Posted on Techdirt - 29 July 2016 @ 2:30pm
Law enforcement officers are pretty used to being able to stop nearly anyone and demand to know who they are and what they're doing. Sure, there are plenty of laws that say they can't actually do that, but the public is generally underinformed about their rights, and this works in cops' favor. As a recent Appeals Court decision pointed out, citizens are "free to refuse to cooperate with police before a seizure."
Obviously, this perfectly legal act of noncompliance just won't do, and it certainly won't be cops pointing out to citizens the rights they have available to them. New York City legislators thought they could force this transparency on the NYPD.
The bills, known as the Right to Know Act, require officers to identify and explain themselves when they stop people, and to make sure people know when they can refuse to be searched. These are timely, sensible ideas, echoing recommendations made by President Obama’s task force on 21st-century policing. Though the Right to Know Act has been bottled up in the Council for two years, it has broad support among Council members and community organizations, and sponsors say it would pass easily if it ever came to a vote.
It may have "broad support," but it didn't have support where it counts. Police Commissioner Bill Bratton expressed his displeasure with the idea of his officers having to respect the rights of citizens.
Mr. Bratton has denounced the Right to Know Act as an “unprecedented” intrusion into his domain.
As Scott Greenfield points out, Bratton could have dialed back his righteous indignation and applied these changes on his own.
Of course, there is nothing to prevent New York Police Commissioner Bill Bratton from telling his cops to do this anyway. But he didn’t. He won’t. It’s not as if he serves at the pleasure of New York’s most progressive mayor ever. But the big issue for Bratton isn’t that the ideas incorporated in the law are so dangerous and counterproductive, but cops just don’t like being told what they have to do.
"Broad support." "Would pass easily." None of this matters. The person in charge of routing pending legislation made this decision for the rest of the legislators who support the bill in its unaltered form.
But there has been no vote. The Council speaker, Melissa Mark-Viverito, essentially derailed it this month. She told members that she had quietly struck a compromise with the Police Department to adopt some, but not all, of the act’s reforms administratively. Under the deal, officers who want to search people but have no legal basis to stop them must ask permission and wait to hear “yes” or “no.” They have to explain that a person can refuse to be searched, and give a business card to people who are searched or stopped at a checkpoint or to anyone who asks.
Waiting for the NYPD to "adopt" reforms is like waiting to adopt a child. Days become weeks become months become years. Three years after Judge Shira Scheindlin ordered the NYPD to alter its unconstitutional stop-and-frisk program, officers still weren't fully informed of the new guidelines. The NYPD's "quiet adoption" of the agreement is more in line with dumping it into a foster home run by negligent caretakers.
The government has long depended on the ignorance of the citizens to maintain control. The killing of this legislation -- and Bratton's agreement to make it watered-down internal policy rather than actual law -- is more of the same. The less the public knows about what the police can or cannot demand from them, the more often this ignorance will be exploited by people with power.
16 Comments | Leave a Comment..
Posted on Techdirt - 29 July 2016 @ 3:51am
Nothing says "Please
stop keep talking about the bad stuff we do" quite like a bogus defamation lawsuit. Citizen Lab, which has reported on a great number of tech companies that are less than discriminating in their selection of customers (think Hacking Team), has been served with a lawsuit by a purveyor of internet censorship software.
On January 20, 2016, Netsweeper Inc., a Canadian Internet filtering technology service provider, filed a defamation suit with the Ontario Superior Court of Justice. The University of Toronto and myself were named as the defendants. The lawsuit in question pertained to an October 2015 report of the Citizen Lab, “Information Controls during Military Operations: The case of Yemen during the 2015 political and armed conflict,” and related comments to the media. Netsweeper sought $3,000,000.00 in general damages; $500,000.00 in aggravated damages; and an “unascertained” amount for “special damages.”
Netsweeper apparently was less than amused by Citizen Lab's insistence on reporting facts, including the nasty one about it supplying internet filtering software to a country whose government has been blacklisted by the United Nations. You know, things like this:
The research confirms that Internet filtering products sold by the Canadian company Netsweeper have been installed on and are presently in operation in the state-owned and operated ISP YemenNet, the most utilized ISP in the country.
Netsweeper products are being used to filter critical political content, independent media websites, and all URLs belonging to the Israeli (.il) top-level domain.
These new categories of censorship are being implemented by YemenNet, which is presently under the control of the Houthis (an armed rebel group, certain leaders and allies of which are targeted by United Nations Security Council sanctions).
Netsweeper was given a chance to defend itself against Citizen Lab's allegations before the report was made public.
We sent a letter by email directly to Netsweeper on October 9, 2015. In that letter we informed Netsweeper of our findings, and presented a list of questions. We noted: “We plan to publish a report reflecting our research on October 20, 2015. We would appreciate a response to this letter from your company as soon as possible, which we commit to publish in full alongside our research report.”
Netsweeper never replied.
Rather than meet the situation head on, Netsweeper chose to hang back and lob a lawsuit at Citizen Lab after it published its report. Fortunately for the security researchers, Netsweeper has chosen to drop its lawsuit entirely, possibly because pursuing the questionable defamation claims would have put it up against Ontarios's version of anti-SLAPP laws: the Protection of Public Participation Act.
The world of security research is still a dangerous place. When researchers aren't being arrested for reporting on their findings, they're being sued for exposing security flaws and highly-questionable behavior. It's a shame there aren't more built-in protections for researchers, who tend to receive a lot of legal heat just for doing their job.
24 Comments | Leave a Comment..
Posted on Techdirt - 28 July 2016 @ 11:48pm
Roughly eight years after information about law enforcement use of Stingray devices began slowly making its way into the public sphere, positive changes are being made. While the government has often argued it can be the "Third Party" in "Third Party Doctrine" by inserting itself warrantlessly between people's cell phones and their carriers' towers, its assertions are being met with increased judicial skepticism.
Two judges -- one state, one federal -- have reached the same conclusion in recent months: using a cell tower spoofer to locate suspects by dragging information out of their phones is a search under the Fourth Amendment. Warrants are required.
A few state legislatures have gotten into the act as well, proposing laws that create a warrant requirement for Stingray deployment. Illinois is the latest to do so (and the law actually passed), creating a new set of guidelines for law enforcement Stingray device use, including limits on data retention. It doesn't go quite so far as to mandate warrant acquisition, but it does force law enforcement to specify the equipment used in their applications, which also serves to create a paper trail that can be examined by defendants and members of the public.
This is the new quasi-warrant requirement recently signed off on by the governor.
Provides that an application for a court order to use a cell site simulator device, including an emergency application under the Freedom From Location Surveillance Act, must include a description of the nature and capabilities of the cell site simulator device to be used and the manner and method of its deployment, including whether the cell site simulator device will obtain data from non-target communications devices. Provides that an application for a court order to use a cell site simulator device, including an emergency application under the Freedom From Location Surveillance Act, must also include a description of the procedures that will be followed to protect the privacy of non-targets of the investigation, including the immediate deletion of data obtained from non-target communications devices.
The presentation of probable cause basically makes it a warrant requirement, even if the word "warrant" appears nowhere in the legislation.
The other positive here is that very strict controls on the use and retention of non-hit data are being instituted as well.
Provides that if the cell site simulator device is used to locate or track a known communications device, all non-target data must be deleted as soon as reasonably practicable, but no later than once every 24 hours. Provides that if the cell site simulator device is used to identify an unknown communications device, all non-target data must be deleted as soon as reasonably practicable, but no later than within 72 hours of the time that the unknown communications device is identified, absent a court order preserving the non-target data and directing that it be filed under seal with the court.
An additional nice touch is that requests and orders aren't considered "sealed" by default and that any seal request granted only lasts six months, and extension requests must be accompanied by a certification indicating the documents are part of an ongoing investigation or a "showing of exceptional circumstances." The last one is a little worrying as it could be used to maintain seals indefinitely if the court is inclined to believe law enforcement claims about "exposing law enforcement means/methods."
This show of "support" from local law enforcement indicates the law isn't as far-reaching as privacy activists might have hoped, but it isn't exactly just a bundle of concessions to LEO interests either.
The Illinois State Police has taken a neutral position on the law and the Chicago Police Department did not take a position.
Expect this trend to continue. More courts and legislators are going to realize that tracking a person's location by forcing their cell phone to connect with law enforcement technology is in no way analogous to gathering phone records with a pen register order or subpoenaing historical cell site data from third-party carriers.
8 Comments | Leave a Comment..
Posted on Techdirt - 28 July 2016 @ 2:38pm
The Director of National Intelligence's office (ODNI) has just released three Section 702 compliance reports covering December 2012 - May 2014. Considering the six-month lag time between the period covered and the reports' release, this is very likely as up to date as it can be at this point.
The ODNI is (almost) justifiably proud of its awkward embrace of government openness.
Consistent with the transparency principles, ODNI coordinated an extensive interagency review process to ensure the greatest transparency while protecting national security information, in order to enhance public understanding of the government’s implementation of Section 702.
Bravo and all that, but that doesn't really explain why we're still missing a handful of older transparency reports. This release covers reports 10, 11, and 12. Reports 1-3 are also available at the ODNI's Tumblr, but the list is still missing reports 4-8.
These aren't really oversight documents, per se -- at least not in terms of independence. They're composed by the agencies involved with the collection and retention of data gathered by the Section 702 program. They appear to be a collaboration between the DOJ and the ODNI, rather than the product of independent auditors or the involved agencies' Inspectors General.
That being said, the NSA still unfortunately erroneously obtains information it shouldn't.
As noted in the Section 707 Report, there were a total of [redacted] compliance incidents that involved noncompliance with the NSA targeting or minimization procedures and [redacted] involving noncompliance with FBI targeting and minimization procedures; for a total of [redacted] incidents involving NSA and/or FBI procedures.
Thanks to the redaction, it's difficult to say how often happen compliance incidents happen, but letter spacing suggests it might be as high as three digits' worth. Overall, it's only a small percentage of the total haul: 0.32%. More than half of the incidents involved tasking or detasking of "facilities" (which may be nothing more than an email address, as the NSA has argued that a "facility" can be anything that "facilitates" communications).
Tasking problems mostly arise from that all-too-common human error: typos.
Over the time periods covered in the above chart, the tasking and detasking incident compliance rate has varied by fractions of a percentage point as compared to the average size of the collection. Tasking errors cover a variety of incidents, ranging from the tasking of an account that the Government should have known was used by a United States person or an individual located in the United States to typographical errors in the initial tasking of the account that affect no United States persons or persons located in the United States.
Detasking, however, doesn't seem to be as prone to keyboard fumbling.
On the other hand, detasking errors more often involve a facility used by a United States person or an individual located in the United States, who may or may not have been the targeted user.
It would seem that being unable to determine whether a target is or isn't a target would result in more errors. And perhaps it does, but either way, the number of errors compared to the total number of targeted facilities is little more than a rounding error. Information provided earlier in the report suggests most detasking issues arise from a lack of communications between agencies. (The FBI and CIA both contribute -- and partake of -- the NSA's 702 collections.)
The report also reminds us how integral the FBI is to the NSA's bulk collection programs and how reliant the NSA is on a mainly-domestic agency to justify its overseas data hauls.
FBI fulfills three separate roles in the implementation of Section 702. First, FBI is authorized under the certifications to acquire foreign intelligence information [redacted] from electronic communication service providers, by targeting facilities that NSA designates for such acquisition (hereinafter “Designated Accounts”). [Redacted] must be conducted pursuant to FBI’s targeting procedures. Second, FBI conveys [redacted] from the electronic communications service providers [redacted] for processing in accordance with the agencies’ FISC-approved minimization procedures. Similarly, FBI also provides [redacted]. Third, FBI may receive [redacted] unminimized Section 702-acquired communications. Such communications must be minimized pursuant to FBI’s Section 702 minimization procedures. Like CIA, FBI has a process for nominating to NSA new facilities to be targeted pursuant to Section 702. During this reporting period, FBI continued to expand this nominating process to its FBI field offices.
So, the FBI not only obtains FISA orders in its name (with the NSA actually taking possession of the collection upon receipt [so to speak…], but it also can tell the NSA what to look for when it sends the FBI back to the FISA court to obtain another order.
The report also points out that incorrect searches don't always contain typos. Sometimes they contain search terms that can significantly broaden the search results.
For example, an overbroad query can be caused when an analyst mistakenly inserts an “or” instead of an “and” in constructing a Boolean query, and thereby potentially received overbroad results as a result of the query.
And, although the number of tasking issues remains low, a large percentage of those are the result of agencies moving ahead without a sufficient amount of suspicion.
In the current reporting period, approximately 20% of the compliance incidents involve initial targeting decisions based upon insufficient information to support a determination that a target was a non-United States person reasonably believed to be located outside the United States. Many of these incidents involve process issues in which the error was a failure to consider the totality of relevant circumstances…
But, on the other hand, it was rarely US persons being inadvertently targeted, so no harm, no foul.
[I]n the vast majority, but not all, of the cases, there is no indication that the individual targeted actually was in the United States or a United States person.
As is to be expected from reports like these, lots of potentially interesting stuff has been redacted completely and anything pertaining to the total number of errors has been excised. Still, after years of never showing its work to the general public, the ODNI's release of these reports in a somewhat timely manner suggests the ODNI is at least trying to make small talk with transparency, if not completely ready to engage in a full embrace.
Read More | 2 Comments | Leave a Comment..
Posted on Techdirt - 28 July 2016 @ 11:54am
Yelp -- both a frequent target of misguided lawsuits and the host of many, many targets of similarly-misguided lawsuits -- has instituted a nifty new flag that lets readers and reviewers know which businesses are issuing legal threats or filing lawsuits over negative reviews. The warning -- pictured below -- first showed up in May after Prestigious Pets went legal over a review it didn't care for.
The warning has surfaced again at the page for Dr. Nima Dayani, a New York Dentist. Apparently, Dayani's not a fan of criticism and has initiated legal proceedings against an unhappy customer, as Leticia Miranda of Buzzfeed reports.
Dayani, who says he gets plenty of positive and negative feedback on Yelp and is comfortable with both, says the claims by Rohs weren’t simply a negative review. He alleges her comments amount to defamation, and he sued Rohs two days after the review was posted. It’s an accusation the dentist has levied against at least four previous patients who have written negative reviews about his practice, according to a BuzzFeed News review of court records.
Dayani said false negative reviews like Rohs’ have harmed his practice over time. He said he laid off one part-time staff member because of a drop in business.
“[Rohs] accused me of malpractice by saying I didn’t diagnose her,” he said. “When you are publicly accusing someone of malpractice, you are damaging their reputation.”
This is an odd claim, considering Rohs never once uses the word malpractice in her review, or even alleges anything to that effect. She says she endured a very long wait to see Dr. Dayani and, when he finally did see her, he was "curt and dismissive."
Dr. Dayani was curt and dismissive, and seemed annoyed with the way I answered his questions. But he did seem to be genuinely interested in finding out what was causing my pain, and how it can be helped. However, it was an absurdly long wait. After about an HOUR, I was finally seen (my appt was at 11AM). Then after speaking with him for about 5-10 minutes, he left me for "just a second" to deal with another patient... I didn't see him for another half hour. Of the total TWO HOURS FIFTEEN MINUTES I was there, I think I was speaking to Dr. Dayani for about 30 minutes of that whole time. The rest was spent in his chair, without being offered a water or a magazine. And at the end of it all, he couldn't help determine what was bothering me. I left with a mouth full of pain and a recommendation to see my dentist for a possible cavity.
Four lawsuits against four unhappy patients is no way to run a business. Dayani may claim he only goes after those posting "false" information, but his summation of Rohs' complaint against him is so far off-base, it makes one wonder what he considers to be "false."
But more disturbing than his tendency to sue negative reviewers is the offer he made to Buzzfeed News, as pointed out by Adam Steinbaugh.
Dayani insists that he only goes after online reviewers who post false information. He offered BuzzFeed News the opportunity to visit his office and review records related to the cases where he has sued patients to prove their allegations are false. BuzzFeed News declined.
When a medical professional offers to potentially violate HIPAA privacy protections to protect his reputation, it's a pretty good sign the medical professional doesn't have much reputation left to burn. This indicates -- along with the lawsuits -- that Dr. Dayani isn't quite as receptive to criticism as he claims.
The upshot is that Yelp is now publicly calling out businesses who use legal threats and litigation to manage their reputations. It serves as a counterweight to those whose ratings might seem suspiciously high and serve as a warning to those who might be unhappy with their experience, but not quite ready to retain a lawyer.
14 Comments | Leave a Comment..
Posted on Techdirt - 27 July 2016 @ 2:36pm
The FBI's surreptitious recording devices -- scattered around three California courthouses -- raised a few eyebrows when the recordings were submitted as evidence. The defense lawyers wondered whether the devices violated the conversants' expectation of privacy, admittedly a high bar to reach considering their location near the courthouse steps -- by every definition a public area.
The defense team cited a Supreme Court decision involving phone booths, hoping to equate their clients' "hushed tones" with closing a phone booth door. Small steps like these -- used by everyone -- are attempts to create privacy in public areas, but courts are very hesitant to join defendants in erecting privacy expectations in public places.
A judge presiding over one the cases (involving alleged bid rigging for auctioned property) thought there might be something a bit off about the location of the FBI's devices.
Although Breyer held off on ruling, he expressed at least gut-level discomfort with the notion of government agents listening at the courthouse door.
"Let's say I was out of that courthouse that day, I used the staff entrance and I turned my law clerk," the judge said. "I wouldn't know [about that recording], would I, unless the government turned it over?"
Judge Phyllis Hamilton, in her denial [PDF] of a motion to suppress the recordings, is similarly hesitant to condone the FBI's eavesdropping, but can't find enough of a reasonable expectation of privacy to prevent the recordings from being admitted as evidence. (via FourthAmendment.com)
First off, the conversations captured during these particular recordings showed the defendants made very little effort to speak in the "hushed tones" suggested by their defense team.
The recordings at issue intercepted defendants’ communications that were made at a normal conversational volume level, not in hushed or whispering tones. Many conversations were conducted by participants in loud voices, sometimes laughing out loud. In particular, the audio recording of a conversation among a group of about eight to ten men on August 17, 2010, at the Fallon Street bus stop, which was played for the grand jury during the indictment presentation in United States v. Florida, et al., CR 14- 582 PJH, reflects that the participants had to project their voices and yell to be heard over the sound of a nearby jackhammer…
In the video footage accompanying many of the audio recordings, including the video clip that was played for Witness 1 and the grand jury, the participants are not seen appearing to whisper or covering their mouths when having audible conversations that can be heard on the recording.
The judge goes on to point out that these conversations could be overheard by many passersby, including the steady traffic of law enforcement personnel to and from the building. And when efforts were made to speak in quieter tones, the FBI's microphones were apparently unable to obtain audible recordings of these discussions.
However, the judge agrees that the location of the devices is somewhat questionable.
While the court agrees with defendants that it is at the very least unsettling that the government would plant listening devices on the courthouse steps given the personal nature of many of the conversations in which people exiting the courthouse might be engaged, it is equally unrealistic for anyone to believe that open public behavior including conversations can be private given that there are video cameras on many street corners, storefronts and front porches, and in the hand of nearly every person who owns a smart phone.
Given the facts of this case -- that the defendants apparently made little to no effort to prevent their conversations from being overhead -- this conclusion is likely the right one. But it goes on to suggest that no private conversation held in a public place can be considered to have an expectation of privacy, no matter what steps conversants might take to prevent being overheard. If even a slim possibility exists that someone other than those engaged in the conversation might be able to hear it, then there is no expectation of privacy.
Read More | 30 Comments | Leave a Comment..
Posted on Techdirt - 27 July 2016 @ 1:03pm
Law enforcement is still trying to break into iPhones and still using the All Writs Act to do so. A sex trafficking prosecution involving the ATF has resulted in a suspect being ordered to cough up his, um, fingerprint, in order to allow investigators to access the contents of his phone. Matt Drange of Forbes has more details [caution: here there be ad-blocker blocking]:
Prosecutors hoped that the search, conducted on an iPhone 5s by special agent Jennifer McCarty of the Federal Bureau of Alcohol, Tobacco, Firearms and Explosives, would help them piece together evidence in an alleged sex trafficking case involving a man named Martavious Keys. Keys had the iPhone with him when he was arrested on May 19, according to recently unsealed court filings. A week later, on May 26, prosecutors asked the judge in the case to force Keys to open the device with his fingerprint, unlocking a potential trove of information including emails, text messages, contacts and photos stored on the device that could be used as evidence.
While courts generally agree that a fingerprint is non-testimonial -- despite its ability to unlock all sorts of testimonial stuff -- there aren't too many courts willing to extend that coverage to passwords. There are exceptions, of course, but items held in someone's mind are given a bit more deference than those at their literal fingertips.
And that's likely why the All Writs-compelled fingerprint access hasn't allowed the ATF inside Keys' phone. The feds can force Keys to place his finger on the iPhone screen all they want, but it likely won't unlock the device. Apple's security requires a passcode as well as a fingerprint if it's been more than 48 hours since the phone was last unlocked. The time elapsed between when the phone was seized and the order obtained for Keys' fingerprint added another layer of security to the phone -- one not so easily defeated with All Writs orders.
Keys is no one's idea of a sympathetic party. He allegedly forced two teen girls, aged 14 and 15, to have sex with men for several hours a day by drugging them into submission. Whether or not his phone contained more evidence is unknown. It's unclear from the recently unsealed documents whether federal investigators found another way into the device after the application of Keys' fingerprint failed to unlock the phone.
And that's sort of a problem. The government is using All Writs orders for a great many things these days, often during sealed cases and with little to no transparency. The fact that Congress apparently authorized this as a fill-in for things warrants couldn't necessarily reach has made the use of All Writs requests both indispensable and easily-abused. The fact that Congress authorized this in 1789 -- with no conceivable idea of the form "papers" would take over the next 200+ years -- usually seems to work in the government's favor.
A bit more transparency would go a long way to assuage concerns about abuse, but overuse/abuse of the 1789 Act is likely the reason there isn't more transparency. If the court decides it's going to compel Keys to turn over his passcode as well (assuming the phone hasn't already been cracked), at least it won't have to toss him in jail if he doesn't. Keys is already behind bars awaiting trial for his sex trafficking indictment. On one hand, that lowers the coercive value of imprisonment. On the other hand -- if he refuses and is hit with a contempt order -- he'll remain in jail indefinitely, even without having been found guilty of anything more than contempt of court.
26 Comments | Leave a Comment..
Posted on Techdirt - 27 July 2016 @ 9:34am
How do we know the CFAA is a terrible law? Because even "civilians" abuse it. Or at least try to.
Back in April, the Colorado Republican Committee's (CRC) Twitter account tweeted out something a bit concerning after Ted Cruz nailed down all 34 delegates at a committee assembly in Colorado Springs.
If you can't see the tweet, it says:
We did it. #NeverTrump
The tweet was taken down minutes later and the official Twitter account explained that someone with "unauthorized access" had posted the tweet and it was not a reflection of the Colorado GOP's official stance.
This led to a brief internet wildfire, where CRC reps were interviewed by reporters about the tweet and enraged Trump supporters [also: 4chan] -- believing the fix was in -- began posting threatening messages to and about Colorado GOP leaders. So far, so internet.
The CRC took this a step further though, attempting to sue the "Doe" with allegedly "unauthorized access" for breaching the "threat to public health or safety" clause of the CFAA. The original complaint [PDF] shows the CRC is perhaps far better at electioneering than investigating.
Over the next three weeks, the CRC conducted an investigation into the origin of the tweet. CRC was able to confirm that the fraudulent tweet was sent using the Twitter for iPhone app, but was not able to determine the identity of the responsible individual.
Armed with info that anyone else could have obtained in seconds rather than weeks, the CRC decided it could mass email the perp into turning themselves in:
On April 19, 2016, the CRC sent an e-mail to all individuals who had at one point been authorized to access to the @cologop account asking that they identify themselves by 5:00pm on Wednesday, April 20, 2016 if they were responsible for the fraudulent tweet.
Unsurprisingly, this failed to uncover the perpetrator. It also made it clear that, until this point, the keepers of the official Twitter account never considered that telling formerly authorized users not to use the account is way less effective than actually revoking their access by changing the password.
The court was unimpressed with the original complaint and ordered the plaintiffs to show cause or GTFO. The amended complaint [PDF] contains much more detail, including the supposed expenses incurred as a result of the short-lived tweet. Apparently, everyone involved in the "investigation" spent "hours" determining that someone used an iPhone to send the tweet.
CRC’s internal staff spent hours communicating with its past and present thirdparty vendors to ascertain if any of their personnel accessed CRC’s Twitter account.
CRC’s internal staff also spent hours communicating to Twitter over the phone and through emails.
CRC’s officers and staff spent time responding to the press over the tweet.
Some of those hours were billable, so to speak.
At least 70 percent of Kohli’s time for the week following the assembly and convention and at least 25 percent of the following week was spent responding to the aftermath of the tweet, including making numerous phone calls and emails about CRC’s progress in identifying the anonymous tweeter, determining who had access to the @cologop Twitter account, and answering media requests. This resulted in a loss to CRC of at least 70 percent of his time for one week and 25 percent of him time for another week. Since his annual salary is $65,000, this loss totals at least $1,187.50.
Internet molehill having been sufficiently mountained, the amended complaint goes on to detail the threats received by CRC officials before trying to claim these threats were somehow induced by a tweet that, itself, was not threatening in any form.
Defendant’s conduct in sending the fraudulent tweet caused damage to CRC in the form of death threats to its officers and employees, closure of its offices, and harm to its reputation.
The threats received by the CRC, its officials, and personnel constituted a threat to public health or safety within the meaning of 18 U.S.C. § 1030(c)(4)(a)(i)(IV).
And there's the CFAA tie-in.
Even with certain deficiencies addressed, the CRC still can't assemble a claim that the court can move forward with. The judge has dismissed the complaint in its entirety, pointing out that just because certain things happened after another thing happened doesn't mean the first thing that happened (the bogus tweet/"unauthorized access") is directly responsible for statements made by a bunch of other internet denizens. (h/t Raul)
CRC argues that its Amended Complaint cures the defects addressed in the Court's Order to Show Cause, specifically: (i) it identifies time spent by its staff investigating the unauthorized access as the "loss" that it suffered under 18 U.S.C. § 1030(e)(11), (g); and (ii) that the "threat to public health or safety" required by 18 U.S.C. § 1030(c)(4)(A)(i) and (g) is satisfied by allegations that it was reasonably foreseeable that the publication of the unauthorized message would induce third parties to respond with threats of harm to CRC officers. Although the Court accepts the first proposition, it finds the second to be deficient as a matter of law.
In the Order to Show Cause, the Court previously addressed why 18 U.S.C. § 1030(g)'s "involves" language requires a plaintiff to allege that the unauthorized computer access itself poses a risk to public health or safety, and that the requirement is not satisfied by an allegation that the unauthorized access indirectly caused such a risk to emerge from another source. CRC's response cites to various cases that have used the term "caused" in discussing other provisions of the Act.
The Court finds these cases to be off-point and unpersuasive.
Fortunately, the court takes the CFAA's public health and safety clause and presents a narrow reading of it -- somewhat of a rarity in CFAA-related cases.
As discussed previously, the threat requirement might be met if the unauthorized access disables computers or deletes data essential to providing medical treatment, public utilities, or emergency response services, but not where the unauthorized access has a benign primary effect but induces others to harmful acts. For example, a user who hacks into the social media account of a classmate and encourages him or her to commit suicide might be liable for engaging in conduct posing a risk to health and safety, but a user who hacks into the same classmate's account and merely taunts the classmate for being unattractive cannot be said to have engaged in conduct threatening public health and safety even if the now-despondent classmate reacts to the taunting by committing suicide. Such example entails the user specifically employing the unauthorized access to bring about the risk to public health, and in such circumstances, the use of a predominantly criminal statute to afford civil relief might be proper. The latter example draws upon the complex, wide-ranging, and sometimes attenuated principles of tort causation, importing that sprawling and imprecise inquiry into a statute that was clearly intended to have a narrow, focused reach.
While the fallout of the bogus tweet may have been inconvenient and surrounded by threats from irate GOP members (oh, and 4chan...), the tweet itself was not threatening nor did it call for threats to be made. That one led to the other is undeniable, but it was in no way definitely foreseeable that the tweet would have this effect.
The CRC's complaint is, at best, an expensive windmill tilt, tossed into court solely for the purpose of exposing the "unauthorized" tweeter to angry CRC officials. It has nothing to do with CFAA violations -- which were apparently added to make a federal case out of the CRC's failure to address its own operational security issues until it was too late.
Read More | 10 Comments | Leave a Comment..
Posted on Techdirt - 25 July 2016 @ 3:23am
Yahoo's in the middle of another national security-related courtroom battle, albeit somewhat inadvertently. Its response to a discovery order in a drug dealer's trial has left the defense wondering exactly how the hell it complied with it. Joseph Cox of Motherboard has more details.
Defense lawyers in the case claim that six months of deleted emails were recovered—something which Yahoo's policies state is not possible. The defense therefore speculates that the emails may have instead been collected by real-time interception or an NSA surveillance program.
United States Magistrate Judge Maria-Elena James, from a San Francisco court, granted the defense's motion for discovery in an order filed on Wednesday.
Russell Knaggs, the accused drug dealer, apparently utilized a Yahoo email account to hook up suppliers in Colombia with buyers in Europe. To add to the difficulty level, Knaggs did this while serving time for another drug bust. The method used was not all that uncommon. Everyone shared a single email account and composed draft messages. Each party would log into the account, read the draft message left for them, and compose a draft of their own in response. No emails were sent. All drafts were then deleted from both the "Draft" folder and the "Trash."
According to Yahoo, there was no way for Yahoo to retain these messages. Except that it did and turned them over to law enforcement, suggesting ongoing surveillance, rather than the recovery of communications from the account.
After receiving requests from UK police and the FBI in September 2009 and April 2010, Yahoo created several “snapshots” of the email account, preserving its contents at the time—and revealing the messages. But the defense alleges there should have been nothing for law enforcement to find.
Yahoo's explanation is that the recovered emails were copies created by the email service's “auto-save” feature, which saves data in case of a loss of connectivity, for example. The company has filed several declarations from a number of its staff, but the defense said some of those contradicted each other, and it wants more information.
Here's what the defendant's tech expert had to say in his testimony [PDF].
With regard to Yahoo‟s “snapshot” and its process of “retriev[ing emails] from the servers because their auto-save function systematically preserved edits made over time,” Abramson says the descriptions Yahoo gives of its auto-save feature are inconsistent, contradictory, and furthermore “do not align with [Abramson‟s] understanding of such programs.” Abramson contends Yahoo‟s statements “do not in fact agree with common technical principles. The timing of e-mail data saved between 2 minutes and several seconds is not consistent.” Abramson Rpt. at 8. He asserts that “[a] more plausible explanation for the e-mail information provided to law enforcement is that the e-mail account of Mr. Knagg‟s [sic] was under surveillance and through the immediate efforts of surveillance, Yahoo was able to capture the email information and provide it to law enforcement.”
The defense wants several things from Yahoo, including source code, in hopes of sussing out the methods used to capture and preserve these draft messages. Yahoo would rather not give this information up. The judge, while somewhat sympathetic to Yahoo's arguments, also notes it's the company's own inconsistent explanations that have led to this situation.
The Court agrees with Yahoo that Petitioner's requests are somewhat broad; however, the Court also agrees that Yahoo‟s seemingly conflicting responses up to this point create a situation where Petitioner cannot be certain he understands the process of information gathering he seeks to challenge. While Yahoo believes that Petitioner seeks information that is cumulative given its interrogatory responses, it would appear that the requested discovery would not necessarily be cumulative, but might instead provide clarity to Petitioner regarding Yahoo‟s data-gathering methods. Additionally, since the documents Petitioner requests are potentially the same ones that helped Chan “clarify” her previous statement and better understand the data-gathering process, it would appear that these documents could help Petitioner gain a better understanding of the system as well, and could help to prove or disprove one of the grounds of his appeal, as is the purpose of his discovery request. The Court also notes that Chan‟s responses up to this point do not provide the sort of personal knowledge or foundational information for the Court or Petitioner to be able to adequately assess her responses. Consequently, Petitioner's request for documents and a 30(b)(6) deposition is appropriate rather than ordering further interrogatory responses.
The list of items the defense wants has been scaled back by the judge, but what remains will still provide a glimpse into Yahoo email's inner workings, including any evidence of targeted or bulk surveillance methods put into place by the company. Whether or not we'll get to see it is another matter, as the judge will consider instituting a protective order if the information produced is deemed too sensitive.
What it sort of looks like is possibly illegal surveillance being covered up with parallel construction. The problem with this theory is that Yahoo has been more than a little resistant to broad surveillance requests. That doesn't completely rule out complicity, but it would definitely be a risky move for a private company to cover for government wrongdoing. When (and if) more details are provided, we'll know more. If nothing else, it may indicate draft messages are indiscernible from sent messages, at least when it comes to Yahoo's servers.
Read More | 31 Comments | Leave a Comment..
Posted on Techdirt - 22 July 2016 @ 6:15pm
Judge Alex Kozinski pointed out the obvious in a Ninth Circuit Appeals Court decision:
There is an epidemic of Brady violations abroad in the land. Only judges can put a stop to it.
Brady evidence -- possibly exonerating evidence that prosecutors are required to turn over to the defense -- is far too frequently withheld and/or buried. The punishments for violating this requirement are almost nonexistent. The prosecution hates to see wins become losses. And the government in general -- despite declaring fair trials to be the right of its citizens -- hates to play on a level field.
A federal judge withdrew from a forensic evidence committee because the government told him it wasn't his job to point out the severely-flawed pre-trial forensic evidence discovery procedures deployed by prosecutors. Judge Rakoff called the government out in his resignation letter.
The notion that pre-trial discovery of information pertaining to forensic expert witnesses is beyond the scope of the Commission seems to me clearly contrary to both the letter and the spirit of the Commission’s Charter… A primary way in which forensic science interacts with the courtroom is through discovery, for if an adversary does not know in advance sufficient information about the forensic expert and the methodological and evidentiary bases for that expert’s opinions, the testimony of the expert is nothing more than trial by ambush.
"Trial by ambush" will continue unabated. Prosecutors will shrug off the minimal punishments for withholding evidence. The DOJ will continue to argue that it's allowed to erect as many roadblocks as it wishes in front of defendants.
The DC Appeals Court has allowed the DOJ to retain another aspect of its "trial by ambush" strategy, as reported by Mario Machado of Fault Lines.
The D.C. Court of Appeals declared that the federal government will not have to disclose the contents of a guide that determines when its prosecutors should disclose evidence to the accused. The Department of Justice’s “Blue Book” stays in-house, at least for the time being.
The "Federal Criminal Discovery Blue Book" was crafted after DOJ prosecutors were blasted by a judge for their actions in the prosecution of Senator Ted Stevens.
In nearly 25 years on the bench, I have never seen anything approaching the mishandling and misconduct I have seen in this case.
Brady material was withheld from the defense, something that would have never been discovered without an FBI whistleblower stepping forward. The new guidelines were supposed to make things better. Very little seems to have changed since its introduction. And no one on the defense side of the fight has any idea what prosecutors are required to do under these guidelines.
The National Association of Criminal Defense Lawyers (NACDL) tried asking the government for a copy. This was denied. So, it filed a FOIA request for the "blue book." This, too, was denied, with the government claiming its internal guidelines for ensuring a fair fight were not subject to FOIA requests. From the DC Appeals Court decision [PDF].
The Department refused to disclose the Blue Book, invoking the Freedom of Information Act’s Exemption 5, which exempts from disclosure certain agency records that would be privileged from discovery in a lawsuit with the agency. The Department maintained that the Blue Book fell within the attorney work-product privilege, and therefore Exemption 5, because it was prepared by (and for) attorneys in anticipation of litigation.
This claim is laughable. Of course it's for litigation. But it's not for any specific litigation. It's for use in all DOJ prosecutions, which makes it more aligned with general information, rather than a narrow slice of "attorney work-product." The NACDL pointed this out.
The NACDL argued that the Blue Book fell outside the work-product privilege because it had a non-adversarial function, to wit: the training and education of the DOJ’s vaunted prosecutors. It also argued that its disclosure was fair game because it was not drafted with a specific litigation in mind, but ultimately the Court sided with the federales, who fought tooth and nail to keep the book under wraps.
One part of the judicial system has seen the contents of the "blue book" (other than DOJ prosecutors): the district court. An in camera presentation to both the lower court and the appeals court has allowed both to reach the decision they have. But will it result in the courts holding the DOJ to their own super-secret standards? Of course not.
Judges are presented with evidence obtained through discovery. They have no idea whether all of it is present or if the DOJ followed its own instructions for handing over Brady material to the defense. The judges' viewing of this internal document will not result in greater accountability.
Handing these guidelines over to defense lawyers, however, would give them more avenues to challenge withheld evidence and other perceived violations in disclosure. The government doesn't like this idea and claims that a more level playing field would severely hamper its prosecutions. One is inclined to agree with the DOJ's claim about hampered prosecutions, although not for the reasons it states.
DOJ thus argues that disclosing the Blue Book would “essentially provide a road map to the strategies federal prosecutors employ in criminal cases.” Id. It contends that disclosure would afford anyone who wanted to read the Blue Book (including opposing counsel) “unprecedented insight into the thought processes of federal prosecutors.” Disclosure thus would “undermine the criminal trial process by revealing the internal legal decision-making, strategies, procedures, and opinions critical to the Department’s handling of federal prosecutions.” In addition, it would “severely hamper the adversarial process[,] as DOJ attorneys would no longer feel free to memorialize critical thoughts on litigation strategies for fear that the information might be disclosed to their adversaries to the detriment [of] the government’s current and future litigating positions.”
In other words, the fight might be slightly fairer, and the government won't be having any of that. The DC Circuit is now completely complicit in the government's "trial by ambush" plans.
Read More | 18 Comments | Leave a Comment..
Posted on Techdirt - 22 July 2016 @ 2:33pm
The administration's brief flirtation with converting occupying forces back into police departments is apparently over. In the wake of the Ferguson protests, the administration announced its plan to rein in police departments which had been availing themselves of used military gear via the Defense Department's 1033 program. This itself was short-lived. A year later, the administration mustered up enough enthusiasm for another run at scaling back the 1033 program, but it has seemingly lost some steam as Obama heads for the exit.
The images of police greeting protesters with assault rifles, armored vehicles, grenade launchers, and officers who appeared to mistake the Midwest for downtown Kabul apparently was a bit too much. It looked more like an occupation than community-oriented policing -- something every administration has paid lip service (and tax dollars) to over the past few decades while simultaneously handing out grants that turned police officers into warfighters.
That's all off the table now. Two recent shootings of police officers have effectively dismantled the dismantling of militarized police forces.
The White House will revisit a 2015 ban on police forces getting riot gear, armored vehicles and other military-grade equipment from the U.S. armed forces, two police organization directors told Reuters on Thursday.
Shortly after the recent shooting deaths of police officers, President Barack Obama agreed to review each banned item, the two law enforcement leaders said.
That could result in changes to the ban imposed in May 2015 on the transfer of some equipment from the military to police, said Jim Pasco, executive director of the Fraternal Order of Police, and Bill Johnson, executive director of the National Association of Police Organizations.
The law enforcement lobbyists met with the President and Vice President, and it appears Obama has sent the administration's chief legal counsel to "review" the ban. The law enforcement organizations claim police need greater protections now, even though the recent clustering of officer deaths doesn't put the nation on track for anything more than an average year of on-duty deaths.
But, while the chance of being killed in the line of duty remains steady, agencies are pushing for a return to pre-2015 levels of military gear, including tracked vehicles and grenade launchers "to deal with riots." It doesn't appear that any words were wasted discussing the underlying causes of the protests officers are now facing -- none of which will be resolved with increased police militarization. Put someone in war gear and they're going to be pretty sure they're in a war, rather than serving the public as a trusted member of the community.
35 Comments | Leave a Comment..
Posted on Techdirt - 22 July 2016 @ 1:04pm
Yet another politician can be added to the list of people who think police officers just don't have enough protections as is. Following in the footsteps of legislators in New Jersey and Minnesota -- along with Rep. Ken Buck (CO) -- Texas governor Greg Abbott has decided it's time to treat attacking officers as a "hate crime."
Texas Gov. Greg Abbott (R) wants the targeted killing of a police officer to be deemed a hate crime in Texas and urged lawmakers to send him such a bill to sign during next year’s legislative session.
Abbott announced Monday his plan to lobby for adding his Police Protection Act to Texas law. Along with extending hate-crime protections to law enforcement, the measure would also increase criminal penalties for any crimes in which the victim is a law enforcement officer and “create a culture of respect for law enforcement by organizing a campaign to educate young Texans on the value law enforcement officers bring to their communities,” according to a statement from Abbott’s office.
Nothing "creates a culture of respect" like handing beneficiaries of a host of "extra rights" even more protection in the form of stiffer penalties just because the victim was wearing a certain uniform. As Fault Line's JoAnne Musick points out, "hate crime" laws are generally enacted to provide greater protections for historically underprotected classes, not those already in positions of power.
Are police an otherwise vulnerable group? Is violence against an officer intended to hurt or intimidate the entire police community? Are crimes against officers underreported and in need of encouragement to prosecute them? Plain and simple, the answers are no. Police are not particularly more vulnerable. In fact, they are better trained and greater equipped to protect each other and themselves. Crimes against police are rarely underreported. They are most definitely heavily prosecuted – as they should be. So, why is there a need to create a special class?
The Dallas shooting that left five officers dead is the only reason this call for legislation even exists. It's a kneejerk reaction that shifts even more power to the powerful. It's sure to gather support from legislators because who could possibly be opposed to punishing cop killers? Add to that the further consolidation of power it represents and there's very little chance someone won't run this up the legislative flagpole. After all, the governor himself is calling for legislation, so it's guaranteed to become law if it hits his desk. That's an easy win -- something legislators like almost as much as jingoism and "tough on crime" posturing.
Rather than address the issues that have led to this (seeming) flashpoint (despite the recent murders of police officers, numbers are still on track for another "normal" year in on-duty officer deaths), politicians like Abbott have decided to give law enforcement yet another tool to use to significantly harm anyone who doesn't immediately comply with their commands. And this is in a state that already adds years to sentences if the crime victim is a police officer.
[A] simple assault is a class A misdemeanor carrying a punishment of up to one year in jail; however a simple assault against a police officer is a third degree felony punishable up to 10 years in prison.
That's the current law. Abbott wants something above and beyond this. Simple assault, under current Texas law, includes simply threatening someone or "provocatively" making physical contact. Push back when being arrested? That's assault. Accidentally bump an officer's elbow while attempting to comply with a frisk? Assault. The law already encourages prosecutors to pile on. This would make it even worse.
The underlying issues, which have prompted a horrifically violent reaction, aren't going to be mitigated by giving law enforcement and prosecutors even more leverage. Greg Prickett -- a 20-year veteran of law enforcement -- points out that the current miserable state of affairs can't be blamed on anything other than law enforcement's own actions over the past few decades. According to Prickett, this is what's prompted the shooting of law enforcement officers.
It’s simple, really. It is militarization of the police coupled with a lack of accountability for their actions.
Law enforcement has shifted away from being an integral part of the communities they serve and opted instead to view themselves as an occupying force in a war zone. The weapons and vehicles are repurposed military gear. Officers' training goes heavy on force deployment. Very rarely are tactics like de-escalation or actual community-oriented policing given any priority. While there's no condoning the actions of people who kill cops, the reality is that law enforcement itself has shown over the years that its preferred method of communication is violence. It's the only thing it truly understands.
Governor Abbott may think he can reverse this course by throwing more prison time at certain criminals, but it's not going to stop people from killing cops. All it's really going to do is give officers and prosecutors a way to inflict maximum pain for the most minimal injury or perceived slight.
32 Comments | Leave a Comment..
Posted on Techdirt - 22 July 2016 @ 11:58am
Last week's one-sided "hearing" on encryption -- hosted by an irritated John McCain, who kept interrupting things to complain that Apple hadn't showed up to field false accusations and his general disdain -- presented three sides of the same coin. Manhattan DA Cyrus Vance again argued that the only way through this supposed impasse was legislation forcing companies to decrypt communications for the government. The other two offering testimony were former Homeland Security Advisor Ken Wainstein and former NSA Deputy Director Chris Inglis.
Not much was said in defense of protections for cellphone users. Much was made of the supposed wrongness of law enforcement not being able to access content and communications presumed to be full of culpatory evidence.
But one of the more surprising assertions was delivered by a former government official. Wainstein's testimony [PDF] -- like Vance's -- suggested the government and phone makers start "working together." "Working together" is nothing more than a euphemism for "make heavy concessions to the government and prepare to deliver the impossible," as Patrick Tucker of Defense One points out. Wainstein says phone manufacturers must do more than theorize that weakened encryption would harm them or their companies. They must hand over "hard data" on things that haven't happened yet.
Kenneth L. Wainstein, a former assistant attorney general for national security at the Department of Justice, told lawmakers that the burden is on technology companies and privacy advocates to show how backdoors would harm user security, rather than on law enforcement to prove that altering the encryption scheme would be safe.
“For the tech industry and civil liberties groups, this means laying out technically specific support for the contention that a government accommodation would undermine the integrity of default encryption. They should provide hard data that demonstrates exactly how—and how much—each possible type of accommodation would impact their encryption systems. It is only when Congress receives that data that it can knowledgeably perform its deliberative function and balance the potential cybersecurity dangers posed by a government accommodation against the national security and law enforcement benefits of having such an accommodation in place,” he said.
The only thing harder than proving a negative is proving how badly things might go if backdoors are inserted or companies are required to retain encryption keys.
As usual, the "smart guys" are ahead of the curve on this bizarre demand. Last year, multiple encryption experts collaborated on a research paper [PDF] that laid out the problems that would result from government-mandated access.
In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates. We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today's Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today's Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws.
So, if Wanstein is looking for answers, he already has them. So does James Comey. So does Cyrus Vance. (Although, to be fair, Vance hasn't really feigned much concern for tech companies or their customers.) They just don't like the answers they've received. This is why they continue to claim that a perfectly safe, government-mandated encryption backdoor is just a "smart guy" breakthrough away. Any day now, someone at Apple or Google will shout "Eureka" and hand over the unicorn Comey, et al insist must exist.
Read More | 67 Comments | Leave a Comment..
Posted on Techdirt - 22 July 2016 @ 9:41am
Welcome to Bordertown, USA. Population: 200 million. Expect occasional temporary population increases from travelers arriving from other countries. Your rights as a US citizen are indeterminate within 100 miles of US borders. They may be respected. They may be ignored. But courts have decided that the "right" to do national security stuff -- as useless as most its efforts are -- trumps the rights of US citizens.
Wall Street Journal reporter Maria Abi-Habib - a US-born citizen traveling into the States with her valid passport -- discovered this at the Los Angeles International Airport. Her Facebook post describes her interaction with DHS agents who suddenly decided they needed to detain her and seize her electronics.
The DHS agent went on to say she was there to help me navigate immigration because I am a journalist with The Wall Street Journal and have traveled to many dangerous places that are on the US' radar for terrorism.
It's generally a good idea to be wary when government employees suddenly offers to "help."
But after pushing me to the front of a very long line at immigration, she then escorted me to the luggage belt, where I collected my suitcase, and then she took me to a special section of LAX airport. Another customs agent joined her at that point and they grilled me for an hour - asking me about the years I lived in the US, when I moved to Beirut and why, who lives at my in-laws' house in LA and numbers for the groom and bride whose wedding I was attending.
Abi-Habib was very cooperative. She answered all of the agent's questions and remained calm despite this interaction being far from ordinary. It didn't matter. The DHS decided to flex its "our border, our rules" muscle.
[T]hen she asked me for my two cellphones. I asked her what she wanted from them.
"We want to collect information" she said, refusing to specify what kind.
"Collect information." That's intrusion and surveillance that serves no discernible purpose. The DHS was obviously hoping Abi-Habib would remain as cooperative as she had during the previous questioning. But Abi-Habib disappointed the DHS agent by suggesting she should talk to the phones' owner about her search plans, rather than just hope a lengthy, suspicionless detention would prompt Abi-Habib to relinquish consent.
"You'll have to call The Wall Street Journal's lawyers, as those phones are the property of WSJ," I told her, calmly.
She accused me of hindering the investigation - a dangerous accusation as at that point, they can use force. I put my hands up and said I'd done nothing but be cooperative, but when it comes to my phones, she would have to call WSJ's lawyers.
She said she had to speak to her supervisor about my lack of cooperation and would return.
Obstruction is an actual crime. This wasn't an empty threat. I mean, it was an empty threat in the way that government officials hand out threats they have no intention of following through with as a means of coercion, but it was not empty as in "without enforceable consequences." It was meant to make Abi-Habib more receptive to granting the DHS permission to search the phones. But behind the threat is an actual criminal statute that could have turned this from a detention to an arrest. And all because the DHS didn't want to obtain consent for its search from the phones' actual owner.
Abi-Habib called the DHS agent's bluff. The DHS relented.
The female officer returned 30 minutes later and said I was free to go.
Abi-Habib's post closes by noting she doesn't fit any terrorism profile and offers security tips for those traveling in and out of the US -- like leaving everything behind that could be searched/seized, or travel with a recently-wiped phone.
The DHS's actions here are disturbing. It suggests agents dig through devices on a regular basis, even when there's a complete lack of suspicion. Laws and court rulings confirm there is a lowered expectation of privacy at US borders, but the agency's refusal to follow through with a search of the devices makes it clear agents are looking to hassle people they think won't fight back -- either during the detention, or after the fact with lawsuits and/or public discussions of their treatment. It's incidents like these that show many public security efforts by government agencies are almost entirely ornamental. It's the illusion of security, rather than an actual protective effort. Border agents dig around in people's stuff just because they can, not because they need to.
60 Comments | Leave a Comment..
Posted on Techdirt - 21 July 2016 @ 4:18pm
An interesting ruling out of Georgia states that an unconventional method to determine a cell phone's owner is not a search under the Fourth Amendment. The appeals court decides [PDF] that the information obtained has no expectation of privacy.
Because Hill had no reasonable expectation of privacy in the information at issue – his own name, date of birth, and phone number – we agree with the state there was no search under the Fourth Amendment, and accordingly we reverse.
The background is this: James Brandon Hill exited a taxi cab without paying, leaving his phone behind. The cab driver reported this to the police and an officer dialed 911 to obtain the owner's info. The court doesn't touch the issue of abandonment -- which would likely have made the search legal. But its decision that the method used to obtain this info isn't a search seems to be a bit off.
While the information received may have had no expectation of privacy, an officer accessing a cell phone without a warrant is questionable under the Supreme Court's Riley decision. As noted above, the warrantless search still likely would have survived a motion to suppress as the phone was abandoned in the cab. In fact, Hill does not challenge the seizure of the phone -- only the search.
The Third Party Doctrine is in play here, what with this information being handed over to a service provider in exchange for phone service. The opinion quotes Orin Kerr in support of its Third Party Doctrine assertions.
Consistent with this distinction, we have held in a case involving a landline phone that the Fourth Amendment “protects only the content of a telephone conversation and not the fact that a call was placed or that a particular number was dialed.” Stephenson, supra, 171 Ga. App. at 939 (citation and punctuation omitted). See generally Orin S. Kerr, Applying the Fourth Amendment to the Internet: A General Approach, 62 Stan. L. Rev. 1005, 1019 (II) (A) (2010) (originating telephone number is non-content information analogous to return address on envelope).
But that applies only to phone call routing info, not the user's personal information. It's a good thing this citation isn't a direct comparison because Orin Kerr doesn't agree with the court's decision on the search issue.
Held: Calling 911 from a phone is not a “search” because it only obtains non-content information about the phone that is not protected under Smith v. Maryland.
I don’t think that reasoning works, as it’s mixing up two different questions: (1) whether calling from the phone is a search of the phone, and (2) whether, once the call is placed, receiving the number dialed at 911 is a search of the number. I think calling 911 is a search because of (1), not because of (2). Calling 911 pushes out the number from the phone, and I think that forced revealing of the number should count as a search of the phone.
The decision's implications go much further than this one-off case where an abandoned phone was discovered and "forced" to reveal user info by a law enforcement officer. Think Stingrays. From the opinion:
The fact that it was a law enforcement officer, rather than Hill, who placed a call from the phone does not change our conclusion that the information obtained was not subject to Fourth Amendment protection. Cases from other jurisdictions illustrate this point. In United States v. Skinner, 690 F3d 772, 777-778 (II) (A) (6th Cir. 2012), for example, the United States Court of Appeals for the Sixth Circuit held that law enforcement agents could take action to cause a cellular phone to emit information from which they could track it without running afoul of the Fourth Amendment, because the defendant did not have a reasonable expectation of privacy in the location data emitted from the phone.
If this isn't a search, then the use of an IMSI catcher isn't a search, even though it involves the manipulation of a person's phone by law enforcement to obtain information otherwise not immediately obtainable.
As for the Riley decision, the court decides use of the phone is not the same as accessing the phone's contents.
Here, in contrast to Riley, the officer did not access any files on Hill’s phone, which was protected by a passcode. He “did not attempt to retrieve any information from within the phone,” United States v. Lawing, 703 F3d 229, 238 (II) (A) (ii) (4th Cir. 2012), but instead used the phone in a manner that caused it to send Hill’s telephone number to a third party, the 911 dispatcher. We do not construe Riley to prohibit an officer in lawful possession of a cellular phone from placing a call on that phone in an attempt to obtain identifying information about its owner. Moreover, we do not construe Riley to recognize a legitimate expectation of privacy in identifying, non-content information such as the person’s own phone number, address, birthdate, simply because that information was associated with a cellular phone account rather than a landline phone account or a piece of physical mail.
While historical cell site location info is generally considered to be free of expectations of privacy under the Third Party Doctrine, real-time access of this same information is still under discussion in several courts. Making the argument that law enforcement manipulation of a person's cell phone to extract information not otherwise immediately obtainable suggests that this particular court would look favorably on the use of Stingray devices to locate cell phones. After all, the phone's location is a third-party record, even though it's not a third-party record that isn't normally obtainable as it's being generated.
It's a limited ruling from a state appeals court, but it still shows advances in surveillance tech will be granted a lot of leeway by judges because of a decision nearly four decades old at this point (Smith v. Maryland, 1979). Had the court come to the conclusion it was a search, it wouldn't have saved Hill (because he abandoned his phone), but it at least would have recognized it's one thing to obtain third-party records from a third party. It's quite another when the government uses a closed loop to obtain the same info.
Read More | 41 Comments | Leave a Comment..
Posted on Techdirt - 19 July 2016 @ 4:13pm
A bizarre case comes out of the Texas court system -- landing squarely in the middle of a legal Bermuda Triangle where illegal searches meet civil asset forfeiture… and everything is still somehow perfectly legal. (via FourthAmendment.com)
The facts of the case: police officers arrested Miguel Herrera and seized his 2004 Lincoln Navigator. An inventory search of the vehicle uncovered drugs and the state moved to seize the vehicle itself as "contraband" using civil (rather than criminal -- this is important) asset forfeiture. Herrera argued that the stop itself was illegal and anything resulting from it -- the drugs and the civil seizure of the vehicle -- should be suppressed.
The Supreme Court of Texas examines the facts of the case, along with the applicable statutes, and -- after discarding a US Supreme Court decision that would have found in Herrera's favor -- decides there's nothing he can do to challenge the seizure. He can't even move to suppress the evidence uncovered following the illegal stop -- the same search that led to the state seizing his vehicle under civil forfeiture statutes.
The presiding judges spend several pages (including two concurrences) discussing the aspects [PDF] of this case in detail, but cannot bring themselves to exclude the evidence obtained from the illegal search, much less return Herrera's vehicle to him.
First, the court decides that the deterrent effect of suppressing the evidence is outweighed by the cost to society.
In this case… the exclusion of admittedly relevant evidence imposes a substantial social cost. Here, the vehicle and the evidence found within it are indisputably relevant—if the state shows by a preponderance of the evidence that the vehicle was “used or intended to be used in the commission of” a felony under the Controlled Substances Act, then it is “contraband.” If it qualifies as contraband under Chapter 59, then it “is subject to seizure and forfeiture.”
Additionally, applying the exclusionary rule here ostensibly results in returning a vehicle “used or intended to be used” in the commission of drug crimes to its owner. See CODE CRIM. PROC. art. 59.01(2)(B)(i). Applying the rule to Chapter 59, therefore, would likely have the undesirable effect of politely handing such vehicles—or computers, money, weapons, or whatever else—back to those who might put them to criminal use.
The court moves on to dismiss the Supreme Court's 1965 decision (One 1958 Plymouth Sedan v. Pennsylvania), suggesting not only that things have changed too much over the past 50 years to consider it relevant, but also -- unbelievably -- that the seizure of a person's assets via civil forfeiture is not a form of punishment.
[T]he legal and jurisprudential landscapes have changed significantly since Plymouth Sedan was decided in 1965, weakening some of the opinion’s underpinnings. For one thing, Plymouth Sedan was decided at “a time when [the Supreme Court’s] exclusionary-rule cases were not nearly so discriminating in their approach to the doctrine,” yet more recently the Court has “abandoned the old, ‘reflexive’ application of the doctrine, and imposed a more rigorous weighing of its costs and deterrence benefits.” Thus, the Court’s more recent jurisprudence, and its now well-established cost-benefit analysis, controls our analysis. And, as discussed, the “deterrences against [illegal searches] are substantial—incomparably greater than the factors deterring warrantless entries when Mapp [and Plymouth Sedan] [were] decided.”
Finally, in Plymouth Sedan, the forfeiture proceeding’s “object, like a criminal proceeding, [was] to penalize for the commission of an offense against the law.” See 380 U.S. at 700. Chapter 59 forfeitures, on the other hand, are expressly civil and non-punitive; indeed, “[i]t is the intention of the legislature that asset forfeiture is remedial in nature and not a form of punishment.”
It's hard to see how civil asset forfeiture isn't a form of punishment. Without having to prove an asset was illegally obtained or used in criminal activity, the state can simply take cars, money, houses, etc. away from citizens simply by providing a limited amount of evidence suggesting these might have been related to criminal activity. And if the state is wrong, it's still a long, uphill battle for anyone seeking to have their property returned. This is even admitted by the court in the same paragraph.
While this provision certainly relates to criminal activity, it does not require any proof that a person committed a crime—it only requires that the state prove by a preponderance of the evidence that the property is contraband.
The court then concludes that neither the Fourth Amendment nor the state's civil forfeiture statutes provide a remedy for Herrera -- at least not one the court is willing to grant.
Even if the state is not statutorily empowered to unlawfully seize contraband, (and it is not), what is the remedy for failure to comply with article 59.03(b)? Herrera argued in his motion to suppress—and argues now—that the remedy is exclusion. Yet what is the source of this exclusionary remedy? As discussed above, it is not the Fourth Amendment. The constitutional rule applies only when its deterrence benefits outweigh its heavy social costs, and that is not the case here. Nor does Chapter 59 provide for exclusion. To start, article 59.03(b) deals with seizure of the property to be forfeited; it does not concern itself with other evidence that might be used to prove property is subject to forfeiture. Thus, we reject Herrera’s argument that evidence found during the seizure should be excluded under article 59.03(b).
Moreover, while article 59.03 appears to limit officer conduct as to seizure of property subject to forfeiture, it does not provide a remedy—much less exclusion—for a violation of that apparent limitation. Articles 59.03(a) and (b) provide for how property subject to forfeiture may be seized. Article 59.03(c) requires the peace officer who seized the property to provide the attorney representing the state with a sworn statement including, among other things, “a list of the officer’s reasons for the seizure.” In the forfeiture proceeding, that attorney must then “attach to the notice [of seizure and intended forfeiture] the peace officer’s sworn statement.” See CODE CRIM. PROC. art. 59.04(b). Yet, despite providing fairly detailed notice requirements such as these, Chapter 59 never mentions excluding or suppressing property subject to forfeiture, even if such property is unlawfully seized…
By finding no remedy workable or worthwhile in the face of societal cost, the Texas Supreme Court has given law enforcement another way to salvage evidence obtained by illegal searches: simply seize the "container" (house, car, boat, etc.) the evidence was discovered in.
As defense attorney John Wesley Hall notes in his post on the case, this decision will also encourage more questionable asset forfeitures because the court here has declared it's unwilling to entertain notions of deterrence when dealing with "non-punitive" civil seizures.
I disagree with the lack of deterrence because the seizure for forfeiture is immediate, before booking, and it’s part and parcel of the police arsenal to punish the defendant before trial; that along with a high bail. Besides, the police help finance their drug enforcement operations with forfeitures, even when there’s no prosecution. It’s contingent fee law enforcement.
It's a state Supreme Court decision, so it's precedential. That's the bad news. The (potentially) good news is that it touched on an issue previously handled by the US Supreme Court, so it could be pushed up the judicial ladder back in the direction the ignored decision emanated from. Of course, this Supreme Court has been very inconsistent on Fourth Amendment issues and seems particularly willing to punt on issues it would rather not address directly.
Read More | 90 Comments | Leave a Comment..
Posted on Techdirt - 19 July 2016 @ 2:27pm
Section 230 is not completely screwed! A California appeals court decision has upheld Yelp's immunity to defamation claims, running contrary to findings in two other lawsuits recently decided that state. Eric Goldman has the background on the case.
The lawyer-plaintiff is Lenore Albert. Her Yelp page. She claims a former employee orchestrated a social media attack on her business, including posting fake disparaging reviews on her Yelp page plus this image (which she claims isn’t clearly demarcated as user content instead of Yelp-sourced content)...
Albert also claims that Yelp further screwed up her page when she refused to advertise with it. She sued Yelp for defamation, tortious interference and intentional infliction of emotional distress. The lower court granted Yelp’s anti-SLAPP motion. The appeals court affirmed.
After deciding that posted reviews were not commercial speech (which would not be covered by the state's anti-SLAPP statute) and of public interest (the plaintiff being a lawyer involved in foreclosure proceedings), the court moves on [PDF] to solidly stake out the extensive coverage of Section 230 protections for service providers.
Since Yelp is an internet service provider, it is immunized, under section 230 of the Telecommunications Act of 1996, for defamation contained in any third party reviews on a Yelp page pertaining to a given business. The case law on this point is conclusive…
All doubt is removed when we examine two of the most extreme cases illustrating the immunizing effect of section 230, Barnes v. Yahoo!, Inc. (9th Cir. 2009) 570 F.3d 1096 (Barnes) and Carafano v. Metrosplash.com, Inc. (9th Cir. 2003) 339 F.3d 1119. These cases involved more than simple defamatory third party comments. Rather, in both cases third parties were able to use a website to cast the plaintiff in a decidedly negative false light. In Barnes, the ex-boyfriend of the plaintiff posted revenge porn on the website. The court held the website itself was still immune under section 230. (Barnes, supra, 570 F.3d at p. 1103 [to hold the website responsible would be to treat it like a publisher in contravention of section 230].) And in Carafano, the court held a dating website could not be held responsible for a third party’s virtual impersonation of an actress on the site. Of course, section 230 certainly does not immunize third parties who actually write defamatory posts to a website. (E.g., Bentley Reserve LP v. Papaliolios (2013) 218 Cal.App.4th 418 [former tenant could be liable for postings on Yelp about landlord]), but the website itself is unreachable.
The court also dismisses several other accusations by Albert, noting that Yelp has never solicited defamatory/misleading reviews and acts in good faith to remove defamatory or misleading postings when notified. It also points out that Albert's claim that Yelp itself creates misleading/defamatory reviews is not supported by any available evidence.
The plaintiff has asked for the opportunity to amend her complaint (not a bad idea, considering every allegation was rebuffed), but the court points out that the anti-SLAPP statute would be completely useless if complainants were allowed to rewrite their pleadings in light of a court's decision.
As this court recently pointed out, when a complaint is attacked by an anti-SLAPP motion, it cannot be amended so as to add or omit facts that would take the claim out of the protection of the anti-SLAPP statute. In the instant case, the plaintiff sued the ubiquitous business review internet service Yelp, alleging three causes of action which are unmeritorious. On appeal she posits she might be able to amend to allege other causes of action, at least two of which, unfair competition and false advertising, might arguably have merit given the Second District’s recent decision in Demetriades v. Yelp, Inc. (2014) 228 Cal.App.4th 294 (Demetriades) [suit based on Yelp’s statements about itself].) But whether they have merit cannot be reached in this case. Given the rule against amendments to add or omit facts in anti-SLAPP cases, we must affirm the judgment based on the three causes of action actually alleged.
While the decision does affirm what's already assumed about Section 230 protections, it's good to see these protections reaffirmed -- especially given recent highly-questionable decisions emanating from that area of the country. Yelp will recover the costs of its appeal, and if Albert still has money to blow, she's welcome to sue the people who posted the negative material, rather than the website hosting it.
Read More | 3 Comments | Leave a Comment..
Posted on Techdirt - 19 July 2016 @ 11:49am
No sooner had the ink dried on the Second Circuit Appeals Court decision regarding Microsoft and its overseas servers than new legislation designed to undercut the court's finding has been printed up by the DOJ and presented to the administration.
Microsoft successfully argued that the US government couldn't force it to unlock a server in Dublin, Ireland, so it could rummage around for evidence. Nor could the DOJ force the company to act on its behalf, performing a search of its overseas servers for documents the US government couldn't access otherwise.
Since that decision obviously just won't do, the DOJ has presented proposed legislation [PDF] that would alter existing Mutual Legal Assistance Treaties (MLATs) so the agency can do the very thing a court just said it couldn't do.
The details are discussed in, um, detail over at the Lawfare blog by none other than a former DOJ lawyer (David Kris). Needless to say, the post skews towards "supportive," but the analysis is thorough and offers some excellent insight on what the DOJ hopes to open up -- and what it's willing to concede in return for this new power.
The law would limit searches to communications from non-US citizens located abroad and only for criminal investigations. This would prevent the altered MLATs from being used by US agencies to gather intelligence, restricting them only to gathering evidence of criminal activity. That being said, for every concession made, there's a DOJ land grab.
The heart of the proposed legislation is section 4, which allows for executive agreements between the U.S. and foreign governments. Where a satisfactory agreement is in place, the barriers to access in the Wiretap Act, Stored Communications Act, and criminal Pen Register statute are removed (by section 3).
Of all the places to remove existing limits, the DOJ has chosen three of its most-abused laws/statutes. The Wiretap Act has been rendered toothless by the DEA's collusion with a judicial rubber stamp in California and used by the DOJ to push American telcos into doing its spying for it. The Stored Communications Act was just another (failed) angle of attack for the DOJ in its fight against Microsoft. And the Pen Register Act has been used as a cover for Stingray deployments by multiple law enforcement agencies, all with the tacit approval of the FBI, which still acts as a middleman in every IMSI catcher purchase by local PDs.
From there, the DOJ offers a melange of legal authorities to govern its searches of foreign servers.
The foreign orders authorized by the agreement must meet several specific requirements. First, they must pertain to the “prevention, detection, investigation, or prosecution of serious crime, including terrorism.” This means that affirmative foreign intelligence gathering is out of bounds. Conceptually, the idea here seems similar to the split in FISA’s two definitions of “foreign intelligence information,” 50 U.S.C. 1801(e)(1)-(2).
Second, the foreign orders must use a “specific” identifier such as a name or account as the “object of the order.” This comes from the USA Freedom Act’s amendments to FISA, designed to prevent bulk collection, 50 U.S.C. 1841, 1861.
Third, the orders must be “based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation,” and must be subject to “review or oversight” by a judge or other “independent authority.” These elements seem to be derived in part from several U.S. constitutional requirements—e.g., those governing a stop and frisk (Terry v. Ohio, 392 U.S. 1 (1967)), the definition of probable cause (Illinois v. Gates, 462 U.S. 213 (1983)), the requirements for a search warrant (including particularity and a neutral and detached magistrate, see Maryland v. Garrison, 480 U.S. 79 (1987)), and a proportionality requirement.
At first blush, these would seem to subject DOJ requests to multiple forms of oversight. But it most likely won't. The self-written loopholes allow for plenty of "search first, ask permission later" action.
Of course, the requirements are not exactly the same as those the Fourth Amendment would compel—for example, the reference to “review or oversight” by a judge or other “independent authority” would seem to permit after-the-fact review by a Parliamentary body rather than advance review of orders by a judge.
On top of that, the folding in of FISA language allows the FBI, et al to interpret "criminal investigation" very loosely.
Note, however, that counter-intelligence, expressly including counter-terrorism but also probably including counter-espionage, is included, because the language refers not only to “investigation” and “prosecution,” but also to “prevention” and “detection” of crime.
So, despite saying the MLAT alterations would be limited to investigatory work, rather than intelligence gathering, the new agreements could be read as permitting both. And, despite restricting agencies from using foreign government to obtain data or communications they otherwise wouldn't be able to access, the proposal does allow these entities to provide US agencies with data and communications involving US persons. Sure, there are minimization procedures, but they're apparently tied to restrictions built into foreign governments' laws rather than our own, and auditing for abuses of this access is limited to a review every half-decade -- hardly the sort of thing that stops abuse in its tracks.
And the minimization procedures deployed by foreign governments when handing over info on US persons are tied to a bunch of exceptions -- the usual parade of horrors agencies use to justify intrusive surveillance.
[A] foreign government “may not disseminate the content of a communication of a U.S. person to U.S. authorities unless it is relevant to the “prevention, detection, investigation, or prosecution of serious crime, including terrorism, or necessary to protect against a threat of death or serious bodily harm to any person,” and also “relates to significant harm, or the threat thereof, to the United States or U.S. persons, including but not limited to crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud.”
So, it can't be used for anything not included on the "serious crimes" list, which doesn't leave much. There's not a whole lot of criminal activity that can't be squeezed into this laundry list. Moving violations? Jaywalking? Lord knows anything drug-related will still be considered "dangerous," even if most of the threat is composed of overreacting drug warriors lobbing flash bangs into cribs at 5 am.
Obviously, the DOJ wasn't just going to stand by and let the Second Circuit determine how it's going to operate. This bill may have been a long time in the works, but its public debut is impeccably timed.
Read More | 34 Comments | Leave a Comment..
Posted on Techdirt - 19 July 2016 @ 8:44am
Jason Leopold is back in court (is he ever NOT there?) battling the NSA and the DOJ's Office of Legal Counsel (OLC) over the release of documents related to the NSA and FBI's surveillance of federal and state judges. The two parties had already been told to do more looking around for responsive records by Judge Tanya Chutkan, who rejected their original request for summary judgment last July.
The two agencies went back and performed another search. And still came up empty-handed.
Let me rephrase that: the two agencies went back and performed another "search." Here's what that "search" actually entailed, as described in the opinion [PDF].
The search that OLC ultimately conducted pursuant to the court’s July 2015 Memorandum Opinion and Order proceeded as follows:
[A]n OLC attorney asked an OLC Deputy Assistant Attorney General and an OLC Senior Counsel, both of whom are senior attorneys with long tenures in OLC (the Deputy Assistant Attorney General joined the Office in 1989; the Special Counsel joined the Office in 1998, departed for nine years in 2001, and rejoined the Office in 2010) and have close familiarity with OLC’s work on national security and surveillance matters, . . . whether they were aware of any classified or unclassified OLC projects concerning the “propriety of surveilling federal or state judges,” regardless of whether the project resulted in final legal advice. (Id. ¶¶ 6, 9).
“This inquiry yielded no responsive records.” (Id. ¶ 9).
According to the OLC, asking a couple of people if they've heard anything about a surveillance program is the same thing as actually searching its own files using keywords and phrases relevant to the subject matter.
In addition, the OLC claimed that actually searching for these documents would bring its slowly-moving FOIA machinery to a near halt.
Colborn avers that searching OLC’s paper files, the email files of departed OLC attorneys and the hard drives of departed users “likely would take several years and the diversion of resources from other FOIA requests,” which “would result in a dramatic increase in [OLC’s] FOIA processing backlog.”
Judge Chutkan didn't find either of these excuses persuasive. As for the OLC's claim that asking a few in-house lawyers about a surveillance program qualifies as a search for responsive documents, the judge had this to say:
The court agrees with Plaintiff, and finds that the senior attorneys’ responses to this inquiry do not provide sufficient basis to reasonably conclude either that OLC is unlikely to possess responsive records or that responsive records are unlikely to be found by a more in-depth search. Moreover, the court finds that asking all current OLC attorneys if they had, or were aware of, any draft legal memoranda or opinions relating to the propriety of surveilling federal or state judges – as was done here after Plaintiff filed his opposition brief – was also insufficient.
Judge Chutkan points out that there's way too much turnover in staff at the OLC to consider asking all current counsel whether or not they've heard of a program to be an adequate substitute for an actual records search. The latter method wouldn't be nearly so dependent on individuals' memory, or whether those who might be familiar with the surveillance program were still working for the agency.
As for its complaint about "diverted resources" and its FOIA processing backlog, the judge similarly has no sympathy.
The court finds that Defendants have not established that searching the email files of departed OLC attorneys would be unduly burdensome. While Colborn avers that it “likely would take several years and the diversion of resources from other FOIA requests” to search for responsive documents among OLC’s paper files, hard drives and emails, he does not break out the time and resources that would be required to search only the emails of departed OLC attorneys. (Id.). Given that these emails and their attachments can be searched using an eDiscovery tool without needing to open each email and its attachments individually, and in the absence of any representations from Colborn or any other declarant regarding the burden associated with running such searches separate and apart from searching OLC’s paper files and hard drives, Defendants have not demonstrated that doing so would constitute an undue burden.
So, for a second time, Judge Chutkan is forced to tell the OLC how to do its job.
Accordingly, the court hereby ORDERS OLC to use the Clearwell eDiscovery tool referenced in the Fourth Colborn Declaration to search the email files of departed OLC attorneys, as well as any attachments to those emails, for any draft legal memoranda or opinions relating to the propriety of surveilling federal or state judges.
Everyone seems to know what tools are available and how to use them… except the agency "responding" to the FOIA request. A search will finally be performed -- after two motions to dismiss, several misspent tax dollars, and an FOIA requester forced to use the court system to get an agency to do its job correctly.
Read More | 14 Comments | Leave a Comment..
Posted on Techdirt - 19 July 2016 @ 3:33am
No better way to celebrate the 50th anniversary of the Freedom of Information Act than filing a lawsuit claiming an agency is refusing to comply with it. FOIA enthusiast Ryan Shapiro has done exactly that, suing the DOJ [PDF] for the FBI's continued refusal to perform anything more than a cursory search, using its most outdated software, for responsive records.
Foia requests to the FBI are processed by searching the Automated Case Support system (ACS), a software program that celebrates its 21st birthday this year.
Not only are the records indexed by ACS allegedly inadequate, Shapiro told the Guardian, but the FBI refuses to search the full text of those records as a matter of policy. When few or no records are returned, Shapiro said, the FBI effectively responds “sorry, we tried” without making use of the much more sophisticated search tools at the disposal of internal requestors.
“The FBI’s assertion is akin to suggesting that a search of a limited and arbitrarily produced card catalogue at a vast library is as likely to locate book pages containing a specified search term as a full text search of database containing digitized versions of all the books in that library,” Shapiro said.
Shapiro went meta to prove this point. Along with a handful of requests for documents about the FBI's "mosaic" theory, Shapiro also requested processing notes on the requests themselves. The FBI "failed" to locate much in the way of responsive documents, thanks to its insistence on using 21-year-old software, rather than more modern tools it has at its disposal.
The DOJ -- despite using millions of tax dollars to fund better search tools -- continues to insist it only needs to perform the bare minimum when searching for responsive documents. The software old enough to buy its own booze only searches for terms entered by FBI agents handling cases, not the text included in the files themselves.
It's not that the DOJ doesn't have the capability to perform a more in-depth search. It just feels it doesn't have to do anything more than a cursory surface scan for responsive documents. Whatever fails to turn up in this search is withheld without actually having to be declared "withheld" and justified with a FOIA exemption. Rather than present FOIA requesters with something they can challenge in court, the FBI simply claims it performed a search and shrugs at the lack of responsive files.
This non-responsiveness didn't impress Judge Randolph Moss back in January and it's that decision Shapiro is hoping will help him prevail in this lawsuit.
The FBI's use of an outdated system -- seemingly solely for the purpose of generating as few responsive files as possible -- is well-documented. And yet, there's almost no way to force the FBI to perform thorough searches -- utilizing the multiple tools and databases it has access to -- without dragging the DOJ to court. The FBI knows this, and knows that its unwillingness to utilize its internal FOIA tools is an easy way to discourage FOIA requests, as there are only a few filers with the means to pursue a lawsuit against the government. And any decision by a judge ordering the FBI to perform a more thorough search will be taken by the agency as only applying to the case at hand.
Of course, the FBI will do anything it can to keep Shapiro from obtaining more documents. Shapiro is the FBI's "mosaic" theory defined. The agency seems to fear his ability to pull together information from multiple, overlapping requests. And the DOJ has gone so far as to claim his dissertation research (involving the government's handling of animal rights activists) is a threat to national security. So, it will continue fighting for its "right" to deliberately perform inadequate document searches and maintain its non-responsive status quo.
Read More | 12 Comments | Leave a Comment..
More posts from Capitalist Lion Tamer >>