review" (actually a forum post detailing Enigma's SpyHunter history as "rogue" software and the deceptive business practices the company has deployed) is defamatory.

What would seem to be a mixture of opinion and fact-based assumptions (backed by links to other sources) is portrayed by Enigma as a malicious attempt by BleepingComputer to damage its reputation so the site can push readers to affiliate partners and advertisers.

Enigma Software claims in its lawsuit that BleepingComputer has the negative SpyHunter review because it takes part in an affiliate advertising program which grants BleepingComputer a commission for redirecting users to Malwarebyte’s site. The Enigma Software Group claims, “Bleeping not only has unlawfully benefited from its smear campaign to the detriment of ESG, it has damaged the reputation of ESG by refusing to take down its false and misleading statements which have been reposted numerous times on other anti-spyware related forums and websites.”
Other computer security sites have already leapt to BleepingComputer's defense. Malwarebytes has donated $5,000 to the site's legal fees and points out that BleepingComputer is not some fly-by-night operation that solely acts as a funnel to preferred vendors.
The content is provided by the volunteer efforts of security professionals and the more than 700,000 registered users who ask and answer all questions presented on the site. To summarize, Bleeping Computer is a valuable resource in the efforts to help users live in a malware free world.
Over at CSO's Salted Hash, Steve Ragan points out the reputation Enigma claims BleepingComputer is destroying has already been severely damaged by the company's own actions over the years.
[T]he lawsuit says, "Bleeping has a direct financial interest in driving traffic and sales to Malwarebytes and driving traffic and sales away from ESG."

While that claim is true at face value, the affiliate programs used by Bleeping Computer help keep the website online and they use affiliate links for a number of vendors, not just Malwarebytes.

Also, most of the comments that are critical of Enigma Software and SpyHunter exist because the company has gained a bad reputation over the years due to spam, as well as questionable detection rates.
Ragan then runs down Enigma's history, including the high number of refunds it's had to hand out to maintain its A+ BBB rating, as well as the years it spent being blacklisted as a security risk by respected anti-virus firms.

He also notes, as BleepingComputer did in its disputed forum post, that SpyHunter has never been classified as malware or targeted for removal by competing anti-virus products, but that's apparently largely due to Enigma's past litigious efforts, rather than Enigma dropping the more questionable "features" of its product -- like automatic renewals, suspicious scan results and its "pay-to-clean" pricing. (The scan is free. The removal requires a six-month subscription, which will be automatically renewed by Enigma in perpetuity unless otherwise instructed.)

The lawsuit is already off on the wrong foot, what with it clearly being filed solely to shut down criticism. While Enigma may find New York's lack of a universal anti-SLAPP statute useful (the current version only protects speech related to the discussion of public permits, and even then, it only protects certain people [bloggers, non-traditional journalists] from SLAPP lawsuits brought by government entities), it's now facing Marc Randazza, who has taken up BleepingComputer's defense.

Adding to this is the fact that the specific statements Enigma claims are false and defamatory aren't even directly quoted from the posted review. They're rephrased to put words in the mouth of the forum moderator who posted it. This low-level deception might have made sense if Enigma hadn't included a screenshot of the post it's misquoting as an exhibit in the filing.

Here are Enigma's claims, followed by the actual wording used by BleepingComputer.
In these posts, Bleeping makes the following assertions falsely and without any reasonable basis to believe that the statements were true when made:

That SpyHunter 4 or ESG engage in "deceptive advertising which violates several consumer protection laws in many states";
[The "quoted" statement does not actually appear in this post, or in any of the ones following it in the thread.]
ES: That SpyHunter 4 or ESG has a "history of employing aggressive and deceptive advertising";
BC: SpyHunter by Enigma Software Group USA, LLC is a program that was previously listed as a rogue product on the Rogue/Suspect Anti-Spyware Products List because of the company's history of employing aggressive and deceptive advertising.
[This claim is backed up by a footnote linking to an outside source that reinforces BC's claim.]
ES: That SpyHunter 4 is a "rogue product";
BC: SpyHunter by Enigma Software Group USA, LLC is a program that was previously listed as a rogue product on the Rogue/Suspect Anti-Spyware Products List…

BC: SpyHunter is not classified as malware or rogue security software and other antivirus and antimalware vendors do not target it for removal.
ES: That SpyHunter 4 or ESG have not cooperated in submitting their program for testing "most likely due to the program's ineffectiveness and high rate of false positives?";
[Again, this "quoted" phrase does not appear in the post, or in any of the moderator's posts in the same thread. The moderator notes it has not been tested by other AV firms to determine its effectiveness, but does not make any related claim about false positives or ineffectiveness. The closest thing to it is this sentence, which is clearly an opinion.]
In my opinion SpyHunter is a dubious program with a high rate of false positives.
[This is backed up by a link to supporting information from an outside source.]
ES: That SpyHunter 4 or ESG engage in deceptive pricing;
BC: While there are mixed reviews for SpyHunter, some good and some bad, my main concern is the reports by customers of deceptive pricing, continued demands for payment after requesting a refund, lack of adequate customer support, removal (uninstall) problems and various other issues with their computer as a result of using this product. For example, some users are not aware that when purchasing SpyHunter, they have agreed to a subscription service with an automatic renewal policy.
[Again, these statements are supported by links to information sources. The addition of "my main concern" clearly shows the moderator is making a statement of opinion based on available information. And the connecting phrase "reports by customers" makes it clear he's making an inference based on statements by others.]
ES: That most users of SpyHunter 4 "are not aware that when purchasing SpyHunter, they have agreed to a subscription service with an automatic renewal policy"; and
[See the above quote and note, again, that multiple links in the review direct readers to outside sites backing up this statement, like the numerous complaints about this practice found at ComplaintsBoard and the Better Business Bureau.]
ES: That SpyHunter 4 is "malware" or "rogue security software" despite not being classified as such by security vendors.
BC: SpyHunter by Enigma Software Group USA, LLC is a program that was previously listed as a rogue product…

BC: SpyHunter is not classified as malware or rogue security software and other antivirus and antimalware vendors do not target it for removal.
[These two directly contradict the assertion being made by Enigma in its lawsuit. The author of the post never states that SpyHunter is "malware" or "rogue security software."]

Enigma doesn't have much of a case. But it has just enough of one to be troublesome. It's forced others to bend to its will in the past by aggressively litigating, and it can drain BleepingComputer of time, energy and money just by forcing it to defend itself from ridiculous claims.


Posted on Techdirt - 5 February 2016 @ 6:23am

TV Station Educates Public On Dangers Of Teen Sexting By Exposing 14-Year-Old's Name... And Penis

from the an-hero dept

According to a recently-filed lawsuit, the media is apparently every bit as "helpful" as law enforcement when it comes to the responsible, logical handling of teens and sexting. Confusing "hurting" with "helping," Colorado's KOAA allegedly exposed not only the name of a teen involved in a sexting incident, but also the part that puts the "sex" in "sexting."

The station, KOAA TV, aired footage of the boy’s erect penis during a news report that was put together after his father’s girlfriend approached producers about an alleged blackmail attempt, according to a complaint filed Friday in U.S. District Court.

Producers were told on Feb. 24 by the woman that someone had tried to blackmail the teen, now 16, using sexually explicit material. That same day they arrived at the family house in Pueblo, Colorado to investigate the claims and interview the boy’s father, Elijah Holden. While on assignment, the suit alleges that the news team collected screenshots from the teen’s Facebook page, as well as images from the YouTube page where the blackmail video had been uploaded, to be used in their coverage.

The plaintiff and his father both asked that the name “be kept confidential through any report presented by Defendant KOAA,” attorney Matthew Schneider said in the filing.
Since law enforcement largely seems to feel sexting = child porn, the station should have found itself under investigation for distributing child porn. Instead, the only negative result of its allegedly terrible editorial practices so far is Holden's lawsuit.

Holden is seeking damages related to the outing of his name and sexual organs, with damages sought clearing the $1 million mark. In its defense, the station had this to say:
“Through a series of stories during the last several years, KOAA has informed its viewers about the dangers of sexting and cell phone security,” KOAA president and general manager Evan Pappas said in a statement to Courthouse News, where the suit was first reported on Tuesday this week. “At the specific request of the victim’s father, we ran a story two years ago about his son being blackmailed over a cellphone video.”
Well, I guess nothing better illustrates the dangers of sexting more than irresponsibly splashing a minor's name and penis all over the TV screen. Of course, considering these were tied to blackmail allegations by an adult, it would seem more -- much more -- discretion would have been in order. Instead, the TV station went the other way, displaying the name of the minor involved over a screen cap of his penis and topped it off by dragging his social circle into the mess.

The station claims the allegations are unsubstantiated, but there's really no excuse for using a minor's name -- even if the guardian gave permission to the news outlet to do so. But going past that, how does the station hope to explain its use of an explicit photo of a minor in a publicly-broadcast news report? According to the lawsuit, something that could be considered child pornography somehow made its way past internal censors and ended up on the evening news.
Defendant KOAA aired the thumbnail image of the YouTube video depicting Plaintiff's erect penis and his name as a part of the story shown on February 24th 2014.
While journalists have played an important part in exposing ridiculous prosecutions of sexting teens, there's no denying the lurid nature of the subject matter is also beneficial to the entities covering the stories. The implicit suggestion that YOUNG NAKED TEENS lie just beyond the next commercial break attracts additional viewers. This additional motivator might explain the apparent lack of discretion on the part of KOAA.

As of now, what we have is a news agency that claims it broadcasts these stories to educate the public on the dangers of sexting while apparently feeling compelled to drive that point home through its own actions.


Posted on Techdirt - 5 February 2016 @ 3:21am

Software Company Asks Users For Input On DRM; Goes Ahead And Institutes It Anyway Over Their Objections

from the by-'listening,'-we-meant-nodding-thoughtfully-while-moving-forward-with dept

Nothing does more damage more quickly to your community than deciding to place your fear of piracy over the concerns of those who've already paid for your product. DRM is rarely, if ever, the answer. And yet, it remains an inexplicably popular "solution."

Daz 3D, which produces 3D art software as well as assets for use with third party software, has decided to do something about its perceived piracy problem. Last November, it had this to say:

[W]e feel the best way to fight piracy is make the convenience of doing something legally more so than the inconvenience of pirating. That is why we made finding, downloading, installing, and loading content in Studio as streamlined and easy as possible while making getting a pirate-able copy of the original product harder.
The solution to the problem, according to Daz 3D, was to have the software "phone home" at least once to obtain a key for content/software files, which would only arrive in encrypted form. Supposedly, this would be limited to once per computer but the new, encrypted files would pose problems for existing users.

Those on older versions of Daz's software would be unable to access any new content. Transferring old data could also result in problems -- something Daz acknowledged in a later post, noting that scripts and tools might not work with unencrypted content.

At the time of the announcement, no plan was in place to provide offline users with authentication keys, nor would it be possible to purchase new content without running through Daz's "Connect" service, which not only authenticates users but "assembles" newly purchased content for use with Daz software.

Daz did the right thing and put its proposals up for discussion. This generated dozens of pages of comments, many of which were from users opposed to the addition of DRM. Some were concerned about the Daz Connect DRM breaking content they'd already paid for. Others simply didn't like being treated like pirates when they'd actually paid for software and add-ons.

Daz's representatives were active in forum discussions and very straightforward about their reasons for looking into instituting DRM. The company is hoping a few extra installation hoops and another layer of authentication would deter casual pirates, leaving them only the diehard crackers interested in "capturing" a niche "market."

The willingness to listen and participate in the discussion separates Daz from many other companies who've added DRM to their products. Unfortunately, it appears the discussion had little effect on Daz's final decision. The post may be titled "You've been heard," but the content contained in it indicates the listening was little more than a formality. Daz will be moving ahead with its original plan, despite customers making it clear they'd rather have a product that doesn't introduce compatibility problems. Nor do they want to be limited to a single distribution system. And they're less than thrilled about the "phone home" requirement.

The new post, delivered four months after the original announcement, changes nothing about the DRM structure. While it does add some fail-safe measures (like third-party escrow that will prevent users from being locked out of their purchases if Daz goes out of business), the end result is still the same. DRM is coming to Daz and there's nothing users can do about it.
Currently Daz Connect gives customers the ability to install (among other things) encrypted content. Daz Connect also lets customers retrieve a Key to decrypt their content. Customers have raised the concerns of:

What if Daz is not available to provide the keys anymore, chooses not to, or starts charging an additional fee to get a key for previously purchased content?

Solution: We have developed and fully tested a utility which will decrypt, and save in non-encrypted formats, Daz products on a customer’s computer. We are also working out details with a software escrow company who will provide this utility to the public free of charge in the event that Daz is no longer in a business position to, or is unwilling to continue offering this as a free service. This will also be added to the Daz EULA to ensure customers of our commitment to enable them to always be able to use content that they have purchased a license for.
Obviously this does not address other issues such as scripts and tools that work on un-encrypted content. But those are solved in other ways. We are working (and will continue to work) with developers who have this need, in order to show them how to do it with encrypted content.
Apparently, "hearing" actually means ignoring the concerns people expressed, including portability from older versions of Daz's software. And, as is nearly always the case when DRM is added to a previously DRM-free product, the company is presenting it as a win for paying customers.
Is the encryption associated with Daz Connect essentially Digital Rights Management (DRM)?

We strive to add great benefits to being connected while limiting the impact to the user experience. Although we have included file encryption to protect our artist community, the primary target is to provide a better experience for our users. Daz Connect delivers and updates products more efficiently but relies on the fact that files are in a location and format that is maintained by the application. In this sense, Daz Connect provides some measure of digital rights management.
So, Daz is thinking of its customers while simultaneously willing to ignore those customers to institute something it thinks will decrease piracy. While I can appreciate the fact Daz wants to protect its bottom line, it needs to be aware that instituting these new restrictions will result in actual lost sales -- something that may ultimately prove more harmful than the theoretical lost sales Daz attributes to piracy.


Posted on Techdirt - 4 February 2016 @ 11:41am

Russia Blocks Another Archive Site Because It Might Contain Old Pages About Drugs

from the block-bloc dept

The Russian block party continues. The government agency in charge of censoring the internet is still working its way backwards, hoping to erase the collective memories of the web… or at least, keep Russian citizens from seeing certain bits of the archived past.

Last summer, Russia blocked the Internet Archive's "Wayback Machine," an extremely useful tool that allows users to see historical snapshots of websites. The government may only have intended to block a single page, but because the Internet Archive serves its content over HTTPS, an ISP can see which domain a user is connecting to (from the DNS lookup and the TLS handshake) but not which page is being requested, so the only practical way to block the targeted pages was to block the entire domain.

The same thing is now happening to, another useful tool that allows users to archive pages they feel might be altered or disappear altogether at some point in the future. (via Google Translate and an anonymous TD reader)

Roskomnadzor has entered the service into the registry of Internet resources prohibited by the law of the Russian Federation.

On its site, the supervisory authority noted that the service was entered in the register by order of the Federal Drug Control Service on 28 January 2016.

The service continues to work as usual, but for many customers of Russian providers it is no longer available.
The problem here is Russia's take on the War on Drugs. Because it's illegal to discuss drug use/abuse/sales, Roskomnadzor has disappeared another archive that might contain copies of pages it's blocked in the past. That the service would be of use to Russian citizens for non-drug related purposes appears to be of no concern to the Russian government.

And again, it's the use of HTTPS that has resulted in the entire site being blocked. A filter that works from a list of URLs can't single out pages when the connection is encrypted: it sees the hostname, not the path, so its only options are to let the whole site through or block all of it. So, down goes the entire site and, of course, no one in the web censorship body seems to be bothered by the collateral damage.
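To make the mechanism concrete, here is an added example (my own code, not anything from Roskomnadzor, the archive site or any ISP) showing what a URL-level blocklist can actually see on the wire. It builds a TLS ClientHello for a hypothetical hostname, parses the server_name (SNI) extension out of it the way a filtering box would, and contrasts that with a plaintext HTTP request where the path is readable. The hostname example-archive.test, the blocked path and the blocklist are all constructed for the example.

```python
import struct
from typing import Dict, Optional, Set, Tuple

# Constructed blocklist for this example: hostname -> set of blocked paths.
# A page-level order says "block this page", not "block this site".
BLOCKLIST: Dict[str, Set[str]] = {"example-archive.test": {"/drugs-page"}}


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying a server_name extension.
    Constructed test input (fixed random, one cipher suite), not a real capture."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + b"\x11" * 32                         # random (fixed bytes, constructed)
        + b"\x00"                              # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"   # cipher_suites: one entry
        + b"\x01\x00"                          # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record: bytes) -> Optional[str]:
    """Pull the SNI hostname out of a ClientHello the way a filtering box does.
    The hostname is the only part of the request sent in cleartext; the URL path
    goes over the encrypted channel after the handshake and is never visible here."""
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # skip version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == 0x0000 and len(edata) >= 5:
                # server_name_list: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", edata[3:5])[0]
                return edata[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        return None                                             # truncated or malformed
    return None                                                 # ClientHello without SNI


def parse_http_request(packet: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Return (host, path) from a plaintext HTTP/1.x request, or (None, None)."""
    head = packet.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return None, None
    host = None
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "host":
            host = value.strip()
    return host, parts[1]


def censor_decision(blocklist: Dict[str, Set[str]], packet: bytes) -> str:
    """What a page-level blocklist can enforce on one client packet:
    'block page' for plaintext HTTP, but only 'block domain' or 'allow' for TLS."""
    if packet.startswith((b"GET ", b"POST ", b"HEAD ")):
        host, path = parse_http_request(packet)
        if host in blocklist and path in blocklist[host]:
            return "block page"                 # path is visible: a precise block is possible
        return "allow"
    host = extract_sni(packet)
    if host is None:
        return "allow"
    # Over TLS the filter never sees the path, so a page-level order
    # degrades to an all-or-nothing decision on the whole hostname.
    return "block domain" if host in blocklist else "allow"
```

Running `censor_decision(BLOCKLIST, build_client_hello("example-archive.test"))` returns "block domain" even though the order covers a single path, while the plaintext request `GET /drugs-page` to the same host returns "block page" and `GET /index` returns "allow". The same all-or-nothing collapse happens if the filter keys off DNS instead of SNI; only the hostname is available either way.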


Posted on Techdirt - 4 February 2016 @ 9:25am

Napolitano Says She's Always Wanted To Talk About The Secret Surveillance She Hasn't Talked About Since Last August

from the it's-all-just-a-big,-opaque,-pitch-black,-secretive-misunderstanding! dept

A Techdirt reader has sent us a copy of former DHS head/current University of California President Janet Napolitano's official response to the outcry over the secret surveillance of UC staffers -- surveillance she personally approved.

Napolitano's letter to UC-Berkeley employees immediately ties the secretive surveillance implementation to the UCLA Medical Center cyberattack, just in case anyone (and it's a lot of anyones) feels the effort was unwarranted.

A group of faculty members at the Berkeley campus has articulated concerns regarding some of the security measures we adopted in the wake of the UCLA cyberattack last year. The concerns focus on two primary issues: whether systemwide cyber threat detection is necessary and whether it complies with the University’s Electronic Communications Policy (ECP); and why University administrators failed to publicly share information about our response to the cyberattack.

If your privacy is being compromised, the real villains here are the people behind the cyberattack. As for the secrecy surrounding it, Napolitano seems to indicate she'd like to discuss it, but immediately abandons that line of inquiry to blame disgruntled staffers and the media for misrepresenting her snooping initiative.

The Berkeley faculty members have shared their concerns with colleagues at other campuses and with various media outlets. Unfortunately, many have been left with the impression that a secret initiative to snoop on faculty activities is underway. Nothing could be further from the truth.

Please explain.

I attach a letter from Executive Vice President and Chief Operating Officer Nava explaining the rationale for these security measures.

Great, except that Nava's letter arrived five months after the program was implemented and a month after a university official said the program would be shut down -- a statement which itself preceded (by a few weeks) the news that the program had actually been allowed to continue uninterrupted.

Napolitano claims there was no secrecy.

As you know, leadership at all levels, including The Regents, Academic Senate leadership, and campus leadership, has been kept apprised of these matters, including through the establishment and convening of the Cyber Risk Governance Committee (CRGC). The CRGC comprises each campus’s Cyber Risk Responsible Executive (CRE), as well as a representative of the University’s faculty Senate, the General Counsel, and other individuals from this office with responsibility for systemwide cybersecurity initiatives.

Yes, look at all the people who were informed! And were apparently informed they could not pass this information on to anyone else!

From our earlier post on the subject -- directly from some of those on Napolitano's "approved" list:

UCOP would like these facts to remain secret. However, the tenured faculty on the JCCIT are in agreement that continued silence on our part would make us complicit in what we view as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished.

For many months UCOP required that our IT staff keep these facts secret from faculty and others on the Berkeley campus.

This assertion directly contradicts Napolitano's depiction of the events.

I have from the beginning directed my staff to make every effort to actively engage with all stakeholders and to minimize to the extent possible the amount of information that is not shared widely.

This seems highly unlikely, considering no one began publicly talking about this secret surveillance until just recently. If the information had been widely disseminated (as Napolitano claims she directed), the backlash would have begun months ago.

And, of course, Napolitano is all about that privacy.

Personal privacy and academic freedom are paramount in everything we do. But we cannot make good on our commitment to protect individual privacy without ensuring a sound cybersecurity infrastructure. While we have absolutely no interest in the content of any individual’s emails or browsing history, we must accept that active network monitoring is a critical element of a sound cybersecurity infrastructure and the interconnectedness of the University and all of its locations requires that such monitoring be coordinated centrally.

School officials -- at least those allowed to see email content/web browsing history -- may claim they have "no interest" in seeing it, but that doesn't change the fact that any of them can access it without fear of repercussion. Not only that, but a third party has access to this same data -- a third party Napolitano won't identify.

She closes her official "this is all fully justified because cyber" letter with the same assertion so many officials make when secret goings-on are dragged out into the sunlight: "I've always wanted to have this discussion I'm now being forced to have!"

I invite further robust discussion and debate on this topic at upcoming meetings of the CRGC and COC.

That's just disingenuous. Don't extend an invitation to a conversation you can no longer avoid.

As the TD reader who sent this over explains, they're not exactly thrilled the former DHS head is using a privacy breach to further undermine UC staffers' privacy.

This sort of thing, by the way, is exactly the reason that everyone had the "say what?" reaction when Napolitano was appointed. This is why people were concerned.

P.S. I'm one of the people whose information was compromised in the UCLA Med Center hack, and don't appreciate their screw-up then being used as an excuse to screw us over now.


Posted on Techdirt - 3 February 2016 @ 11:36am

Former DHS Boss Puts University Of California Employees Under Secret Surveillance

from the you-didn't-see-anything-so-you'd-better-not-say-anything dept

Former DHS boss Janet Napolitano -- who once stated she "doesn't use email" (for many reasons, but mainly to dodge accountability) -- is now showing her underlings at the University of California why they, too, might not want to "use email": someone might be reading them over their shoulders.

UC professor Christopher Newfield has the inside details of the recently-exposed monitoring system secretly deployed by the University of California (and approved by school president Napolitano) to keep tabs on the communications, web surfing and file routing of its employees. The SF Chronicle has an article on the secretly-installed spyware behind its paysieve [try this link], but Newfield has the internal communications.

The installation of the third-party monitoring software was so secretive that even the university's campus information technology committee was forbidden from discussing it with other staff. The committee has now decided to go public.

UCOP would like these facts to remain secret. However, the tenured faculty on the JCCIT are in agreement that continued silence on our part would make us complicit in what we view as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished.

Some salient facts:

- The UCOP had this hardware installed last summer.

- They did so over the objections of our campus IT and security experts.

- For many months UCOP required that our IT staff keep these facts secret from faculty and others on the Berkeley campus.

- The intrusive hardware is not under the control of local IT staff--it sends data on network activity to UCOP and to the vendor. Of what these data consists we do not know.

- The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus, and has enough local storage to save over 30 days of *all* this data ("full packet capture"). This can be presumed to include your email, all the websites you visit, all the data you receive from off campus or data you send off campus.

The official excuse for the installation of intrusive spyware is "advanced persistent threats" possibly related to a cyberattack on the UCLA Medical Center last summer. How monitoring staff emails plays into the thwarting of "threats" hasn't been explained. Now that the secret's out, the university is claiming it's all good because policies prevent the university from using any intercepted information/communications for "nonsecurity purposes."

The university may have a policy forbidding this activity, but that's not really the same thing as guaranteeing abuse of this surveillance will never happen. Its belated not-an-apology offers no contrition for keeping this a secret from a majority of its staff. And the statement does not name the third party in charge of the collection and monitoring.

While it certainly isn't unusual for employers to monitor employees' use of company computers and devices, it's normally clearly stated in policy manuals, rather than installed surreptitiously and cloaked in deep secrecy.

As Newfield points out, no one was apprised of the monitoring until after it was underway. Some heard a few weeks after the monitoring was put in place (August of last year) when the university updated its security policies following the medical center breach. Many more heard nothing until the first week of December. Following the wider exposure, staffers were assured by the school's vice president that the monitoring would cease and the software would be removed.

The VP said one thing and the school did another.

On Jan. 12, 2016, The Berkeley Joint Committee on Campus Information Technology (JCCIT) met with Larry Conrad and others. The committee was informed that contrary to the Dec. 21, 2015 statements, UCOP had decided to continue the outside monitoring and not disclose any aspects of it to students or faculty.

At this point, the decision was made to go public. A letter was drafted and sent to school administration. It was also sent to the New York Times. This prompted the generation of bullshit from the Executive VP's office.

On Jan. 19, 2016, UCOP Exec. VP and COO Rachael Nava sent a letter to those who signed the Jan. 15, 2016 letter. The original version was marked "CONFIDENTIAL: DO NOT DISTRIBUTE" and invoked "Attorney-Client privilege". After several recipients responded to her via email questioning who is the client and why her letter must be kept secret, a revised version of the letter was sent the next day removing that language, stating: "All: Please accept my apologies with regard to the confusion on the attorney client privilege language on the letter. It was a clerical error and was not intentional. Please find a revised version of the letter with the language removed."

The full letter contains some truly incredible statements.

With respect to privacy, the letter and structure of the University’s Electronic Communications Policy (ECP) reflect the principle that privacy perishes in the absence of security. While the ECP establishes an expectation of privacy in an individual’s electronic communications transmitted using University systems, it tempers this expectation with the recognition that privacy requires a reasonable level of security to protect sensitive data from unauthorized access.

Privacy does not "perish" in the absence of security, and the two are not interchangeable. If a malicious party accesses private communications, that's a security failure. If an employer accesses these communications, that's a privacy decision, and no amount of security hardening turns it into anything else. Claiming to value privacy while secretly installing monitoring software (and then lying about removing said software) only serves to show the university cares for neither. By handing full packet captures to a third party, the university has diminished the privacy protections of its staff and created one more place where 30 days of campus traffic sits waiting for an "advanced persistent threat" to find it. It has effectively harmed both privacy and security and, yet, still hopes to claim it was necessary to sacrifice one for the other.

The other statement, tucked away as a footnote, absurdly and obnoxiously claims the real threat to privacy isn't the school, but people making public records requests.

Public Records Act requesters may seek far more intrusive access to the content of faculty or staff records than what the ECP permits for network security monitoring. The limits on the University’s own access to electronic communications under the ECP do not apply to Public Records Act requests.

Meanwhile, the school's tech committee has pointed out its IT staff is more than capable of handling the privacy and security of the network and, quite obviously, would show more respect for their colleagues' privacy while handling both ends of the privacy/security equation.

It's perfectly acceptable for entities to monitor employees' use of communications equipment. But you can't do it this way. You can't install the software secretly, swear certain employees to secrecy, not tell anyone else until the secret is out in the open, promise to roll it back and then secretly decide to do the opposite, etc. And when challenged, you can't play fast and loose with "security" and "privacy" as if they were both the same word spelled two different ways.

[Update: a TD reader has given us a copy of Janet Napolitano's response to the outcry over the school's secret surveillance efforts. A new post on that letter is on the way. If you'd like a head start, it's embedded below.]
