To be clear, wireless carrier app stores have always kind of sucked. Verizon’s efforts to create its own app store were shut down in 2012, after underwhelming consumers for years. At the time, the narrative was that Verizon just didn’t find it worth the trouble in the face of Google domination and innovation. And while that’s still largely true (wireless carriers are utterly unfamiliar with competition and therefore historically suck at innovation and adaptation), it turns out there was another reason.
Namely, that Google was paying Verizon and other major wireless companies a big chunk of money to not compete with the Android marketplace. And they were paying smartphone manufacturers to ship devices without competing app stores installed. Both nuggets were buried in a freshly unredacted copy of Epic’s antitrust complaint (pdf) against Google, first spotted by Jeremy Owens:
Man, I love when the redactions come off and there are fascinating numbers underneath.
This unredacted graf shows that telcos get up to 25% of Google's app sales to keep them from developing rival app stores on the smartphones they sell and service. pic.twitter.com/Vx6p1YBU6S
This agreement to start paying wireless carriers 20-25% of app sales was occurring right around the time that Google brass was visibly starting to wimp out on consumer-centric issues like net neutrality. That involved working closely with Verizon to push the FCC toward flimsy, loophole-filled, “compromise” 2010 net neutrality rules that excluded wireless entirely. Verizon then proceeded to successfully sue the FCC to have those repealed anyway, leading to better rules in 2015 that were also dismantled a few years later, albeit thanks to lobbying, not the courtroom.
Google’s shift from hugely innovative disruptor to entrenched, elbow-swinging turf protector has been a fairly ugly and historically unsurprising transition. You can clearly see the line in the sand somewhere around 2010 to throw away many of the guiding principles that made them successful and popular. There was another executive leadership pivot sometime around 2016 that brought with it increased timidity at the company (see: the company’s abrupt decision to largely give up on expanding Google Fiber and many other exciting moonshot projects). Then, more recently there’s the whole AI ethics scandals, which speaks for itself.
To be clear Google still does a lot of interesting and popular stuff, but it’s pretty damn clear that the ethics and bravery that guided the company originally were obliterated some time back.
I have to think that revelations Google was paying wireless carriers and smartphone manufacturers to not compete with it will likely fuel several different antitrust inquiries and court cases. Maybe wireless carriers would have always failed to develop compelling app stores of their own thanks to innate incompetence, but it’s harder than ever for that to happen when Google is paying you billions of dollars to not even try. And then, should those competing app stores succeed anyway, Google pays handset makers not to carry them, even if they happen to become popular.
As a little side note, the fact Google has been paying wireless carriers billions of dollars to do nothing kind of puts an additional dent in FCC Commissioner’s ongoing, dumb claim that “big tech” gets a “free ride” on telecom networks. Getting paid to do nothing is the exact kind of thing AT&T has been pushing for since 2003 or so. It’s the kind of stupid demand that started the net neutrality debate. Whether the payoffs violated the law is for antitrust lawyers to decide, but the fact Google repeatedly thought nothing about ignoring its original founding principles continues to speak pretty loudly either way.
There’s a new cottage industry of Section 230 lawsuits springing up from the law offices of Tycko & Zavareei in Washington, DC (with the assistance of Pearson, Simon & Warshaw of California, the state where the lawsuits are being filed).
Over the past few years, we’ve seen a plethora of lawsuits alleging vicarious liability for terrorist attacks being filed against social media platforms by opportunists at 1-800-LAW-FIRM and Excolo Law. Not a single one of these lawsuits has made it past the pleading stage, even if one Ninth Circuit judge went off the rails a bit during oral arguments last spring. Whatever Section 230 immunity doesn’t eliminate, the law firms’ decision to sue the wrong parties (i.e., anyone but the people who committed the crimes) has generally proven fatal to their claims.
Fortunately, this new batch of lawsuits doesn’t involve exploiting people who’ve recently suffered personal tragedies. Instead, they’re trying to force companies like Google and Apple to reimburse small-time losers who lost real money to gambling apps.
No less than five putative class actions over (incredibly small) gambling losses have been filed by Hassan Zavareei of Tycko & Zavareei and Daniel Warshaw of Pearson, Simon & Warshaw. The only unique factor is the dollar amount of gambling losses. But these aren’t whales. These are small fish in the online gambling ocean demanding courts order app store purveyors pay them back for the tens of dollars they’ve lost. Not a single one of these plaintiffs has lost more than $300 to gambling apps, but every single one of them is demanding a chunk of damages their attorneys claim exceeds $5,000,000.
Everything is boilerplate, other than the named plaintiffs’ individual losses and their choice of app store purveyor. Apple is named in one lawsuit. Google is named in all the others. But they’re all equally ridiculous. Feast your eyes on this accusation:
Google permits and facilitates illegal gambling by operating as an unlicensed casino.
The lawsuits reach this conclusion by noting Google (and Apple) allow users to download gambling apps from their app stores. At no point do Google or Apple create and develop any gambling apps, nor do they operate or maintain ownership of the apps. All they do is offer a storefront. Users are responsible for their own actions while interacting with third-party apps. The companies do not need to obtain licenses to operate casinos because… THEY DON’T OPERATE CASINOS.
The lawsuits then do a bit of narrative explaining the obvious: gambling can be addictive and it can cost people vast sums of money. The suits also note that several states have laws prohibiting exchanging money for more playing time — some of those put in place recently to protect users from things like pay-to-win games and “loot boxes,” which some states have chosen to view as another form of unlicensed gambling.
Then the lawsuits quote liberally from the Statute of Anne — something we’ve seen misquoted more often in terms of copyright enforcement here at Techdirt, even though it was instrumental in creating the idea of “public domain.” The relevant part of the Statute, passed in 1710 partly as a legislative attempt to prevent British citizens from gambling themselves into bankruptcy, allowed residents to sue to recoup their gambling losses. (That it was repealed almost entirely in 2005 seems to have escaped the notice of the fine legal minds at both law firms.)
[A]ny Person . . . who shall . . . by playing at Cards, Dice, Tables, or other Game or Games whatsoever, or by betting on the Sides or Hands of such as do play any of the Games aforesaid, lose to any . . . Person . . . so playing or betting in the whole, the Sum or Value of ten Pounds, and shall pay or deliver the same or any Part thereof, the Person . . . losing and paying or delivering the same, shall be at Liberty within three Months then next, to sue for and recover the Money or Goods so lost, and paid or delivered or any Part thereof, from the respective Winner . . . thereof, with Costs of Suit, by Action of Debt . . . .
So how does a 1710 British law factor into a bunch of online gaming lawsuits filed in the United States? Well, a lot of nascent US states adopted British laws because they didn’t have many of their own at that point. And it was safe to assume newly minted US citizens were just as likely to make bad decisions in games of chance. So, these laws went into the books, along with other large chunks of the Statute of Anne and its offshoots.
This aspect of the Statute has rarely been the focus of gambling-related litigation. But it has been used successfully in a few cases where courts allowed families/significant others to sue over gambling losses, usually under the theory an entire family shouldn’t be put into the poorhouse just because one of its residents blew a bunch of money on gambling. And in the cases that did secure a victory, the amount at stake was hundreds of thousands of dollars, rather than the $160-250 range represented in these lawsuits.
Only twenty-five states have adopted this aspect of the Statute of Anne. The litigants represented here are from states that adopted the anti-gambling text. But it’s not going to be nearly as helpful as they believe it will be. At best, the law simply makes some gambling debts unenforceable.
Online gaming in virtual casinos (unlike more direct gambling options like online betting services that provide actual cash payouts) doesn’t incur gambling debt, even if it may result in regular, non-gambling debt if users spend too much money gaming. No one is under any obligation to pay to do more gaming, nor are they able to obtain credit from app operators to continue gaming, which makes it impossible to rack up the sort of gambling debt this Statute was adopted to address. That’s just the beginning of the apparently willful misreading of this law by the attorneys representing these clients. There’s more.
First, the lawsuits have been filed in California, which — as a late-arriving member of the Union — did not adopt this Statute. Second, even if the courts decide that the losses occurred in the plaintiffs’ home states (rather than wherever the app developers’ gaming servers are located), it’s definitely not going to help in at least two cases. There’s a case directly on point dealing with venue-shifting by Mississippi plaintiffs hoping to use another state’s laws to allow them to recover gambling losses.
We too find that it would be a great injustice if Tennesseans could reap the benefits of gambling in states where it is legal when they are successful, but seek shelter in Tennessee courts when they lose. As a result, we conclude that there is nothing in the Mississippi laws in question that outrages the public policy of Tennessee. Therefore, the gaming contract between the parties is enforceable in Tennessee.
This means the two plaintiffs from Mississippi aren’t going to be able to use another state’s laws to claw their money back from Google and Apple. But even if local laws are given deference — along with the residents’ claims their losses occurred in Mississippi — it still won’t work. The adoption of the Statute of Anne varies from state to state. In some states, it only allows for government enforcement via suits brought by the state attorney general. In other states, gambling losers can sue directly, but they have to sue the entity they lost money to. No matter how the local laws are interpreted, they cannot be read to allow people who lost money to online casinos to sue a third party that never took any money from them.
But there’s really no reason to even get into the weeds of local laws adopted hundreds of years ago by newly developed states in a brand new country. The lawsuits all note the plaintiffs lost money to app operators like Zynga, SpinX Casino, and DoubleUGames. None of those companies are listed as defendants. Only the operators of app stores are. And that’s not going to work. You have to sue the party that injured you, not one at least one step removed from the equation.
Section 230 allows Google and Apple to exit lawsuits that claim they’re responsible for content — including apps — uploaded by third parties. This holds true even if the content is vetted by Google, etc. before being allowed to go live. Moderation (or this perceived lack thereof) does not undermine these protections.
But that argument isn’t even likely to be considered. Suing the wrong party should result in dismissals even if the court decides not to consider Google and Apple’s expected Section 230 defense. You just can’t hope to win a case if you’re not willing to sue the right defendants.
The only silver lining in this batch of bad-faith litigation is the plaintiffs haven’t lost hundreds of thousands of dollars gambling, so they likely haven’t destroyed anyone’s lives at this point, not even their own. But who’s going to take up the case of possibly hundreds of class-action plaintiffs who are going to be duped by law firms and lawyers like those pushing these cases? I mean, as long as we’re talking about holding other people responsible for your own bad decisions, why not find someone willing to go after shit-heel attorneys padding their resumes with the sad stories of rubes they’ve duped into believing they actually have something worth suing over?
Arizona appears to be moving forward with an interesting (though potentially unconstitutional) bill to say that Apple and Google would need to allow alternative payment systems in their app stores. I think this bill means well in that it’s targeting what appears to be a real issue: the control that Apple (especially) and Google (to a lesser, but still significant extent) have over getting apps onto iOS and Android devices. Both companies take a pretty large cut out of in-app purchases — basically 30% (it’s a little more complicated than that).
The argument from both companies is that (1) it’s their system and they’re providing value by creating the very platform that effectively allows all these apps to exist in the first place, and (2) part of the value of having a single app store model is that it allows for more security and privacy protections for end users (that’s a big part of Apple’s argument, certainly). Google is slightly more open in that it does allow for sideloading and even third-party app stores, but it strongly discourages such practices. And, there is some validity to that argument… but it’s also partially nonsense. For many apps, Google and Apple aren’t really adding that much value, and for them to demand such a large cut seems silly. 30% is also… quite a lot. It’s way more than other platforms in more competitive situations take, which often take closer to 5 to 10%. That certainly suggests some rent seeking.
That said, the bill has some issues as well. The biggest being that this is a state bill, which likely makes it unconstitutional. Regulating Apple and Google services like that likely violates the Commerce Clause, which limits the states’ ability to pass laws that regulate “interstate” commerce. It seems like if this kind of law is being written, it should be a federal law, rather than a state one.
The other big question is what are the downstream impacts of such a bill. If Google and Apple rely on their cut of these in-app sales for revenue, and those effectively go away with such a law, then they’re going to seek to make up that revenue elsewhere. Now, one hopes that they would do this by improving their offerings, adding additional value and figuring out ways to charge for those value-added features. And perhaps that would happen. But the fear is that the companies would seek to find a different revenue stream to tap — such as charging for access to dev tools or even just to list an app on the app store. And, the end result of that might be to shut down or shut out smaller app developers.
The other odd thing about this bill is that it literally exempts the equivalent situation with video game consoles (which also take a ~30% cut):
The bill specifically exempts game consoles “and other special-purpose devices that are connected to the internet,” and it also bars companies like Apple and Google from retaliating against developers who choose to use third-party payment systems.
I don’t quite understand this. If this approach is good for mobile phone devices, why shouldn’t it also apply to video game consoles? I can’t see any consistent reason to not treat the two similarly.
So, there does seem to be a legitimate concern about Apple and Google’s effective control over the phone device software ecosystem. Perhaps it would be less of a problem if web apps had more access to core device functionality and could bypass the app stores entirely. Or, if sideloading was more common (or even allowed at all, which it is not on iOS). However, that doesn’t change the fact that this particular bill doesn’t seem like the best way of dealing with this particular situation.
I’ve delayed writing deeper thoughts on the total deplatforming of Parler, in part because there was so much else happening (including some more timely posts about Parler’s lawsuit regarding it), but more importantly because for years I’ve been calling for people to think more deeply about content moderation at the infrastructure layer, rather than at the edge. Because those issues are much more complicated than the usual content moderation debates.
And once again I’m going to make the mistake of offering a nuanced argument on the internet. I urge you to read through this entire post, resist any kneejerk responses, and consider the larger issues. In fact, when I started to write this post, I thought it was going to argue that the moves against Parler, while legal, were actually a mistake and something to be concerned about. But as I explored the arguments, I simply couldn’t justify any of them. Upon inspection, they all fell apart. And so I think I’ll return to my initial stance that the companies are free to make decisions here. There should be concern, however, when regulators and policymakers start talking about content moderation at the infrastructure layer.
The “too long, didn’t read” version of this argument (and again, please try to understand the nuance) is that even though Parler is currently down, it’s not due to a single company having total control over the market. There are alternatives. And while it appears that Parler is having difficulty finding any such alternative to work with it, that’s the nature of a free market. If you are so toxic that companies don’t want to do business with you, that’s on you. Not them.
It is possible to feel somewhat conflicted over this. I initially felt uncomfortable with Amazon removing Parler from AWS hosting, effectively shutting down the service, and with Apple removing its app from the app store, effectively barring it from iPhones. In both cases, those seemed like very big guns that weren’t narrowly targeted. I was less concerned about Google’s similar removal, because that didn’t block Parler from Android phones, since you don’t have to go through Google to get on an Android phone. But (and this is important) I think all three moves are clearly legal and reasonable steps for the companies to take. As I explored each issue, I kept coming back to a simple point: the problems Parler is currently facing are due to its own actions and the unwillingness of companies to associate with an operation so toxic. That’s the free market.
If Parler’s situation was caused by government pressure or because there were no other options for the company, then I would be a lot more concerned. But that does not appear to be the case.
The internet infrastructure stack is represented in different ways, and there’s no one definitive model. But an easy way to think of it is that there are “edge” providers — the websites you interact with directly — and then there’s everything beneath them: the Content Delivery Networks (CDNs) that help route traffic, the hosting companies/data centers/cloud providers that host the actual content, the broadband/network/access providers, and the domain registries and registrars that help handle the naming and routing setup. And there are lots of other players in there as well, some (like advertising and certain communications providers) with elements on the edge and elements deeper in the stack.
But a key thing to understand is the level of granularity with which different players can moderate, and the overall impact their moderation can have. It’s one thing for Twitter to remove a tweet. It’s another thing for Comcast to say “you can’t access the internet at all.” The consequences of moderation get much more severe the deeper you go into the stack. In this case, AWS’s only real option for Parler was to remove the entire service, because it couldn’t just target the problematic content (of which there was quite a lot). As for the app stores, it’s a tricky question. Are app stores infrastructure, or edge? Perhaps they are a little of both, but they had the same limited options: remove the app entirely, or leave it up with all its content intact.
For many years, we’ve talked about the risks of saying that players deeper in the infrastructure stack should be responsible for content moderation. I was concerned, back in 2014, when there was talk of putting liability on domain registrars if domains they had registered were used for websites that broke the law. There have been a few efforts to hold such players responsible as if they were the actual lawbreakers, and that obviously creates all sorts of problems, especially at the 1st Amendment level. As you move deeper into the stack, the moderation options look less like scalpels and more like sledgehammers that remove entire websites from existence.
Almost exactly a decade ago, in a situation that has some parallels to what’s happened now, I highlighted concerns about Amazon deciding to deplatform Wikileaks in response to angry demands from then Senator Joe Lieberman. I found that to be highly problematic, and likely unconstitutional — though Wikileaks, without a US presence, had little standing to challenge it at the time. My concern was less with Amazon’s decision, and more with Lieberman’s pressure.
But it’s important to go back to first principles in thinking through these issues. It’s quite clear that companies like Amazon, Apple, and Google have every legal right to remove services they don’t want to associate with, and there are a ton of reasons why people and companies might not want to associate with Parler. But many people are concerned about the takedowns based on the idea that Parler might be “totally” deplatformed, and that one company saying “we don’t want you here” could leave them with no other options. That’s not so much a content moderation question, as a competition one.
If it’s a competition question, then I don’t see why Amazon’s decision is really a problem either. AWS only has 32% market share. There are many other options out there — including the Trump-friendly cloud services of Oracle, which promotes how easy it is to switch from AWS on its own website. Oracle’s cloud already hosts Zoom (and now TikTok’s US services). There’s no reason they can’t also host Parler.*
But, at least according to Parler, it has been having trouble finding an alternative that will host it. And on that front it’s difficult to feel sympathy. Any business has to build relationships with other businesses to survive, and if no other businesses want to work with you, you might go out of business. Landlords might not want to rent to troublesome tenants. Fashion houses might choose not to buy from factories with exploitative labor practices. Businesses police each other’s business practices all the time, and if you’re so toxic that no one wants to touch you… at some point, maybe that’s on you, Parler.
The situation with Apple and Google is slightly different, and again, there are lots of nuances to consider. With Apple, obviously, it is controlling access to its own hardware, the iPhone. And there’s a reasonable argument to be made that Apple offers the complete package, and part of that deal is that you can only add apps through its app store. Apple has long argued that it does this to keep the phone secure, though it could raise some anti-competitive concerns as well. But Apple has banned plenty of apps in the past (including Parler competitor Gab). And that’s part of the nature of iPhone ownership. And, really, there is a way to route around Apple’s app store: you can still create web apps that will work on iOS without going through the store. This does limit functionality and the ability to reach deeper into the iPhone for certain features, but those are the tradeoffs.
With Google, it seems like there should be even less concern. Not only could Parler work as a web app, Google does allow you to sideload apps without using the Google Play store. So the limitation was simply that Google didn’t want the app in its own store. Indeed, before Amazon took all of Parler down, the company was promoting its own APK to sideload on Android phones.
In the end, it’s tough to argue that this is as worrisome as my initial gut reaction said. I am still concerned about content moderation when it reaches the infrastructure layer. I am quite concerned that people aren’t thinking through the kind of governance questions raised by these sledgehammer-not-scalpel decisions. But when exploring each of the issues as it relates to Parler specifically, it’s hard to find anything to be that directly concerned about. There are, mostly, alternatives available for Parler. And in the one area where there apparently aren’t (cloud hosting), it seems to be less because AWS has market power, and more because lots of companies just don’t want to associate with Parler.
And that is basically the free market telling Parler to get its act together.
We were just discussing how there are some cracks starting to show in the PR war that Epic decided to kick off when it initiated the PC gaming platform war against Steam. Part of the problem Epic has is that, despite its attempt to frame its exclusivity deals as some attempt to heal a broken PC gaming industry, the public very clearly isn’t buying it. It’s gotten bad enough that publishers that buy into Epic’s exclusive deals are proactively messaging publicly to the gaming masses that they would prefer not to be the target of widespread harassment.
That, honestly, is bad enough to warrant concern by the industry as a whole. But when indie developers begin coming out publicly to refuse an Epic Store agreement, and frame that decision as a moral choice, the problem has only deepened. Wlad Marhulets is the solo developer behind Darq, a horror game released recently. He got an email from Epic seeking to sell the game on the Epic Store. Marhulets read the email and its request for an exclusivity deal, then he took a look at all the backlash other publishers have faced for entering into that agreement, and decided that he would be breaking his word to the public by entering into such a deal.
After asking whether Epic Games’ offer necessitated exclusivity, and hearing that it did, Marhulets turned down the deal before even discussing money. Darq had been on Steam since November, 2018, and is also for sale on GOG. The horror adventure game was within the top 50 most wishlisted games on the platform before launch. “I felt going for an exclusivity deal would show that my word means nothing (as I just had promised the game would launch on Steam),” wrote Marhulets on Reddit. The positive response from fans was huge.
To be clear, you can think that what Epic is doing is truly good for the industry while also acknowledging that stories like this show pretty clearly that Epic appears to be losing the PR war it decided to wage. Again, the public is not on the side of exclusivity in exchange for higher splits for publishers. It would honestly likely be much different if Epic offered its splits without the exclusivity. In that case, the messaging would be: “You can buy it on Steam and screw the gamemaker, or buy it on our platform and benefit them. Your choice.” In that case, the moral case is much more clear than when Epic attempts to limit consumer choice the way they have.
This is all the more evident when looking at how fans have reacted to Marhulets’ messaging.
Darq’s Steam comments are dominated by grateful messages from fans and some derision for Epic. “I purchased a copy of DARQ to support this fine developer’s ethical business practices. Thank you for keeping your promises and taking a stand against store exclusivity. The world needs more folks like yourselves,” wrote one. “Support devs who keep their promises and stand up against evil. It also happens to be a great game so.. what are you waiting for?” said another.
If Epic wants to be as idealistic as it claims, it can have its profit splits and cool it with the exclusivity. The way this is going, it is starting to feel clear that this isn’t a war Epic is going to win long term anyway.
Seems like this would be something that would go without saying: if you’re an American tech company, don’t willingly assist oppressive regimes in the oppression of their populace. Twitter is forever helping the Turkish government silence critics and journalists. Facebook has allowed governments to weaponize its moderation tools, quite possibly contributing to government-ordained killings.
Apple and Google have been accused of helping to “enforce gender apartheid” in Saudi Arabia, by offering a sinister app which allows men to track women and stop them leaving the country.
Both Google Play and iTunes host Absher, a government web service which allows men to specify when and how women can cross Saudi borders, and to get close to real-time SMS updates when they travel.
There’s really no reason either company should be hosting this app in their app stores. If Absher’s creators want to distribute an app that prevents certain Saudi citizens from being treated as equals, they’re free to host it on their own site. It’s not like the developers don’t have the clout to go it alone. The app is developed and supported by none other than the Saudi government.
This isn’t the sort of thing American companies should be giving platform space to, even if it technically meets the inconsistent standards both companies apply to app submissions.
As critics have pointed out, both companies have policies against apps that “facilitate threats and harassment.” Absher may have some benign functions built in (like paying parking tickets), but the overall point of the app is to allow Saudi men to dictate when and where their wives can travel, as well as be alerted to any movements suggesting their spouses are trying to escape the horrible abuses allowed by Saudi Arabia’s laws. Threats and harassment are all but guaranteed, and that’s without even delving into the app’s ability to provide employers with 24-hour surveillance of their employees.
Seems like the easy decision would be to pull the app. What’s the potential downside? An oppressive regime complaining about a slight dip in oppression?
Like clockwork, governments eager to censor the internet inevitably shift their gaze toward tools like VPNs used to get around restrictions. We’ve documented rising efforts to ban the tools’ use in countries like Russia, where VPN providers are being forced out of business for refusing to aid internet censorship. Whether it’s to protect VoIP revenue for state-run telecom monopolies, or to prevent users from tap-dancing around state-mandated filters or other restrictions, VPNs have become the bogeyman du jour for oppressive governments looking to crack down on pesky free speech and open communication.
China’s great firewall is a sterling example of draconian censorship, and since 2012 or so China has been trying to curtail both encryption and VPN use. Earlier this year China’s Ministry of Industry and Information Technology declared that all VPN providers now needed prior government approval to operate, a move generally seen as the opening salvo of an outright ban. These new restrictions will last until July 2021, impose fines up to $2000 on companies offering unsanctioned VPNs (read: all of them), and feature government warnings sent to users consistently caught using the tools.
We have received notice from the higher authorities. We regret to inform you that Green will cease our service on July 1st, 2017. We apologize for any inconvenience caused.
We will start processing our users’ refund request after service stopped (the amount will be calculated based on the remaining days in your plan). If you need a refund, please make sure to submit your refund request by August 31, 2017. We won’t be able to process any refund request submitted after that date. Since the workload of processing the requests, information verification and money transfer would be huge, we won’t be able to set an exact date for the refund. We plan to process the refund soon after August 31, please wait patiently.
Originally, statements made by the Ministry of Industry and Information Technology seemed to suggest the country’s VPN ban wouldn’t be fully implemented until March 2018. But these recent reports indicate that the Chinese government has grown tired of the pretense and has expedited its VPN crackdown dramatically. Since around 1-3% of China’s 731 million internet users rely on tools like VPNs to tap dance around internet filters, this crackdown will still be a long, difficult, expensive game of Whack-a-Mole for the Chinese government.
While VPNs are not a panacea for our endlessly eroded privacy rights, they remain an incredibly useful tool for those living under repressive regimes. Most legislative VPN bans are of the “death by a thousand cuts” variety, where lawmakers go out of their way to pretend they’re not trying to kill VPNs, even if the end goal always remains the same: the elimination of any tool that might let citizens peek through the curtain of draconian efforts at information control.
When you testify before Congress, it helps to actually have some knowledge of what you’re talking about. On Tuesday, the House Energy & Commerce Committee held the latest congressional hearing on the whole silly encryption fight, entitled Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives. And, indeed, they did have witnesses presenting “industry” and “law enforcement” views, but for unclear reasons decided to separate them. First up were three “law enforcement” panelists, who were free to say whatever the hell they wanted with no one pointing out that they were spewing pure bullshit. You can watch the whole thing below (while it says it’s 4 hours, it doesn’t actually start until about 45 minutes in):
Lots of craziness was stated — starting with the idea pushed by both chief of intelligence for the NYPD, Thomas Galati and the commander of the office of intelligence for the Indiana State Police, Charles Cohen — that the way to deal with non-US or open source encryption was just to ban it from app stores. This is a real suggestion that was just made before Congress by two (?!?) separate law enforcement officials. Rep. Morgan Griffith rightly pointed out that so many encryption products couldn’t possibly be regulated by US law, and asked the panelists what to do about it. You can watch the exchange here:
You see Cohen ridiculously claim that, since Apple and Google are gatekeepers to apps, the government could just ban foreign encryption apps from being in the app stores:
Right now Google and Apple act as the gatekeepers for most of those encrypted apps, meaning if the app is not available on the App Store for an iOS device, if the app is not available on Google Play for an Android device, a customer of the United States cannot install it. So while some of the encrypted apps, like Telegram, are based outside the United States, US companies act as gatekeepers as to whether those apps are accessible here in the United States to be used.
This is just wrong. It’s ignorant and clueless and for a law enforcement official — let alone one who is apparently the “commander of the office of intelligence” — to not know that this is wrong is just astounding. Yes, on Apple phones it’s more difficult to get apps onto a phone, but it’s not impossible. On Android, however, it’s easy. There are tons of alternative app stores, and part of the promise of the Android ecosystem is that you’re not locked into Google’s own app store. And, really, is Cohen literally saying that Apple and Google should be told they cannot allow Telegram — one of the most popular apps in the world — in their app stores? Really?
Galati then agreed with him and piled on with more ignorance:
I agree with what the Captain said. Certain apps are not available on all devices. So if the companies that are outside the United States can’t comply with same rules and regulations of the ones that are in the United States, then they shouldn’t be available on the app stores. For example, you can’t get every app on a Blackberry that you can on an Android or a Google.
Leaving aside the fact he said “Android or a Google” (and just assuming he meant iPhone for one of those)… what?!? The reason you can’t get every app on a BlackBerry that’s on other devices has nothing to do with any of this at all. It’s because the market for BlackBerry devices is tiny, so developers don’t develop for the BlackBerry ecosystem (and, of course, some BlackBerries now use Android anyway, so…). That comment by Galati makes no sense at all. Using the fact that fewer developers develop for BlackBerry says nothing about blocking foreign encryption apps from Android or iOS ecosystems. It makes no sense.
Why are these people testifying before Congress when they don’t appear to know what they’re talking about?
Later in the hearing, when questioned by Rep. Paul Tonko about how other countries (especially authoritarian regimes) might view a US law demanding backdoors as an opportunity to demand the same levels of access, Cohen speculated ridiculously, wildly and falsely that he’d heard that Apple gave China its source code:
Here’s what Cohen says:
In preparing for the testimony, I saw several news stories that said that Apple provided the source code for iOS to China, as an example. I don’t know whether those stories are true or not.
Yeah, because they’re not. He then goes on to say that Apple has never said under oath whether or not that’s true — except, just a little while later, on the second panel, Apple’s General Counsel Bruce Sewell made it quite clear that they have never given China its source code. Either way, Cohen follows it up by saying that Apple won’t give US law enforcement its source code, as if to imply that Apple is somehow more willing to help the Chinese government hack into phones than the US government. Again, this is just blatant false propaganda. And yet here is someone testifying before Congress and claiming that it might be true.
Thankfully, at the end of the hearing, Rep. Anna Eshoo, who isn’t even a member of the subcommittee holding the hearing (though she is a top member of the larger committee), joined in and quizzed Cohen about his bizarre claims:
She notes that it’s a huge allegation to make without any factual evidence, and asks if he has anything to go on beyond just general “news reports.” Not surprisingly, he does not.
Elsewhere in the hearing, Cohen also insists that a dual key solution would work. He says this with 100% confidence: that if Apple and law enforcement had a shared key it would be “just like a safety deposit box.” Of course, this is also just wrong. As cryptographers have been pointing out for decades, a two key (key escrow) design adds complexity and a second, extremely valuable key that has to be stored somewhere and handed out on request. Any weakness in that escrow path is open to whoever finds it, not just to law enforcement, so you almost certainly let in others as well.
And then, after that, Rep. Jerry McNerney raises the point — highlighted by many others in the past — that rather than “going dark,” law enforcement is in the golden age of surveillance and investigation thanks to more and new information, including that provided by mobile phones (such as location data, metadata on contacts and more). Cohen, somewhat astoundingly, claims he can’t think of any new information that’s now available thanks to mobile phones:
Here’s Cohen:
Sir, I’m having problems thinking of an example of information that’s available now that was not before. From my perspective, thinking through investigations that we previously had information for, when you combine the encryption issue along with shorter and shorter retention periods, in a service provider, meaning they’re keeping their records, for both data and metadata, for a shorter period of time, available to legal process. I’m having difficulty finding an example of an avenue that was not available before.
Huh?!? He can’t think of things like location info from mobile phones? He can’t think of things like metadata and data around unencrypted texts? He can’t think of things like unencrypted and available information from apps? Then why is he on this panel? And the issue of data retention? Was he just told before the hearing to make a point to push for mandatory data retention and decided to throw in a nod to it here?
At least Galati, who went after him, was willing to admit that tech has provided a lot more information than in the past — but then claimed that encryption was “eliminating those gains.”
Cohen is really the clown at the show here. He also claims that Apple somehow decided to throw away its key and that it was “solving a problem that doesn’t exist” in adding encryption:
There he’s being asked by Rep. Yvette Clarke if he sees any technical solutions to the encryption issue, and he says:
The solution that we had in place previously, in which Apple did hold a key. And as Chief Galati mentioned, that was never compromised. So they could comply with a proper service of legal process. Essentially, what happened is that Apple solved a problem that does not exist.
Again, this is astoundingly ignorant. The problem before was that there was no key. It wasn’t that Apple had the key; it was that the data was readily available to anyone who had access to the phone. That put everyone’s information at risk. It’s why there was so much concern about stolen phones and why stolen phones were so valuable. For a law enforcement official to not realize that and not think it was a real problem is… astounding. And, again, it raises the question of why this guy is testifying before Congress.
It also raises the question of why Congress put him on a panel with no experts around to correct his many, many errors. At the very least, towards the beginning of the second panel, Apple GC Sewell explained how Cohen was just flat out wrong on these points:
If you can’t see that, after his prepared remarks, Sewell directly addresses Cohen’s claims:
That’s where I was going to conclude my comments. But I think I owe it to this committee to add one additional thought. And I want to be very clear on this: We have not provided source code to the Chinese government. We did not have a key 19 months ago that we threw away. We have not announced that we are going to apply passcode encryption to the next generation iCloud. I just want to be very clear on that because we heard three allegations. Those allegations have no merit.
A few minutes later, he’s asked directly about this and whether or not the Chinese had asked for the source code, and Sewell says that, yes, the Chinese have asked, and Apple has refused to give it to them:
Seems like they could have killed 3 hours of ignorant arguments presented to Congress, if they had just not allowed such ignorance to be spewed earlier on.
The National Security Agency and its closest allies planned to hijack data links to Google and Samsung app stores to infect smartphones with spyware, a top-secret document reveals…
The main purpose of the workshops was to find new ways to exploit smartphone technology for surveillance. The agencies used the Internet spying system XKEYSCORE to identify smartphone traffic flowing across Internet cables and then to track down smartphone connections to app marketplace servers operated by Samsung and Google.
Branded “IRRITANT HORN” by the NSA’s all-caps random-name-generator, the pilot program looked to perform man-in-the-middle attacks on app store downloads in order to attach malware/spyware payloads — the same malicious implants detailed in an earlier Snowden leak.
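An in-path attacker can only swap out an app download when the client doesn’t authenticate what it receives. The following is an added example (not code from the leaked documents, Google, Samsung or this site) showing the two sides of that: a client that installs whatever arrives, and one that checks the package against a manifest it can verify. The store’s real signing key is stood in for by an HMAC key the client is assumed to hold already (a hypothetical pinned key), and the package bytes, implant and manifest format are all constructed for the demo.

```python
"""Added illustration of why a man-in-the-middle can attach a payload to an
app download only if the client does not verify it. Not the NSA's, Google's
or Samsung's code. STORE_KEY is a hypothetical pinned key standing in for
the store's asymmetric signing key."""
import hashlib
import hmac
import json

# Hypothetical: a key the client is assumed to have pinned out-of-band.
STORE_KEY = b"store-signing-key-stand-in"


def publish(name, version, package):
    """Store side: return the package plus an authenticated manifest
    (JSON body, newline, HMAC tag over the body)."""
    manifest = {"name": name, "version": version,
                "sha256": hashlib.sha256(package).hexdigest()}
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest().encode()
    return package, body + b"\n" + tag


def verify(package, manifest_blob):
    """Client side: accept only if the manifest tag is genuine AND the
    package hash matches the manifest. Both checks are constant-time."""
    body, _, tag = manifest_blob.rpartition(b"\n")
    expected = hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False
    manifest = json.loads(body)
    digest = hashlib.sha256(package).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"])


def install_unverified(package):
    """The naive client: whatever came down the wire is what gets installed."""
    return package


def mitm_append(package, implant):
    """Simplest in-path tampering: tack an implant onto the real download."""
    return package + implant


def mitm_rewrite_manifest(package, manifest_blob, implant):
    """Smarter tampering: also rewrite the manifest hash to match. Without
    STORE_KEY the attacker cannot produce a valid tag, so this fails too."""
    tampered = package + implant
    body, _, _ = manifest_blob.rpartition(b"\n")
    manifest = json.loads(body)
    manifest["sha256"] = hashlib.sha256(tampered).hexdigest()
    new_body = json.dumps(manifest, sort_keys=True).encode()
    forged = hmac.new(b"attacker-guess", new_body, hashlib.sha256).hexdigest().encode()
    return tampered, new_body + b"\n" + forged


def demo():
    """Run the four scenarios on constructed bytes; returns a dict of outcomes."""
    pkg, man = publish("app", "1.0", b"constructed APK bytes")
    implant = b"\x00constructed implant"
    return {
        "genuine_accepted": verify(pkg, man),
        "appended_rejected": not verify(mitm_append(pkg, implant), man),
        "rewritten_manifest_rejected": not verify(*mitm_rewrite_manifest(pkg, man, implant)),
        "naive_client_installs_implant": implant in install_unverified(mitm_append(pkg, implant)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The point of the third scenario is the one that matters for a pilot like this: hashing alone doesn’t help if the attacker can rewrite the hash in transit, so the manifest (or the package itself) has to carry something only the store can produce and the client can check without trusting the network.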
While the document doesn’t go into too much detail about the pilot program’s successes, it does highlight several vulnerabilities it uncovered in UC Browser, a popular Android internet browser used across much of Asia. Citizen Lab performed an extensive examination of the browser for CBC News, finding a wealth of exploitable data leaks. [PDF link for full Citizen Lab report]
In addition to discovering that phone ID info, along with geolocation data and search queries, was being sent without encryption, the researchers also found that clearing the app cache failed to remove DNS information — which could allow others to reconstruct internet activity. Citizen Lab has informed the makers of UC Browser of its many vulnerabilities, something the Five Eyes intelligence agencies obviously had no interest in doing.
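The leaks Citizen Lab describes are exactly the kind of thing you can catch from the outside, which is also why they were useful to the agencies. As an added example (not Citizen Lab’s tooling, and not tied to UC Browser’s actual endpoints), here is a small scanner that walks constructed request lines and flags device identifiers, location and search queries sent over plaintext HTTP, ignoring anything carried over TLS. The hostnames, parameter names and log format are assumptions made for the demo.

```python
"""Added example: flag identifiers, location and search terms that leave a
device over plaintext HTTP. Not Citizen Lab's or Techdirt's code; the log
lines, hosts and parameter names below are constructed for illustration."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed log lines in a simplified "METHOD URL" form; not real traffic.
SAMPLE_LOG = """\
GET http://stats.example-browser.invalid/report?imei=356938035643809&imsi=310150123456789&lat=39.9042&lng=116.4074
GET http://search.example-browser.invalid/s?q=vpn+download&uid=a1b2c3
GET https://search.example-browser.invalid/s?q=weather
POST http://cdn.example-browser.invalid/update?v=10.3
"""

# Parameter names (assumed) that carry something worth protecting.
SENSITIVE = {
    "device_id": re.compile(r"^(imei|imsi|android_id|mac|uid)$", re.I),
    "location": re.compile(r"^(lat|lng|lon|latitude|longitude|cell|lac)$", re.I),
    "query": re.compile(r"^(q|query|keyword|kw)$", re.I),
}


def luhn_ok(digits):
    """Luhn check, used to confirm a value shaped like an IMEI really is one."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_imei(value):
    return len(value) == 15 and luhn_ok(value)


def classify_param(name):
    for kind, pattern in SENSITIVE.items():
        if pattern.match(name):
            return kind
    return None


def scan_request(line):
    """Return (kind, param, value) triples for sensitive query parameters on a
    plaintext request; TLS-protected requests are not observable in transit."""
    _method, _, url = line.partition(" ")
    parts = urlsplit(url)
    if parts.scheme != "http":
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        kind = classify_param(name)
        if kind is None:
            continue
        if name.lower() == "imei" and is_imei(value):
            kind = "device_id(imei-verified)"
        findings.append((kind, name, value))
    return findings


def scan_log(text):
    """Group findings by host so the report reads as 'who receives what'."""
    report = {}
    for line in text.splitlines():
        findings = scan_request(line)
        if findings:
            host = urlsplit(line.partition(" ")[2]).hostname
            report.setdefault(host, []).extend(findings)
    return report


if __name__ == "__main__":
    for host, findings in scan_log(SAMPLE_LOG).items():
        print(host)
        for kind, name, value in findings:
            print(f"  {kind:25} {name}={value}")
```

In the constructed log the stats host gets the IMEI (Luhn-validated), the IMSI and a lat/long pair in the clear, the search host gets the query plus a user identifier, the identical HTTPS search is not reported because it isn’t observable on the wire, and the update check carries nothing sensitive. The same scan run over a capture from the device is the cheap, first-pass version of what Citizen Lab did by hand.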
But IRRITANT HORN went beyond simply delivering malicious implants to unsuspecting users. The Five Eyes agencies also explored the idea of using compromised communication lines to deliver disinformation and counter-propaganda.
[The agencies] were also keen to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations that are used to spread propaganda or confuse adversaries. Moreover, the agencies wanted to gain access to companies’ app store servers so they could secretly use them for “harvesting” information about phone users.
As is the case with each new leak, the involved agencies have either declined to comment or have offered the standard defensive talking points about “legal framework” and “oversight,” but it’s hard to believe any legal mandate or oversight directly OK’ed plans to hijack private companies’ servers for the purpose of spreading malware and disinformation. And, as is the case with many other spy programs, IRRITANT HORN involves a lot of data unrelated to these agencies’ directives being captured and sifted through in order to find suitable targets for backdoors and implants.