Another Victim Of The GDPR & CCPA: Security Researchers No Longer Can Get Anonymous Access To Internet Attack Data

from the not-understanding-privacy... dept

We’ve pointed out before that we’re generally bad at regulating privacy because we don’t understand privacy. All of the regulations around privacy seem to treat a set of information as “special” that must be locked up and hidden. However, as we’ve pointed out over and over again, privacy is actually a set of trade-offs, and in some situations, certain information should be shared, and in others not. But it requires an awful lot of context — and no privacy regulations that I’ve seen seem to take that context question into account. Because of that we end up with nonsensical results that often do more harm than good.

The latest example of this comes from Rapid7, a cybersecurity company that, among other things, tracks network activity and attacks to help fend off attackers. Back in 2018, Rapid7 launched the Open Data project to enable more researchers to have access to important data generated from its Project Sonar and Project Heisenberg research efforts. Via the Open Data Initiative researchers could access important useful data for improving security and understanding various threats online.

The Open Data Project offered two forms of access to researchers — both free. The first required signup, at which point registrants were “subject to light vetting and terms of service” before being able to access current and historical data. The second was free access “to a one-month window of recent data” from Project Sonar. However… thanks to laws like the GDPR in the EU and the CCPA in California, apparently sharing that information is becoming a liability. So Rapid7 is doing away with the second type of access, the kind that was widely available (the one month snapshot) for anyone to see on their website.

Reading between the lines, it sounds like Rapid7 was facing some threats under the GDPR and/or the CCPA, claiming that the very, very useful service it provided for anyone to look at the data, was possibly revealing… IP addresses. And, once again, this gets into the trade-off nature of privacy. In some cases, IP address information might reveal sensitive information — but the fact is that, in most instances, it absolutely does not. However, courts are getting aggressive about this — as you may recall from our recent story about a German court fining a company for… using Google’s fonts. The violation? Passing IP address info back to Google.

Rapid7 has noticed that this means its data service is potentially a liability:

During the past few years, we have also seen an evolving regulatory environment for data protection. Back in 2018, GDPR was just coming into effect, and everyone was trying to figure out its implications. In 2020, we saw California join the party with the introduction of CCPA. It seems likely we will see more privacy regulations follow.

The surprising thing is not this focus on privacy, which we wholeheartedly support, but rather the inclusion and control of IP addresses as personal data or information. We believe security research supports better security outcomes, which in turn enables better privacy. It’s fundamentally challenging to maintain privacy without understanding and addressing security challenges.

Yet IP addresses make up a significant portion of the data being shared in our security research data. While we believe there is absolutely a legitimate interest in processing this kind of data to advance cybersecurity, we also recognize the need to take appropriate balancing controls to protect privacy and ensure that the processing is “necessary and proportionate” — per the language of Recital 49.

The company says it will still work to make the data available, but from now on it’s going to require registration, rather than just being openly available on the website.

Once again, this seems like it will mostly likely have a negative impact on actual online security and privacy… all to comply with rules that are supposed to be improving our privacy. Some of us have warned regulators of these kinds of consequences, and are always brushed off, but we keep seeing this kind of thing happening.

Filed Under: ccpa, gdpr, privacy, public information, research
Companies: rapid7

Meta Sues Firm For Data Scraping; Claims That Signing Up For New Accounts After Being Banned Is Equivalent Of Hacking

from the why-is-this-a-problem? dept

For years we’ve talked about the infamous Facebook lawsuit against Power.com. As you may recall, this was a key CFAA case against a site, Power.com, that was trying to create a social media aggregator dashboard — in which you could login through a single interface, and access content from and post to a variety of different social media platforms. Facebook alleged that this was a form of hacking — claiming it was “unauthorized access” to Facebook. This was even though there was no actual unauthorized access. Individual users gave Power their login credentials, so everything was completely authorized. After years of winding through the courts, unfortunately, it was decided that this was a violation of the CFAA, mainly because Facebook sent a cease & desist letter, and somehow going against that now made it “unauthorized.” In my mind, this is one of the biggest reasons why Facebook has much less competition today than it otherwise might — because it used the CFAA and cases against Power.com to create a “you can check in, but you can’t check out” kind of data arrangement. Things like Power.com were an empowering system that might have made people much less reliant on Facebook — but it was killed.

In an age now where people are increasingly talking about the importance of data portability and interoperability, something like Power.com would be a useful tool.

So, it’s interesting (and a little disturbing) to see that Facebook’s new corporate identity, Meta, has now sued another company for data scraping. It is notable that in this case, the defendant, Social Data Trading Ltd., is a lot less sympathetic a character than Power.com was. And — more importantly — Facebook is not using the CFAA this time (other cases have suggested that what Facebook got away with in the Power case it would no longer be able to get away with under that law). However, it is trying to use California’s state law equivalent of the CFAA. And now matter how you look at it, it’s still at least a little worrisome that Facebook (ok, whatever, Meta) believes it has a legal right to stop scraping of otherwise public data.

So first, Social Data Trading is not sympathetic. It appears to be a sketchy service in its own right, scraping data on social media users to sell “in-depth insights into the demographics and psychographics of influencers and their audiences.” Meta put in place some technical blocks to try to stop the company from scraping (which seems like fair game), but SDT would then just register new domains and continue scraping. Facebook had apparently tried to stop a predecessor company to Social Data Trading called “Deep.Social,” though the complaint seems to imply that SDT is just a reworking of Deep.Social.

The more difficult issue here is that part of the way that SDT did its scraping was by creating fake accounts on Facebook and Instagram, and then using those fake accounts to scrape the data. And that does bring things into a legally more complex area, but also gives Meta the route around to go after these guys without using the CFAA.

At issue is that when you create one of those accounts… you agree to the terms of service, and those terms say you can’t use the site for “collecting information in an automated way.” Thus, the core argument here is that it’s a breach of contract case, and that the SDT folks agreed to the terms and then broke them by using their fake accounts to scrape.

Since January 2019, Defendant created and used multiple Instagram accounts and agreed to Instagram?s Terms. Defendant agreed to Instagram’s Terms no later than January 30, 2019.

In addition, since September 2020, Defendant has used thousands of Instagram accounts to scrape Instagram.

Defendant breached the Terms by using unauthorized automated means to access Instagram and collect data from Meta computers without permission, including after Meta revoked Defendant?s access to its platform.

Of course, it seems to me that if this is a breach, the remedy should simply be removal of service, not anything more. But Meta claims damages “in excess of $75,000” (the minimum needed to get into federal court).

The second claim in the lawsuit seems… a lot sketchier. It claims violations of California Penal Code Section 502, which is (more or less) California’s equivalent to the CFAA. While, apparently, Meta’s lawyers know enough to not go to the well again on the federal CFAA, the use of the state equivalent is still quite concerning.

Beginning no later than June 2021, Defendant, without permission, knowingly accessed and otherwise used Meta?s computers, computer system, and computer network in order to (a) devise or execute any scheme or artifice to defraud and deceive, and (b) to wrongfully obtain money, property, or data, in violation of California Penal Code ? 502(c)(1).

Beginning no later than June 2021, Defendant, without permission, knowingly accessed and took, copied, and made use of data from Meta?s computers, computer system, and computer network in violation of California Penal Code ? 502(c)(2).

Beginning no later than June 2021, Defendant knowingly and without permission used or caused to be used Meta?s computer services in violation of California Penal Code ? 502(c)(3).

Since June 2021, Defendant knowingly and without permission accessed and caused to be accessed Meta?s computers, computer systems, and/or computer networks in violation of California Penal Code ? 502(c)(7). Defendant accessed Meta?s computer network after Meta disabled its Instagram accounts, blocked its domain, and sent correspondence to Defendant revoking its access.

Because Meta suffered damages and losses as a result of Defendant?s actions and continues to suffer damages and losses as a result of Defendant?s actions, Meta is entitled to compensatory damages in an amount to be determined at trial, attorney fees, any other amount of damages proven at trial, and injunctive relief under California Penal Code ? 502(e)(1) and (2).

Because Defendant willfully violated California Penal Code ? 502, and there is clear and convincing evidence that Defendant committed ?fraud? as defined by section 3294 of the Civil Code, Meta is entitled to punitive and exemplary damages under California Penal Code ? 502(e)(4).

All of this should be concerning to folks. It basically says that if you get kicked off a site and then create a new account… you could face serious consequences (and while this is a civil suit, Section 502 violations can lead to criminal liability as well). This should be cause for alarm. Yes, even if the defendant is a sketchy data operation, and even if Meta really didn’t want them scraping their site, to turn around and use what is, ostensibly, a computer “hacking” law against them for setting up new accounts seems incredibly dangerous and could lead to very bad consequences.

Finally there’s an “unjust enrichment” claim which also seems a bit silly — especially for a company like Facebook, which makes so much of its money by collecting data in surreptitious ways, to argue that another firm doing that back to Facebook is somehow “unjustly” enriching itself is pretty rich.

Still, it’s claim two that should raise some eyebrows, and I wish that Facebook recognized what a dangerous game its playing in trying to argue that signing up for a new account after you’ve been banned somehow violates an anti-hacking law.

Filed Under: analytics, cfaa, data, data scraping, hacking, privacy, public information
Companies: facebook, meta, social data trading

FBI Cites Guidelines That Don't Actually Forbid Social Media Monitoring As The Reason It Was Blindsided By The January 6 Attack

from the some-monitoring-is-more-equal-than-others dept

The FBI has spent thousands on social media monitoring software. These contracts are public, making it literally unbelievable the agency has managed to stave off FOIA requests by handing out “neither confirm nor deny” non-answers. A court didn’t buy the FBI’s excuse for its Glomar, pointing out that confirming public information would not give criminals a heads-up on surveillance software the FBI is currently using.

The FBI’s inability to honestly discuss its social media monitoring programs continues. The January 6th raid on the US Capitol building has resulted in hundreds of arrests. A lot of the evidence for these prosecutions has come from social media posts by members of the ad hoc raiding party.

The FBI continues to provide contradictory responses when questioned about its social media monitoring programs. Its Congressional testimony has kind of eluded direct questions about the FBI’s incursions into First Amendment territory — something the FBI is now using to explain why it wasn’t more aware of the impending threat prior to January 6th.

Quinta Jurecic’s post for Lawfare points out the FBI lack of awareness was somewhat stunning, given the vast amount of publicly available information circulating social media prior to the Capitol raid.

The only document the FBI produced warning about Jan. 6 was a single bulletin issued by the bureau’s Norfolk, Virginia, field office. This absence of warning is particularly striking given that a significant amount of the planning for the Jan. 6 riot took place in public on social media platforms like Facebook, Gab and Parler. Anyone with a Twitter account and an hour of time to kill could have warned about the potential for violence on Jan. 6—and many did.

FBI Director Chris Wray has been questioned about the FBI’s lack of preparedness. And his responses haven’t cleared much up. According to Wray, FBI guidelines forbid agents from camping out on social media and searching for evidence of potential criminal activity.

“We’re not allowed to … just sit and monitor social media and look at one person’s posts … just in case,” Wray told the House Judiciary Committee recently.

But that’s not strictly true. The agency’s guidelines do not strictly forbid this activity. The FBI can monitor social media platforms. It just usually doesn’t. Wray says guidelines prevent agents from “collecting First Amendment activities,” but there’s nothing in the rules that says the FBI can’t monitor open-source information like public posts.

This has been Wray’s line through several hearings this year. But the guidelines say something completely different.

[A]ssessments may be undertaken proactively with such objectives as detecting criminal activities; obtaining information on individuals, groups, or organizations of possible investigative interest, either because they may be involved in criminal or national security-threatening activities or because they may be targeted for attack or victimization by such activities; and identifying and assessing individuals who may have value as human sources. For example, assessment activities may involve proactively surfing the Internet to find publicly accessible websites and services through which recruitment by terrorist organizations and promotion of terrorist crimes is openly taking place…

So, perhaps the problem was the January 6th raid was carried out by the wrong kind of terrorists. The FBI is certainly proactive when it comes to monitoring the Muslim community “just in case.” When it comes to white insurrectionists, the agency apparently just hangs back and lets things take their course until it becomes imperative for the FBI to get involved.

Wray, at best, is only partly right.

In other words, Wray is correct that the bureau needs an authorized purpose to review social media, and that First Amendment considerations are involved. But his testimony leaves out the fact that the DIOG specifically authorizes FBI employees to review social media posts potentially protected by the First Amendment under certain circumstances—circumstances that could well have been met in the case of the soon-to-be Capitol rioters. After all, wouldn’t Facebook posts announcing plans to invade a government building raise criminal or national security concerns under the FBI’s definition of “authorized purpose”?

It’s not that we should be encouraging the FBI to engage in more proactive monitoring of social media — something that’s sure to raise some First Amendment issues. It’s that the FBI has never been shy about focusing this attention on certain kinds of people while appearing to ignore others who haven’t historically been considered a threat to national security by the agency.

Perhaps this take isn’t accurate and the FBI takes a similar hands-off approach when keeping an eye on other potential threats involving less-white people. But given the FBI’s long history of utilizing social media to radicalize local adherents of Islam into attempting to commit criminal acts, it hardly seems likely the FBI follows these guidelines (the ones that don’t say what the FBI Director says they do) consistently. It has experienced this sort of colorblindness in the past. And the conclusion one can easily draw — especially when the FBI hasn’t offered up a better explanation for why it missed the warning signs for the January 6th attack — is that the agency largely feels white people are nothing to worry about.

Filed Under: chris wray, fbi, insurrection, january 6th, public information, social media, social media monitoring

Now Twitter's 'Report' Function Being Used To Disappear Complaint About GDPR Being Used To Disappear Public Court Document

from the so-that's-great dept

Just recently we wrote about how a guy in France, Michael Francois Bujaldon, who had been sued in the US and accused of securities and real estate fraud, had apparently been using the GDPR’s right to be forgotten features to get the court docket about this lawsuit deleted from the web (in at least one case) or have his name removed from it (in the other). Our story focused on the situation with the website PlainSite, which is run by Aaron Greenspan and hosts tons of public court dockets. In our comments, it was interesting to note that at least one person seemed hellbent on trashing Greenspan. Greenspan and I have had our own differences throughout the years, and he has been a vocal critic of the way I’ve covered him in the past, but these comments seemed to go way over the line.

And now, Greenspan informs me that someone is trying to get his original tweet — which alerted me to this abuse of the GDPR to delete public documents — disappeared from the internet as well. On Wednesday morning Greenspan discovered that both his PlainSite Twitter account and his personal Twitter account were “limited” due to reports. It’s unclear why his personal account was limited, but Twitter told him that his original tweet about Bujaldon violated its rules on “posting personal information.”

It is difficult to see how a tweet that simply reads “French scam artist Michael Francois Bujaldon is using the GDPR to attempt to remove traces of his United States District Court case from the internet. He has already succeeded in compelling PacerMonitor to remove his case. We have 24 hours to respond” (and then links to the PlainSite docket) could possibly violate any Twitter rules, but the company told him he needed to delete the tweet in question:

Once again, we’re in a situation where if you hand people tools to delete content they dislike — whether it’s a DMCA takedown process, a GDPR “right to be forgotten” or a private platform’s “report abuse” button — some percentage of people are going to abuse that. And, as we’ve discussed many times, with the private platform decision making process involving overworked, underpaid workers who have to make determinations on each “report” with about 5 seconds to consider the report, many, many mistakes are going to be made. This is yet another one, and is yet another example of why we should be careful about giving people even more tools for deleting content.

Filed Under: aaron greenspan, content moderation, dockets, erasing history, gdpr, michael francois bujaldon, public information, right to be forgotten, rtbf
Companies: plainsite, twitter

Brazilian Court Agrees Wikipedia Can Use Publicly-Available Personal Information For An Article

from the wow,-you-don't-say dept

A couple of weeks ago, we wrote about a victory in the courts for Creative Commons licenses, noting that such judgments were still rather few and far between. That’s unfortunate, in the sense that some people still think CC licensing is weird, rarely-used or even invalid. The situation regarding Wikipedia is similar. Even though it has been around for 15 years — just like Creative Commons — it too suffers from continuing doubts about its aims and methods, and a relative dearth of legal cases helping to clarify the status of both.

Here’s one from Brazil, which has recently been settled in favour of Wikipedia’s parent organization, the Wikimedia Foundation. It concerns the Brazilian musician Rosanah Fienngo, who had brought a lawsuit objecting to information about her personal life being included on her Portuguese Wikipedia page. Wikimedia pointed out:

The Portuguese Wikipedia article about Ms. Fienngo contained information about her as a notable public figure in Brazil. This information included some details of her personal life, but this information was derived from public sources, most of which Ms. Fienngo had provided herself, such as an interview Ms. Fienngo gave to the gossip website O Fuxico.

You would have thought that someone who had provided details about her personal life to a gossip website would (a) realize that people might pass on that public information — that’s how gossip works — and (b) be grateful to those who spread details she herself had chosen to make public. Fortunately, the judge seems to have understood the situation:

The court stated that although the information available on her Wikipedia page concerned her private life, Ms. Fienngo had already disclosed that information to the media herself, so its inclusion on Wikipedia was not an invasion of her privacy.

It’s ridiculous that it required a court case to establish that, but the good news is the judgment should help to discourage others from bringing more such suits. Well, probably. Unfortunately, another similarity between the Brazilian Wikipedia case and the earlier Creative Commons one is that Ms. Fienngo could make an appeal, although Wikimedia notes:

We believe that the decision was strong enough that community members should feel free to make editorial decisions to write articles like the one about Ms. Fienngo.

Let’s hope they’re right.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: brazil, private information, public information, rosanah fienngo
Companies: wikimedia, wikipedia

Legislators In North Carolina Want To Let Law Enforcement Hide Personal Info From Public Records

from the I-guess-we're-referred-as-'the-Public'-for-a-reason... dept

Often, it seems there are two sets of rules: the set we the public are expected to follow, and those that legislators, law enforcement and other government subsects follow. Sometimes, it’s not just something that feels that way. Sometimes, it actually is, like the discovery that lawmakers were profiting from inside trading. This prompted a quick change in laws to make legislators act like law-abiding citizens, but it was just as swiftly rolled back once the outrage had died down.

Legislators in North Carolina are now considering a bill that would give government employees and officials unprecedented control over public records — a “courtesy” that apparently won’t be extended to the public. (via Techdirt reader Jj)

Wake County Assistant District Attorney Colleen Janssen spoke before a House judiciary committee before it passed a measure allowing state and federal prosecutors, federal judges and police officers to remove any information that could be used to identify them from city and county websites. Such information could include local tax payments, property deeds and other records accessible to the public online.

It includes one small caveat.

Identifying information wouldn’t be removed from the actual records on file at local government offices.

Anyone with enough time on their hands can still head down and experience some quality face time at the local government office should they want to see the offline-only information, an interaction that will presumably be logged in some fashion, just in case.

Why is this bill even being considered? Because bad things happened once to this one person — who also happens to be a prosecutor.

A prosecutor recently targeted by kidnappers urged a legislative committee Wednesday to endorse a bill that would shield the identity of law enforcement officials online.

An indictment says alleged gang members kidnapped Janssen’s father, 63-year-old Frank Janssen, from his Wake Forest home in April and held him captive in an Atlanta apartment for five days before he was rescued by federal agents. The kidnappers had targeted the daughter as revenge for her prosecution of a gang member, but ended up at the wrong address and decided to abduct the father instead.

Janssen believes this law would help shield law enforcement members, along with the rest of the prosecution side of government, from those with “nefarious intentions.” Presumably, the general public will still be subjected to nefarious actions, since they aren’t being afforded the same luxury. Despite the fact that law enforcement has become a much safer occupation over the last 50 years, we are constantly told that the dangers are increasing, usually as a justification for misconduct, expanded surveillance or the acquisition of military equipment. Presumably, a world more dangerous for law enforcement would also be more dangerous for civilians, but very little thought is given to the wellbeing of the public. Instead, we get statements like this:

“Kidnapping and mortal danger are faced by state and federal prosecutors constantly.”

That’s from Robert Guthrie, the president of the National Association of Assistant United States Attorneys.

So, this would allow these parties to scrub online info, but the public’s can still be public, even though this information is used by “nefarious” people as well, like scam artists, vengeful ex-anythings (employees, spouses, etc.) and other members of the criminal element. But only the chosen few will be allowed to take public information out of public records.

And that few may only stay a few for a brief amount of time. If passed, the law would open the door for nearly any entity, inside the government or out, to claim that its members are adversely affected by the publication of personal information in public records and that they too should be allowed to scrub their identifying information as well.

If this goes through, North Carolina will have two sets of public records laws — one for whom danger is considered unacceptable and one for everyone else, where danger is expected to be just part of life.

Filed Under: law enforcement, north carolina, privacy, prosecutors, public information

Chicago Court Rules Police Misconduct Records Must Be Made Publicly Available

from the it's-called-oversight,-and-if-the-cops-won't-do-it,-the-public-will dept

The insularity of law enforcement — the secrecy and opacity that allows misbehaving officers to escape being held responsible for their actions — has been partially stripped away in Chicago. The city’s appellate court has delivered a decision that puts police misconduct records into the hands of the public.

Citizen complaints about Chicago police misconduct and the related investigative files are public records and must be turned over by the city, an Illinois appeals court ruled this week.

A three-judge panel of the state Appellate Court in Chicago rejected the city’s claim that such files are exempt from the Illinois Freedom of Information Act.

The fact that investigative files are now public records is a big win for public oversight. Internal investigation documents have often been withheld by law enforcement agencies, many of whom seem completely uninterested in opening up their departments to additional scrutiny. Additionally, the city’s appellate court has severely limited the use of existing exemptions to deny requests for police misconduct files.

City lawyers argued such records were covered by an exemption in the state’s Freedom of Information law for “preliminary drafts, notes, recommendations, memoranda and other records in which opinions are expressed, or policies or actions are formulated.”

The judges wrote that exemption only applies to “opinions that public officials form while creating government policy. It does not protect factual material or final agency decisions.”

There’s still a bit of a loophole left for the Chicago PD to exploit, however.

If a complaint results in disciplinary charges against an officer, records from that process may still be kept secret, the appellate court noted.

From what information is out there, it’s unclear whether this exception applies to only documents directly related to the disciplinary process or whether it exempts everything related to the case from public records. In either case (though certainly more damaging to oversight in the latter), this exemption gives back a little opacity to misbehaving cops.

On the plus side, this new ruling allows for easier tracking of Chicago police misconduct.

The appeals court also found that “RL” files are open to the public. Those files identify police officers who have accumulated the most misconduct complaints. At issue were two RL files that named officers with the most complaints between 2001-2006 and 2002-2008.

This transparency is something the city of Chicago sorely needs.

A study by University of Chicago professor Craig Futterman found that just 19 of 10,149 complaints accusing CPD officers of excessive force, illegal searches, racial abuse, sexual abuse, and false arrests led to a police suspension of a week or more. In more than 85 percent of internal investigations of complaints, the accused officer was never even interviewed.

If the Chicago PD decides to return to business as usual in terms of responding to misconduct complaints, it will no longer be able to hide its inactivity behind expansive FOI exceptions. And if officers realize they’re creating easily accessible public records every time someone files a complaint, they’re bound to exercise a bit more discretion while on-duty.

Filed Under: chicago, police misconduct, public information, records

Mayor Bloomberg Uses Private Email To Avoid FOI Requests; Has No Plans To Retain Archive Of Office, NYPD Emails

from the he-must-be-bored-of-the-job----only-reason-why-he-isn't-mayor-for-life dept

It appears New York mayor Michael Bloomberg has left no process unexploited during his term as the city’s boss, creating a hybrid police/nanny-state firmly founded on the principle that “Bloomberg knows best.” If anyone dared to express their doubts, they were swiftly assuaged in a condescending tone that let the questioner know that asking such questions was not only foolish, but also potentially dangerous.

As much of New York impatiently holds open the EXIT door, further details of Bloomberg’s casual abuse of power have emerged.

Mayor Michael Bloomberg has a private way of discussing city business — using an email account from his company, Bloomberg L.P.

DNAinfo New York has learned of correspondences between Bloomberg and a deputy mayor in which each uses an @bloomberg.net email address to discuss city-related matters.

DNAinfo claims to have emails discussing city matters in its possession. Obviously, Bloomberg’s use of a private email address means that these emails won’t be subject to FOIL requests. In order to see these emails, one would have to subpoena them, which isn’t exactly the way public information discussing matters that affect the public is supposed to work.

The half-hearted defense offered by the mayor’s spokesman fails to sufficiently apply lipstick to this pig.

LaVorgna acknowledged that Bloomberg and top aides have private accounts.

“Yes, people have personal email accounts. It’s no different than everyone with a Gmail, Hotmail or Yahoo account,” he said.

Sure, it’s no different than anyone with a private email address, except for the fact that official city business should be routed through official city email accounts. Sidestepping FOI laws isn’t something city officials should be doing, much less the head guy, who should be leading by example. (Maybe he is leading by example. After all, the NYPD is less responsive to FOI requests than national intelligence agencies and Bloomberg himself has spent a bit of the city’s money fighting information requests in the city’s courts.)

But this isn’t the nadir of Bloomberg’s attempts to preserve his legacy by obscuring his activities. DNAinfo points out that while many New York City agencies have a variety of potential plans in place to retain and archive agency email…

[T]he city plans to retain the emails of the Administration for Children’s Services, the Department of Buildings, the Law Department, the Office of Collective Bargaining, the Department of Aging, the Office of Administrative Trials and Hearings, the Business Integrity Commission, the Parks Department, the Department of Youth and Community Development, the Department of Probation, the Department of Small Business Services, the Department of Citywide Administrative Services, the Department of Consumer Affairs and smaller agencies.

four agencies conspicuously do NOT:

[T]he city still hasn’t decided whether to preserve the emails of major agencies like the mayor’s office, NYPD, the Department of Education and FDNY, sources said.

No surprises there. The easiest way to avoid potentially embarrassing/damaging info from making its way into the public eye is to a) take official business off official channels and b) let any remaining emails vanish into the memory hole.

The city (read: mayor) only has to hold out for ninety days or so and any potential problems solve themselves. Sure, this may open the city up to litigation somewhere down the line, but that’s a problem for Bloomberg’s successors and underlings to deal with.

Not that Bloomberg’s dickishness isn’t without precedent. Prominent New York politicians have a habit of keeping email archives out of the public’s reach. Rather than add them to the Municipal Archives, local pols have done things like this instead:

Rudy Giuliani… transferred his mayoral papers to a nonprofit he controlled rather than follow the usual protocol of handing them directly to the city’s Municipal Archives.

At the time, Giuliani said he was personally paying for a private archival firm to catalog the documents quickly.

And as for routing around FOIL, Governor Andrew Cuomo reportedly used a personal BlackBerry to punch holes in his paper trail.

Dismaying, but hardly surprising, especially considering Bloomberg’s enthusiasm for protecting those things he holds dear, like himself and his beloved PD. Bloomberg appears to be more than happy to let anything he didn’t run through his personal email address blink out of existence as he steps out the door.

Filed Under: email, freedom of information, mike bloomberg, public information
Companies: bloomberg

MIT Trying To Block The Release Of Aaron Swartz's Secret Service File

from the sharing-of-knowledge dept

It’s not all that uncommon to see government agencies try to refuse to release information that is subject to a Freedom of Information Act (FOIA) request — but to have a non-governmental third party jump into a FOIA request to seek to block the info from being released? That’s pretty damn rare. But it’s happened — and, amazingly, the third party is MIT, a school that is supposedly dedicated to advancing knowledge. Except, apparently, if that knowledge is going to make MIT look bad.

We recently noted that Judge Colleen Kollar-Kotelly had ordered Homeland Security to release the Secret Service file on Aaron Swartz that had been requested by Wired reporter/editor Kevin Poulsen. However, MIT has now stepped into the case trying to block the release of the information. The judge has consented to putting a stay on the initial order until MIT can file its motion.

MIT’s concern — as it was in a separate legal fight concerning releasing the evidence used against Aaron — is apparently that the released documents will reveal which MIT employees helped with the investigation, and that could lead to unwarranted harassment. However, as Poulsen notes, the documents that have already been released have been redacting those names, so it’s unlikely that these further releases would leave those same names unredacted.

The larger issue, however, is that an institute of higher learning, one which supposedly supports information sharing and knowledge transfer, is intervening in a FOIA case to actively support keeping information from the public. This is quite incredible, and a rather shameful move from the MIT administration, following a string of similarly shameful moves having to do with how it handled the Swartz situation from the very beginning. As Poulsen notes, the situation is incredibly rare:

I have never, in fifteen years of reporting, seen a non-governmental party argue for the right to interfere in a Freedom of Information Act release of government documents. My lawyer, David Sobel, has been litigating FOIA for decades, and he’s never encountered it either. It’s saddening to see an academic institution set this precedent.

MIT was one of the first universities to support open online courses. It has a long history of encouraging the open exchange and sharing of knowledge and information. It seems like quite a departure from its history and mission to suddenly focus on trying to increase the government’s secrecy and blocking access to information.

Filed Under: aaron swartz, foia, homeland security, mit, public information

Investigative Journalist Claims Her Public Tweets Aren't 'Publishable;' Threatens To Sue Blogger Who Does Exactly That

from the hubristupidity! dept

Update: In case this isn’t enough, there’s a follow up to this story, as Teri Buhl is apparently not a fan of our writeup.

Choose your battles carefully. This warning/advice is more relevant than ever in an era of instant feedback, social media and thousands of pages of “relevant results” microseconds away. Here’s a small story of how not to deal with a problem caused by your own actions.

Mark Bennett, a Houston criminal defense lawyer, was recently pointed in the direction of a rather inexplicable statement attached to a Twitter profile. Teri Buhl, an investigative journalist specializing in Wall Street, has this wording on her profile page:

A friend of Bennett’s (@gideonstrumpet) asked, “What does that mean?” Buhl replied:

Gideon sensibly replied “ok thanks. I don’t know how you prevent that, though. I could write a post quoting you.”

At this point, Buhl went “legal,” responding that she would sue him because she “stated” her tweets are not “on record comments.” And she certainly could, although one wonders who would take her case. Gideon asked for a few second opinions on the legality of Buhl’s claim, and got answers from these two gentlemen whose names are likely familiar to Techdirt regulars, Marc Randazza and Popehat.

So, we have someone thinking their public tweets are private property, and therefore lawsuit-bait if anyone attempts to “quote” them. While Twitter’s TOS assures users that their Tweets are their property, it’s quite another thing to state something publicly and then claim you don’t want it quoted. Would a retweet be a violation of Buhl’s statement? After all, it’s a “direct quote” originating from another account. What about embedding the tweet? Still a problem? Even if Buhl’s claim wasn’t baseless, she’d still have a hell of a time enforcing it. If you don’t want something you said going public, why on earth would you use a very public platform like Twitter to say it?

It gets uglier from there, though. Buhl decided to continue her legal threats via email shortly after Mark Bennett posted screencaps of her tweets.

This prompted Bennett to do a little digging. For someone who’s so concerned with retaining strict control of her information, Buhl certainly doesn’t seem to mind throwing around other people’s information — even the contents of a teenage girl’s personal journal.

A New Canaan woman police say posted personal and sexually explicit information on Facebook about her boyfriend’s 17-year-old daughter was arraigned Tuesday in state Superior Court on charges of second-degree harassment, second-degree breach of peace and interfering with an officer.

Teri Buhl, 38, of 81 Locust Ave., appeared briefly before Judge Maureen D. Dennis with her lawyer, Christopher W. Caldwell of Norwalk…

Buhl surrendered on Oct. 27 at New Canaan police headquarters after learning that a warrant had been obtained for her arrest. She was released after posting a $5,000 bond.

Here’s how Buhl allegedly set about “publishing” someone else’s much more private “statements:”

A look at the documents that led to the warrant and arrest tells a disturbing story of Web-based strong-arming and privacy invasion from a woman who knew her victim and attempted to disguise her own identity.

New Canaan police Youth Bureau Commander Sgt. Carol Ogrinc said in an affidavit that the girl and her father, Paul Brody, came to police June 24 to report that someone using the name ‘Tasha Moore’ had posted personal notes from the girl’s journal on Facebook.

The girl said she kept the journal in her dresser drawer in her bedroom, and that she wrote the notes shown on Facebook last April. The girl said she had replied to the e-mail address provided by Moore on her Facebook page, and had told Moore to stop posting personal information about her or she would contact police.

Moore reportedly answered that she welcomed the legal action and knew the girl’s father was a corporate lawyer. Moore said she didn’t think the girl would contact police because then her father would find out about the embarrassing information from the journal, according to Ogrinc’s statement.

As Bennett points out, it’s apparently OK to publicly post information from a minor’s personal journal, but not OK to post a public Teri Buhl tweet anywhere else on the internet.

Buhl has finally done what she should have done a long time ago and taken her account private. This will likely be the end of this story as Buhl has probably realized she’s on very shaky ground. (This belated tweet captured via her page at Muck Rack seems to confirm this.)

With a trial date set for March 22nd, she may not have time to fight another legal battle. Not only that, but if she’s going to go after “republishers” like Bennett and Gideon, she’s also going to need to free up time to go after less human foes like favstar, Topsy and yfrog.

Here’s a suggestion: don’t antagonize people by attaching implicit legal threats to your public profile. All it does is attract the kind of attention you don’t want — for instance, another public airing of your alleged illegal actions. It doesn’t win you any new friends or followers and it certainly does very little to raise anyone’s estimation of you. Instead, it makes you look like exactly what you are — someone who’s going to slip into “sue” mode at the drop of a tweet.

Filed Under: agreements, contracts, public information, quoting, teri buhl, tweets