Capitalist Lion Tamer’s Techdirt Profile

capitalisliontamer

About Capitalist Lion TamerTechdirt Insider

List of blogs started with enthusiasm, which now mostly lie dormant:

[reserved for future use]
http://5k500k.wordpress.com

[recently retired]
http://capitalistliontamer.wordpress.com

[various side projects]
http://cliftonltanager.wordpress.com/
http://bl0wbybl0w.wordpress.com/
http://thepenismadeoutofspam.wordpress.com/



Posted on Techdirt - 17 October 2017 @ 3:13am

The Cyber World Is Falling Apart And The DOJ Is Calling For Weakened Encryption

from the better-for-cops,-worse-for-everyone-else dept

It seemed like the (mostly) one-man War on Encryption had reached a ceasefire agreement when "Going Dark" theorist James Comey was unceremoniously ejected from office for failing to pledge allegiance to the new king president. But it had barely had time to be relegated to the "Tired" heap before Deputy Attorney General Rod Rosenstein resurrected it.

Rosenstein has been going from cybersecurity conference to cybersecurity conference raising arguments for encryption before dismissing them entirely. His remarks have opened with the generally awful state of cybersecurity at both the public and private levels. He says encryption is important, especially when there are so many active security threats. Then he undermines his own arguments by calling for "responsible encryption" -- a euphemism for weakened encryption that provides law enforcement access to locked devices and communications on secured platforms.

Considering recent events, this isn't the direction the DOJ should be pushing. Russian hackers used a popular antivirus software to liberate NSA exploits from a contractor's computer. Equifax exposed the data of millions of US citizens who never asked to be tracked by the service in the first place. Yahoo just admitted everyone who ever signed up for its email service was affected by a years-old security breach. Ransomware based on NSA malware wreaked havoc all over the world. These are all issues Rosenstein has touched on during his remarks. But they're swiftly forgotten by the Deputy Attorney General when his focus shifts to what he personally -- representing US law enforcement -- can't access because of encryption.

DAG Rosenstein needs to pay more attention to the first half of his anti-encryption stump speeches, as Matthew Green points out at Slate:

[A]ny technology that allows U.S. agencies to lawfully access data will present an irresistible target for hackers and foreign intelligence services. The idea that such data will remain safe is laughable in a world where foreign intelligence services have openly leveraged cyberweapons against corporate and political targets. In his speech, Rosenstein claims that the “master keys” needed to enable his proposal can be kept safe, but his arguments are contradicted by recent history. For example, in 2011 hackers managed to steal the master keys for RSA’s SecurID authentication product—and then used those keys to break into a slew of defense contractors. If we can’t secure the keys that protect top-secret documents, it’s hard to believe we’ll do better for your text messages.

Rosenstein is steering everyone towards his new term "responsible encryption" but there's nothing responsible about creating a set of encryption keys for lawful access. It may not necessarily be a backdoor -- a term Rosenstein is trying hard to distance himself from -- but it is a hole that wouldn't otherwise exist. And if keys are created and stored by manufacturers and platform providers, the chance malicious hackers can find them will always remain above 0%.

24 Comments | Leave a Comment..

Posted on Techdirt - 16 October 2017 @ 7:36pm

Court Tells Sheriff's Dept. Shackling Kids Above The Elbows Is Excessive Force

from the no-longer-enough-to-be-simply-inept;-one-must-also-be-brutal dept

You wouldn't think it would take a federal court decision to make this clear, but here we are.

A school resource officer in Kentucky who handcuffed young children acted unreasonably and violated the children's constitutional rights, a federal judge ruled this week.

Two children, ages 8 and 9, were handcuffed by Kevin Sumner, a school resource officer with Covington Independent Public Schools. They were cuffed behind their backs, and the cuffs were placed above their elbows because the restraints would have slipped off their wrists. Video of the handcuffing of the 8-year-old went viral after it was made public by the American Civil Liberties Union in 2015

The ruling [PDF] restates common sense, albeit in 33 pages of legalese. It is excessive force to restrain preteens who weigh less than 60 lbs. with handcuffs meant to keep full-grown adults from moving their arms. The procedural history notes school personnel are forbidden from using mechanical restraints on students by state law. This law, however, does not forbid law enforcement officers from using handcuffs on students.

In both cases, the students cuffed by a sheriff's deputy had been combative. School personnel turned both students over to the SRO once it became obvious they would not be able to calm the students down. The combativeness didn't stop once the deputy entered the picture. These would appear to be arguments in the deputy's favor but only if other factors weren't considered -- like the students' ages and sizes. Both children also suffered from behavioral disorders.

Nonetheless, this is what happened once Deputy Kevin Sumner took control of the situation:

Sumner handcuffed S.R. behind his back, placing the cuffs on S.R.’s biceps above the elbows. The video shows that S.R.’s arms are pulled tightly behind his back with what appears to be only approximately three or four inches between his elbows. Sumner testified that he checked the handcuffs for tightness and that, since the chain connecting the handcuffs was nearly as long as the width of S.R.’s body, he had no reason to believe it would cause him pain. The video clearly demonstrates, however, that the chain is not nearly as wide as S.R.’s body, and that his arms are extremely taut.

[...]

Sumner pulled L.G. off of Craig and tried to hold her physically for a few minutes, but she continued the same behavior. Sumner told L.G. that if she did not stop, he would handcuff her. L.G. continued to kick and hit, and Sumner placed her in handcuffs, above her elbows behind her back. Assistant Superintendent Wilkerson contacted L.G.’s mother, who came to school to get her. Her mother testified that when she arrived, L.G. was on her knees and Sumner was holding her arms up behind her above her head. Sumner then removed the handcuffs.

Sumner tried to argue the handcuffing was permitted because state law exempted law enforcement officers from the restriction on restraint methods. The court says that's all well and good, but it doesn't change the outcome. No matter which "hat" -- school personnel or law enforcement officer -- Sumner was wearing, the force used was excessive.

Applying the Graham factors, the severity of the “crime” committed by S.R. and L.G. — assault — weighs in their favor. While S.R. kicked a teacher and L.G. tried to and/or did hit a teacher, these are very young children, and their conduct does not call to mind the type of “assault” which would warrant criminal prosecution. Indeed, Sumner testified that “none of what they did was worthy of trying to file a criminal charge.”

The second factor, whether the children posed an immediate threat to themselves or others, weighs in S.R.’s favor. At the time he was handcuffed, S.R. had largely calmed down, Sumner had escorted him to the restroom without incident, and they had returned to the office. While Sumner testified that S.R. swung his elbow towards Sumner, such can hardly be considered a serious physical threat from an unarmed, 54-pound eight-year-old child.

This factor weighs less in favor of L.G., who was engaging in more physical abuse towards her teachers and Sumner. Nonetheless, the age and stature of these children is highly relevant to this analysis.

Even if the cuffing were deemed appropriate, the method deployed by Sumner was not.

Finally, the method of handcuffing that Sumner employed leads this Court to conclude that his actions were unreasonable and constituted excessive force as a matter of law. The video of S.R. shows that his arms were pulled tightly behind him, with only inches between his elbows. While Sumner testified that the chain between the cuffs was as wide as S.R.’s torso, the video belies that assertion. Where a witness’s version of the facts “cannot be countenanced based upon what the video shows,” the Court must adopt the video as fact.

Upon being cuffed in this manner, S.R. cried out, “Ow, that hurts.” It was thus immediately apparent that this method — which, it is undisputed, was the same method by which L.G. was cuffed — was causing pain. S.R. was left in this position to cry and squirm for fifteen minutes.

And there was no one willing to back up Sumner's claims the cuffing method was common or inexcessive -- not even those testifying on behalf of the deputy.

Plaintiff’s handcuffing expert, Robert Rail, testified that he does not know of any police instructor in the United States who would allow the elbow cuffing of children such as was used on S.R. and L.G., nor does he know of any program that teaches that method. (Rail Depo. 109-10).

Even defendants’ handcuffing expert, William A. Payne — who has been conducting handcuffing training for law enforcement for over 20 years — testified that he has never trained law enforcement to use handcuffs above the elbow. (Payne Depo. 37, 121). He further testified that he was not aware of any law enforcement agency that trains their officers to use such a technique.

The court finds the cuffing method -- not the cuffing itself -- excessive. Without any prior cases on point, Deputy Sumner is granted qualified immunity because he could not have reasonably known his handcuffing methods were excessive. This is disappointing, but the court has one surprise left. The county that employs Sumner can be held civilly liable for Sumner's actions.

Kenneth Kippenbrock was the SRO Coordinator for the Kenton County Sheriff’s Office at the time of these events. He testified that Sumner’s handcuffing of S.R. and L.G. was consistent with the policy of the sheriff’s department. He also testified that since the SRO program was initiated, more than ten children have been handcuffed by SROs in schools, and it is possible that the number is more than twenty-five.

Kenton County Sheriff Korzenborn also testified that Sumner acted in accordance with all applicable Kenton County policies in handcuffing S.R. and L.G. He has never asked Sumner whether Sumner has ever handcuffed other elementary children in the district, and he is not interested in knowing how often his deputies handcuff school children. Handcuffing children above their elbows behind their back is acceptable practice by his deputies.

[...]

Korzenborn further testified that he was not familiar with the Kentucky Administrative Regulations regarding the use of mechanical restraints in schools.

[...]

Korzenborn has not implemented any changes in the training of his SROs since these incidents.

Given this undisputed testimony, Kenton County is liable as a matter of law for Sumner’s unlawful handcuffing of S.R. and L.J.

School resource officers won't be able to handcuff students the same way in the future and expect to walk away from resulting civil lawsuits. The unanswered question -- is it ever appropriate to handcuff pre-teens on a school campus -- remains open. But the message sent here is pretty straightforward: there's almost zero chance the court will find it acceptable to use adult handcuffs on children, because the only way to keep them on tiny bodies is to deploy them in a fashion that is excessive in nature.

Read More | 34 Comments | Leave a Comment..

Posted on Techdirt - 16 October 2017 @ 10:44am

White House Cyber Security Boss Also Wants Encryption Backdoors He Refuses To Call Backdoors

from the torturing-words dept

Deputy Attorney General Rod Rosenstein recently pitched a new form of backdoor for encryption: "responsible encryption." The DAG said encryption was very, very important to the security of the nation and its citizens, but not so important it should ever prevent warrants from being executed.

According to Rosenstein, this is the first time in American history law enforcement officers haven't been able to collect all the evidence they seek with warrants. And that's all the fault of tech companies and their perverse interest in profits. Rosenstein thinks the smart people building flying cars or whatever should be able to make secure backdoors, but even if they can't, maybe they could just leave the encryption off their end of the end-to-end so cops can have a look-see.

This is the furtherance of former FBI director James Comey's "going dark" dogma. It's being practiced by more government agencies than just the DOJ. Calls for backdoors echo across Europe, with every government official making them claiming they're not talking about backdoors. These officials all want the same thing: a hole in encryption. All that's really happening is the development of new euphemisms.

Rob Joyce, the White House cybersecurity coordinator, is the latest to suggest the creation of encryption backdoors -- and the latest to claim the backdoor he describes is not a backdoor. During a Q&A at Cyber Summit 2017, Joyce said this:

[Encryption is] "definitely good for America, it's good for business, it's good for individuals," Joyce said. "So it's really important that we have strong encryption and that's available."

Every pitch against secure encryption begins exactly like this: a government official professing their undying appreciation for security. And like every other pitch, the undying appreciation is swiftly smothered by follow-up statements specifying which kinds of security they like.

"The other side of that is there are some evil people in this world, and the rule of law needs to proceed, and so what we're asking for is for companies to consider how they can support legal needs for information. Things that come from a judicial order, how can they be responsive to that, and if companies consider from the outset of building a platform or building a capability how they're going to respond to those inevitable asks from a judge's order, we'll be in a better place."

In other words, Joyce loves the security encrypted devices provide. But he'd love them more if they weren't quite so encrypted. Perhaps if the manufacturers held the keys… The same goes for encrypted communications. Wonderful stuff. Unless the government has a warrant. Then it should be allowed to use its golden key or backdoor or whatever to gain access.

Once again, a government official asks for a built-in backdoor, but doesn't have the intellectual honesty to describe it as such, nor the integrity to take ownership of the collateral damage. Neither the White House nor Congress seem interested in encryption bans or mandated backdoors. The officials talking about the "going dark" problem keep hinting tech companies should just weaken security for the greater good -- with the "greater good" apparently benefiting only government agencies.

This way, when everything goes to hell, officials can wash their hands of the collateral blood because there's no mandate or legislation tech companies can point to as demanding they acquiesce to the government's desires. Officials like Joyce and Rosenstein want all of the access, but none of the responsibility. And every single person offering these arguments think the smart guys should do all the work and carry 100% of the culpability. Beyond being stupid, these arguments are disingenuous and dangerous. And no one making them seems to show the slightest bit of self-awareness.

38 Comments | Leave a Comment..

Posted on Techdirt - 16 October 2017 @ 6:12am

DOJ Continues Its Push For Encryption Backdoors With Even Worse Arguments

from the let-us-save-you-from-your-security dept

Early last week, the Deputy Attorney General (Rod Rosenstein) picked up the recently-departed James Comey's Torch of Encroaching Darkness +1 and delivered one of the worst speeches against encryption ever delivered outside of the UK.

Rosenstein apparently has decided UK government officials shouldn't have a monopoly on horrendous anti-encryption arguments. Saddling up his one-trick pony, the DAG dumped out a whole lot of nonsensical words in front of a slightly more receptive audience. Speaking at the Global Cyber Security Summit in London, Rosenstein continued his crusade against encryption using counterintuitive arguments.

After name-dropping his newly-minted term -- responsible encryption™ -- Rosenstein stepped back to assess the overall cybersecurity situation. In short, it is awful. Worse, perhaps, than Rosenstein's own arguments. Between the inadvertently NSA-backed WannaCry ransomware, the Kehlios botnet, dozens of ill-mannered state actors, and everything else happening seemingly all at once, the world's computer users could obviously use all the security they can get.

Encryption is key to security. Rosenstein agrees… up to a point. He wants better security for everyone, unless those everyones are targeted by search warrants. Then they have too much encryption.

Encryption is essential. It is a foundational element of data security and authentication. It is central to the growth and flourishing of the digital economy. We in law enforcement have no desire to undermine encryption.

But “warrant-proof” encryption poses a serious problem.

Well, you can't really have both secure encryption and law enforcement-friendly encryption. Rosenstein knows this just as surely as Comey knew it. That didn't stop Comey from pretending it was all about tech company recalcitrance. The same goes for Rosenstein who, early on in his speech, plays a shitty version of Sympathy for the Tech Devil by using the phrase "competitive forces" as a stand-in for "profit seeking" when speaking about the uptick in default encryption.

The underlying message of his last speech was that American tech companies should spurn profits for helping out the government by unwrapping one end of end-to-end encryption. The same pitch is made here, softened slightly in the lede thanks to the presence of UK tech companies in the audience. The language may be less divisive, but the arguments are no less stupid this time around.

In the United States, when crime is afoot, impartial judges are responsible for balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns. That is how we obtain search warrants for homes and court orders to require witnesses to testify.

Warrant-proof encryption overrides our ability to balance privacy and security. Our society has never had a system where evidence of criminal wrongdoing was impervious to detection by officers acting with a court-authorized warrant. But that is the world that technology companies are creating.

I'm not sure what this "system" is Rosenstein speaks about, but there has always been evidence that's eluded the grasp of law enforcement. Prior to common telephone use, people still communicated criminal plans but no one insisted citizens hold every conversation within earshot of law enforcement. Even in a digital world, evidence production isn't guaranteed, even when encryption isn't a factor.

Going on from there, the rest of speech is pretty much identical to his earlier one. In other words: really, really bad and really, really wrong.

Rosenstein believes the government should be able to place its finger on the privacy/security scale without being questioned or stymied by lowly citizens or private companies. Even if he's right about that (he isn't), he's wrong about the balance. This isn't privacy vs. security. This is security vs. insecurity. For a speech so front-loaded with tales of security breaches and malicious hacking, the back end is nothing more than bad arguments for weakened encryption -- something the government may benefit from, but will do nothing to protect people from malicious hackers or malicious governments.

All the complaints about a skewed balance are being presented by an entity that's hardly a victim. Electronic devices -- particularly cellphones -- generate an enormous amount of data that's not locked behind encryption. The government can -- without a warrant -- track your movements, either post-facto, or with some creative paperwork, in real time. Tons of other "smart" devices are generating a wealth of records only a third party and a subpoena away. And that's just the things citizens own. This says nothing about the wealth of surveillance options already deployed by the government and those waiting in the wings for the next sell off of civil liberties

It also should be noted Rosenstein is trying to make "responsible encryption" a thing. He obviously wants the word "backdoor" erased from the debate. While it's tempting to sympathize with Rosenstein's desire to take a loaded word out of the encryption debate lexicon, the one he's replacing it with is worse. As Rob Graham at Errata Security points out, the new term is loaded language itself, especially when attached to Rosenstein's bullshit metric: "measuring success in prevented crimes and saved lives."

I feel for Rosenstein, because the term "backdoor" does have a pejorative connotation, which can be considered unfair. But that's like saying the word "murder" is a pejorative term for killing people, or "torture" is a pejorative term for torture. The bad connotation exists because we don't like government surveillance. I mean, honestly calling this feature "government surveillance feature" is likewise pejorative, and likewise exactly what it is that we are talking about.

Then there's the problem with Rosenstein deploying rhetorical dodges in his discussions about encryption, which presumably include a number of government officials. Alex Gaynor, who worked for the United States Digital Service and participated in the Obama Administration's discussion of potential encryption backdoors, points out Rosenstein's abuse of his position.

Mr. Rosenstein plainly wants to reopen the "going dark" debate that began under the previously administration, spearheaded by FBI Director Jim Comey. While I disagree vehemently with him, it's a valid policy position - and I have every reason to believe him that there are investigations in which encryption does hamper the Justice Department and FBI's ability to investigate. However, he is not entitled to mislead the public in order to make that point. And make no mistake. Attempting to use the spectre of familiar computer security challenges in order to make the argument that his policy is necessary, even though his policy has nothing to do with these challenges, is the height of intellectual dishonesty.

There's an endgame to Rosenstein's dishonest rhetoric. And it won't be tech companies being guilted into participating in his "responsible encryption" charade. It will be backdoors. And they will be legislated.

The Deputy Attorney General says that he is interested in "frank discussion". However, his actual remarks demonstrate he is interested in anything but -- his goal is to secure legislation akin to CALEA for your cellphone, and he doesn't care who he has to mislead to accomplish this. Mr. Deputy Attorney General, I expect better.

This is what the DOJ wants. But Rosenstein is too weak-willed to say it out loud. So he spouts this contradictory, misleading, wholly asinine garbage to whatever audience will have him. Rosenstein is obtuse enough to be dangerous. Fortunately, most legislators (so far) seem unwilling to sacrifice the security of citizens on the altar of lawful access.

45 Comments | Leave a Comment..

Posted on Techdirt - 13 October 2017 @ 1:39pm

DreamHost Wins Challenge Against DOJ's Overbroad Data Demands

from the the-Man-briefly-experiences-having-it-stuck-to-him dept

DreamHost has been fighting the DOJ and its breathtakingly-broad demand for information on all visitors to an anti-Trump website. This has gone on for a few months now, but the origin of the DOJ's interest in the DreamHosted disruptj20.org site traces all the way back to protests during Trump's inauguration.

Here's what the DOJ demanded DreamHost hand over:

a. all records or other information pertaining to that account or identifier, including all files, databases, and database records stored by DreamHost in relation to that account or identifier;

b. all information in the possession of DreamHost that might identify the subscribers related to those accounts or identifiers, including names, addresses, telephone numbers and other identifiers, e-mail addresses, business information, the length of service (including start date), means and source of payment for services (including any credit card or bank account number), and information about any domain name registration;

c. all records pertaining to the types of service utilized by the user,

d. all records pertaining to communications between DreamHost and any person regarding the account or identifier, including contacts with support services and records of actions taken.

These demands conceivably applied to every single one of the site's 1.2 million visitors. The DOJ scaled back some of its demands a week later, but also stated its attempt to "converse" (read: talk DreamHost into compliance) had been rebuffed, with the hosting company stating its desire to continue challenging the subpoena.

This demand for information would be in addition to a warrant it served to Facebook, seeking everything ever from the accounts of more than 6,000 users. This was served to Facebook, along with a gag order -- something the DOJ conveniently dropped the night before oral arguments, perhaps sensing it might be in for an unfavorable precedential ruling.

Chief Judge Morin of the DC Superior Court has issued a ruling on the DreamHost-targeting subpoena, and it's good news for everyone but the overreaching DOJ. DreamHost reports on the judge's order:

Under this order, we now have the ability to redact all identifying information and protect the identities of users who interacted with disruptj20.org before handing over any data to the court.

[...]

We are now required to hand over a drastically reduced amount of data to the government and will redact any identifying information from every scrap of it that relates to non-subscribers.

On top of that, the DOJ will have to submit search protocols and procedures to the court for approval before demanding further site visitor info and limit its requests to info it can show the court is linked to actual criminal activity (violations of DC's rioting statutes). The DC Superior Court will make final determinations on the validity of the government's data requests before any identifying information is released by DreamHost.

As the court notes in its order [PDF], it's not interested in assisting the government with its fishing expeditions.

Because of the potential breadth of the government's review in this case, the Warrant in its execution may implicate otherwise innocuous and constitutionally protected activity. As the Court has previously stated, while the government has the right to execute its Warrant, it does not have the right to rummage through the information contained on DreamHost's website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in protected First Amendment activities.

And this still may not be the end of the DOJ's problems. Even if revised info demands are approved by the court, there are still a handful of potential investigation targets (site visitors and owners) readying their own challenges of the government's data requests. At this point, site visitors who've already attempted to challenge the subpoena obviously don't know if they're actually targeted by the DOJ. The court has dismissed their appeals without prejudice, which will allow them to refile if they make the government's final cut.

This is good news for everyone who avails themselves of third-party services (which is pretty much everybody). A little pushback sometimes goes a long way. Anyone seeking to keep their private info private should be taking note on who's willing to challenge the government's overreach and who's willing to act as little more than a data broker for law enforcement agencies.

Read More | 7 Comments | Leave a Comment..

Posted on Techdirt - 13 October 2017 @ 10:38am

Another Ridiculous Lawsuit Hopes To Hold Social Media Companies Responsible For Terrorist Attacks

from the from-an-alternate-reality-where-Section-230-doesn't-exist dept

Yet another lawsuit has been filed against social media companies hoping to hold them responsible for terrorist acts. The family of an American victim of a terrorist attack in Europe is suing Twitter, Facebook, and Google for providing material support to terrorists. [h/t Eric Goldman]

The lawsuit [PDF] is long and detailed, describing the rise of ISIS and use of social media by the terrorist group. It may be an interesting history lesson, but it's all meant to steer judges towards finding violations of anti-terrorism laws rather than recognize the obvious immunity given to third party platforms by Section 230.

When it does finally get around to discussing the issue, the complaint from 1-800-LAW-FIRM (not its first Twitter terrorism rodeo…) attacks immunity from an unsurprising angle. The suit attempts to portray the placement of ads on alleged terrorist content as somehow being equivalent to Google, Twitter, et al creating the terrorist content themselves.

When individuals look at a page on one of Defendants’ sites that contains postings and advertisements, that configuration has been created by Defendants. In other words, a viewer does not simply see a posting; nor does the viewer see just an advertisement. Defendants create a composite page of content from multiple sources.

Defendants create this page by selecting which advertisement to match with the content on the page. This selection is done by Defendants’ proprietary algorithms that select the advertisement based on information about the viewer and the content being. Thus there is a content triangle matching the postings, advertisements, and viewers.

Although Defendants have not created the posting, nor have they created the advertisement, Defendants have created new unique content by choosing which advertisement to combine with the posting with knowledge about the viewer.

Thus, Defendants’ active involvement in combining certain advertisements with certain postings for specific viewers means that Defendants are not simply passing along content created by third parties; rather, Defendants have incorporated ISIS postings along with advertisements matched to the viewer to create new content for which Defendants earn revenue, and thus providing material support to ISIS.

This argument isn't going to be enough to bypass Section 230 immunity. According to the law, the only thing social media companies are responsible for is the content of the ads they place. That they're placed next to alleged terrorist content may be unseemly, but it's not enough to hurdle Section 230 protections. Whatever moderation these companies engage in does not undercut these protections, even when their moderation efforts fail to weed out all terrorist content.

The lawsuit then moves on to making conclusory statements about these companies' efforts to moderate content, starting with an assertion not backed by the text of filing.

Most technology experts agree that Defendants could and should be doing more to stop ISIS from using its social network.

Following this sweeping assertion, two (2) tech experts are cited, both of whom appear to be only speaking for themselves. More assertions follow, with 1-800-LAW-FIRM drawing its own conclusions about how "easy" it would be for social media companies with millions of users to block the creation of terrorism-linked accounts [but how, if nothing is known of the content of posts until after the account is created?] and to eliminate terrorist content as soon as it goes live.

The complaint then provides an apparently infallible plan for preventing the creation of "terrorist" accounts. Noting the incremental numbering used by accounts repeatedly banned/deleted by Twitter, the complaint offers this "solution."

What the above example clearly demonstrates is that there is a pattern that is easily detectable without reference to the content. As such, a content-neutral algorithm could be easily developed that would prohibit the above behavior. First, there is a text prefix to the username that contains a numerical suffix. When an account is taken down by a Defendant, assuredly all such names are tracked by Defendants. It would be trivial to detect names that appear to have the same name root with a numerical suffix which is incremented. By limiting the ability to simply create a new account by incrementing a numerical suffix to one which has been deleted, this will disrupt the ability of individuals and organizations from using Defendants networks as an instrument for conducting terrorist operations.

Prohibiting this conduct would be simple for Defendants to implement and not impinge upon the utility of Defendants sites. There is no legitimate purpose for allowing the use of fixed prefix/incremental numerical suffix name.

Take a long, hard look at that last sentence. This is the sort of assertion someone makes when they clearly don't understand the subject matter. There are plenty of "legitimate purposes" for appending incremental numerical suffixes to social media handles. By doing this, multiple users can have the same preferred handle while allowing the system (and the users' friends/followers) to differentiate between similarly-named accounts. Everyone who isn't the first person to claim a certain handle knows the pain of being second... third… one-thousand-three-hundred-sixty-seventh in line. While this nomenclature process may allow terrorists to easily reclaim followers after account deletion, there are plenty of non-ominous reasons for allowing incremental suffixes.

That's indicative of the lawsuit's mindset: terrorist attacks are the fault of social media platforms because they've "allowed" terrorists to communicate. But that's completely the wrong party to hold responsible. Terrorist attacks are performed by terrorists, not social media companies, no matter how many ads have been placed around content litigants view as promoting terrorism.

Finally, the lawsuit sums it all up thusly: Monitoring content is easy -- therefore, any perceived lack of moderation is tantamount to direct support of terrorist activity.

Because the suspicious activity used by ISIS and other nefarious organizations engaged in illegal activities is easily detectable and preventable and that Defendants are fully aware that these organizations are using their networks to engage in illegal activity demonstrates that Defendants are acting knowingly and recklessly allowing such illegal conduct.

Unbelievably, the lawsuit continues from there, going past its "material support" Section 230 dodge to add claims of wrongful death it tries to directly link to Twitter, et al's allegedly inadequate content moderation.

The conduct of each Defendant was a direct, foreseeable and proximate cause of the wrongful deaths of Plaintiffs’ Decedent and therefore the Defendants’ are liable to Plaintiffs for their wrongful deaths.

This is probably the worst "Twitter terrorism" lawsuit filed yet, but quite possibly exactly what you would expect from a law firm with a history of stupid social media lawsuits and a phone number for a name.

Read More | 20 Comments | Leave a Comment..

Posted on Techdirt - 13 October 2017 @ 3:23am

Australian Police Ran A Dark Web Child Porn Site For Eleven Months

from the presiding-over-a-period-of-unprecedented-growth dept

Thanks to an investigation by Norwegian newspaper VG, a long-running child porn operation by Australian police has been (inadvertently) uncovered. An IT specialist at VG was monitoring forum activity and only stumbled on law enforcement's involvement on accident.

In comparison to the FBI's takeover of the Playpen site, the Taskforce Argos operation was epic. The FBI held onto the seized Playpen seizure for only a couple of weeks. The Australian police served as replacement administrators for eleven months.

The government's turn as child porn site administrators began with the arrest of two men in the United States, one of them a Canadian citizen. Both were apparently actively abusing children as well as running the dark web site. According to data gathered by investigators, Childs Play had more than a 1 million registered users by the time it was shut down. (Estimates suggest fewer than 5,000 accounts could be considered active, however.) Based on estimates from multiple countries now involved in the law enforcement action, the eleven-month hosting effort has resulted in nearly 1,000 suspects being identified. Some have already been arrested.

The article is worth a read (as is the Guardian's more succinct take), if for no other reason than the sheer amount of detective work performed by a few journalists. The ends are worthy -- the arrest and punishment of child abusers -- but, as in the FBI's child porn operations, the means are highly questionable.

Presumably Australian law enforcement used something similar to the FBI's malware to reveal identifying information about the forum's users. No details have been provided to VG, but there's a good chance details will begin to surface as cases proceed to trial.

But it is concerning law enforcement felt a need to continue to distribute child porn for eleven months before deciding to shut down the site. It also seems highly possible the site was only shut down was because the operation had been uncovered by VG's detective work.

While impersonating one of the arrested forum moderators, police had to provide a monthly update post to prevent the site's warrant canary from kicking in. One requirement was to include a child porn image with this update, under the assumption law enforcement officers wouldn't be legally allowed to distribute this contraband.

That leads directly to another problematic aspect of the investigation: the website was relocated for easier exploitation.

It is VG’s understanding that when WarHead surrendered access to Childs Play and Giftbox each forum was stored on servers in separate European countries. Police, lawyers and the suspects themselves refuse to say which.

Police in Australia and the European country saw obvious benefits to having the Australian police, rather than a European force, running the site.

Australian laws give the police unusually broad powers to monitor suspicious activities online.

By consolidating the operation under Australian jurisdiction, investigators now had legal latitude to distribute child porn. The police may not have distributed much directly, but during the eleven months the site operated under new ownership, business was booming. According to statistics compiled by VG's investigation, hosted images quadrupled during that period, from 3,000 to over 12,000 total image. And some of the uploaded images became incredibly popular.

On 25 October 2016, two weeks after Argos took over the site, an unidentified user created a discussion thread featuring images of an eight-year-old girl being raped.

By August of this year, the post had been viewed 770,617 times – all while the police were running the website.

Some victims of child sexual abuse interviewed by VG are upset their images were redistributed by law enforcement. Others are a bit more pragmatic about the investigators' actions. But the redistribution of child porn by law enforcement raises a bunch of questions no one in law enforcement seems interested in answering.

Carissa Byrne Hessick, a professor of law at the University of North Carolina, questions [investigator Paul] Griffith’s argument. She is one of the world’s leading legal experts on investigating such abuse.

"It sounds like the police tell one story about how damaging the images are when others share them, and another story when the police share them.

That’s a kind of hypocrisy I really don’t like. But this sheds light on the argument that any and all sharing of such an image is abuse. If the police say they’re only sharing images that have been shared before, it means the police do not think all sharing is harmful," says Hessick.

The counterargument, of course, is law enforcement commits illegal acts for the greater good. But the argument is somewhat hollow when child porn convictions come with restitution orders based on the number of images shared. Eleven months running a child porn site seems like overkill, especially when the two principal members were already in custody by the time investigators took over.

47 Comments | Leave a Comment..

Posted on Techdirt - 12 October 2017 @ 11:57am

Investment Fund Manager Tries To Bury Past Screwups With Sketchy Libel Suit Court Order

from the hold-my-beer dept

More libel-related bullshittery happening on the internet. And, again, Eugene Volokh is on top of it. Between him, Paul Levy of Public Citizen, and Pissed Consumer, we've seen a huge amount of shady-to-completely-fraudulent behavior by lawyers and rep management firms exposed. This is more of the same, although it doesn't appear anyone in the SEO business was involved.

Jordan Wirsz is an investment manager with a problem. He's previously gotten in trouble with state regulators for running investment schemes without a license. It's not a huge problem, but it's enough to make people think twice before trusting him with their money.

Faced with state regulator decisions cluttering up his search results, Wirsz has apparently opted to make his Google searches even less flattering. He took a commenter named "Richard" to court, alleging defamation based on the contents of comments "Richard" posted to sites like RipoffReport. He won a default judgment, which conveniently contained several URLs not linked to "Richard" or the alleged libel.

The list of URLs included, in the middle, three official Arizona government documents, which of course couldn’t have been posted by any “Richard”; their author isn’t an anonymous commenter, but rather the Arizona Corporation Commission, which Wirsz did not sue. Unsurprisingly, the material in the order is based on Phillips’s application for default judgment, which said that “Defendant posted” various statements, and that “such statements and similar statements have been posted at” various links, including the azcc.gov links — even though the azcc.gov links are actually quite different criticisms of Wirsz, which are not libelous and which are unrelated to “Richard.”

And that's not all. The default judgment a judge agreed to includes other URLs not related to "Richard" and his supposed libel.

Some of the other URLs in the default judgment (and the takedown request) were Scribd.com copies of various documents in this very case, such as an earlier court order granting a preliminary injunction against “Robert,” which were uploaded to Scribd by RipOffReport… Some other URLs pointed to other Scribd documents uploaded to RipOffReport that didn’t even mention Wirsz, except that Scribd’s other-recommended-document list at the bottom of the pages mentioned one of the Wirsz orders.

Volokh wasn't able to get anyone involved to comment on the court order. Wirsz is now represented by a different lawyer -- not the Brandon Phillips who obtained the court order, nor the Brian Dziminski who served the order to Google. Obviously, Wirsz hoped Google was as inattentive as the judge signing the order, but it appears Google didn't comply with the court order's demands it delist government agency URLs.

This bogus scrubbing of search results continues, but is certainly becoming much less of a sure thing than it used to be. One rep management company engaging in fraudulent libel lawsuit tactics is paying out $70,000 and may be out even more once the US Attorney's Office is done with it. Another rep management firm is facing two legal actions over its fraud on the court for the same bogus lawsuit v. bogus defendant tactics. With Google paying more attention to incoming court orders, the law of diminishing returns has finally been enacted.

6 Comments | Leave a Comment..

Posted on Techdirt - 12 October 2017 @ 9:27am

Emails Show ICE Couldn't Find Enough Dangerous Immigrants To Fulfill The Adminstration's Fantasies

from the Operation-Goalpost-Relocation dept

When you've got an official narrative to deliver, you need everyone to pitch in to keep it from falling apart. No one can say ICE didn't try. The Trump administration -- bolstered by supporting statements conjecture from DOJ and DHS officials -- has portrayed undocumented immigrants as little more than nomadic thugs. Unfortunately, there's hardly any evidence available to back up the assertion that people here illegally are more likely to commit serious criminal acts.

Back in February, shortly after Trump handed down immigration-focused executive orders, ICE went all in on arresting undocumented visitors and immigrants. Included in this push was a focus on so-called "sanctuary cities" like Austin, Texas, which had vowed to push back against Trump's anti-immigrant actions.

Emails obtained by The Intercept show ICE doing all it can to prop up Trump's "dangerous criminal" stereotyping. Unfortunately, despite all of its efforts, ICE failed to come across many dangerous criminals during its February sweeps.

On February 10, as the raids kicked off, an ICE executive in Washington sent an “URGENT” directive to the agency’s chiefs of staff around the country. “Please put together a white paper covering the three most egregious cases,” for each location, the acting chief of staff of ICE’s Enforcement and Removal Operations wrote in the email.

It's a good starting point, especially if the administration is relying on you to back up its assertions. ICE was willing to go the extra mile to do just that, apparently.

“If a location has only one egregious case — then include an extra egregious case from another city.”

This is an interesting ploy: cannibalizing nearby cities' reporting in order to present some semblance of an "egregious case" immigrant nightmare --one that would need to be stripped of redundancy before final presentation.

Unfortunately for ICE agents, you can't make something out nothing. Three cases per city proved to be almost impossible. Many raids failed to uncover even one egregious case. With the clock ticking down, some ICE offices decided to grab "egregious cases" completely unrelated to the current operation.

In February 11, an official responded to a colleague’s list of egregious cases by pointing out that they were unrelated to the ongoing operation. “The arrest dates are before any operation and even before the EO’s. What is up with these cases?” the official wrote.

What's up with those cases is there were almost zero new cases to report to the man upstairs. Hundreds of arrests were made, but many involved people with no prior criminal record. In the remaining arrests, most of the priors found were minor violations, with the worst being drunk driving.

Not exactly the "public safety threat" the Trump administration had promised. When it became clear the "egregious case" reports might total only a handful of serious criminal offenses from hundreds of arrests nationwide, ICE quickly applied its own spin.

As criticism escalated, ICE shifted to downplaying the operation as “no different than the routine,” telling reporters that the raids were the same “targeted arrests carried out by ICE’s Fugitive Operations Teams on a daily basis,” and suggesting off the record that claims to the opposite were “false, dangerous, and irresponsible.” As it became clear that dozens of individuals with no criminal history had been apprehended, ICE shifted gears and told reporters that in addition to targeting safety threats, the raids were always meant to target those whose only crimes were immigration-related, like re-entering the U.S. after deportation…

By spinning it this way, ICE can pay needed lip service to the administration's "dangerous immigrants" narrative and portray the lack of egregious cases as the result of the banal day-to-day work of immigration enforcement. But in doing so, it undercuts the narrative it's trying to serve. If there are so many dangerous criminals out there, why isn't ICE focused on them, rather than dozens of people whose only criminal act is a lack of documentation? ICE can't have it both ways. Neither can the White House.

69 Comments | Leave a Comment..

Posted on Techdirt - 11 October 2017 @ 11:57am

DOJ Says No One Has Any Right To Question The Adminstration's Handling Of Records, Not Even The Courts

from the inches-to-miles dept

Frequent FOIA requesters CREW (Citizens for Responsibility and Ethics in Washington) and NSA (National Security Archive) are trying to obtain a court ruling forcing the Trump administration to stop standing in the way of transparency and accountability.

Their complaint [PDF], filed earlier this year, accuses the Trump administration of not just serious impropriety, but of actually taking proactive steps to ensure there's no documentation of its questionable deeds.

From early on in this Administration, White House staff have used and, on information and belief, continue to use certain email messaging applications that destroy the contents of messages as soon as they are read, without regard to whether the messages are presidential records. Presidential statements made on Twitter sent from the President’s personal Twitter account, which are subject to federal record-keeping obligations, have been destroyed. The President also has implied that he is secretly tape-recording some or all conversations with Administration officials, and it is unclear if these tapes are being preserved. And there is at least one news report that, when the ongoing congressional and FBI investigations were disclosed, White House aides purged their phones of potentially compromising information. These practices violate the Presidential Records Act.

On top of that, the lawsuit alleges the White House is going even darker by consolidating power and forcing federal agencies to route as much as possible through administration staff to ensure as many records as possible could be considered exempt from FOIA requests.

The DOJ has filed its motion to dismiss [PDF]. And it's incredibly dismissive, as Eriq Gardner reports:

In a court filing Friday, not only do attorneys at the Justice Department say that courts can't review this, but they also argue that when it comes to laws pertaining to government record-keeping, judicial review would be inappropriate even if Trump deleted secret recordings with administration officials or even if his staff purged phone records because they expected to be subpoenaed in connection with various investigations.

Over the course of 36 pages, the DOJ tells the court the plaintiffs are wrong, the court is wrong… pretty the only entity entirely in the right is the President and his staff, who efforts cannot be questioned under the Presidential Records Act.

Courts cannot review the President’s compliance with the Presidential Records Act (“PRA”). As the D.C. Circuit has squarely held, “permitting judicial review of the President’s compliance with the PRA would upset the intricate statutory scheme Congress carefully drafted to keep in equipoise important competing political and constitutional concerns.” Armstrong v. Bush, 924 F.2d 282, 290 (D.C. Cir. 1991) (“Armstrong I”). Indeed, “Congress . . . sought assiduously to minimize outside interference with the day-to-day operations of the President and his closest advisors and to ensure executive branch control over presidential records during the President’s term in office,” and so “it is difficult to conclude that Congress intended to allow courts, at the behest of private citizens, to rule on the adequacy of the President’s records management practices or overrule his records creation, management, and disposal decisions.”

The DOJ's arguments are pretty blunt, considering they're spread over 30 pages. The DOJ flatly states the plaintiffs have no standing as they can allege no harm but possibly-thwarted FOIA requests at some point in the future. Even if the court somehow finds a way to grant standing, the DOJ states this won't help the plaintiffs' case at all.

Even if Plaintiffs had standing, the vast majority of their claims are precluded by the PRA. As noted above, the D.C. Circuit held in Armstrong I that private litigants may not bring suit to challenge the President’s compliance with the PRA. While the D.C. Circuit subsequently held that courts hearing FOIA cases may review the President’s PRA guidelines to ensure that he does not improperly treat agency records subject to FOIA as though they were instead presidential records subject to the PRA, see Armstrong v. Exec. Office of the President, 1 F.3d 1274, 1294 (D.C. Cir. 1993) (“Armstrong II”), D.C. Circuit law does not permit judicial review of whether the President is properly managing and preserving those records that are in fact subject to the PRA.

The DOJ likely has a point. Congress did give the President's office lots of leeway on how to handle records retention. It's the sort of thing that seems like a good idea when you're the party in power but not so much when things change hands. For everyone else on the outside, it's just another way the government insulates itself from accountability.

Read More | 16 Comments | Leave a Comment..

Posted on Techdirt - 11 October 2017 @ 9:24am

Deputy AG Pitches New Form Of Backdoor: 'Responsible Encryption'

from the laugh-and-the-world-laughs-with;-pull-this-crap-and-you're-on-your-own dept

The DOJ is apparently going to pick up where the ousted FBI boss James Comey left off. While Attorney General Jeff Sessions continues building his drug enforcement time machine, Deputy AG Rod Rosenstein is keeping the light on for Comey's prophesies of coming darkness.

Rosenstein recently gave a speech at the US Naval Academy on the subject of encryption. It was… well, it was pretty damn terrible. Once again, a prominent law enforcement official is claiming to love encryption while simultaneously extolling the virtues of fake encryption with law enforcement-ready holes in it.

The whole thing is filled with inadvertently hilarious assertions, like the following:

Encryption is a foundational element of data security and authentication. It is essential to the growth and flourishing of the digital economy, and we in law enforcement have no desire to undermine it.

Actually, Rosenstein has plenty of desire to do that, which will be amply demonstrated below, using his own words.

But the advent of “warrant-proof” encryption is a serious problem. Under our Constitution, when crime is afoot, impartial judges are charged with balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns.

The law indeed recognizes this and provides law enforcement access to communications, documents, etc. with the proper paperwork. What the law cannot do is ensure the evidence is intact, accessible, or exactly what law enforcement is looking for.

Rosenstein is disingenuously reframing the argument as lawful access v. personal privacy, when it's really about law enforcement's desires v. user security. The latter group -- users -- includes a large percentage of people who've never been suspected of criminal activity, much less put under investigation. Weakened encryption affects everyone, not just criminal suspects.

Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, especially when officers obtain a court-authorized warrant. But that is the world that technology companies are creating.

Our society has had plenty of systems where evidence was "impervious to detection." Calls, text messages, emails, personal conversations, passed notes, dead drops, coded transmissions, etc. have existed for years without law enforcement complaining about everything getting so damn dark. Law enforcement has never had 100% access to means of communications even with the proper paperwork in hand. And yet, police departments and investigative agencies routinely solved crimes, even without access to vast amounts of personal communications.

Rosenstein follows this loop a few times, always arriving at the same mistaken conclusion: law enforcement should be able to access whatever it wants so long it has a warrant. Why? Because it always used to be able to. Except for all those times when it didn't.

Since Rosenstein isn't willing to handle the encryption conversation with any more intellectual honesty than the departed James Comey, he's forced to come up with new euphemisms for encryption backdoors. Here's Rosenstein's new term for non-backdoor encryption backdoors.

Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization.

At worst, this means some sort of built-in backdoor, sort of what Blackberry uses for its non-enterprise customers. Nearly just as bad, this possibly means key escrow. These are the solutions Rosenstein wants, but he doesn't even have the spine to take ownership of them. Not only does the Deputy AG want tech companies to implement whatever the fuck "responsible encryption" is, he wants them to bear all expenses, cope with customers fleeing the market for more secure options, and be the focal point for the inevitable criticism.

Such a proposal would not require every company to implement the same type of solution. The government need not require the use of a particular chip or algorithm, or require any particular key management technique or escrow. The law need not mandate any particular means in order to achieve the crucial end: when a court issues a search warrant or wiretap order to collect evidence of crime, the provider should be able to help.

In other words, the private sector needs to build the doors and hold the keys. All the government needs to do is obtain warrants.

Rosenstein just keeps piling it on. He admits the law enforcement hasn't been able to guilt tech companies into backdooring their encryption. That's the old way. Going forward, the talking points will apparently portray tech companies as more interested in profits than public safety.

The approach taken in the recent past — negotiating with technology companies and hoping that they eventually will assist law enforcement out of a sense of civic duty — is unlikely to work. Technology companies operate in a highly competitive environment. Even companies that really want to help must consider the consequences. Competitors will always try to attract customers by promising stronger encryption.

That explains why the government’s efforts to engage with technology giants on encryption generally do not bear fruit. Company leaders may be willing to meet, but often they respond by criticizing the government and promising stronger encryption.

Of course they do. They are in the business of selling products and making money.

In other words, tech companies are doing it for the clicks. This is a super-lazy argument often used to belittle things someone disagrees with. (A phrase that has since been supplanted by "fake news.") This sort of belittling is deployed by (and created for) the swaying of the smallest of minds.

Having painted the tech industry as selfish, Rosenstein airlifts himself to the highest horse in the immediate area.

We use a different measure of success. We are in the business of preventing crime and saving lives.

The Deputy AG makes a better point when he calls out US tech companies for acquiescing to ridiculous censorship demands from foreign governments. If companies are willing to oblige foreign governments with questionable human rights records, why can't they help out the US of A?

It's still not a very strong point, at least not in this context. But it is something we've warned against for years here at Techdirt: you humor enough stupid demands from foreign governments and pretty soon all of them -- including your own -- are going to start asking for favors.

It would be a much better argument if it wasn't tied to the encryption war Rosenstein's fighting here. Comparing censorship efforts and VPN blocking to the complexities of encryption isn't an apples-to-apples comparison. Blocking or deleting content is not nearly the same thing as opening up all users to heightened security risks because the government can't get at a few communications.

Whatever it is Rosenstein's looking for, he's 100% sure tech companies can not only provide it, but should also bear all liability for anything that might go wrong.

We know from experience that the largest companies have the resources to do what is necessary to promote cybersecurity while protecting public safety. A major hardware provider, for example, reportedly maintains private keys that it can use to sign software updates for each of its devices. That would present a huge potential security problem, if those keys were to leak. But they do not leak, because the company knows how to protect what is important. Companies can protect their ability to respond to lawful court orders with equal diligence.

It's that last sentence that's a killer. This is Rosenstein summing up his portrayal of tech companies as callous, profit-seeking nihilists with a statement letting everyone know the DOJ will pin all the blame for any future security breaches on the same companies who got on board with the feds' "nerd harder" demands.

This is a gutless, stupid, dishonest speech -- one that deliberately misconstrues the issues and lays all the blame, along with all the culpability on companies unwilling to sacrifice users' security just because the government feels it's owed access in perpetuity.

65 Comments | Leave a Comment..

Posted on Techdirt - 11 October 2017 @ 3:21am

Treasury Department Wing Latest To Be Accused Of Domestic Spying

from the just-dipping-into-the-domestic-stream-until-someone-says-stop dept

Some more domestic spying taking place, this time by financial regulators. While the US Treasury Department is well within its legal wheelhouse to investigate domestic financial wrongdoing, its Office of Intelligence and Analysis is only supposed to monitor financial activity occurring outside of the US. The OIA has apparently been helping itself to domestic financial records, as Jason Leopold reports.

Over the past year, at least a dozen employees in another branch of the Treasury Department, the Financial Crimes Enforcement Network, have warned officials and Congress that US citizens’ and residents’ banking and financial data has been illegally searched and stored. And the breach, some sources said, extended to other intelligence agencies, such as the National Security Agency, whose officers used the Treasury’s intelligence division as an illegal back door to gain access to American citizens’ financial records.

The US Treasury Department has responded to the allegations raised by several anonymous sources, claiming Leopold's article is basically bullshit.

“The BuzzFeed story is flat out wrong. An unsourced suggestion that an office within Treasury is engaged in illegal spying on Americans is unfounded and completely off-base.”

The department claims any sharing of data between the domestic-focused Financial Crimes Enforcement Network (FinCEN) and the OIA is completely legal. The NSA made a similar claim about its perusing of domestic financial data. But those claims seem a little hollow now that the Treasury Department's Inspector General has announced an investigation into this information sharing.

In some cases, the information shared had been properly redacted. But officials claim OIA personnel simply found ways to obtain the blacked-out data.

Some sources have also charged that OIA analysts have, in a further legal breach, been calling up financial institutions to make inquiries about individual bank accounts and transactions involving US citizens. Sources said the banks have complied with the requests because they are under the impression they are giving the information to FinCEN, which they are required to do.

That's how the backdoor works. When identifying information is redacted, the OIA just calls up the financial institution and asks for more information about unnamed accounts until it has enough to nullify built-in minimization procedures.

And there's more. It appears OIA is passing along domestic banking data to other foreign-facing agencies like the CIA and Defense Intelligence Agency. According to Leopold's sources, this has gone on for years. It's only coming to light now because FinCEN officials have begun complaining about the apparent privacy violations.

This has drawn the attention of Sen. Ron Wyden, who is now demanding answers from the Treasury Department.

“If true, those allegations would represent a serious abuse of spying powers to gather Americans’ financial information,” Senator Ron Wyden’s spokesman, Keith Chu, said in a statement: “Sen. Wyden plans to get to the bottom of what happened and take a close look at whether the rules currently protecting the privacy of Americans are strong enough and adequately enforced.”

This is something Wyden does well: dogged pursuits of information pertaining to intelligence community misconduct. Unfortunately, the intelligence community maintains a pretty solid stiff arm, which tends to put years between Wyden's questions and their eventual answers. Throw in some national security concerns, and the agencies involved are likely to be permitted to go dark for as long as possible.

The years of infighting between FinCEN and the OIA appear to be causing collateral damage. Another Leopold report from a couple of weeks ago covers a bizarre incident at the Treasury Department as FinCEN analysts attempted to dig through financial data for anything of interest that might have helped investigators track down participants in the recent London terrorist attack.

When the officials got to their secure operations center in Northern Virginia that Saturday night, they discovered that everyone on duty had been blocked from the classified networks their response depended upon. They couldn't open links emailed by the FBI about the suspected terrorists they were supposed to be chasing. They couldn't begin following the threads connecting those suspects to the people who had been funding and supporting them.

The lack of access for personnel within the Financial Crimes Enforcement Network — never before reported — cost antiterrorism forces on both sides of the Atlantic crucial time in identifying and pursuing the people and networks around the attackers, according to sources and documents reviewed by BuzzFeed News.

One possible explanation for the lockout may be the ongoing feud between FinCEN and the OIA. The OIA grants access to FinCEN, which allows it to piece together paper trails from both domestic and foreign banking data. If the OIA wanted to keep FinCEN out, it easily could. The other explanation is human error: unrenewed network security keys.

Whatever is happening isn't pretty. Human errors like these can result in lost human lives. If there's a turf war happening, the latest claims about OIA malfeasance are only going to result in less cooperation during critical times which, again, will possibly result in the loss of lives.

9 Comments | Leave a Comment..

Posted on Techdirt - 10 October 2017 @ 7:55pm

Three Energy Bills Look To Increase Fourth Amendment Protections For Americans

from the walking-back-the-third-party-doctrine dept

Senator Ron Wyden has introduced a trio of energy bills for the Senate's consideration. The three bills each have their own area of focus.

One bill [PDF] would direct the Department of Energy -- along with state entities -- to upgrade the flexibility and reliability of energy grids, thus limiting disruption during natural disasters. The second bill [PDF] creates grant programs for consumer-level renewable energy, providing incentives for purchase and deployment of solar panels, electric vehicles, and energy-efficient appliances. The third [PDF] tasks the DOE with leading the way for renewable energy storage R&D in hopes of driving costs down and providing more affordable alternatives to non-renewable energy sources.

Beyond their renewable energy focus, these three bills all have one thing in common: law enforcement agencies aren't going to like them. Each bill contains language erecting warrant requirements for law enforcement access of consumer energy usage data.

In each bill, under the "Privacy, Security, and Resilience" heading, Wyden has inserted a clause limiting warrantless access to energy customer data to identifying info only

CONSUMER INFORMATION.—

A governmental entity may obtain from an electric utility, third party aggregator, or other nongovernmental entity under an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena the—

(A) name of an electric consumer;

(B) address of an electric consumer;

(C) length of service (including start date) of, and types of service used by, an electric con sumer; and

(D) means and source of payment for such service (including any credit card or bank account number) of an electric consumer.

Everything else would require a warrant.

ELECTRIC USAGE INFORMATION.—A governmental entity may only require the disclosure by an electric utility, third party aggregator, or other nongovernmental entity of information regarding the use of electricity by an electric consumer (including monthly usage data, data at a greater level of detail or specificity, and information about electric use by specific appliances) pursuant to a warrant issued based on probable cause, using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction.

No more pulling citizens' electric bills without some articulable reason for doing so. The bill would also limit notification delays on these warrants to 180 days (although that period could be extended by a judge) and provides for suppression of evidence derived from warrantless access to energy usage information.

This will be a tough sell, considering law enforcement is very used to gathering up everything it can possibly construe as a third party record. Energy customers definitely know the energy they use is being tracked by their service provider. Even so, that knowledge is not the same as making the assumption that anything known by your electric company can also be accessed by law enforcement with almost zero paperwork.

A warrant requirement isn't much of a hurdle for law enforcement. What this would do is prevent fishing expeditions utilizing electric bills in hopes of stumbling over someone maintaining a home grow operation. This could mean people who shop for gardening supplies won't be having their electric bills constantly accessed by officers who assume the only hobby gardeners left are those in the marijuana business.

Still, it's a good move by Wyden. The bills may not go forward with these clauses intact, but they'll at least get legislators talking about the wealth of personal information law enforcement has warrantless access to.

Read More | 22 Comments | Leave a Comment..

Posted on Techdirt - 10 October 2017 @ 12:00pm

ICE Demands Journalists 'Return' Snitch Hotline Data It Left Exposed For Three Days After Being Notified

from the people-are-awful,-and-ICE-is-no-better dept

Daniel Rivero and Brendan O'Connor of Splinter recently acquired documents pertaining to ICE's snitch program -- a "see something, say something" but for suspected undocumented aliens. What's contained in these documents is nasty, petty abuse of a crime victim hotline by Americans who don't mind turning the government into their own personal army.

This is part of new program started by the Trump Administration -- one presumably meant to pump up numbers for its weekly "Two Minutes Hate" reports, which document the criminal acts of people roaming the county without the proper papers.

Splinter didn't find much evidence backing up the administration's fervent belief that "undocumented" equals "hardened criminal." What it did find was Americans using the VOICE tip line to engage in a low-level variant on SWATting: sending ICE to round up people they just don't like.

In April, the Trump Administration launched what it called the Victims of Immigration Crime Engagement (VOICE) hotline, with a stated mission to “provide proactive, timely, adequate, and professional services to victims of crimes committed by removable aliens.” But internal logs of calls to VOICE obtained by Splinter show that hundreds of Americans seized on the hotline to lodge secret accusations against acquaintances, neighbors, or even their own family members, often to advance petty personal grievances.

[...]

Together, the logs are a grim running diary of a country where people eagerly report their fellow residents to the authorities, or seek to bring the power of the immigration police to bear on family disputes.

One man called to report his stepson, who he didn't like parking near his house. Another caller reported some in-laws. One claimed his ex-wife was undocumented. This is the sort of "intelligence" being gathered by the VOICE program. Unbelievably, those reports may be some of the better ones.

In the first two weeks of the program, from April 26 to May 10, the logs show that the call center handled 1,940 calls from across the country. Most were pranks, or in the bureaucratic words of the record keepers, “concerned citizens,” who unleashed streams of profanity or talked about green aliens until the operator hung up.

ICE should have expected this. While the tip line was supposed to be used to find assistance for victims of criminal acts by undocumented immigrants, it became a clearinghouse for BS complaints from "tipsters" hoping to have the government solve their personal problems.

But there's more to this story than the low-grade ugliness of certain Americans. ICE somehow managed to expose a whole lot of personal data while compiling the spreadsheets it turned over to Splinter. The information left out in the open contained details about callers and who those callers were reporting.

[A]fter conducting Google searches for some data in that spreadsheet, including local police report numbers provided by callers, we were able to find a second spreadsheet, covering April to mid-August, hosted on the ICE web site. That spreadsheet appears to have been partially redacted to prepare it for release under the FOIA, but two columns containing intimate personal details—names, cell phone numbers, alleged crimes, addresses, and Social Security numbers—of both callers and the alleged undocumented immigrants they were calling about remained completely unredacted and publicly available. In several cases, the details would make it possible for people to figure out who informed on them.

Why ICE moved a work-in-progress document into a publicly-accessible space is something ICE has yet to explain. The agency has refused to directly respond to queries about the exposed spreadsheet. Nor was it particularly interested in ensuring this personal data remained out of the public's hands. Splinter gave ICE three days' notice before publishing, but the document wasn't removed until several hours after the Splinter article went live.

ICE's official response has been overkill. It took its entire FOIA document library offline on October 4th. As of October 9th, it is still down. Ridiculously, ICE is now demanding Splinter "return" the partially-redacted spreadsheet the agency left exposed online.

On Wednesday, an ICE lawyer sent a letter to Jonathan Schwartz, the chief legal and corporate affairs officer of Splinter’s parent company Univision, demanding that we destroy or return the spreadsheet. The letter, which was sent to Schwartz via UPS as well as emailed to the two Splinter reporters who wrote the story, is the first official acknowledgement that ICE had accidentally published private and potentially dangerous information on its web site for anyone to download. ICE had previously declined to confirm or deny the breach.

I'm sure it's boilerplate, but the wording used suggests ICE wants Splinter to box up all the bits and send them back to ICE HQ. Even stupider, the letter warns Splinter of the consequences of exposing this information, as if it wasn't ICE that exposed the document in the first place.

Please note that any further use or disclosure of the information contained in these records could impede or interfere with law enforcement activities and violate the privacy rights and interests of the people whose information is contained in the records. Further, should you perpetuate the use of disclosure of any of this information, you may endanger the persons to whom the information pertains.

This sounds like ICE is hoping to blame Splinter for any fallout from the exposed data. But this is ICE's fault entirely. As is noted (again) in the follow-up post, Splinter informed ICE of the exposed data three days before publication. The spreadsheet wasn't removed until almost 8 hours after Splinter's post went live. The data has now been accessed by any number of people who won't be affected by ICE's very belated attempt to stuff Pandora's personal data back in the box.

And that brings us to one more salient point: if you're going to hand over personal info to the government, be aware it's repeatedly shown it can't be trusted to keep citizens' data protected. People who thought they were going to get away with turning in exes, stepkids, and in-laws now need to be worried about retaliation from those they snitched on. Others using the line for more legitimate reasons are in no better shape -- victims of crime exposed by the agency they turned to for help.

37 Comments | Leave a Comment..

Posted on Techdirt - 10 October 2017 @ 3:27am

Proposed Bill Would Exempt Customs And Border Protection From FOIA Compliance [Updated]

from the who-needs-laws-when-you-operate-in-the-constitution-free-zone? dept

[Update: Thanks to reporting by the Tuscon Sentinel, Rep. Martha McSally has stripped this exemption from the bill and added language clarifying the law should not be construed as exempting CBP from its FOIA duties.]

To build a wall, you've got to break a few laws. That's the message being sent by a new bill, which helps pave the way for the eventual construction of a border wall by exempting the CBP and US Border Patrol from a large number of federal laws.

H.R. 3548 [PDF] would give the CBP a free pass to ignore all sorts of federal restrictions when engaging in its enforcement activities. All the things citizens can't legally do on federal land, the CBP and Border Patrol would be allowed to. This would keep the federal government from getting in its own way in the event wall construction actually takes place, as well as keep CBP agents from worrying about polluting, killing endangered species, or violating sacred grave sites while pursuing undocumented aliens.

The authority is so broad that CBP and its officers are given exemptions from the requirements of 36 different federal laws, including but not limited to, the National Environment Policy Act, the Endangered Species Act, the Clean Water Act, the Clean Air Act, the Fish and Wildlife Act, the Eagle Protection Act, the Native American Graves and Repatriation Act, AND "Subchapter 5, and chapter 7 of title 5, United States Code (commonly known as the 'Administrative Procedure Act')."

The last one listed is why the American Society of News Editors is commenting on the bill. The Administrative Procedure Act covers federal FOIA law. If this goes through unaltered, it could easily be read to exempt the CBP and Border Patrol from responding to open records requests pertaining to their activities... pretty much everything these entities do. The bill covers everything from tactical infrastructure efforts to detainments to patrol efforts.

ASNE isn't quite sure what to make of this exemption being included, but knows there's no way the law should be passed with this part intact.

It's unclear whether this reading is accurate, or intended, but unless someone asks, we might not know until it is too late. Unfortunately, there has been little to no stated opposition to this bill, so it could very well pass the House Committee on Wednesday, and later the entire House, unchecked.

The risk of leaving this stone unturned is clear: The public and press would be in the dark with regard to CBP activities near the border. We wouldn't have access to records of arrests, injuries, deaths and other major incidents at the border or the costs of securing the borders, including the cost and other details of building a border wall.

It could have been a mistake with legislators wishing to exempt CBP from something else, but if it can be read as excusing ICE from its FOIA duties, you can be sure that's exactly how the agency will read it. Alerting representatives is the only way this will receive any attention, considering it's just a few words in the middle of a 102-page bill seeking expanded powers for the agency.

Read More | 18 Comments | Leave a Comment..

Posted on Techdirt - 6 October 2017 @ 11:53am

Sheriff, Deputies Indicted After Subjecting Entire High School To Invasive Pat Downs

from the bulk-violations dept

Earlier this year, the Worth County (GA) Sheriff's Department enraged an entire nation by subjecting the entire student body of a local high school to invasive pat downs. The reason for these searches? Sheriff Jeff Hobby believed drugs would be found on campus.

Invasive searches of students at Worth County High School in Sylvester are being investigated by the Atlanta-based Southern Center for Human Rights.

The Southern Center said Tuesday that hundreds of students at the South Georgia high school were subjected to a search conducted without a warrant. Some of the searches were “highly intrusive” and involved officers touching students’ genitals and breasts.

The Southern Center is raising questions about the legality of the search.

“The Sheriff’s search of Worth County High School students went far beyond what the law permits,” said SCHR attorney Crystal Redd. “The Sheriff had no authority to subject the entire student population to physical searches of their persons, and certainly none to search students in such an aggressive and inappropriate manner.”

The sheriff brought in drug-sniffing dogs and had his deputies frisk every single attending student. The sheriff claimed the searches were legal. And not just legal, but "necessary." The end result of the multiple invasions of personal privacy? Zero drugs, zero arrests.

No drugs were found in a search of Worth County High School Friday.

Perhaps Sheriff Hobby should have taken the results of a search performed a month earlier as indicative of future results.

The Sylvester Police Department did a search on March 17, and found no drugs.

Despite two negative search results, Sheriff Hobby still expressed a desire to search the school again.

When asked about that previous search that came up dry, Hobby said he didn't think that search was thorough, so he decided to do his own.

He said he believes there are drugs at the high school and the middle school, but also said that he will not do another search, due to response from community.

According to school policies, students may be searched if there's reasonable suspicion the student is in possession of an illegal item. The same rules apply to law enforcement, but they were ignored here. Sheriff Hobby claimed he could search any student he wanted to (in this case, all of them) simply because he was accompanied by a school administrator.

Hobby was wrong and is now facing some serious legal problems. First off, Hobby has been sued by several of the students frisked by his officers.

A federal civil rights lawsuit filed last week against a south Georgia sheriff offers new details of the bizarre school-wide search of hundreds of students where deputies allegedly touched girls’ breasts, vaginal areas and groped boys in their groins.

One of the nine Worth County High School students who filed the lawsuit, identified as K.P., told the AJC that the April 14 search was “very, very scary.” She said the incident was stuck in her memory and it colored the rest of her senior year.

The lawsuit also details how much time the Sheriff's Department wasted violating rights and failing to discover contraband.

[T]he sheriff and his deputies locked the high school down for more than four hours and conducted body searches of close to 800 students present in school that day...

This lawsuit is a problem for Sheriff Hobby, especially as it will be much more difficult for the sheriff and his deputies to avail themselves of immunity. Indictments have that sort of effect on immunity claims. [via Greg Doucette]

A south Georgia grand jury indicted Worth County Sheriff Jeff Hobby on Tuesday for sexual battery, false imprisonment and violation of oath of office after he ordered a school-wide search of hundreds of high school students. Deputies allegedly touched girls vaginas and breasts and groped boys in their groin area during the search at the Worth County High School April 14.

Two of Hobby’s deputies were also indicted Tuesday in connection with the case.

Somewhat ironically, the indicted sheriff's attorney is bemoaning the same grand jury system law enforcement loves when it's indicting civilians.

Under Georgia law, a police officer or sheriff accused of a crime related to their official duties can appear before a grand jury to give a statement. Private citizens facing criminal charges do not get this privilege. But the sheriff and his deputies chose not to invoke that privilege. All stayed out of the grand jury room. That’s at least in part due to a new law that curbed some of the unique privileges officers previously had to sway grand jurors.

Under a new law that took effect last year, officers would have been subject to cross examination and wouldn’t have been able to rebut statements made by prosecutors during that cross-examination.

“It’s not a balanced proceeding,” said Norman Crowe Jr., the sheriff’s attorney.

Well, of course it isn't. That's been obvious for years. But no one on the prosecutorial side has anything bad to say about it until they end up as grist for the grand jury mill.

Apparently, Sheriff Hobby is going to claim he's innocent because he didn't personally pat down any of the students. That may save him from the sexual battery charge, but it's not going to help him much with the other two: violation of oath of office and false imprisonment. Without the sheriff giving the orders, it's unlikely his deputies would have locked down a school and patted down 800 students.

Hobby's statements made in defense of the search -- all made pre-lawsuit and pre-indictment -- aren't going to help much either. He feels he's completely justified in performing en masse suspicionless searches of US citizens. They may have limited rights as minors and school attendees, but their rights do not vanish entirely once they walk on campus.

The whole debacle was an ugly abuse of Hobby's power. Preventing future abuses depends greatly on the judicial system's ability to hold the sheriff accountable for his actions. With Hobby in charge, the Worth County Sheriff's Department is unqualified to police itself. Whether or not he's convicted, he should be removed from office. His post-search comments show he's willing to violate rights of hundreds of people simultaneously to find contraband he swears exists, but has yet to actually discover.

80 Comments | Leave a Comment..

Posted on Techdirt - 6 October 2017 @ 9:33am

The Vegas Shooting Makes It Clear More Surveillance Isn't The Answer

from the neither-is-a-reduction-in-civil-liberties dept

The solutions proposed by legislators, law enforcement, intelligence agencies, and multiple direct beneficiaries of amped-up surveillance in the wake of acts of terrorism are always the same: more of the stuff that didn't prevent the last attack.

London is a thicket of CCTV cameras and yet it's suffered multiple attacks in recent years. The NYPD and New York's former mayor idolized the London system: cameras everywhere (but not on NYPD officers). Despite this, New York City's relative safety appears to based more on policing tactics than hundreds of passive eyes.

Considering the unshakable belief "more cameras = more safety," how do surveillance supporters explain the recent shooting in Las Vegas, perhaps the most heavily-surveilled city on the planet?

In 2013, Nevada outfitted the Strip's "real-time crime center" with an additional 37 pivot-and-zoom cameras with a $350,000 federal grant. And as a surveillance expert told the Sun, most casinos on the strip are running thousands of cameras already: "Casinos have 100 percent coverage of virtually every square inch," he said. In the highways around Vegas, there are still cameras every half-mile. "Loss-prevention" recording devices stalk the Strip's employees in the back-of-house.

And still, while the footage will be rewound and analyzed in the coming weeks, acquired by the press, and used to model future scenarios, none of those cameras stopped a man from walking into the Mandalay and stocking a small arsenal of automatic weapons in his hotel room.

More isn't better. This much is clear. The NSA's infamous haystacks have caused more problems for analysts, who are tasked with sifting through millions of communications in hopes of flagging something worth pursuing. Thousands of cameras are useless if there aren't thousands of eyes to watch them in real time. It may help investigators after the fact, but after-the-fact detective work is never preferable to preventing deadly attacks.

As Molly Osberg points out for Splinter, the proposed prevention efforts will likely include even more cameras. And these proposals will come with zero stats backing up claims of increased safety and security.

[L]ondon police estimated almost a decade ago that for every 1,000 security cameras installed, only one crime was solved.

Eliminating cameras isn't the answer. But neither is continuing to prop up the delusion that more = safer. The same goes for other surveillance methods. Grabbing millions of communications daily might seem like a good way to catch something relevant now and then, but hours are wasted on filtering out false positives and internet detritus that wouldn't be swept up in more targeted approaches.

The surveillance state hasn't failed. It's just enamored with compounding its existing problems by adding more capacity. The only thing really guaranteed is more failure.

86 Comments | Leave a Comment..

Posted on Techdirt - 6 October 2017 @ 3:25am

Hackers Grab More NSA Exploits, Possibly With Assistance Of Russian Antivirus Developer

from the three-strikes-program-in-effect dept

Yet another NSA breach is being reported -- this one linked to Russian antivirus developer, Kaspersky Lab. The Wall Street Journal broke the news, detailing the apparent exfiltration of NSA exploits via Kaspersky antivirus software by Russian hackers (likely paywall).

Given the US government's recent decision to ban the use of Kaspersky AV software, one might assume Kaspersky itself acted maliciously. But the details in the story -- along with analysis from other journalists and researchers -- suggests the AV software may have done nothing more than its job.

The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.

The incident occurred in 2015 but wasn’t discovered until spring of last year, said the people familiar with the matter.

The stolen material included details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S., these people said.

A few interesting details stand out:

First, the discovery of files via antivirus software was made easier by the way Kaspersky AV operates.

It’s basically the equivalent of digital dumpster diving,” said Blake Darché, a former NSA employee who worked in the agency’s elite hacking group that targets foreign computer systems.

Kaspersky is “aggressive” in its methods of hunting for malware, Mr. Darché said, “in that they will make copies of files on a computer, anything that they think is interesting.” He said the product’s user license agreement, which few customers probably read, allows this.

The combined guesswork of the Wall Street Journal's sources suggest snippets of NSA malware code were discovered on a contractor's personal computer. Kaspersky AV has been banned from use inside the NSA for years, but nothing prevents NSA contractors from installing it on their home computers. In this case, a contractor had files on their personal computer that never should have left the NSA. (Well… at least not in this fashion. Taking sensitive files off grounds can be a criminal offense. Deploying these files to compromise computers and devices around the world, however, is just the daily work of the NSA's Tailored Access Operations.)

The unanswered question appears to be how state-sponsored Russian hackers determined which computer to target. Some suspect Kaspersky employees informed the Russian government of their discovery, but the Journal article offers no clarifying statements.

As Marcy Wheeler points out, the NSA could have made this bad situation worse by "hacking back."

[N]one of the rest of the report explains how Kaspersky could have learned so much about NSA’s tools.

We now may have our answer: initial discovery of NSA tools led to further discovery using its AV tools to do precisely what they’re supposed to. If some NSA contractor delivered all that up to Kaspersky, it would explain the breadth of Kaspersky’s knowledge.

It would also explain why NSA would counter-hack Kaspersky using Duqu 2.0, which led to Kaspersky learning more about NSA’s tools.

The Wall Street Journal says the identity of the contractor whose laptop was compromised is still unknown. Not so fast, says Washington Post's Ellen Nakashima, who's been following these developments for a few years now.

The employee involved was a Vietnamese national who had worked at Tailored Access Operations, the elite hacking division of the NSA that develops tools to penetrate computers overseas to gather foreign intelligence, said the individuals, who spoke on condition of anonymity to discuss an ongoing case. He was removed from the job in 2015, but was not thought to have taken the materials for malicious purposes such as handing them to a foreign spy agency, they said.

One NSA figure who may not survive this third major breech is its boss, Mike Rogers. His head was on the chopping block for breaches under his command back when Obama was still in office. A third major breach of NSA security may be a breach too far.

In a few short years, the NSA has gone from "No Such Agency" to the world's best unofficial source of malware. It's something to keep in mind every time the agency pitches an expansion of surveillance powers. It can't keep an eye on its own backyard because it's too busy staring into everyone else's.

20 Comments | Leave a Comment..

Posted on Techdirt - 5 October 2017 @ 7:30pm

Hundreds Of Cases Dismissed Thanks To Baltimore PD Misconduct

from the perp-walkers dept

After years of listening to tough-on-crime legislators and the tough-on-crime lawmen that love to hear them talk about filthy criminals beating the system by getting off on technicalities, it's somewhat funny to discover lots of what's complained about is nothing more than good old-fashioned due process and/or the collateral damage of crooked, inept, or lazy cops.

We've seen a lot of en masse criminal case dismissals recently. Thousands of convictions and charges were dropped in Massachusetts as the result of a state crime lab tech's years of faked drug tests. All over the nation, cops are letting perps walk rather than discuss law enforcement's worst-kept secret: Stingray devices.

Add to that list several hundred cases being dropped by prosecutors in Baltimore -- all thanks to officer misconduct. [via Scott Shackford at Reason]

Hundreds of criminal cases are impacted by the questionable conduct of Baltimore police officers, the city's top prosecutor announced in a statement.

Baltimore State's Attorney Marilyn J. Mosby's office released the updated numbers Wednesday. She said the actions of eight officers indicted for racketeering have affected 295 cases, and three more incidents of questionable use of body-worn cameras have impacted a total of 569 cases. Overall, she said up to 338 cases have been or could be dismissed.

The body camera footage at issue was discussed here earlier. What looked like an officer planting evidence turned out to be an officer performing an improvisational reenactment of "discovering" evidence he had actually discovered earlier (but without his body camera turned on). While less malicious than framing someone, the end result is no less questionable: a cop stuffing drugs into an object for recorded "discovery" later. Either way, it's something no cop should be doing, especially when they're wearing body cameras they can activate at any time.

The numbers of dismissals will likely continue to grow. Moby's office counts up to 338 possible dismissals so far, but characterizes these totals as "preliminary." The Baltimore PD, however, is spinning these dismissals in a different -- but wholly expected -- direction. While promising to "work to address the concerns" raised by the racketeering and footage-faking, police spokesman T.J. Smith claims these multiple cases of footage manipulation (there are four in total) are not indicative of larger, unaddressed problems with officer accountability.

Smith pointed out the importance of separating the four incidents, as they are "unique and independent of each other," adding that while eight officers are in federal prison for their criminal conduct, "the cases involving body-worn camera footage is still being investigated and no criminal wrongdoing has been proven."

Well, "unique" and "independent" except for the fact they all involved members of the Baltimore PD. Only a fool (or a police union spokesman) would believe these are the only times Baltimore officers have massaged camera footage and that the hundreds of cases edging towards dismissal will be the end of the prosecutorial bleeding. Misconduct of this type -- especially misuse of recording equipment -- tends to be a department-wide problem, rather than a few "bad apples" rising to the top of the barrel to be plucked and tossed by prosecutors.

21 Comments | Leave a Comment..

Posted on Techdirt - 5 October 2017 @ 12:01pm

House Judiciary Committee Introduces Weak Surveillance Reform Bill

from the offering-very-little,-almost-too-late dept

Better late than never, there finally appears to be some Section 702 reform efforts underway in Washington DC. Tech companies have been oddly silent over the last several months, allowing the government to fill the void with demands for a clean, forever reauthorization.

The reform bill [PDF], titled the USA Liberty Act, allows for the renewal of Section 702 authorities, but with some minor alterations. First off, the bill codifies the NSA's voluntary shutdown of its "about" email collection. If passed intact, the bill would prevent the NSA from collecting "about" communications until 2023. It also adds some warrant requirements for searches of 702 content by law enforcement agencies, including the FBI.

The warrant requirement doesn't change anything for collection access for "foreign intelligence" reasons, but at least elevates law enforcement access requirements, bringing it in line with the more-stringent demands of wiretap applications. This will hopefully prevent the government from browsing harvested communications for evidence of minor criminal activity.

Agencies like the FBI will still have warrantless access to 702 metadata but, importantly, won't be able to use this metadata as the sole source of probable cause when requesting a warrant. Unfortunately, this access will have little to no oversight as the FBI won't be required to run its metadata search plans past a court first.

These make Section 702 access a bit more restricted but, as the ACLU points out, it doesn't completely close the government's backdoor search loophole.

The bill would still allow the CIA, NSA, FBI, and other agencies to search through emails, text messages, and phone calls for information about people in the U.S. without a probable cause warrant from a judge. Those worried that current or future presidents will use Section 702 to spy on political opponents, surveil individuals based on false claims that their religion makes them a national security threat, or chill freedom of speech should be concerned that these reforms do not go far enough.

There are a few more positive to the bill as written. It requires semi-annual reporting on incidentally-collected communications -- information the ODNI still hasn't turned over to oversight committees despite years of requests.

It also extends whistleblower protections to government contractors, something that has been pointed out repeatedly but ignored by legislators when crafting whistleblower bills.

On the downside, it increases the penalty for the unauthorized removal of sensitive documents to five years in prison (up from one year) and adds an additional charge for prosecutors to toss at whistleblowers and leakers: negligent removal of classified documents.

It's certainly better than the nothing legislators have been offering for months, but it needs more work before it can be considered anything more than a minor facelift. A warrant requirement is nice, but essentially meaningless when the FBI and other agencies can still access what they're looking for without having to speak to a judge.

Read More | 6 Comments | Leave a Comment..

More posts from Capitalist Lion Tamer >>