Capitalist Lion Tamer’s Techdirt Profile


About Capitalist Lion Tamer

Techdirt Insider

List of blogs started with enthusiasm, which now mostly lie dormant:

[reserved for future use]

[recently retired]

[various side projects]

Posted on Techdirt - 20 October 2017 @ 7:39pm

NYPD Tells Judge Its $25 Million Forfeiture Database Has No Backup

from the overpriced-by-at-least-$25-million dept

The NYPD is actively opposed to transparency. It does all it can to thwart outsiders from accessing any info about the department's inner workings. This has led to numerous lawsuits from public records requesters. It has also led to a long-running lawsuit featuring the Bronx Defenders, which has been trying to gain access to civil forfeiture documents for years.

The NYPD has repeatedly claimed it simply cannot provide the records the Bronx Defenders (as well as other records requesters) have requested. Not because it doesn't want to, even though it surely doesn't. But because it can't.

The department has spent $25 million on a forfeiture tracking system that can't even do the one thing it's supposed to do: track forfeitures. The Property and Evidence Tracking System (PETS) is apparently so complex and so badly constructed, the NYPD can't compile the records being sought.

Oddly enough, the Bronx Defenders has pieced together enough data from the NYPD's broken PETS (along with other public records) to at least point out the glaring discrepancy between what the department publicly claims it has in its forfeiture accounts and what the database says it does.

At the hearing, the NYPD claimed that it only legally forfeited $11,653 in currency last year — that is, gone to court and actually made a case as to why the NYPD should be taking this money.


In the accounting summaries which the Bronx Defenders submitted as part of its testimony, the NYPD reports that as of December 2013, its property clerk had almost $69 million in seized cash on hand. This amount had been carried over from previous years, showing an annual accumulation of seized cash that has reached an enormous amount. The documents also show that each month, the five property clerk’s offices across the city took in tens of thousands of dollars in cash, ultimately generating over $6 million in revenue for the department.

When pressed in court, NYPD experts claim the NYPD lacks the expertise to extract the sought data from its forfeiture database. These assertions are at odds with the NYPD's self-perception: that it is the fastest and smartest law enforcement agency in the US (better than the FBI, in fact) and foreign governments should be grateful its officers and analysts are showing up uninvited at scenes of overseas terrorist attacks.

Somehow, these highly-trained officers are unable to extract data from a $25 million database. Maybe it's not the lack of talent. Maybe it's the lack of desire. Maybe the NYPD has zero interest in tracking this data because it doesn't want the public to see how much it has hoovered up or make it any easier for citizens to challenge forfeitures.

The lawsuit continues, with the NYPD continuing to top itself with each round of expert testimony. As Adam Klasfeld reports for Courthouse News, the NYPD's $25 million database is worth even less than previously assumed.

New York City is one power surge away from losing all of the data police have on millions of dollars in unclaimed forfeitures, a city attorney admitted to a flabbergasted judge on Tuesday.

“That’s insane,” Manhattan Supreme Court Judge Arlene Bluth said repeatedly from the bench.

It is insane. There's no way around it. The assumption would be that a $25 million database has built-in redundancy. But of course it wouldn't. Not with the NYPD running it and not with its active disinterest in providing records to records requesters or having any accountability present in its forfeiture system.

And why should the NYPD fix it? From its perspective, this is fine. Data goes in and never comes out. If it all disappears because someone trips over the power cord, the NYPD suffers no negative consequences. Everything it has taken over the years defaults to the NYPD until proven otherwise by claimants. And that's going to be a lot tougher to do when the NYPD has no records related to the forfeiture.

The court is in no position to do anything about this. It can't order the NYPD to fix its system. All it can do is demand it comply with records requests and pay the legal fees of prevailing parties. But the NYPD can continue to run a useless system for the rest of whatever. The burden of proof in forfeiture cases is already shifted to claimants. A broken system places even more of a burden on those seeking return of their property, thanks to PETS being unable to confirm or deny existence of responsive records. It's GlomarDb and it makes a mockery of public records laws and due process simultaneously.


Posted on Techdirt - 20 October 2017 @ 9:23am

Lawyers: Trump's Twitter Account Not Presidential; Also: Trump Is President, Can't Be Sued

from the block-chain dept

A lawsuit filed against President Trump alleges a host of First Amendment violations stemming from Trump's Twitter blocklist. According to the suit filed by the Knight First Amendment Institute at Columbia University, an official government account shouldn't be allowed to block users from reading tweets. Sure, there's an actual official presidential Twitter account, but nothing of interest happens there. Everything from retweets of questionable GIFs to arguable threats of nuclear war happens at Donald Trump's personal account. But everything's all mixed together because the president insists on using his personal account (and its blocklist) to communicate a majority of his thoughts and opinions.

The government's lawyers are now forced to defend the president (and his blocklist) from these allegations. It's not an easy job. In fact, as Alison Frankel reports, it requires a significant amount of cognitive dissonance.

First, the government has argued the Twitter account President Trump uses most is not a publicly-owned (read: government) Twitter account.

The brief’s primary argument is that @realdonaldtrump is not a public forum. It’s a private platform governed by the rules of a private company, the Justice Department said. The president opened his account before he was an elected official, the brief said, and his continued operation of the account is not a right conferred by his election to the presidency. “The president does not operate his personal Twitter account by virtue of federal law, nor is blocking made possible because the President is clothed in Article II powers,” the brief said.

This makes some sense, even if Trump's use of this account to announce positions on issues and potential government action undermines the "not a public forum" argument. He did have this account prior to the presidency, but perhaps he should have abandoned it for the official presidential account once he took office. Even though this argument is somewhat credible, the next argument from the government almost completely undermines it.

President Trump, in other words, is not flexing his presidential power when he tweets as @realdonaldtrump, according to the Justice Department. But at the same time, Justice argued in the summary judgment brief, the president can’t be sued for posting to his private account because he’s acting as the president.

He's not the president (so to speak) when he tweets from his personal account. But he is the president, so he can't be sued. No matter how many accounts he blocks. The president, according to White House counsel, is able to occupy two states simultaneously thanks to the magical powers of Twitter.

It sounds ridiculous (and it is), but as Frankel points out, seemingly contradictory arguments are made all the time at this point in the pleadings. The judge is the one who decides which arguments move forward -- sometimes even without calling out lawyers for arguing against their own arguments.

Stripping the case of all legalese, the account Trump prefers to use should be considered an official account. And if it's an official account, Trump needs to lay off the "block" button. You can't force citizens to jump through hoops to view proclamations made in a de facto public square. Even if Trump can't be sued, he should at least lift the blocks. It's not very presidential to pointedly lock certain people out of public discussions.


Posted on Techdirt - 20 October 2017 @ 3:23am

Seeking To Root Out Leakers, The Intelligence Community Is Destroying Official Routes For Whistleblowers

from the ensuring-there's-only-one-way-out dept

The Trump Administration is continuing its war on leakers. It's probably meant to keep whistleblowers at bay as well. This isn't necessarily a trait unique to Trump's White House. There really hasn't been a whistleblower-friendly administration in pretty much ever, but this particular administration has been awash in leaked documents, each one prompting more severe crackdowns.

But it's going to come to a head at the national security level. The "Intelligence Community" -- sixteen agencies participating and partaking in intelligence analysis and collection under the Office of the Director of National Intelligence -- is basically ousting its internal oversight. Jenna McLaughlin, writing for Foreign Policy, has the details.

[Dan] Meyer, whose job is to talk to intelligence community whistleblowers, can no longer talk to whistleblowers. He has been barred from communicating with whistleblowers, the main responsibility of his job as the executive director for intelligence community whistleblowing and source protection. He is currently working on an instructional pamphlet for whistleblowers, and he will have no duties to perform after he’s completed that work.

He can also no longer brief the agencies or the congressional committees on his work as he’s done in the past, send out his whistleblower newsletter, or conduct outreach. And he has no deputy or staff.

This is the end result of internal struggles and the continual sidelining of the so-called "proper channels." They weren't worth much when Snowden decided to leak. They were relatively worthless when others leaked documents years before Snowden began changing the intelligence community from the far outside. And if they were ever going to be worth anything, that effort has been derailed in favor of hunting down leakers.

This is incredibly stupid. If the administration wants to stop leaks, one of the better tools is proper channels that actually work -- ones that get results and shield whistleblowers from retaliation. Instead, intelligence officials have decided leaking and whistleblowing are pretty much the same thing and have headed off attempts to build an official whistleblowing outfit worth a damn.

What's being ousted, bit by bit, is the IC's Inspector General's office. Elimination of whistleblower outlets may only be part of the plan. Once rendered toothless, it may be prevented from performing other oversight duties. But the war on leakers starts where it always starts: with whistleblowers. If the Inspector General's office is completely neutralized, the only option will be leaking, not exactly the best news for this particularly sieve-like administration.


Posted on Techdirt - 19 October 2017 @ 12:04pm

Government Drops Its Demand For Data On 6,000 Facebook Users

from the sunlight-disinfectant dept

It's amazing what effect a little public scrutiny has on government overreach. In the wake of inauguration day protests, the DOJ started fishing for information from internet service providers. First, it wanted info on all 1.2 million visitors of a protest website hosted by DreamHost. After a few months of bad publicity and legal wrangling, the DOJ was finally forced to severely restrict its demands for site visitor data.

Things went no better with the warrants served to Facebook. These demanded a long list of personal information and communications from three targeted accounts, along with the names of 6,000 Facebook users who had interacted with the protest site's Facebook page. Shortly before oral arguments were to be heard in the Washington DC court, the DOJ dropped its gag order.

The last minute removal of the gag order appears to have been done to avoid the establishment of unfavorable precedent. It looks like the government perhaps has further concerns about precedential limitations on warrants served to service providers. As Kate Conger reports for Engadget, the DOJ has decided to walk away from this particular warrant challenge.

In a court hearing today, the Department of Justice dropped its request for the names of an estimated 6,000 people who “liked” a Facebook page about an Inauguration Day protest, the American Civil Liberties Union said. The ACLU challenged several warrants related to protests against President Trump’s inauguration on Friday, one of which included the search, claiming they were over-broad.

The ACLU notes the judge seemed sympathetic to allegations of overreach. In response, the government has apparently reduced its demands to info from two arrested protestors' accounts and further limited the date range from which data is sought.

This isn't a good look for the government. Dropping demands before an order has been issued indicates the DOJ had some idea its demands were too broad. It also shows the government will make concessions, rather than risk adverse rulings.

Then there's the whole issue of seeking personal information on protesters. This sort of thing creates a very real chilling effect by threatening to turn over personal information to the same entity the protesters were protesting. Fortunately, the government has walked back most of its demands in both cases.


Posted on Techdirt - 19 October 2017 @ 6:21am

UK Gov't Considering Redefining Social Media Services As Publishers To Make It Easier To Control Them

from the failing-upward dept

Like seemingly every other government on the planet, the UK government wants internet companies like Google and Facebook to do more. Everyone has an axe to grind, whether it's not enough censorship, or the wrong kind of censorship, or the innate desire to hold companies accountable for the actions of their users. The voluntary moderation efforts made by these platforms always fall short of politicians' ideals. These legislators believe -- without evidence -- that perfectly moderated services are just a couple of button pushes away.

Because the things governments complain about are actually the words and deeds of users -- rather than the companies themselves -- pushes for "more" have limited effect. This doesn't make governments happy. This is a "problem" that needs "solving," apparently. And officials in the UK think they have an answer. They'll just arbitrarily redefine services until they're more easily pushed around.

Karen Bradley, the culture secretary, has said the government is considering changing the legal status of Google, Facebook and other internet companies amid growing concerns about copyright infringement and the spread of extremist material online.

The internet groups are considered conduits of information rather than publishers under UK law, meaning they have limited responsibility for what appears on their sites.

However, the chairman of the media regulator Ofcom said on Tuesday she believed the likes of Google and Facebook were publishers, raising the prospect that they could eventually face more regulation.

Before we delve into the bullshit that is redefining tech companies for easier regulation, let's take a look at the activities the UK government is treating as equals: terrorism and copyright infringement. Tell me that's not screwed up. I understand the government can be concerned about multiple online issues simultaneously, but while it may be conceivable the use of social media platforms by terrorists necessitates closer government scrutiny, mentioning infringement in the same breath cheapens the entire argument. It immediately makes it clear the endgame isn't curbing murderous acts that kill and injure dozens of people, but regulation of any sort of internet activity the government finds bothersome.

This is the slippery slope, delivered by a government official in a single sentence. Terrorism concerns make it easy to diminish freedoms and expand governmental control of communication services. Once it's set in motion, it remains in motion, moving from great evils like terrorism to comparatively minor quibbles like file sharing -- an activity that has yet to kill anyone. One is an existential threat. The other threatens nothing more than incumbents and their business models. Bradley's comment strongly suggests her ear's been bent nearly to the point of removal by entertainment lobbyists.

Moving beyond that, there's the problem with redefinition. You can't call a cat a dog just because more people register dogs than cats and you want to see that revenue stream increased. You can't call third parties publishers just because it makes it easier to hold them accountable for the actions of their users. If you head down this path, you invite every special interest group with a complaint about the internet to treat service providers as publishers. In short, you're asking to rain down litigation hell on tech companies with the end result being fewer services available for internet users.

If there's an upside, it's that the culture secretary views this definition shift as problematic.

I am looking into this. I am not sure the publisher definition in UK law would necessarily work in the way that people would like it to work. I think it would end up being very restrictive and make the internet not work in the way we want it to work.

But Bradley also wants the UK to be the "safest place to be online." It's hard to maintain a "free vibrant internet" while clamping down on everything the UK government considers to be dangerous. Website blocking by UK service providers already creates something far less free and vibrant than can be found elsewhere, and yet, it hasn't done much to make the UK much safer online, much less IRL.

Bradley may be hesitant to throw a different label on social media services, but the UK government as a whole hasn't exactly been shy about creating an AOL-esque Wee Britain online -- something that chills speech and deprives UK citizens of sources of information.


Posted on Techdirt - 18 October 2017 @ 3:35pm

Supreme Court Agrees To Hear Case Involving US Demands For Emails Stored Overseas

from the spending-locally,-thinking-globally dept

The Supreme Court has granted the government's request for review of the Second Circuit Appeals Court's decision finding Microsoft did not have to turn over communications stored overseas in response to US-issued warrants.

This is a pretty quick turnaround as far as tech issues go. The Supreme Court is finally willing to take a look at the privacy expectation of third party phone records (specifically: historical cell site location info), following years of courtroom discussion... which follow years of Third Party Doctrine expansion.

That being said, a resolution of sorts is needed to clarify the reach of US law enforcement going forward. The Second Circuit twice shut down the DOJ's requests to extend its reach to offshore servers. Even as the Microsoft case was still being litigated, other courts were coming to contrary decisions about data stored overseas.

The target in these cases was Google. Google's data-handling processes contributed to the adverse rulings. Unlike Microsoft -- which clearly delineated foreign data storage -- data and communications handled by Google flow through its servers constantly. Nothing truly resides anywhere, a fact the DOJ pressed in its arguments and the one two judges seized on while denying Google's warrant challenges.

The Supreme Court's ruling will be needed to tie these disparate decisions up into a cohesive whole.

Or not. Rule 41 changes that went into effect at the beginning of this year remove a lot of jurisdictional limitations on search warrants. On top of that, the DOJ has been angling for expanded overseas powers, pushing Congress towards amending the Stored Communications Act.

This, of course, is what the Second Circuit Appeals Court told the government to do: take it up with legislators. But if litigation is a slow process, legislation can be just as time-consuming. The DOJ wants permission now and the Supreme Court gives it the best chance of being allowed to grab communications stored outside of the United States using a warrant signed by a magistrate judge anywhere in the US.

In the meantime, the DOJ will continue to pursue amendments to the Stored Communications Act -- a law it's already taken advantage of, thanks to it being outdated almost as soon as it was implemented. Further rewriting of the law in the DOJ's favor would allow US law enforcement to become the world's police, serving warrants in the US to gather documents stored around the globe.

While this may seem like a boon to law enforcement, it should be approached with extreme caution. If this becomes law (rather than just a precedential court decision) the US government should expect plenty of reciprocal demands from other countries. This would include countries with far worse human rights records and long lists of criminal acts not recognized in the US (insulting the king, anyone?). The US won't be able to take a moral or statutory stand against demands for US-stored communications that may be wielded as weapons of censorship or persecution against citizens in foreign countries. Whoever ends up handing down the final answer -- the Supreme Court or Congress -- should keep these implications in mind.


Posted on Techdirt - 18 October 2017 @ 9:33am

Use A Landline To Talk About Criminal Activity? The Government Can Seize The House Around It

from the extreme-home-takeover dept

The Intercept has obtained a leaked asset forfeiture guide for seizures performed by ICE. (It has, unfortunately, chosen not to share the original document. Then again, the last non-Snowden leak it published appears to have helped out the document's source.)

For those familiar with the process of civil asset forfeiture, the contents of the guide are mostly unsurprising. Despite the document dating back to 2010, ICE did confirm the version seen by The Intercept is its most recent guidance. ICE is allowed to seize property without bringing charges or securing convictions -- something still permitted by federal law (your state laws may vary) and greatly encouraged by the new head of the DOJ, Jeff Sessions.

What is surprising about the document is how much emphasis is placed on the seizure of real estate. As Ryan Devereaux and Spencer Woodman point out, ICE's forfeiture teams are pretty much property flippers, albeit ones working with the undeniable advantage of making zero initial investment.

Much of the handbook is devoted to describing the process of seizing real estate — homes, farms, and businesses — and it is in these pages that the dual priorities of financial gain and law enforcement objectives become most apparent. While the handbook contains little discussion on how to utilize asset forfeiture to maximize crime-fighting outcomes, there is extensive discussion of how agents should painstakingly determine whether a property is valuable enough to make seizure worthwhile.


More than a dozen pages of the document describe an important — if perhaps surprising — role of AIRG agents: as real estate appraisers. Using the example of “houses used to store narcotics or harbor illegal aliens,” the manual walks agents through a comprehensive process of assessing homes and landed properties to determine the financial appeal to ICE of acquiring such real estate.

If ICE can obtain a warrant to search the property it plans to seize, it will usually send a private real estate appraiser along during the search. AIRG [Asset Identification and Removal Group] agents apparently ballpark property values using public databases -- something that tells ICE whether or not it should move forward with the forfeiture.

As is the case in most civil forfeiture operations, the connecting tissue of criminal activity doesn't need to be much more than gossamer-thin.

The manual instructs agents seeking to seize a property to work with confidential informants, scour tax records, and even obtain an interception warrant to determine whether “a telephone located on the property was used to plan or discuss criminal activity” in order to justify seizing the property.

You would think the phone would be the "guilty" property -- at least as far as you can follow forfeiture's twisted logic. Apparently not. According to ICE's guidance, the entire house around the landline is equally culpable.

The handbook also points out civil forfeiture is preferable to criminal forfeiture, thanks to its general disdain for due process. The key factor is the conviction itself -- something you'd think a law enforcement agency would value over seized property. In criminal proceedings, seized property is generally returned if the charges don't stick. Not so with civil forfeiture. ICE's guidance says when in doubt, go civil. That way the agency may still keep something, even if the alleged perp goes free.

ICE is by far the biggest contributor to the DHS's total forfeiture take. This can be expected to grow with the new administration's intense focus on illegal immigration. As with any government program experiencing sudden growth, one can expect an exponential leap in abuse.


Posted on Techdirt - 17 October 2017 @ 3:49pm

Fired Cop's Attorney Argues His Client Is Being Punished Unfairly Because The Public Got To See His Misconduct

from the but-for-self-inflicted-video dept

A little over a month ago, body cam footage of a police officer trying to bully a nurse into breaking the law went viral. Salt Lake City police detective Jeff Payne wrapped up his failed intimidation attempt by arresting nurse Alex Wubbels for following her hospital's policy on blood draws. If there are no exigent circumstances and the person is not suspected of criminal activity, police need a warrant to draw blood.

None of those factors were present when Detective Payne demanded the hospital draw blood from an accident victim. The victim was, in fact, a reserve police officer from an Idaho law enforcement agency, who had been hit head-on by a fleeing suspect. This officer later died from his injuries. He was in a coma when Detective Payne began demanding the hospital hand over some blood, obviously in no condition to consent to the search.

The entire bodycam video of the incident can be seen below.

Payne argued, after being fired for violating department blood draw policies (and for violating a Supreme Court decision, but Payne isn't expected to know the laws directly affecting his position on the PD's blood draw team), he arrested Wubbels because he "didn't want to create a scene" in the emergency room. If he hadn't arrested her, or demanded she violate both the law and hospital policy, there would have been no scene to be concerned about.

Instead, Payne thought he could intimidate his way through this. Now he's out of a job and attempting to sue his way back in. (Side note: Payne also lost his moonlighting gig as a paramedic as the body cam footage also caught him saying he would start routing "good patients" to another hospital and bring Wubbels' ER "transients.")

His lawyer is making a hell of an argument: Payne was unfairly fired because the public saw him violating department policies.

Attorney Greg Skordas, who represents Payne, said his client plans to appeal a firing he considers unfair and over the top. Skordas said Payne would still be employed if the body camera footage hadn't generated so much attention and blown the events out of proportion.

There are (at least) two ridiculous implications contained in this statement.

First is the implication that the only "proper" investigation is one that clears the officer of wrongdoing and/or results in the most minimal of discipline. The second follows the first: Skordas is basically affirming law enforcement agencies rarely hand out proportionate discipline unless forced to by public outcry. Neither is a good look for Skordas, his client, or his former employer.

The internal investigation reached the same conclusions anyone would have after viewing the body camera footage: both Payne and his supervisor, Lt. James Tracy, acted in bad faith during the incident, using both intimidation and a profound -- perhaps even deliberate -- misconstruing of applicable laws in hopes of taking blood from an accident victim (and fellow police officer).

Beneath Skordas' argument is another ugly assertion: his client feels he's being unfairly treated because a police camera captured him behaving exactly the way he behaved when he arrested a nurse for following hospital policy and a Supreme Court decision. Detective Payne deprived someone of their liberty -- albeit briefly -- for daring to stand up for the rights of her patient. That's about as ugly as it gets.


Posted on Techdirt - 17 October 2017 @ 10:45am

ICE Now Calling Aiding Unaccompanied Minors 'Human Trafficking' To Bypass Sanctuary City Laws

from the offline-SESTA-ing dept

In the name of fighting sex trafficking, legislators are willing to make the internet mostly worthless. Punching a hole in Section 230 protections will encourage incumbents to limit user participation and prevent startups from ever making it off the ground. Proponents claim it's narrowly-targeted and abuse-proof, but the language would allow any service provider to be held accountable for the criminal actions of users. If traffickers can't use Facebook or Google thanks to heavier moderation, they'll move on to other websites and services until those too are rendered useless by government action.

Part of the problem with legislation like this is mission creep. It may start with sex trafficking, but it will inevitably be expanded to cover other illicit content. And sex trafficking itself is its own dodge. All the government has to do is claim something is trafficking and the hammer begins to fall.

This is because the term leaves no room for intelligent conversations. Proponents know people aren't likely to speak up against efforts to fight sex trafficking, especially when they point out this sometimes includes children. It becomes a governmental blank check for enforcement action -- something that deters questioning of the government's activities, much in the way the term "national security" has limited legislative and judicial discussion about surveillance overreach.

A recent raid by ICE in Oakland, California, appears to have been carried out under false pretenses: a bog standard immigration enforcement action masquerading as a human trafficking investigation.

Following a controversial Aug. 16 raid of a West Oakland home by Immigration and Customs Enforcement agents, Oakland Police Chief Anne Kirkpatrick said repeatedly that the operation was part of a criminal human trafficking investigation. She also asserted that OPD did not violate Oakland's sanctuary city policy by assisting ICE — by providing several patrol officers to block off the street during the raid — because it was a criminal, not civil immigration matter.

Sounds ominous. But the paper trail undermines the official narrative.

But according to evidence presented by Oakland Privacy Advisory Commission Chair Brian Hofer at the commission's meeting last week, the raid hasn't resulted in a single criminal prosecution. Rather, the only person arrested, Santos de Leon, is facing civil immigration charges and could be deported.

This is generating controversy because it appears Oakland police violated the city's sanctuary statutes by providing assistance to ICE in routine immigration enforcement efforts. But that's not the only reason it's controversial. It appears ICE is using loaded language to redefine activities performed by citizens aiding stranded children.

Immigration advocates are worried that the West Oakland raid could be an example of a new and troubling trend: ICE has recently begun to classify the act of providing shelter and other assistance to unaccompanied minors who recently immigrated to the United States as "human trafficking," and is charging adults, often close family members, with the crime.

When someone refers to a bill containing massive collateral damage as "narrowly targeted," they're either being ignorant or disingenuous. No one knows how to exploit legislation better than government agencies, and ICE calling acts of aid "human trafficking" (or "sex trafficking," according to the Oakland PD police chief) allows it to utilize local law enforcement and bypass local restrictions.

This is an IRL example of the exploitability of the terminology tied to SESTA. It's apparently being abused to allow local law enforcement agencies to violate local laws. Letting legislation like SESTA loose on the internet will result in similar abusive acts, accelerating mission creep's inevitable advance.


Posted on Techdirt - 17 October 2017 @ 3:13am

The Cyber World Is Falling Apart And The DOJ Is Calling For Weakened Encryption

from the better-for-cops,-worse-for-everyone-else dept

It seemed like the (mostly) one-man War on Encryption had reached a ceasefire agreement when "Going Dark" theorist James Comey was unceremoniously ejected from office for failing to pledge allegiance to the new king president. But it had barely had time to be relegated to the "Tired" heap before Deputy Attorney General Rod Rosenstein resurrected it.

Rosenstein has been going from cybersecurity conference to cybersecurity conference raising arguments for encryption before dismissing them entirely. His remarks have opened with the generally awful state of cybersecurity at both the public and private levels. He says encryption is important, especially when there are so many active security threats. Then he undermines his own arguments by calling for "responsible encryption" -- a euphemism for weakened encryption that provides law enforcement access to locked devices and communications on secured platforms.

Considering recent events, this isn't the direction the DOJ should be pushing. Russian hackers used a popular antivirus software to liberate NSA exploits from a contractor's computer. Equifax exposed the data of millions of US citizens who never asked to be tracked by the service in the first place. Yahoo just admitted everyone who ever signed up for its email service was affected by a years-old security breach. Ransomware based on NSA malware wreaked havoc all over the world. These are all issues Rosenstein has touched on during his remarks. But they're swiftly forgotten by the Deputy Attorney General when his focus shifts to what he personally -- representing US law enforcement -- can't access because of encryption.

DAG Rosenstein needs to pay more attention to the first half of his anti-encryption stump speeches, as Matthew Green points out at Slate:

[A]ny technology that allows U.S. agencies to lawfully access data will present an irresistible target for hackers and foreign intelligence services. The idea that such data will remain safe is laughable in a world where foreign intelligence services have openly leveraged cyberweapons against corporate and political targets. In his speech, Rosenstein claims that the “master keys” needed to enable his proposal can be kept safe, but his arguments are contradicted by recent history. For example, in 2011 hackers managed to steal the master keys for RSA’s SecurID authentication product—and then used those keys to break into a slew of defense contractors. If we can’t secure the keys that protect top-secret documents, it’s hard to believe we’ll do better for your text messages.

Rosenstein is steering everyone towards his new term "responsible encryption" but there's nothing responsible about creating a set of encryption keys for lawful access. It may not necessarily be a backdoor -- a term Rosenstein is trying hard to distance himself from -- but it is a hole that wouldn't otherwise exist. And if keys are created and stored by manufacturers and platform providers, the chance malicious hackers can find them will always remain above 0%.


Posted on Techdirt - 16 October 2017 @ 7:36pm

Court Tells Sheriff's Dept. Shackling Kids Above The Elbows Is Excessive Force

from the no-longer-enough-to-be-simply-inept;-one-must-also-be-brutal dept

You wouldn't think it would take a federal court decision to make this clear, but here we are.

A school resource officer in Kentucky who handcuffed young children acted unreasonably and violated the children's constitutional rights, a federal judge ruled this week.

Two children, ages 8 and 9, were handcuffed by Kevin Sumner, a school resource officer with Covington Independent Public Schools. They were cuffed behind their backs, and the cuffs were placed above their elbows because the restraints would have slipped off their wrists. Video of the handcuffing of the 8-year-old went viral after it was made public by the American Civil Liberties Union in 2015.

The ruling [PDF] restates common sense, albeit in 33 pages of legalese. It is excessive force to restrain preteens who weigh less than 60 lbs. with handcuffs meant to keep full-grown adults from moving their arms. The procedural history notes school personnel are forbidden from using mechanical restraints on students by state law. This law, however, does not forbid law enforcement officers from using handcuffs on students.

In both cases, the students cuffed by a sheriff's deputy had been combative. School personnel turned both students over to the SRO once it became obvious they would not be able to calm the students down. The combativeness didn't stop once the deputy entered the picture. These would appear to be arguments in the deputy's favor but only if other factors weren't considered -- like the students' ages and sizes. Both children also suffered from behavioral disorders.

Nonetheless, this is what happened once Deputy Kevin Sumner took control of the situation:

Sumner handcuffed S.R. behind his back, placing the cuffs on S.R.’s biceps above the elbows. The video shows that S.R.’s arms are pulled tightly behind his back with what appears to be only approximately three or four inches between his elbows. Sumner testified that he checked the handcuffs for tightness and that, since the chain connecting the handcuffs was nearly as long as the width of S.R.’s body, he had no reason to believe it would cause him pain. The video clearly demonstrates, however, that the chain is not nearly as wide as S.R.’s body, and that his arms are extremely taut.


Sumner pulled L.G. off of Craig and tried to hold her physically for a few minutes, but she continued the same behavior. Sumner told L.G. that if she did not stop, he would handcuff her. L.G. continued to kick and hit, and Sumner placed her in handcuffs, above her elbows behind her back. Assistant Superintendent Wilkerson contacted L.G.’s mother, who came to school to get her. Her mother testified that when she arrived, L.G. was on her knees and Sumner was holding her arms up behind her above her head. Sumner then removed the handcuffs.

Sumner tried to argue the handcuffing was permitted because state law exempted law enforcement officers from the restriction on restraint methods. The court says that's all well and good, but it doesn't change the outcome. No matter which "hat" -- school personnel or law enforcement officer -- Sumner was wearing, the force used was excessive.

Applying the Graham factors, the severity of the “crime” committed by S.R. and L.G. — assault — weighs in their favor. While S.R. kicked a teacher and L.G. tried to and/or did hit a teacher, these are very young children, and their conduct does not call to mind the type of “assault” which would warrant criminal prosecution. Indeed, Sumner testified that “none of what they did was worthy of trying to file a criminal charge.”

The second factor, whether the children posed an immediate threat to themselves or others, weighs in S.R.’s favor. At the time he was handcuffed, S.R. had largely calmed down, Sumner had escorted him to the restroom without incident, and they had returned to the office. While Sumner testified that S.R. swung his elbow towards Sumner, such can hardly be considered a serious physical threat from an unarmed, 54-pound eight-year-old child.

This factor weighs less in favor of L.G., who was engaging in more physical abuse towards her teachers and Sumner. Nonetheless, the age and stature of these children is highly relevant to this analysis.

Even if the cuffing were deemed appropriate, the method deployed by Sumner was not.

Finally, the method of handcuffing that Sumner employed leads this Court to conclude that his actions were unreasonable and constituted excessive force as a matter of law. The video of S.R. shows that his arms were pulled tightly behind him, with only inches between his elbows. While Sumner testified that the chain between the cuffs was as wide as S.R.’s torso, the video belies that assertion. Where a witness’s version of the facts “cannot be countenanced based upon what the video shows,” the Court must adopt the video as fact.

Upon being cuffed in this manner, S.R. cried out, “Ow, that hurts.” It was thus immediately apparent that this method — which, it is undisputed, was the same method by which L.G. was cuffed — was causing pain. S.R. was left in this position to cry and squirm for fifteen minutes.

And there was no one willing to back up Sumner's claims the cuffing method was common or inexcessive -- not even those testifying on behalf of the deputy.

Plaintiff’s handcuffing expert, Robert Rail, testified that he does not know of any police instructor in the United States who would allow the elbow cuffing of children such as was used on S.R. and L.G., nor does he know of any program that teaches that method. (Rail Depo. 109-10).

Even defendants’ handcuffing expert, William A. Payne — who has been conducting handcuffing training for law enforcement for over 20 years — testified that he has never trained law enforcement to use handcuffs above the elbow. (Payne Depo. 37, 121). He further testified that he was not aware of any law enforcement agency that trains their officers to use such a technique.

The court finds the cuffing method -- not the cuffing itself -- excessive. Without any prior cases on point, Deputy Sumner is granted qualified immunity because he could not have reasonably known his handcuffing methods were excessive. This is disappointing, but the court has one surprise left. The county that employs Sumner can be held civilly liable for Sumner's actions.

Kenneth Kippenbrock was the SRO Coordinator for the Kenton County Sheriff’s Office at the time of these events. He testified that Sumner’s handcuffing of S.R. and L.G. was consistent with the policy of the sheriff’s department. He also testified that since the SRO program was initiated, more than ten children have been handcuffed by SROs in schools, and it is possible that the number is more than twenty-five.

Kenton County Sheriff Korzenborn also testified that Sumner acted in accordance with all applicable Kenton County policies in handcuffing S.R. and L.G. He has never asked Sumner whether Sumner has ever handcuffed other elementary children in the district, and he is not interested in knowing how often his deputies handcuff school children. Handcuffing children above their elbows behind their back is acceptable practice by his deputies.


Korzenborn further testified that he was not familiar with the Kentucky Administrative Regulations regarding the use of mechanical restraints in schools.


Korzenborn has not implemented any changes in the training of his SROs since these incidents.

Given this undisputed testimony, Kenton County is liable as a matter of law for Sumner’s unlawful handcuffing of S.R. and L.J.

School resource officers won't be able to handcuff students the same way in the future and expect to walk away from resulting civil lawsuits. The unanswered question -- is it ever appropriate to handcuff pre-teens on a school campus -- remains open. But the message sent here is pretty straightforward: there's almost zero chance the court will find it acceptable to use adult handcuffs on children, because the only way to keep them on tiny bodies is to deploy them in a fashion that is excessive in nature.


Posted on Techdirt - 16 October 2017 @ 10:44am

White House Cyber Security Boss Also Wants Encryption Backdoors He Refuses To Call Backdoors

from the torturing-words dept

Deputy Attorney General Rod Rosenstein recently pitched a new form of backdoor for encryption: "responsible encryption." The DAG said encryption was very, very important to the security of the nation and its citizens, but not so important it should ever prevent warrants from being executed.

According to Rosenstein, this is the first time in American history law enforcement officers haven't been able to collect all the evidence they seek with warrants. And that's all the fault of tech companies and their perverse interest in profits. Rosenstein thinks the smart people building flying cars or whatever should be able to make secure backdoors, but even if they can't, maybe they could just leave the encryption off their end of the end-to-end so cops can have a look-see.

This is the furtherance of former FBI director James Comey's "going dark" dogma. It's being practiced by more government agencies than just the DOJ. Calls for backdoors echo across Europe, with every government official making them claiming they're not talking about backdoors. These officials all want the same thing: a hole in encryption. All that's really happening is the development of new euphemisms.

Rob Joyce, the White House cybersecurity coordinator, is the latest to suggest the creation of encryption backdoors -- and the latest to claim the backdoor he describes is not a backdoor. During a Q&A at Cyber Summit 2017, Joyce said this:

[Encryption is] "definitely good for America, it's good for business, it's good for individuals," Joyce said. "So it's really important that we have strong encryption and that's available."

Every pitch against secure encryption begins exactly like this: a government official professing their undying appreciation for security. And like every other pitch, the undying appreciation is swiftly smothered by follow-up statements specifying which kinds of security they like.

"The other side of that is there are some evil people in this world, and the rule of law needs to proceed, and so what we're asking for is for companies to consider how they can support legal needs for information. Things that come from a judicial order, how can they be responsive to that, and if companies consider from the outset of building a platform or building a capability how they're going to respond to those inevitable asks from a judge's order, we'll be in a better place."

In other words, Joyce loves the security encrypted devices provide. But he'd love them more if they weren't quite so encrypted. Perhaps if the manufacturers held the keys… The same goes for encrypted communications. Wonderful stuff. Unless the government has a warrant. Then it should be allowed to use its golden key or backdoor or whatever to gain access.

Once again, a government official asks for a built-in backdoor, but doesn't have the intellectual honesty to describe it as such, nor the integrity to take ownership of the collateral damage. Neither the White House nor Congress seems interested in encryption bans or mandated backdoors. The officials talking about the "going dark" problem keep hinting tech companies should just weaken security for the greater good -- with the "greater good" apparently benefiting only government agencies.

This way, when everything goes to hell, officials can wash their hands of the collateral blood because there's no mandate or legislation tech companies can point to as demanding they acquiesce to the government's desires. Officials like Joyce and Rosenstein want all of the access, but none of the responsibility. And every single person offering these arguments thinks the smart guys should do all the work and carry 100% of the culpability. Beyond being stupid, these arguments are disingenuous and dangerous. And no one making them seems to show the slightest bit of self-awareness.


Posted on Techdirt - 16 October 2017 @ 6:12am

DOJ Continues Its Push For Encryption Backdoors With Even Worse Arguments

from the let-us-save-you-from-your-security dept

Early last week, the Deputy Attorney General (Rod Rosenstein) picked up the recently-departed James Comey's Torch of Encroaching Darkness +1 and delivered one of the worst speeches against encryption ever delivered outside of the UK.

Rosenstein apparently has decided UK government officials shouldn't have a monopoly on horrendous anti-encryption arguments. Saddling up his one-trick pony, the DAG dumped out a whole lot of nonsensical words in front of a slightly more receptive audience. Speaking at the Global Cyber Security Summit in London, Rosenstein continued his crusade against encryption using counterintuitive arguments.

After name-dropping his newly-minted term -- responsible encryption™ -- Rosenstein stepped back to assess the overall cybersecurity situation. In short, it is awful. Worse, perhaps, than Rosenstein's own arguments. Between the inadvertently NSA-backed WannaCry ransomware, the Kelihos botnet, dozens of ill-mannered state actors, and everything else happening seemingly all at once, the world's computer users could obviously use all the security they can get.

Encryption is key to security. Rosenstein agrees… up to a point. He wants better security for everyone, unless those everyones are targeted by search warrants. Then they have too much encryption.

Encryption is essential. It is a foundational element of data security and authentication. It is central to the growth and flourishing of the digital economy. We in law enforcement have no desire to undermine encryption.

But “warrant-proof” encryption poses a serious problem.

Well, you can't really have both secure encryption and law enforcement-friendly encryption. Rosenstein knows this just as surely as Comey knew it. That didn't stop Comey from pretending it was all about tech company recalcitrance. The same goes for Rosenstein who, early on in his speech, plays a shitty version of Sympathy for the Tech Devil by using the phrase "competitive forces" as a stand-in for "profit seeking" when speaking about the uptick in default encryption.

The underlying message of his last speech was that American tech companies should spurn profits for helping out the government by unwrapping one end of end-to-end encryption. The same pitch is made here, softened slightly in the lede thanks to the presence of UK tech companies in the audience. The language may be less divisive, but the arguments are no less stupid this time around.

In the United States, when crime is afoot, impartial judges are responsible for balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns. That is how we obtain search warrants for homes and court orders to require witnesses to testify.

Warrant-proof encryption overrides our ability to balance privacy and security. Our society has never had a system where evidence of criminal wrongdoing was impervious to detection by officers acting with a court-authorized warrant. But that is the world that technology companies are creating.

I'm not sure what this "system" is Rosenstein speaks about, but there has always been evidence that's eluded the grasp of law enforcement. Prior to common telephone use, people still communicated criminal plans but no one insisted citizens hold every conversation within earshot of law enforcement. Even in a digital world, evidence production isn't guaranteed, even when encryption isn't a factor.

Going on from there, the rest of the speech is pretty much identical to his earlier one. In other words: really, really bad and really, really wrong.

Rosenstein believes the government should be able to place its finger on the privacy/security scale without being questioned or stymied by lowly citizens or private companies. Even if he's right about that (he isn't), he's wrong about the balance. This isn't privacy vs. security. This is security vs. insecurity. For a speech so front-loaded with tales of security breaches and malicious hacking, the back end is nothing more than bad arguments for weakened encryption -- something the government may benefit from, but will do nothing to protect people from malicious hackers or malicious governments.

All the complaints about a skewed balance are being presented by an entity that's hardly a victim. Electronic devices -- particularly cellphones -- generate an enormous amount of data that's not locked behind encryption. The government can -- without a warrant -- track your movements, either post-facto, or with some creative paperwork, in real time. Tons of other "smart" devices are generating a wealth of records only a third party and a subpoena away. And that's just the things citizens own. This says nothing about the wealth of surveillance options already deployed by the government and those waiting in the wings for the next sell off of civil liberties.

It also should be noted Rosenstein is trying to make "responsible encryption" a thing. He obviously wants the word "backdoor" erased from the debate. While it's tempting to sympathize with Rosenstein's desire to take a loaded word out of the encryption debate lexicon, the one he's replacing it with is worse. As Rob Graham at Errata Security points out, the new term is loaded language itself, especially when attached to Rosenstein's bullshit metric: "measuring success in prevented crimes and saved lives."

I feel for Rosenstein, because the term "backdoor" does have a pejorative connotation, which can be considered unfair. But that's like saying the word "murder" is a pejorative term for killing people, or "torture" is a pejorative term for torture. The bad connotation exists because we don't like government surveillance. I mean, honestly calling this feature "government surveillance feature" is likewise pejorative, and likewise exactly what it is that we are talking about.

Then there's the problem with Rosenstein deploying rhetorical dodges in his discussions about encryption, which presumably include a number of government officials. Alex Gaynor, who worked for the United States Digital Service and participated in the Obama Administration's discussion of potential encryption backdoors, points out Rosenstein's abuse of his position.

Mr. Rosenstein plainly wants to reopen the "going dark" debate that began under the previous administration, spearheaded by FBI Director Jim Comey. While I disagree vehemently with him, it's a valid policy position - and I have every reason to believe him that there are investigations in which encryption does hamper the Justice Department and FBI's ability to investigate. However, he is not entitled to mislead the public in order to make that point. And make no mistake. Attempting to use the spectre of familiar computer security challenges in order to make the argument that his policy is necessary, even though his policy has nothing to do with these challenges, is the height of intellectual dishonesty.

There's an endgame to Rosenstein's dishonest rhetoric. And it won't be tech companies being guilted into participating in his "responsible encryption" charade. It will be backdoors. And they will be legislated.

The Deputy Attorney General says that he is interested in "frank discussion". However, his actual remarks demonstrate he is interested in anything but -- his goal is to secure legislation akin to CALEA for your cellphone, and he doesn't care who he has to mislead to accomplish this. Mr. Deputy Attorney General, I expect better.

This is what the DOJ wants. But Rosenstein is too weak-willed to say it out loud. So he spouts this contradictory, misleading, wholly asinine garbage to whatever audience will have him. Rosenstein is obtuse enough to be dangerous. Fortunately, most legislators (so far) seem unwilling to sacrifice the security of citizens on the altar of lawful access.


Posted on Techdirt - 13 October 2017 @ 1:39pm

DreamHost Wins Challenge Against DOJ's Overbroad Data Demands

from the the-Man-briefly-experiences-having-it-stuck-to-him dept

DreamHost has been fighting the DOJ and its breathtakingly-broad demand for information on all visitors to an anti-Trump website. This has gone on for a few months now, but the origin of the DOJ's interest in the DreamHosted site traces all the way back to protests during Trump's inauguration.

Here's what the DOJ demanded DreamHost hand over:

a. all records or other information pertaining to that account or identifier, including all files, databases, and database records stored by DreamHost in relation to that account or identifier;

b. all information in the possession of DreamHost that might identify the subscribers related to those accounts or identifiers, including names, addresses, telephone numbers and other identifiers, e-mail addresses, business information, the length of service (including start date), means and source of payment for services (including any credit card or bank account number), and information about any domain name registration;

c. all records pertaining to the types of service utilized by the user,

d. all records pertaining to communications between DreamHost and any person regarding the account or identifier, including contacts with support services and records of actions taken.

These demands conceivably applied to every single one of the site's 1.2 million visitors. The DOJ scaled back some of its demands a week later, but also stated its attempt to "converse" (read: talk DreamHost into compliance) had been rebuffed, with the hosting company stating its desire to continue challenging the subpoena.

This demand for information would be in addition to a warrant it served to Facebook, seeking everything ever from the accounts of more than 6,000 users. This was served to Facebook, along with a gag order -- something the DOJ conveniently dropped the night before oral arguments, perhaps sensing it might be in for an unfavorable precedential ruling.

Chief Judge Morin of the DC Superior Court has issued a ruling on the DreamHost-targeting subpoena, and it's good news for everyone but the overreaching DOJ. DreamHost reports on the judge's order:

Under this order, we now have the ability to redact all identifying information and protect the identities of users who interacted with before handing over any data to the court.


We are now required to hand over a drastically reduced amount of data to the government and will redact any identifying information from every scrap of it that relates to non-subscribers.

On top of that, the DOJ will have to submit search protocols and procedures to the court for approval before demanding further site visitor info and limit its requests to info it can show the court is linked to actual criminal activity (violations of DC's rioting statutes). The DC Superior Court will make final determinations on the validity of the government's data requests before any identifying information is released by DreamHost.

As the court notes in its order [PDF], it's not interested in assisting the government with its fishing expeditions.

Because of the potential breadth of the government's review in this case, the Warrant in its execution may implicate otherwise innocuous and constitutionally protected activity. As the Court has previously stated, while the government has the right to execute its Warrant, it does not have the right to rummage through the information contained on DreamHost's website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in protected First Amendment activities.

And this still may not be the end of the DOJ's problems. Even if revised info demands are approved by the court, there are still a handful of potential investigation targets (site visitors and owners) readying their own challenges of the government's data requests. At this point, site visitors who've already attempted to challenge the subpoena obviously don't know if they're actually targeted by the DOJ. The court has dismissed their appeals without prejudice, which will allow them to refile if they make the government's final cut.

This is good news for everyone who avails themselves of third-party services (which is pretty much everybody). A little pushback sometimes goes a long way. Anyone seeking to keep their private info private should be taking note on who's willing to challenge the government's overreach and who's willing to act as little more than a data broker for law enforcement agencies.


Posted on Techdirt - 13 October 2017 @ 10:38am

Another Ridiculous Lawsuit Hopes To Hold Social Media Companies Responsible For Terrorist Attacks

from the from-an-alternate-reality-where-Section-230-doesn't-exist dept

Yet another lawsuit has been filed against social media companies hoping to hold them responsible for terrorist acts. The family of an American victim of a terrorist attack in Europe is suing Twitter, Facebook, and Google for providing material support to terrorists. [h/t Eric Goldman]

The lawsuit [PDF] is long and detailed, describing the rise of ISIS and use of social media by the terrorist group. It may be an interesting history lesson, but it's all meant to steer judges towards finding violations of anti-terrorism laws rather than recognize the obvious immunity given to third party platforms by Section 230.

When it does finally get around to discussing the issue, the complaint from 1-800-LAW-FIRM (not its first Twitter terrorism rodeo…) attacks immunity from an unsurprising angle. The suit attempts to portray the placement of ads on alleged terrorist content as somehow being equivalent to Google, Twitter, et al creating the terrorist content themselves.

When individuals look at a page on one of Defendants’ sites that contains postings and advertisements, that configuration has been created by Defendants. In other words, a viewer does not simply see a posting; nor does the viewer see just an advertisement. Defendants create a composite page of content from multiple sources.

Defendants create this page by selecting which advertisement to match with the content on the page. This selection is done by Defendants’ proprietary algorithms that select the advertisement based on information about the viewer and the content being. Thus there is a content triangle matching the postings, advertisements, and viewers.

Although Defendants have not created the posting, nor have they created the advertisement, Defendants have created new unique content by choosing which advertisement to combine with the posting with knowledge about the viewer.

Thus, Defendants’ active involvement in combining certain advertisements with certain postings for specific viewers means that Defendants are not simply passing along content created by third parties; rather, Defendants have incorporated ISIS postings along with advertisements matched to the viewer to create new content for which Defendants earn revenue, and thus providing material support to ISIS.

This argument isn't going to be enough to bypass Section 230 immunity. According to the law, the only thing social media companies are responsible for is the content of the ads they place. That they're placed next to alleged terrorist content may be unseemly, but it's not enough to hurdle Section 230 protections. Whatever moderation these companies engage in does not undercut these protections, even when their moderation efforts fail to weed out all terrorist content.

The lawsuit then moves on to making conclusory statements about these companies' efforts to moderate content, starting with an assertion not backed by the text of the filing.

Most technology experts agree that Defendants could and should be doing more to stop ISIS from using its social network.

Following this sweeping assertion, two (2) tech experts are cited, both of whom appear to be only speaking for themselves. More assertions follow, with 1-800-LAW-FIRM drawing its own conclusions about how "easy" it would be for social media companies with millions of users to block the creation of terrorism-linked accounts [but how, if nothing is known of the content of posts until after the account is created?] and to eliminate terrorist content as soon as it goes live.

The complaint then provides an apparently infallible plan for preventing the creation of "terrorist" accounts. Noting the incremental numbering used by accounts repeatedly banned/deleted by Twitter, the complaint offers this "solution."

What the above example clearly demonstrates is that there is a pattern that is easily detectable without reference to the content. As such, a content-neutral algorithm could be easily developed that would prohibit the above behavior. First, there is a text prefix to the username that contains a numerical suffix. When an account is taken down by a Defendant, assuredly all such names are tracked by Defendants. It would be trivial to detect names that appear to have the same name root with a numerical suffix which is incremented. By limiting the ability to simply create a new account by incrementing a numerical suffix to one which has been deleted, this will disrupt the ability of individuals and organizations from using Defendants networks as an instrument for conducting terrorist operations.

Prohibiting this conduct would be simple for Defendants to implement and not impinge upon the utility of Defendants sites. There is no legitimate purpose for allowing the use of fixed prefix/incremental numerical suffix name.

Take a long, hard look at that last sentence. This is the sort of assertion someone makes when they clearly don't understand the subject matter. There are plenty of "legitimate purposes" for appending incremental numerical suffixes to social media handles. By doing this, multiple users can have the same preferred handle while allowing the system (and the users' friends/followers) to differentiate between similarly-named accounts. Everyone who isn't the first person to claim a certain handle knows the pain of being second... third… one-thousand-three-hundred-sixty-seventh in line. While this nomenclature process may allow terrorists to easily reclaim followers after account deletion, there are plenty of non-ominous reasons for allowing incremental suffixes.

That's indicative of the lawsuit's mindset: terrorist attacks are the fault of social media platforms because they've "allowed" terrorists to communicate. But that's completely the wrong party to hold responsible. Terrorist attacks are performed by terrorists, not social media companies, no matter how many ads have been placed around content litigants view as promoting terrorism.

Finally, the lawsuit sums it all up thusly: Monitoring content is easy -- therefore, any perceived lack of moderation is tantamount to direct support of terrorist activity.

Because the suspicious activity used by ISIS and other nefarious organizations engaged in illegal activities is easily detectable and preventable and that Defendants are fully aware that these organizations are using their networks to engage in illegal activity demonstrates that Defendants are acting knowingly and recklessly allowing such illegal conduct.

Unbelievably, the lawsuit continues from there, going past its "material support" Section 230 dodge to add claims of wrongful death it tries to directly link to Twitter, et al's allegedly inadequate content moderation.

The conduct of each Defendant was a direct, foreseeable and proximate cause of the wrongful deaths of Plaintiffs’ Decedent and therefore the Defendants’ are liable to Plaintiffs for their wrongful deaths.

This is probably the worst "Twitter terrorism" lawsuit filed yet, but quite possibly exactly what you would expect from a law firm with a history of stupid social media lawsuits and a phone number for a name.

Posted on Techdirt - 13 October 2017 @ 3:23am

Australian Police Ran A Dark Web Child Porn Site For Eleven Months

from the presiding-over-a-period-of-unprecedented-growth dept

Thanks to an investigation by Norwegian newspaper VG, a long-running child porn operation by Australian police has been (inadvertently) uncovered. An IT specialist at VG was monitoring forum activity and only stumbled on law enforcement's involvement by accident.

In comparison to the FBI's takeover of the Playpen site, the Taskforce Argos operation was epic. The FBI held onto the seized Playpen site for only a couple of weeks. The Australian police served as replacement administrators for eleven months.

The government's turn as child porn site administrators began with the arrest of two men in the United States, one of them a Canadian citizen. Both were apparently actively abusing children as well as running the dark web site. According to data gathered by investigators, Childs Play had more than 1 million registered users by the time it was shut down. (Estimates suggest fewer than 5,000 accounts could be considered active, however.) Based on estimates from multiple countries now involved in the law enforcement action, the eleven-month hosting effort has resulted in nearly 1,000 suspects being identified. Some have already been arrested.

The article is worth a read (as is the Guardian's more succinct take), if for no other reason than the sheer amount of detective work performed by a few journalists. The ends are worthy -- the arrest and punishment of child abusers -- but, as in the FBI's child porn operations, the means are highly questionable.

Presumably Australian law enforcement used something similar to the FBI's malware to reveal identifying information about the forum's users. No details have been provided to VG, but there's a good chance details will begin to surface as cases proceed to trial.

But it is concerning law enforcement felt a need to continue to distribute child porn for eleven months before deciding to shut down the site. It also seems highly possible the site was only shut down because the operation had been uncovered by VG's detective work.

While impersonating one of the arrested forum moderators, police had to provide a monthly update post to prevent the site's warrant canary from kicking in. One requirement was to include a child porn image with this update, under the assumption law enforcement officers wouldn't be legally allowed to distribute this contraband.

That leads directly to another problematic aspect of the investigation: the website was relocated for easier exploitation.

It is VG’s understanding that when WarHead surrendered access to Childs Play and Giftbox each forum was stored on servers in separate European countries. Police, lawyers and the suspects themselves refuse to say which.

Police in Australia and the European country saw obvious benefits to having the Australian police, rather than a European force, running the site.

Australian laws give the police unusually broad powers to monitor suspicious activities online.

By consolidating the operation under Australian jurisdiction, investigators now had legal latitude to distribute child porn. The police may not have distributed much directly, but during the eleven months the site operated under new ownership, business was booming. According to statistics compiled by VG's investigation, hosted images quadrupled during that period, from 3,000 to over 12,000 total images. And some of the uploaded images became incredibly popular.

On 25 October 2016, two weeks after Argos took over the site, an unidentified user created a discussion thread featuring images of an eight-year-old girl being raped.

By August of this year, the post had been viewed 770,617 times – all while the police were running the website.

Some victims of child sexual abuse interviewed by VG are upset their images were redistributed by law enforcement. Others are a bit more pragmatic about the investigators' actions. But the redistribution of child porn by law enforcement raises a bunch of questions no one in law enforcement seems interested in answering.

Carissa Byrne Hessick, a professor of law at the University of North Carolina, questions [investigator Paul] Griffith’s argument. She is one of the world’s leading legal experts on investigating such abuse.

"It sounds like the police tell one story about how damaging the images are when others share them, and another story when the police share them.

That’s a kind of hypocrisy I really don’t like. But this sheds light on the argument that any and all sharing of such an image is abuse. If the police say they’re only sharing images that have been shared before, it means the police do not think all sharing is harmful," says Hessick.

The counterargument, of course, is law enforcement commits illegal acts for the greater good. But the argument is somewhat hollow when child porn convictions come with restitution orders based on the number of images shared. Eleven months running a child porn site seems like overkill, especially when the two principal members were already in custody by the time investigators took over.

Posted on Techdirt - 12 October 2017 @ 11:57am

Investment Fund Manager Tries To Bury Past Screwups With Sketchy Libel Suit Court Order

from the hold-my-beer dept

More libel-related bullshittery happening on the internet. And, again, Eugene Volokh is on top of it. Between him, Paul Levy of Public Citizen, and Pissed Consumer, we've seen a huge amount of shady-to-completely-fraudulent behavior by lawyers and rep management firms exposed. This is more of the same, although it doesn't appear anyone in the SEO business was involved.

Jordan Wirsz is an investment manager with a problem. He's previously gotten in trouble with state regulators for running investment schemes without a license. It's not a huge problem, but it's enough to make people think twice before trusting him with their money.

Faced with state regulator decisions cluttering up his search results, Wirsz has apparently opted to make his Google searches even less flattering. He took a commenter named "Richard" to court, alleging defamation based on the contents of comments "Richard" posted to sites like RipoffReport. He won a default judgment, which conveniently contained several URLs not linked to "Richard" or the alleged libel.

The list of URLs included, in the middle, three official Arizona government documents, which of course couldn’t have been posted by any “Richard”; their author isn’t an anonymous commenter, but rather the Arizona Corporation Commission, which Wirsz did not sue. Unsurprisingly, the material in the order is based on Phillips’s application for default judgment, which said that “Defendant posted” various statements, and that “such statements and similar statements have been posted at” various links, including the links — even though the links are actually quite different criticisms of Wirsz, which are not libelous and which are unrelated to “Richard.”

And that's not all. The default judgment a judge agreed to includes other URLs not related to "Richard" and his supposed libel.

Some of the other URLs in the default judgment (and the takedown request) were copies of various documents in this very case, such as an earlier court order granting a preliminary injunction against “Robert,” which were uploaded to Scribd by RipOffReport… Some other URLs pointed to other Scribd documents uploaded to RipOffReport that didn’t even mention Wirsz, except that Scribd’s other-recommended-document list at the bottom of the pages mentioned one of the Wirsz orders.

Volokh wasn't able to get anyone involved to comment on the court order. Wirsz is now represented by a different lawyer -- not the Brandon Phillips who obtained the court order, nor the Brian Dziminski who served the order to Google. Obviously, Wirsz hoped Google was as inattentive as the judge signing the order, but it appears Google didn't comply with the court order's demands it delist government agency URLs.

This bogus scrubbing of search results continues, but is certainly becoming much less of a sure thing than it used to be. One rep management company engaging in fraudulent libel lawsuit tactics is paying out $70,000 and may be out even more once the US Attorney's Office is done with it. Another rep management firm is facing two legal actions over its fraud on the court for the same bogus lawsuit v. bogus defendant tactics. With Google paying more attention to incoming court orders, the law of diminishing returns has finally been enacted.

Posted on Techdirt - 12 October 2017 @ 9:27am

Emails Show ICE Couldn't Find Enough Dangerous Immigrants To Fulfill The Administration's Fantasies

from the Operation-Goalpost-Relocation dept

When you've got an official narrative to deliver, you need everyone to pitch in to keep it from falling apart. No one can say ICE didn't try. The Trump administration -- bolstered by supporting conjecture from DOJ and DHS officials -- has portrayed undocumented immigrants as little more than nomadic thugs. Unfortunately, there's hardly any evidence available to back up the assertion that people here illegally are more likely to commit serious criminal acts.

Back in February, shortly after Trump handed down immigration-focused executive orders, ICE went all in on arresting undocumented visitors and immigrants. Included in this push was a focus on so-called "sanctuary cities" like Austin, Texas, which had vowed to push back against Trump's anti-immigrant actions.

Emails obtained by The Intercept show ICE doing all it can to prop up Trump's "dangerous criminal" stereotyping. Unfortunately, despite all of its efforts, ICE failed to come across many dangerous criminals during its February sweeps.

On February 10, as the raids kicked off, an ICE executive in Washington sent an “URGENT” directive to the agency’s chiefs of staff around the country. “Please put together a white paper covering the three most egregious cases,” for each location, the acting chief of staff of ICE’s Enforcement and Removal Operations wrote in the email.

It's a good starting point, especially if the administration is relying on you to back up its assertions. ICE was willing to go the extra mile to do just that, apparently.

“If a location has only one egregious case — then include an extra egregious case from another city.”

This is an interesting ploy: cannibalizing nearby cities' reporting in order to present some semblance of an "egregious case" immigrant nightmare -- one that would need to be stripped of redundancy before final presentation.

Unfortunately for ICE agents, you can't make something out of nothing. Three cases per city proved to be almost impossible. Many raids failed to uncover even one egregious case. With the clock ticking down, some ICE offices decided to grab "egregious cases" completely unrelated to the current operation.

On February 11, an official responded to a colleague’s list of egregious cases by pointing out that they were unrelated to the ongoing operation. “The arrest dates are before any operation and even before the EO’s. What is up with these cases?” the official wrote.

What's up with those cases is there were almost zero new cases to report to the man upstairs. Hundreds of arrests were made, but many involved people with no prior criminal record. In the remaining arrests, most of the priors found were minor violations, with the worst being drunk driving.

Not exactly the "public safety threat" the Trump administration had promised. When it became clear the "egregious case" reports might total only a handful of serious criminal offenses from hundreds of arrests nationwide, ICE quickly applied its own spin.

As criticism escalated, ICE shifted to downplaying the operation as “no different than the routine,” telling reporters that the raids were the same “targeted arrests carried out by ICE’s Fugitive Operations Teams on a daily basis,” and suggesting off the record that claims to the opposite were “false, dangerous, and irresponsible.” As it became clear that dozens of individuals with no criminal history had been apprehended, ICE shifted gears and told reporters that in addition to targeting safety threats, the raids were always meant to target those whose only crimes were immigration-related, like re-entering the U.S. after deportation…

By spinning it this way, ICE can pay needed lip service to the administration's "dangerous immigrants" narrative and portray the lack of egregious cases as the result of the banal day-to-day work of immigration enforcement. But in doing so, it undercuts the narrative it's trying to serve. If there are so many dangerous criminals out there, why isn't ICE focused on them, rather than dozens of people whose only criminal act is a lack of documentation? ICE can't have it both ways. Neither can the White House.

Posted on Techdirt - 11 October 2017 @ 11:57am

DOJ Says No One Has Any Right To Question The Administration's Handling Of Records, Not Even The Courts

from the inches-to-miles dept

Frequent FOIA requesters CREW (Citizens for Responsibility and Ethics in Washington) and NSA (National Security Archive) are trying to obtain a court ruling forcing the Trump administration to stop standing in the way of transparency and accountability.

Their complaint [PDF], filed earlier this year, accuses the Trump administration of not just serious impropriety, but of actually taking proactive steps to ensure there's no documentation of its questionable deeds.

From early on in this Administration, White House staff have used and, on information and belief, continue to use certain email messaging applications that destroy the contents of messages as soon as they are read, without regard to whether the messages are presidential records. Presidential statements made on Twitter sent from the President’s personal Twitter account, which are subject to federal record-keeping obligations, have been destroyed. The President also has implied that he is secretly tape-recording some or all conversations with Administration officials, and it is unclear if these tapes are being preserved. And there is at least one news report that, when the ongoing congressional and FBI investigations were disclosed, White House aides purged their phones of potentially compromising information. These practices violate the Presidential Records Act.

On top of that, the lawsuit alleges the White House is going even darker by consolidating power and forcing federal agencies to route as much as possible through administration staff to ensure as many records as possible could be considered exempt from FOIA requests.

The DOJ has filed its motion to dismiss [PDF]. And it's incredibly dismissive, as Eriq Gardner reports:

In a court filing Friday, not only do attorneys at the Justice Department say that courts can't review this, but they also argue that when it comes to laws pertaining to government record-keeping, judicial review would be inappropriate even if Trump deleted secret recordings with administration officials or even if his staff purged phone records because they expected to be subpoenaed in connection with various investigations.

Over the course of 36 pages, the DOJ tells the court the plaintiffs are wrong, the court is wrong… pretty much the only entity entirely in the right is the President and his staff, whose efforts cannot be questioned under the Presidential Records Act.

Courts cannot review the President’s compliance with the Presidential Records Act (“PRA”). As the D.C. Circuit has squarely held, “permitting judicial review of the President’s compliance with the PRA would upset the intricate statutory scheme Congress carefully drafted to keep in equipoise important competing political and constitutional concerns.” Armstrong v. Bush, 924 F.2d 282, 290 (D.C. Cir. 1991) (“Armstrong I”). Indeed, “Congress . . . sought assiduously to minimize outside interference with the day-to-day operations of the President and his closest advisors and to ensure executive branch control over presidential records during the President’s term in office,” and so “it is difficult to conclude that Congress intended to allow courts, at the behest of private citizens, to rule on the adequacy of the President’s records management practices or overrule his records creation, management, and disposal decisions.”

The DOJ's arguments are pretty blunt, considering they're spread over 30 pages. The DOJ flatly states the plaintiffs have no standing as they can allege no harm but possibly-thwarted FOIA requests at some point in the future. Even if the court somehow finds a way to grant standing, the DOJ states this won't help the plaintiffs' case at all.

Even if Plaintiffs had standing, the vast majority of their claims are precluded by the PRA. As noted above, the D.C. Circuit held in Armstrong I that private litigants may not bring suit to challenge the President’s compliance with the PRA. While the D.C. Circuit subsequently held that courts hearing FOIA cases may review the President’s PRA guidelines to ensure that he does not improperly treat agency records subject to FOIA as though they were instead presidential records subject to the PRA, see Armstrong v. Exec. Office of the President, 1 F.3d 1274, 1294 (D.C. Cir. 1993) (“Armstrong II”), D.C. Circuit law does not permit judicial review of whether the President is properly managing and preserving those records that are in fact subject to the PRA.

The DOJ likely has a point. Congress did give the President's office lots of leeway on how to handle records retention. It's the sort of thing that seems like a good idea when you're the party in power but not so much when things change hands. For everyone else on the outside, it's just another way the government insulates itself from accountability.

Posted on Techdirt - 11 October 2017 @ 9:24am

Deputy AG Pitches New Form Of Backdoor: 'Responsible Encryption'

from the laugh-and-the-world-laughs-with;-pull-this-crap-and-you're-on-your-own dept

The DOJ is apparently going to pick up where the ousted FBI boss James Comey left off. While Attorney General Jeff Sessions continues building his drug enforcement time machine, Deputy AG Rod Rosenstein is keeping the light on for Comey's prophecies of coming darkness.

Rosenstein recently gave a speech at the US Naval Academy on the subject of encryption. It was… well, it was pretty damn terrible. Once again, a prominent law enforcement official is claiming to love encryption while simultaneously extolling the virtues of fake encryption with law enforcement-ready holes in it.

The whole thing is filled with inadvertently hilarious assertions, like the following:

Encryption is a foundational element of data security and authentication. It is essential to the growth and flourishing of the digital economy, and we in law enforcement have no desire to undermine it.

Actually, Rosenstein has plenty of desire to do that, which will be amply demonstrated below, using his own words.

But the advent of “warrant-proof” encryption is a serious problem. Under our Constitution, when crime is afoot, impartial judges are charged with balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns.

The law indeed recognizes this and provides law enforcement access to communications, documents, etc. with the proper paperwork. What the law cannot do is ensure the evidence is intact, accessible, or exactly what law enforcement is looking for.

Rosenstein is disingenuously reframing the argument as lawful access v. personal privacy, when it's really about law enforcement's desires v. user security. The latter group -- users -- includes a large percentage of people who've never been suspected of criminal activity, much less put under investigation. Weakened encryption affects everyone, not just criminal suspects.

Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, especially when officers obtain a court-authorized warrant. But that is the world that technology companies are creating.

Our society has had plenty of systems where evidence was "impervious to detection." Calls, text messages, emails, personal conversations, passed notes, dead drops, coded transmissions, etc. have existed for years without law enforcement complaining about everything getting so damn dark. Law enforcement has never had 100% access to means of communications even with the proper paperwork in hand. And yet, police departments and investigative agencies routinely solved crimes, even without access to vast amounts of personal communications.

Rosenstein follows this loop a few times, always arriving at the same mistaken conclusion: law enforcement should be able to access whatever it wants so long as it has a warrant. Why? Because it always used to be able to. Except for all those times when it didn't.

Since Rosenstein isn't willing to handle the encryption conversation with any more intellectual honesty than the departed James Comey, he's forced to come up with new euphemisms for encryption backdoors. Here's Rosenstein's new term for non-backdoor encryption backdoors.

Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization.

At worst, this means some sort of built-in backdoor, sort of what Blackberry uses for its non-enterprise customers. Nearly as bad, this possibly means key escrow. These are the solutions Rosenstein wants, but he doesn't even have the spine to take ownership of them. Not only does the Deputy AG want tech companies to implement whatever the fuck "responsible encryption" is, he wants them to bear all expenses, cope with customers fleeing the market for more secure options, and be the focal point for the inevitable criticism.

Such a proposal would not require every company to implement the same type of solution. The government need not require the use of a particular chip or algorithm, or require any particular key management technique or escrow. The law need not mandate any particular means in order to achieve the crucial end: when a court issues a search warrant or wiretap order to collect evidence of crime, the provider should be able to help.

In other words, the private sector needs to build the doors and hold the keys. All the government needs to do is obtain warrants.

Rosenstein just keeps piling it on. He admits law enforcement hasn't been able to guilt tech companies into backdooring their encryption. That's the old way. Going forward, the talking points will apparently portray tech companies as more interested in profits than public safety.

The approach taken in the recent past — negotiating with technology companies and hoping that they eventually will assist law enforcement out of a sense of civic duty — is unlikely to work. Technology companies operate in a highly competitive environment. Even companies that really want to help must consider the consequences. Competitors will always try to attract customers by promising stronger encryption.

That explains why the government’s efforts to engage with technology giants on encryption generally do not bear fruit. Company leaders may be willing to meet, but often they respond by criticizing the government and promising stronger encryption.

Of course they do. They are in the business of selling products and making money.

In other words, tech companies are doing it for the clicks. This is a super-lazy argument often used to belittle things someone disagrees with. (A phrase that has since been supplanted by "fake news.") This sort of belittling is deployed by (and created for) the swaying of the smallest of minds.

Having painted the tech industry as selfish, Rosenstein airlifts himself to the highest horse in the immediate area.

We use a different measure of success. We are in the business of preventing crime and saving lives.

The Deputy AG makes a better point when he calls out US tech companies for acquiescing to ridiculous censorship demands from foreign governments. If companies are willing to oblige foreign governments with questionable human rights records, why can't they help out the US of A?

It's still not a very strong point, at least not in this context. But it is something we've warned against for years here at Techdirt: you humor enough stupid demands from foreign governments and pretty soon all of them -- including your own -- are going to start asking for favors.

It would be a much better argument if it wasn't tied to the encryption war Rosenstein's fighting here. Comparing censorship efforts and VPN blocking to the complexities of encryption isn't an apples-to-apples comparison. Blocking or deleting content is not nearly the same thing as opening up all users to heightened security risks because the government can't get at a few communications.

Whatever it is Rosenstein's looking for, he's 100% sure tech companies can not only provide it, but should also bear all liability for anything that might go wrong.

We know from experience that the largest companies have the resources to do what is necessary to promote cybersecurity while protecting public safety. A major hardware provider, for example, reportedly maintains private keys that it can use to sign software updates for each of its devices. That would present a huge potential security problem, if those keys were to leak. But they do not leak, because the company knows how to protect what is important. Companies can protect their ability to respond to lawful court orders with equal diligence.

It's that last sentence that's a killer. This is Rosenstein summing up his portrayal of tech companies as callous, profit-seeking nihilists with a statement letting everyone know the DOJ will pin all the blame for any future security breaches on the same companies who got on board with the feds' "nerd harder" demands.

This is a gutless, stupid, dishonest speech -- one that deliberately misconstrues the issues and lays all the blame, along with all the culpability, on companies unwilling to sacrifice users' security just because the government feels it's owed access in perpetuity.
