Posted on Techdirt - 26 March 2015 @ 3:47pm
Good news from California: a bill requiring warrants for Stingray device usage (among other things) has passed out of a Senate committee and is headed for an assembly vote.
Among other sweeping new requirements to enhance digital privacy, the bill notably imposes a warrant requirement before police can access nearly any type of digital data produced by or contained within a device or service.
In other words, that would include any use of a stingray, also known as a cell-site simulator, which can not only used to determine a phone’s location, but can also intercept calls and text messages. During the act of locating a phone, stingrays also sweep up information about nearby phones—not just the target phone.
Despite similar bills being killed by governor vetoes in 2012 and 2013, California legislators are still looking to reform the state's privacy laws. For one thing, this new bill would put the state's Electronic Communication Privacy Act in compliance with the Supreme Court's recent Riley v. California
decision (warrant requirement for cell phone searches incident to arrest), as Cyrus Farivar points out.
The committee passed it with a 6-1 vote, suggesting there's broader support for privacy and Fourth Amendment protections now
than there were in the pre-Snowden days. Of course, the usual opposition was on hand to portray those pushing for a warrant requirement as being in favor of sexually abusing children.
[Marty] Vranicar [California District Attorneys Association] told the committee that the bill would "undermine efforts to find child exploitation," specifically child pornography.
"SB 178 threatens law enforcement’s ability to conduct undercover child porn investigation. the so-called peer-to-peer investigations," he said. "Officers, after creating online profiles—these e-mails provide metadata that is the key to providing information. This would effectively end online undercover investigations in California."
Vranicar failed to explain how an officer conducting an ongoing investigation would be unable to obtain a warrant for PTP user data… unless, of course, the "investigation" was nothing more than unfocused trolling or a sting running dangerously low on probable cause. Nothing in the bill forbids officers from using other methods -- Fourth Amendment-respecting methods -- to pursue those suspected of child exploitation. What it does do is make it more difficult to run stings and honeypots, both of which are already on shaky ground in terms of legality.
Additionally, the bill
demands extensive reporting requirements pertaining to government requests for data, and makes an effort to strip away the secrecy surrounding search warrants.
1546.2 (a) Except as otherwise provided in this section, any government entity that executes a warrant or wiretap order or issues an emergency request pursuant to Section 1546.1 shall contemporaneously serve upon, or deliver by registered or first-class mail, electronic mail, or other means reasonably calculated to be effective, the identified targets of the warrant, order, or emergency request, a notice that informs the recipient that information about the recipient has been compelled or requested, and states with reasonable specificity the nature of the government investigation under which the information is sought. The notice shall include a copy of the warrant or order, or a written statement setting forth facts giving rise to the emergency.
(b) If there is no identified target of a warrant, wiretap order, or emergency request at the time of its issuance, the government entity shall take reasonable steps to provide the notice, within three days of the execution of the warrant, to all individuals about whom information was disclosed or obtained.
This isn't blanket coverage or without exceptions. Officers can still offer sworn affidavits in support of sealing to the court, which may then seal warrants on a rolling 90-day basis at its discretion.
Law enforcement will continue to fight this bill, but its opposition seemingly had no effect on the Public Safety Committee. This bill brings the government into a much tighter alignment with the wording and the intent of the Fourth Amendment. The arguments against it demonstrate that the law enforcement community continues to prize efficient policing over the public's (supposedly) guaranteed rights.
Read More | 7 Comments | Leave a Comment..
Posted on Techdirt - 26 March 2015 @ 2:36pm
Cyber-this and cyber-that. That's all the government wants to talk about. The NSA, which has always yearned for a larger slice of the cybersecurity pie, is pushing legislators to grant it permission to go all-out on the offensive to protect
foreign-owned movie studios the USofA from hackers.
NSA director Mike Rogers testified in front of a Senate committee this week, lamenting that the poor ol’ NSA just doesn’t have the “cyber-offensive” capabilities (read: the ability to hack people) it needs to adequately defend the US. How cyber-attacking countries will help cyber-defense is anybody’s guess, but the idea that the NSA is somehow hamstrung is absurd.
Yes, we (or rather, our representatives) are expected to believe the NSA is just barely getting by when it comes to cyber-capabilities. Somehow, backdoors in phone SIM cards
, backdoors in networking hardware
, backdoors in hard drives
, compromised encryption standards
, collection points on internet backbones
, the cooperation of national security agencies around the world
, stealth deployment
of malicious spyware, the phone records
of pretty much every American, access to major tech company data centers
, an arsenal
of purchased software and hardware exploits, various odds and ends yet to be disclosed and the full support of the last two administrations just isn't enough. Now, it wants the blessing of lawmakers to do even more than it already does. Which is quite a bit, actually.
The NSA runs sophisticated hacking operations all over the world. A Washington Post report showed that the NSA carried out 231 “offensive” operations in 2011 - and that number has surely grown since then. That report also revealed that the NSA runs a $652m project that has infected tens of thousands of computers with malware.
That was four years ago -- a lifetime when it comes to an agency with the capabilities the NSA possesses. Anyone who believes the current numbers are lower is probably lobbying increased power. And they don't believe
it. They'd just act like they do.
Unfortunately, legislators may be in a receptive mood. CISA
-- CISPA rebranded -- is back on the table. The recent Sony hack
, which caused millions of dollars of embarrassment, has gotten more than a few of them fired up
about the oft-deployed term "cybersecurity." Most of those backing this legislation don't seem to have the slightest idea (or just don't care) how much collateral damage it will cause or the extent to which they're looking to expand government power.
The NSA knows, and it wants this bill to sail through unburdened by anything more than its requests for permission to fire.
The bill will do little to stop cyberattacks, but it will do a lot to give the NSA even more power to collect Americans’ communications from tech companies without any legal process whatsoever. The bill’s text was finally released a couple days ago, and, as EFF points out, tucked in the bill were the powers to do the exact type of “offensive” attacks for which Rogers is pining.
In the meantime, Section 215 languishes slightly, as Trevor Timm points out. But that's the least of the NSA's worries. It has tech companies openly opposing
its "collect everything" approach. Apple and Google are both being villainized by security and law enforcement agencies for their encryption-by-default
plans. More and more broad requests for user data are being challenged, and (eventually) some of the administration's minor surveillance tweaks will be implemented.
Section 215 may die. (Or it may keep on living even in death, thanks to some ambiguous language in the PATRIOT Act.) But I would imagine the bulk phone metadata is no longer a priority for the NSA. It has too many other programs that harvest more and face fewer challenges. The NSA wants to be a major cyberwar player, which is something that will only increase its questionable tactics and domestic surveillance efforts. If it gets its way via CISA, it will be able to make broader and deeper demands for information from tech companies. Under the guise of "information sharing," the NSA will collect more
less. And what it does share will be buried under redactions, gag orders and chants of "national security." Its partnerships with tech companies will bear a greater resemblance to parasitic relationships than anything approaching equitable
, especially when these companies will have this "sharing" foisted upon them by dangerously terrible legislation.
But until it reaches that point, the NSA will keep claiming it's under-equipped to handle the modern world. And it will continue to make the very dubious claim that the best defense is an unrestrained offense.
17 Comments | Leave a Comment..
Posted on Techdirt - 26 March 2015 @ 12:32pm
Well, this is (potentially) good news. New York is going forward with the first "right to repair" bill in the nation, as pointed out on Twitter by Amanda Levendowski. The bill will allow constituents to bypass manufacturer-authorized dealers/repair centers and use smaller (and cheaper) repair outlets. Or, if neither seems within the price range, they're more than welcome to perform these repairs -- using previously-hidden manufacturer specs and instructions -- themselves.
Perhaps the best thing about the bill (if it passes with as few loopholes as possible) is that it will eliminate the sort of ridiculousness that has been the end result of this tight grip on repair "permission." Like Immigrations and Customs Enforcement (ICE) raiding repair shops for using aftermarket products. Or teens being sued by multi-billion dollar companies for doing the same. Or local governments requiring unrelated licenses to be obtained before a person can start offering repairs.
Here's what's being authorized before the exceptions kick in. (ALL CAPS in the original.)
MANUFACTURERS OF DIGITAL ELECTRONIC PARTS AND MACHINES SOLD OR USED IN THE STATE OF NEW YORK SHALL:
I. MAKE AVAILABLE FOR PURCHASE BY INDEPENDENT REPAIR FACILITIES OR OTHER OWNERS OF PRODUCTS MANUFACTURED BY SUCH MANUFACTURER DIAGNOSTIC AND REPAIR INFORMATION, INCLUDING REPAIR TECHNICAL UPDATES, UPDATES AND CORRECTIONS TO FIRMWARE, AND RELATED DOCUMENTATION, IN THE SAME MANNER SUCH MANUFACTURER MAKES AVAILABLE TO ITS AUTHORIZED REPAIR CHANNEL. EACH MANUFACTURER SHALL PROVIDE ACCESS TO SUCH MANUFACTURER'S DIAGNOSTIC AND REPAIR INFORMATION SYSTEM FOR PURCHASE BY OWNERS AND INDEPENDENT REPAIR FACILITIES UPON FAIR AND REASONABLE TERMS; AND
II. MAKE AVAILABLE FOR PURCHASE BY THE PRODUCT OWNER, OR THE AUTHORIZED AGENT OF THE OWNER, SUCH SERVICE PARTS, INCLUSIVE OF ANY UPDATES TO THE FIRMWARE OF THE PARTS, FOR PURCHASE UPON FAIR AND REASONABLE TERMS…
EACH MANUFACTURER OF DIGITAL ELECTRONIC PRODUCTS SOLD OR USED IN THE STATE OF NEW YORK SHALL MAKE AVAILABLE FOR PURCHASE BY OWNERS AND INDEPENDENT REPAIR FACILITIES ALL DIAGNOSTIC REPAIR TOOLS INCORPORATING THE SAME DIAGNOSTIC, REPAIR AND REMOTE COMMUNICATIONS CAPABILITIES THAT SUCH MANUFACTURER MAKES AVAILABLE TO ITS OWN REPAIR OR ENGINEERING STAFF OR ANY AUTHORIZED REPAIR CHANNELS. EACH MANUFACTURER SHALL OFFER SUCH TOOLS FOR SALE TO OWNERS AND TO INDEPENDENT REPAIR FACILITIES UPON FAIR AND REASONABLE TERMS.
That's the good part. But there are potential loopholes in the bill already, including a major exception for one of the most tightlipped industries: auto manufacturers.
NOTHING IN THIS SECTION SHALL APPLY TO MOTOR VEHICLE MANUFACTURERS OR MOTOR VEHICLE DEALERS AS DEFINED IN THIS SECTION.
If any industry needs to be covered under a "right to repair," it's the auto industry, which has continually abused intellectual property laws
to keep the general public from diagnosing their own vehicles in order to perform their own repairs.
There's other potential bad news in there as well.
NOTHING IN THIS SECTION SHALL BE CONSTRUED TO REQUIRE A MANUFACTURER TO DIVULGE A TRADE SECRET.
Yeah. Guess what's going to start being declared "trade secrets?" Probably almost everything the bill orders manufacturers to make available to the public. Even if this bill passes, there's going to be a ton of litigation over what does and does not define a "trade secret." In the meantime, the public will be no better off than they were before the bill's passage.
And there's this exception, which would seem to pick up whatever slack "trade secrets" can't.
NOTHING IN THIS SECTION SHALL BE CONSTRUED TO REQUIRE MANUFACTURERS OR AUTHORIZED REPAIR PROVIDERS TO PROVIDE AN OWNER OR INDEPENDENT REPAIR PROVIDER ACCESS TO NON-DIAGNOSTIC AND REPAIR INFORMATION PROVIDED BY A MANUFACTURER TO AN AUTHORIZED REPAIR PROVIDER PURSUANT TO THE TERMS OF AN AUTHORIZING AGREEMENT.
"Non-diagnostic" could become the new "diagnostic." And the use of the word "and" seems to make "repair information" off-limits if any agreements are already in place with authorized dealers and repair shops.
There's also a good chance the bill's "fair and reasonable terms" will be construed as permission to price independent repair shops and the general public out of the market. Legislators obviously can't set base prices (or even determine a fair market price -- that information is kept under wraps as well), so the suggestion of a "fair" price is open to advantageous interpretation. There's an attempt to set some limits in the bill's definitions, with the most significant one being "THE ABILITY OF AFTERMARKET TECHNICIANS OR SHOPS TO AFFORD THE INFORMATION," but that, again, is going to generate a lot of friction (possibly of the litigious variety) when manfacturers and the rest of the public repeatedly fail to agree on the definition of "affordable."
Still, it's more than most governments are willing to attempt. Massachusetts passed one in 2013
-- one that targeted
auto manufacturers and dealers. It met with the usual resistance
from the auto industry (both ends) but gathered 86% of the public's votes, clearly signaling unhappiness with the automakers' closed systems. A federal "right to repair" law has been mooted several times
, but has never gained significant traction.
If this bill is going to succeed as a law, legislators need to do some loophole stitching pre-passage, and regulators will need to keep a very close eye on reticent manufacturers after it becomes law.
Read More | 8 Comments | Leave a Comment..
Posted on Techdirt - 26 March 2015 @ 11:33am
Since the Snowden leaks began, there have been several efforts made -- legislative and administrative -- in response to the exposure of the NSA's domestic surveillance programs. Some have been real fixes. Some have been fake fixes. Others have targeted the thing the NSA desires even more than seemingly limitless access to data from all over the world: funding.
But none of these, not even the President's weak reform efforts, have managed to take hold. Neither will this, most likely, although you have to admire the audacity of the bill's authors, Reps. Thomas Massie and Marc Pocan.
The bill would completely repeal the Patriot Act, the sweeping national security law passed in the days after Sept. 11, 2001, as well as the 2008 FISA Amendments Act, another spying law that the NSA has used to justify collecting vast swaths of people's communications through the Internet.
If anything's due for a complete revamp, if not a complete repeal, it's the Patriot Act. It wasn't even good legislation back when it was passed. At best, it was "timely," which is a term that gives the rushed, secretive, knee-jerk legislation far more credit than it deserves. Pocan and Massie's (the latter of which has just introduced
a new phone-unlocking bill with Rep. Zoe Lofgren to replace the bad one
passed by the House in 2014) "Surveillance State Repeal Act
" doesn't waste any time "tinkering around the edges."
Not only would the bill repeal the law, it would reset anything (amendments/additional government powers) brought into force by the Patriot Act and
the FISA Amendments Act of 2008. On top of that, it would demand the immediate deletion of tons of data from the NSA's collections.
DESTRUCTION OF CERTAIN INFORMATION.—The Director of National Intelligence and the Attorney General shall destroy any information collected under the USA PATRIOT Act (Public Law 107-56) and the amendments made by such Act, as in effect the day before the date of the enactment of this Act, concerning a United States person that is not related to an investigation that is actively ongoing on such date.
The bill, oddly, also describes a path towards FISA Judge For Life positions.
TERMS; REAPPOINTMENT.—Section 103(d) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(d)) is amended— (1) by striking ‘‘maximum of seven’’ and inserting ‘‘maximum of ten’’; and (2) by striking ‘‘and shall not be eligible for re-designation’’.
Which is fine (not really) if you like
the judges already appointed. But this is the sort of thing that leads to the permanent appointment of judges favored by either side of the surveillance question. And so far, presidential administrations have come down in favor of domestic surveillance. Removing the term limits just encourages the appointment of permanent NSA rubber stamps
The bill creates a warrant requirement for the acquisition of US persons' data under the FISA Amendments Act and
Executive Order 12333. It also expressly forbids a government mandate for encryption backdoors
, although the first sentence of this section seems to be a rather large loophole.
Notwithstanding any other provision of law, the Federal Government shall not mandate that the manufacturer of an electronic device or software for an electronic device build into such device or software a mechanism that allows the Federal Government to bypass the encryption or privacy technology of such device or software.
If this bill somehow manages to pass a round or two of scrutiny, language tweaks will certainly be requested -- possibly leading to a complete subversion of the bill's intent. But that's a huge
"if." Very few legislators have the stomach to gut the Patriot Act or
the FISA Amendments Act. Many will be happy to entertain smaller fixes, but most won't be willing to essentially strip the NSA of its domestic surveillance powers. No one wants to be the "yea" vote that's pointed to in the wake of a terrorist attack and only a few more are actually willing to go head-to-head with the intelligence agency.
Read More | 24 Comments | Leave a Comment..
Posted on Techdirt - 26 March 2015 @ 10:31am
CNN and Fox had the market cornered on ridiculous airplane crash theories, up until recently. When Malaysia Airlines Flight 17 just up and vanished, CNN produced wall-to-wall coverage seemingly cribbed from low-rent conspiracy theory sites. UFO? Black hole? Any and all theories were entertained.
Fox News hasn't exactly been the epitome of restraint, either. While it managed to avoid following CNN down these plane crash rabbit holes, it too has entertained some theories better left to operations that don't claim "news" to be a major part of their offerings. Fox News host Anna Kooiman suggested the metric system was to blame, what with kilometers being different than miles and Celsius and Fahrenheit not seeing eye-to-eye, potentially leading to some sort of in-flight calculation error.
MSNBC has decided it won't let its competition be the only "news" agencies spouting ridiculous theories. In an effort to get out ahead of the facts -- black box recordings indicated the co-pilot of the aircraft deliberately crashed the plane after locking the commanding pilot out of the cockpit -- MSNBC allowed the following theory to be presented -- completely unchallenged -- by one of its guests.
“There’s one possibility that no one has brought up, and I wonder could this be a hacking incident?” former commercial pilot Jay Rollins told MSNBC’s Diaz-Balart. “This is very similar in my mind to what happened when the U.S. lost that drone over Iran. The same thing, suddenly the aircraft was responding to outside forces…"
Rollins said that the plane’s descent was “worrisome” because “it makes me think about hacking, some sort of interference into the computer system.”
Now, hacking a plane isn't impossible
. At 2013's Hack in the Box conference, German security consultant Hugo Teso used his own app -- PlaneSploit -- to demonstrate that an Android phone could be used to reroute a plane, send it diving towards the ground or to set off every alarm in the aircraft
Or not. Teso's demonstration involved sending flight information to airborne planes with these instructions (in a simulated environment, of course) via ACARS (Aircraft Communications and Response Addressing System) to the FMS (Flight Management System). But there were multiple problems with his plan. First of all, the flight computer has to accept
the new instructions and, secondly, pilots would have to be unable to override bad instructions. Neither of which are a distinct possibility.
Patrick Smith, another commercial airline pilot, albeit one far less likely to openly speculate on "hacked" planes than Jay Rollins, pointed out the flaws in Teso's hack
The problem is, the FMS — and certainly not ACARS — does not directly control an airplane the way people think it does, and the way, with respect to this story, media reports are implying. Neither the FMS nor the autopilot flies the plane. The crew flies the plane through these components. We tell it what to do, when to do it, and how to do it. Whatever data finds its way into the FMS, and regardless of where it’s coming from, it still needs to make sense to the crew. If it doesn’t, we’re not going to allow the plane, or ourselves, to follow it.
The sorts of disruptions that might arise aren’t anything a crew couldn’t notice and easily override. The FMS cannot say to the plane, “descend toward the ground now!” or “Slow to stall speed now!” or “Turn left and fly into that building!” It doesn’t work that way. What you might see would be something like an en route waypoint that would, if followed, carry you astray of course, or an altitude that’s out of whack with what ATC or the charts tells you it ought to be. That sort of thing. Anything weird or unsafe — an incorrect course or altitude — would be corrected very quickly by the pilots.
So, the problem isn't that hacking is impossible. It's just very, very
unlikely. And in this case, hacking had nothing to do with the plane crash.
No, the problem is that news agencies looking to wring every bit of ratings possible from a tragedy are willing to make viewers stupider under the guise of "news." When facts just aren't available, 24-hour news teams lean heavily on whatever theory will provide the most entertainment (for lack of a better word). Former pilot Jay Rollins may have three decades of experience, but his speculation draws on none of it. Instead, it just takes a bit of what's selling right now (anything "cyber"
) and what has always
sold (fear) and leaves the viewers with less
information than they would have obtained by skipping the coverage completely. The truth, however, is simultaneously more horrific (in that there's little that can be done to thwart a pilot determined to crash a plane) than the "hacked plane" theory and more mundane -- at least in terms of "exciting" news coverage.
42 Comments | Leave a Comment..
Posted on Techdirt - 25 March 2015 @ 2:50pm
Asset forfeiture -- both at state and national levels -- is receiving some intense scrutiny, thanks to unflattering coverage in major news outlets like the New York Times and Washington Post. Attorney General Eric Holder made some minor cuts to the DOJ's participation in states' forfeiture programs. Meanwhile, at the state level, legislators have introduced bills targeting these programs' perverted incentives -- namely, that the agency performing the asset seizure usually benefits directly from the "forfeited" wealth.
It hasn't always been successful. Wyoming legislators were shot down by the governor -- a former prosecutor -- who explained that asset forfeiture is "good" and "right" -- something it rarely is in practice. Washington DC's city council managed to push its reform bill through, placing more constraints on seizures and raising the evidentiary standard needed to declare other people's assets "guilty."
Back at the national level, Sen. Chuck Grassley is raising some pointed questions about the US Marshals' use of asset forfeiture funds. He sent two letters to the agency recently, the first of which questioned its hiring practices.
Grassley said a whistleblower claimed that Kimberly Beal, then the deputy assistant director of the AFD, had qualification requirements waived to hire a person for a high-paying contract who was recommended by Stacia Hylton, the director of the Marshals Service. According to the whistleblower, Beal did so while under consideration for her current position of assistant director, raising suspicions that the hiring was a quid pro quo arrangement.
“This quid pro quo exchange of favors, if true, would raise serious doubts about the operational practices of the USMS AFD under Ms. Beal as well as, frankly, Ms. Hylton’s leadership of the USMS,” Grassley’s office said in the letter.
The second letter
questions the Marshals Service's appetite for office luxuries.
1. Regarding AFD offices at Crystal Mall 4, please answer the following questions:
a. Did AFD purchase a conference table that exceeded $10,000 in cost? If so, what was the cost and why was a less expensive table not considered?
b. Did AFD replace window treatments already provided for in the office lease with expensive custom window treatments? If so, why and what was the cost?
c. Did AFD install custom wallpaper, artwork, crown moldings, and chair rails in its offices? If so, why and at what cost for each of these installations?
d. Does AFD intend to expend similar amounts to decorate and furnish new office space it anticipates moving into in the near future? What will happen to the furnishings and decorations after AFD moves out?
That's the most eyegrabbing part of Grassley's letter but the rest asks similar -- if less dramatic -- questions about the agency's spending habits.
The US Marshals Service doesn't necessarily have a long history of asset forfeiture abuse, but it has previously been called out by the DOJ's Inspector General for being less than accurate with its bookkeeping
In at least eight of the 55 cases taken up by the asset team between 2005 and 2010, the purchaser or the price of the asset was not recorded. On top of that, the team failed to perform sufficient market research to properly value the assets it was eyeing; for some of them, it couldn’t even provide the OIG with bank statements and other basic documentation.
More damning was the OIG's discovery
of a huge conflict of interest. Another
whistleblower uncovered lead asset forfeiture official Leonard Briskman's extremely fortuitous moonlighting gig. Briskman, who appraised assets for the US Marshals Service, ran his own private appraisal business on the side
The inspector general reported that in several instances, Briskman valued and sold the same asset himself without supervision by anyone in the marshal’s office. In addition, he failed to publicly announce the sale of some assets, which limited their availability to the general public. In one case, an assistant U.S. Attorney from the Southern District of New York objected to a decision by Briskman to sell assets that had been seized during the Bernard Madoff case–more than one million shares of a pet prescription firm and a 5 percent stake in another investment portfolio–without announcing the sale.
The US Marshals Service doesn't need to dirty its hands by performing seizures. All it has to do is sit there and wait for assets from equitable sharing programs
to roll in. And roll in they do, thanks to local law enforcement agencies partnering up with the DOJ to avoid state laws put in place to limit the sort of abuse that is all too frequent when cops are given the authority to declare money, vehicles and other property guilty on the spot.
As would befit any government agency spending other people's money and divesting itself of other people's property, the US Marshals Service buys $10,000 tables and does little to ensure its auctioned items return something close to market value. Because of its lax accounting and questionable appraisals, money from sales went AWOL and what it did receive from auctions was likely less than it would have obtained with a bit more diligence and competence.
Whether Grassley will receive any answers to his questions remains to be seen, but the recent history of the US Marshals Service doesn't indicate it's an agency enthralled with concepts like fiscal responsibility and public accountability. If the agency is blowing seized funds on pricey tables and custom window treatments, it's going to take more than a couple of angry letters to change its "Spend it like you seized it!" culture.
22 Comments | Leave a Comment..
Posted on Techdirt - 25 March 2015 @ 1:15am
Following a trail blazed by Maryland councilman Kirby Delauter, a Virgin Islands Attorney General is making an ass of herself by threatening journalists for having the audacity to do their job. Delauter infamously publicly attacked a reporter for daring to publish his name in her paper, apparently unaware that this sort of thing happens to public officials roughly all the damn time. The ensuing internet maelstrom forced a retraction and apology from Delauter.
The Virgin Islands Daily News is still waiting for an apology from acting Attorney General Terri Griffiths for this wholly inappropriate response to acts of journalism. [via Jim Romenesko]
Acting Attorney General Terri Griffiths told executives of The Virgin Islands Daily News on Thursday morning that she will prosecute the newspaper on criminal charges because of its telephone calls to obtain comment and information from her.
"I'll be filing criminal charges against you," Griffiths said as she abruptly left a meeting at The Daily News' offices on St. Thomas.
She also claimed a quote appearing in one of the paper's stories was "fabricated." This is the quote:
"I will not comment on the Parole Board hearings."
This quote seems like something an attorney general would be very likely to say. In fact, the refusal to comment has long been a hallmark of law enforcement-press relations. Not commenting is the national pastime of law enforcers, who are often the first party to issue a solid "no comment" after controversial incidents. But Griffith claims this completely innocuous and completely boring quote was fabricated. The Daily News found otherwise.
The Daily News has reviewed Griffiths' allegations that a quote attributed to her had been fabricated and stands by its published report, Robbins said.
"We take any report of inaccuracy very seriously, and we publish a clarification or correction if an error appears in print," Robbins said. "In this case, we found that the reporter was accurate."
But Griffiths is more upset that Daily News reporters are calling her on her cell phone to obtain additional "no comments" on various stories involving her office. This would almost be a legitimate complaint (provided you ignore the ensuing "I'll put you in jail" threat that accompanied it), if it weren't for the fact that Griffiths herself
provided the cell phone number to the paper.
Griffiths spoke at length about her desire not to be called on the cell phone or after hours, and she termed the calls "telephone harassment."
Daily News reporters have called Griffiths on her cell when unable to reach her on her office phone. The cell number they used is the one she provided to the newspaper.
The meeting broke down when Robbins asked Griffiths to answer specific questions about her grievances.
Griffiths objected to that and said she did not want to be "blindsided."
"I don't want to talk to your reporters ever. There will be no communication between me and The Daily News ever again," she said.
She asked Robbins whether he would instruct reporters not to call her on the cell phone.
Robbins said, "No."
Griffiths then left the meeting, announcing, "Then I am going to file criminal charges against you."
Welcome to the life of a public figure, Ms. Griffiths. Reporters are going to call you when your input is needed or desired. It won't always be during business hours, especially if your office can't provide "I will not comment" (non)comments in your absence. Certainly, an excessive amount of calls after "business hours" (whatever that means to powerful law enforcement figures/journalists -- I would imagine those timetables have significant differences) would be irritating, but it doesn't rise to the level of harassment.
And Griffiths' comment about resenting being "blindsided" strongly suggests she'd rather not deal with this part of the job at all. Any question can be deferred to a later time if the answer isn't immediately apparent, but the pattern of calls Griffiths calls "harassment" suggests she's not exactly forthcoming or timely in her responses.
Harassment may be a crime, but journalism isn't. If Griffiths would rather not answer questions, she can place that burden on her staff. Or she can communicate only through official statements and press releases. Or she can give the newspaper guidance on what times are acceptable to call. But what she definitely can't do -- or at least shouldn't
-- is abuse the power of her position to mute pesky guardians of public accountability.
22 Comments | Leave a Comment..
Posted on Techdirt - 24 March 2015 @ 3:46pm
Poor dears. A bunch of law enforcement associations are worried that they won't be able to keep all that sweet, sweet ALPR (automatic license plate reader) data for as long as they want to. In fact, they're so worried, they've issued a letter in response to a nonexistent legislative threat.
Despite the fact that no federal license plate legislation has been proposed, the International Association of Chiefs of Police (IACP) has sent a pre-emptive letter to top Congressional lawmakers, warning them against any future restrictions of automated license plate readers. The IACP claims to be the "world's oldest and largest association of law enforcement executives."
is stained with the tears of law enforcement entities whose thirst for bulk collections is only rivaled by national security agencies.
We are deeply concerned about efforts to portray automated license plate recognition (ALPR) technology as a national real-time tracking capability for law enforcement. The fact is that this technology and the data it generates is not used to track people in real time. ALPR is used every day to generate investigative leads that help law enforcement solve murders, rapes, and serial property crimes, recover abducted children, detect drug and human trafficking rings, find stolen vehicles, apprehend violent criminal alien fugitives, and support terrorism investigations.
The "efforts to portray" ALPRs as ad hoc tracking devices aren't limited to imaginative conspiracy theorists. Millions of plate scans are added to private companies' databases every day
. The total number of records retained by Vigilant, the most prominent manufacturer of ALPRs, totals in the billions
. That amount of data can easily be used to track nearly anyone's day-to-day movements. And the database is accessible by law enforcement agencies around the nation. There's no geofencing keeping the data compartmentalized to what's "relevant" to local agencies.
As for the rest of the paragraph, those claims have yet to be backed up by arrest statistics. The amount of plate data collected far outweighs the results
There is a misconception of continuous government tracking of individuals using ALPR information. This has led to attempts to curtail law enforcement’s use of the technology without a proper and fair effort to truly understand the anonymous nature of the data, how it is used, and how it is protected.
Note how the "misconception" is nothing privacy advocates are actually saying. No one's mistaking plate scans for a GPS tracking device. They've just noted that the end result is nearly identical. Gather enough data and you don't need a more "intrusive" method.
We are seeing harmful proposals – appropriations amendments and legislation – to restrict or completely ban law enforcement’s use of ALPR technology and data without any effort to truly understand the issue. Yet, any review would make clear that the value of this technology is beyond question, and that protections against mis-use of the data by law enforcement are already in place. That is one of the reasons why critics are hard-pressed to identify any actual instances of mis-use.
Translation: no one understands this high-tech device but us cops.
Also: "value" is "beyond question?" If so, why is it so hard to get any law enforcement agency to produce some evidence
to back up this claim? It's high tech, but it's also fallible tech
. And it's tech that is being deployed with little to nothing in the way of privacy protections or oversight.
That's what legislators (non-federal) are seeking. Some sort of limits and accountability. Virginia just passed one of the most restrictive pieces of legislation
pertaining to ALPRs -- one that installs limits on collection and retention.
Virginia has become the first state in America to impose a very short data retention limit on the use of automated license plate readers (LPRs, or ALPRs). VA cops will now only be able to keep such data for seven days unless there is an active, ongoing criminal investigation.
Only a few states have imposed any legislative limits on the technology. For most US law enforcement agencies, the data is gathered en masse (and sometimes in inappropriate places
) and held forever. The LAPD argued that every one
of the thousands of plate scans it had gathered is somehow "relevant" to ongoing investigations. When you're faced with claims like that, it's hard to argue with legislative limits being introduced. The police won't police themselves. Someone usually has to force them into applying even the most minimal of restrictions on ALPR use.
We call on Congress to foster a reasonable and transparent discussion about ALPR.
That's rich. "Transparent discussion." The hell does that even mean in a law enforcement context? Agencies don't want to talk about ALPRs
, Stingray devices
, their officers' misconduct
, etc. The prevailing law enforcement mentality is almost completely opposed to transparency. These police associations aren't interested in Congress or anyone else having a "transparent discussion." What they want is a guided
discussion that results in more data-hauling business as usual for the agencies these associations represent.
But this sentence is the best thing about this overwrought letter:
If legislative efforts to curtail ALPR use are successful, federal, state, and local law enforcement’s ability to investigate crimes will be significantly impacted given the extensive use of the technology today.
Shorter police: "We like our shiny tech tools so much, we've forgotten how to perform police work." If they can't get as much as they can, as often as they can and access it at their leisure, the streets will run red with the blood of the innocent. This sort of thinking goes all the way to the top, where the FBI's James Comey has promised
death, molestation and Colombia 2.0 if the government isn't allowed to build itself backdoors in cellphone encryption.
How a device that delivers a 0.2% hit rate has become something the cops lean on so heavily they simply can't go on without it is a question that deserves a "transparent" answer, rather than the hitch-in-the-throat talking points delivered here. All anyone wants is something telling cops they can't keep everything
for as long as they want
. They want privacy impact assessments and honest answers to worrying questions. All we've received so far is unproven claims of the tech's "effectiveness" and the constant pimping of dead children and human trafficking victims, with the existential threat of suppliers delivering product to a receptive market thrown in for good measure.
48 Comments | Leave a Comment..
Posted on Techdirt - 24 March 2015 @ 9:31am
The NSA's bulk phone metadata program is unstoppable. Despite being called out by legislators and the administration's civil liberties oversight board as unconstitutional and illegal -- and despite being targeted by several of the administration's surveillance reforms -- it continues uninterrupted and largely unchanged.
Legislators who watched their Section 215-targeting bills die on the Congressional floor are now watching the clock. This part of the PATRIOT Act is set to expire June 1st (as is the latest bulk metadata order) and if Congress doesn't act to renew it, the program will grind to a halt. Or so you would think. But the FISA judge James Boasberg doesn't see why this provision's sunset should have any negative effect on the continued collection of phone metadata.
On the last page of the court's most recent order, Boasberg says the following:
If Congress, conversely, has not enacted legislation amending § 1861 or extending its sunset date established by Section 102(b) of Public Law 109-177, 120 Stat. 195, as most recently amended by Section 2(a) of Public Law 112-14, 125 Stat. 216, the government is directed to provide a legal memorandum pursuant to Rule 11(d) addressing the power of the Court to grant such authority beyond June 1, 2015.
It's Public Law 109-177
that's aiding the effortless reauthorization. Charlie Savage of the New York Times
noted this possibility last year. There's an exception in place that allows authorized surveillance programs to continue even after their authorizations have lapsed.
(2) Exception.–With respect to any particular foreign intelligence investigation that began before the date on which the provisions referred to in paragraph (1) cease to have effect, or with respect to any particular offense or potential offense that began or occurred before the date on which such provisions cease to have effect, such provisions shall continue in effect.
provide for endless bulk surveillance under Section 215, even without renewal of the program. Or it could just be the FISA judge signaling conversations the general public isn't privy to, as Marcy Wheeler points out
That basically says the Court is aware of this discussion, either because it reads the NYT or because the government has mentioned it. This order doesn’t tip a hand on how FISC would regard this claim, but it does make clear it considers it a distinct possibility.
Note, unless I’m missing something, no language like this appears in any of the unredacted sections of previous dragnet orders, not even when Congress was giving the government straight renewals. We can’t be sure, but that certainly seems to suggest the Court has been having conversations — either by itself or with the government — about alternatives in a way Bob Litt and others are not having publicly.
Even if the court chooses to read the PATRIOT Act as killing Section 215 when it sunsets, this likely won't end the collection of phone metadata. The government still has other options
Many privacy advocates believe the White House would have two routes available if it chose to continue the program, absent congressional action. Along with potentially being able to continue investigations that are ongoing despite an expiration, the administration could also rely on a "pen/trap" statute, which allows for phone tapping and has a loose standard of relevancy, akin to Section 215, and typically does not require probable cause.
This option would require a bit more paperwork and slightly refined targeting of court-approved numbers. It would, at least temporarily, halt the incoming collection of everything
and force the NSA to relinquish control of the database. A PR/TT order wouldn't allow for collection in bulk, but rather return records linked to certain numbers from telcos searching their own
databases. So, it would be a step forward in terms of Section 215 reform (moving the database out of the NSA's control), however inadvertently.
Others believe the language in the latest FISA order signifies nothing in particular.
Stewart Baker, a former general counsel at the NSA, said it's possible the surveillance court could use the leeway to grant a "one-off measure" in May to keep the bulk-records program going only through June. He noted that Boasberg's order requests that a memorandum from the government be filed not by June 1 but by May 22, a notable deadline, given that "most observers expect that Congress will only act at the last minute."
"The much harder question is whether it could issue any orders in June," Baker said. "There's an argument that it can, but I suspect that the administration won't be willing to make that argument."
Section 215 might expire, but the door is open for the NSA to continue its collecting uninterrupted. Things may become much more interesting in late May as the clock winds down. Perhaps Congress will have the courage to just let this section of the PATRIOT Act die, but it will have to weather plenty of "terrorists... terrorists everywhere!" posturing from Section 215's defenderss. If nothing else, an expiration would force the reforms the NSA has shown little interest in implementing.
Read More | 13 Comments | Leave a Comment..
Posted on Techdirt - 24 March 2015 @ 4:09am
It appears that Amazon is very serious about walling off its garden. Late last year, it pushed out a firmware update for its Amazon Fire TV devices that not only made rooted devices unusable, but prevented Fire TV owners from rolling back firmware to previous, more root-friendly versions. Apparently, Kindle users were also included in this lockdown.
A recent post at Good Reader notes that the latest firmware for Kindles is pretty much identical to its Fire TV firmware, right down to the destruction of functionality.
The new firmware was pushed out to all modern Kindle devices in late November of last year. Anything after version 5.60 will not allow you to hack the firmware and do interesting things like change the screensaver system or install custom apps.
And, like its firmware for the Fire TV, rollback to less hack-resistant firmware
is nearly impossible. You can
force it back, provided you have a soldering iron
(and the willingness to apply it to your device) or you can follow a few not-so-simple steps
to take your root access back from Amazon. But once again, it's the company removing functionality for the sole purpose of making devices perform the way Amazon wants them to, rather than leaving these sorts of decisions to those who have purchased the devices.
And it's not as though Kindle owners are receiving any heads up from Amazon about the firmware's plans for their jailbroken devices. No mention of it is made in the firmware's specifications
, which only tells you about the (supposedly) good
things the update will bring: vague "bug fixes and improvements." Softpedia's hosting page for the latest version
(5.6.1) goes into a little more detail, but it only contains a list of slightly-upgraded Amazon features, rather than the limitations the firmware will impose on paying customers.
If you like Amazon's walled garden, the company is more than happy to ensure you never find the gate. If you don't, Amazon is more than happy to step in and brick over any openings. The latter does a huge disservice to paying customers who are looking to get the most out of something they purchased
, but seems to still somehow "belong" to Amazon.
110 Comments | Leave a Comment..
Posted on Techdirt - 23 March 2015 @ 1:38pm
If you're a UK-based journalist who's reported on the Snowden leaks, it's safe to say you're under investigation. Not only are you being investigated, but that investigation itself is so secret, it can't be discussed. The Intercept's Ryan Gallagher sent a Freedom of Information request to London's Metropolitan Police (the Met) for more information about the investigation -- something twice publicly confirmed by Met representatives.
But when asked specifically for information on the ongoing investigation, the agency had nothing to say.
[T]he Metropolitan Police... says everything about the investigation’s existence is a secret and too dangerous to disclose. In response to a Freedom of Information Act request from this reporter, the force has repeatedly refused to release any information about the status of the investigation, how many officers are working on it, or how much taxpayer money has been spent on it. The Met wrote in its response:
"to confirm or deny whether we hold any information concerning any current or previous investigations into the alleged actions of Edward Snowden could potentially be misused proving detrimental to national security.'
In this current environment, where there is a possibility of increased threat of terrorist activity, providing any details even to confirm or deny that any information exists could assist any group or persons who wish to cause harm to the people of the nation which would undermine the safeguarding of national security."
The response is hardly a response. In fact, almost the entirety of the nine-page document
Gallagher received is simply reasons WHY the Met won't be responding affirmatively or negatively to his inquiry. The only new information gleaned is that control of the investigation has changed hands.
AC Mark Rowley has taken over as Head of Specialist Operations following the departure of Cressida Dick
That's the one thing the "Counter Terrorism Command" can confirm. This would be the same department within the Met that was directly involved with the detainment and questioning
of Glenn Greenwald's partner, David Miranda. Everything else falls under a variety of exemptions, including the oh-so-opaque "state secrets" designation.
The Metropolitan Police Service can neither confirm nor deny whether it holds any of the information that you have requested, as the duty in S1(1)(a) of the Freedom of Information Act 2000 does not apply, by virtue of the following exemptions:
Section 23(5) - Information supplied by, or concerning, certain security bodies
Section 24(2) - National Security
Section 30(3) Criminal Investigations
Section 31(3) - Law Enforcement
Section 40(5) - Personal information
There's more detail later, when the response details the agency's decision to declare the request to be "not in the public interest."
The security of the country is of paramount importance and the Police service will not divulge whether information is or is not held if to do so would undermine National Security or law enforcement. Whilst there is a public interest in the transparency of policing operations and providing assurance that the police service is appropriately and effectively engaging with the threats posed by groups or individuals there is a very strong public interest in safeguarding the integrity of police investigations and operations in the highly sensitive area of extremism, crime prevention, public disorder and terrorism prevention.
After weighing up the competing interests I have determined that confirmation or denial of any information being held concerning whether the MPS has investigated the alleged actions of Edward Snowden or not would not be in the public interest. To confirm or deny that information is held regarding any individual or investigation that may or may not have taken place could be detrimental to any investigations that may be being conducted now or in the future.
But, of course, all of this discussion about national security, public interest and possibly compromised investigations does not
confirm that there's a twice-previously-confirmed investigation of UK journalists in progress.
However, this should not be taken as necessarily indicating that any information that would meet your request exists or does not exist.
This UK-style Glomar tosses the request back to The Intercept, which has tossed it to the nearest governing body..
The Intercept has filed a complaint with the Information Commissioner’s Office, the public body that enforces the U.K.’s freedom of information laws, about the Met’s refusal to release information about the current status of the investigation. The commissioner will now look at how the police handled the request and decide whether they should be ordered to hand over the relevant details.
Even in the UK, information doesn't want to be free. It wants to be litigated
The Met continues to maintain its code of silence in the face of its earlier public statements about investigating those publishing the Snowden leaks. When asked how something the agency itself publicly discussed several months ago is now a "national security" issue, the Met offered a swift "no comment" -- a handy way to dodge the logic hole in its Freedom of Information request denial.
Read More | 13 Comments | Leave a Comment..
Posted on Techdirt - 23 March 2015 @ 8:08am
You don't hear much about FBI whistleblowers. Many other agencies have had wrongdoing exposed by employees (and the government has often seen fit to slap the whistles out of their mouths with harsh prosecution), but the FBI isn't one of them. Forty-three years ago, whistleblowers broke into the FBI and retrieved damning documents, but no one's really broken out of the FBI to do the same. In fact, the FBI would rather not talk about whistleblowing at all.
An optimist might chalk this up to the FBI being a tightly-run organization that polices itself for malfeasance and wrongdoing. They'd be wrong, of course. Just within the past year, the FBI has twice thwarted its own oversight and may soon face budgetary constraints if it won't turn over the documents the DOJ's Inspector General is seeking.
There's a reason no one blows the whistle at the FBI and this GAO report spells it out: unlike every other government agency, the DOJ's internal policies contain nothing to shield FBI whistleblowers from retaliation.
Unlike employees of other executive branch agencies, FBI employees do not have a process to seek corrective action if they experience retaliation based on a disclosure of wrongdoing to their supervisors or others in their chain of command who are not designated officials. This difference is due, in part, to DOJ’s decisions about how to implement the statute governing FBI whistleblowers. When issuing its regulations in 1999, DOJ officials did not include supervisors in the list of entities designated to receive protected disclosures, stating that Congress intended DOJ to limit the universe of recipients of protected disclosures, in part because of the sensitive information to which FBI employees have access.
To ostensibly protect means, methods and (presumably) the country itself, the DOJ eliminated several options whistleblowers could pursue when taking their complaints through official channels. A 2012 Presidential Policy Directive aimed at increasing whistleblower protections failed to move the needle.
In response to this requirement, DOJ reviewed its regulations and in an April 2014 report recommended adding more senior officials in FBI field offices to the list of designated entities, but did not recommend adding all supervisors. DOJ cited a number of reasons for this, including concerns about striking the right balance between the benefits of an expanded list and the additional resources and time needed to handle a possible increase in complaints. By dismissing retaliation complaints based on a disclosure made to an employee’s supervisor or someone in that person’s chain of command, DOJ leaves some FBI whistleblowers—such as the 17 complainants we identified—without protection from retaliation.
The DOJ is plainly uninterested in sheltering those who would point out FBI wrongdoing. It has set up a minefield most whistleblowers are unable to navigate.
We concluded that, without clear information on how to make a protected disclosure, FBI whistleblowers may not be aware that, depending on how they report their allegation, they may not be able to seek corrective action if they experience retaliation.
So, with no roadmap and extremely limited protections, whistleblowers who do
manage to bring their complaints up through proper channels are often subjected to retaliatory actions for which they have no remedy.
[I]n 2002, former FBI agent Jane Turner filed a whistleblower complaint with DOJ alleging that her colleagues had stolen items from Ground Zero after the September 11, 2001, terrorist attacks. She was then given a “does not meet expectations” rating, placed on leave, and notified of proposed removal.
This retalitation was reported by Agent Turner to the DOJ, which then slowly ground its heavy wheels of so-called justice for more than a decade.
[The] DOJ ultimately found in her favor in 2013—over 10 years later.
Turner's case isn't an anomaly. The GAO found that, while the DOJ was often quick to dismiss retaliation complaints simply because the whistleblower failed to properly navigate its labyrinthine reporting restrictions, it was seldom interested in moving quickly on behalf of those who managed to luck into complete compliance.
The 4 complaints we reviewed in our 2015 report that met threshold regulatory requirements and that DOJ ultimately adjudicated on the merits, took up to 10.6 years to resolve, and DOJ did not provide parties with expected time frames for its decisions throughout these cases.
The DOJ blames this on "case complexity" and "staffing priorities." The latter excuse is likely the most honest. The DOJ is far more inclined to prosecute whistleblowers than protect whistleblowers. Blowing the whistle at the FBI means being subjected to vindictive actions with little to no recourse. The DOJ may
decide to take a whistleblower's case, but will do little, if anything, to escalate its response. In the meantime, whistleblowers are apparently supposed to take a number and wait things out in a hostile environment.
Will this GAO report result in better protections? Highly doubtful, considering a directive issued by the President's office itself failed to produce any significant change. Even the agency's inside oversight -- the Office of the Inspector General -- is finding the DOJ completely unresponsive to its complaints about FBI stonewalling and obfuscation. It's highly unlikely the DOJ will handle lower-level whistleblower complaints with more speed or openness.
The DOJ, along with the FBI, has successfully neutralized most forms of accountability. The OIG is openly ignored. FOIA requests are frequently greeted with massive amounts of withheld documents
. When pressed, the nation's top law enforcement agency tends to wrap itself in a patchwork of undeclared wars (drugs, terrorism) and claims accountability will lead to an unsafe and unsecured country. Meanwhile, its own underling agencies go rogue while tangled, useless policies keep whistleblowers from ever opening their mouths.
Read More | 15 Comments | Leave a Comment..
Posted on Techdirt - 23 March 2015 @ 5:49am
In the wake of the Snowden leaks, more and more tech companies are providing their users with transparency reports that detail (to the extent they're allowed) government requests for user data. Amazon -- home to vast amounts of cloud storage -- isn't one of them.
Amazon remains the only US internet giant in the Fortune 500 that has not yet released a report detailing how many demands for data it receives from the US government.
Although people are starting to notice, the retail and cloud giant has no public plans to address these concerns.
Word first spread last week when the ACLU's Christopher Soghoian, who's spent years publicly denouncing companies for poor privacy practices, told attendees at a Seattle town hall event that he's "hit a wall with Amazon," adding that it's "just really difficult to reach people there."
Zack Whittaker and ZDNet ran into the same wall. Nearly thirty Amazon representatives were contacted but only one provided a response: an anonymous statement that the company was under "confidentiality obligations" not to discuss requests for data.
There are several reasons why Amazon might be hesitant to share intel/law enforcement request data, perhaps none bigger than its $600 million/10-year contract with the US intelligence community
. It might also be its multiple contracts with other federal agencies
, including connecting the nation's law enforcement agencies through its AWS-hosted Criminal Justice Information Service
But that can't be the whole explanation. It's not as if other companies now providing transparency reports aren't similarly engaged with the government at some level.
Microsoft has contracts with various governments to provide Windows and Office software. Google offers a range of open-source and cloud-based services to the government, and Apple provides iPhones and iPads to government and military users, thanks to earning various certifications.
Even telephone service providers, which have historically been very proactive in accommodating government demands for data -- going so far as to give intelligence analysts guidance on how to skirt legal restrictions
-- are producing bi-annual transparency reports. But Amazon simply refuses to do so, and then refuses to explain its refusal.
This lack of transparency has gone past the point of being merely vexatious. Amazon isn't satisfied with simply selling and storing. It's gathering far more data than its more famous offerings would indicate.
With its smartphone and tablet line-up, the company is taking on even more data -- including browsing history through its Silk browser, reading habits, and other data like IP addresses. The company is slated to be moving into the enterprise and work-based email provider space.
Silence and secrecy aren't improving Amazon's reputation, at least not with those with privacy concerns. Unfortunately for them, it's been well-established that Amazon will do whatever it wants
with little regard
for public opinion. No one's going to "guilt" Amazon into doing anything. But the concerns are legitimate. Who wants to be housed "next door" to the CIA, knowing it has shown little respect
for data barriers put in place to safeguard other government entities
? I'm sure the answer is "hardly anybody," but Amazon's opacity prevents ordinary people from knowing even the slightest about the government's activities and demands.
25 Comments | Leave a Comment..
Posted on Techdirt - 20 March 2015 @ 10:24am
Cisco became an inadvertent (and very unwilling) co-star in the NSA Antics: Snowden Edition when its logo was splashed across the web by a leaked document detailing the agency's interception of outbound US networking hardware in order to insert surveillance backdoors.
It moved quickly to mitigate the damage, sending a letter
to the President asking him and his administration to institute some safeguards and limitations to protect US tech companies from the NSA's backdoor plans. To date, there has been no direct response. So, Cisco has decided to handle the problem itself
Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says.
The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers…
"We ship [boxes] to an address that's has nothing to do with the customer, and then you have no idea who ultimately it is going to," Stewart says.
"When customers are truly worried ... it causes other issues to make [interception] more difficult in that [agencies] don't quite know where that router is going so its very hard to target - you'd have to target all of them. There is always going to be inherent risk."
Stewart acknowledges that Cisco's modified dead drop shipping operations aren't foolproof, but will at least force the agency to do a little more research before intercepting packages. Stewart also noted that some customers aren't taking any chances, opting to pick up their hardware from Cisco directly.
There are also variables Cisco simply can't control, like the possibility of inbound components from upline manufacturers arriving pre-compromised. But it's doing what it can to ensure that "Cisco" isn't synonymous with "spyware."
Then there's always the possibility that the government may find Cisco's new routing methods to be quasi-fraudulent and force the company to plainly state where each package is actually
going. No response has been issued by the ODNI or NSA to this news, and most likely, none will be forthcoming. Any statement on Cisco's fictitious routing would tip its hand.
Cisco's plan makes a lot of assumptions about the NSA's capabilities, most of which aren't particularly sound, but this seems to be more a public display of pique than a surefire way to eliminate most of the NSA's hardware interceptions. It also sends a message to the NSA, one it's been hearing more and more of over the last couple of years: the nation's tech companies aren't your buddies and they're more than a little tired of being unwilling partners in worldwide surveillance.
36 Comments | Leave a Comment..
Posted on Techdirt - 20 March 2015 @ 8:11am
Overclassification and abuse of FOIA exemptions is a given with most of our nation's security/law enforcement agencies. Two agencies -- the DHS and the FBI -- both redacted publicly-available information on drone possession and usage. Why? Because no one will stop them. Public accountability isn't something these agencies embrace. Their real love is secrecy, obfuscation and an allegiance to the eternal protection of "techniques and procedures," even when the information has already been disseminated elsewhere.
MuckRock's Phil Mocek recently received responsive documents from the US Marshals Service on its Stingray usage. The Marshals Service is notoriously secretive about the Stingrays in its law enforcement stable and is equally infamous for the thug-like tactics it has deployed to hide documents from public records requests.
So protective is it of this information that its response to Mocek jumped the secrecy shark. Hidden behind the numerous black redaction bars is information freely available on an official government website.
While it appears the USMS is not under any nondisclosure agreement with the device manufacturer, the agency has withheld a wide range of basic information under an exemption meant to protect law enforcement techniques. However, much of the redacted data is already available online via a federal accounting website…
Particular item names and descriptions are universally redacted throughout the documents. But released invoices and purchase orders indicate that USMS spending on cell site simulators and related services totaled nearly $10 million between September 2009 and April 2014.
As MuckRock's Shawn Musgrave points out, this information deemed too sensitive to be released to a FOIA requester can be found at the General Services Administration's website
. The GSA handles a majority of government contracts and, as a government entity, is only allowed to display information deemed suitable for public consumption. The same information withheld by the US Marshals Service has been previously cleared for release on the GSA's site.
An overabundance of caution by the US Marshals Service? Maybe. Or maybe it's just accustomed to throwing plenty of black ink around when fielding FOIA requests. Either way, this withholding of publicly-available data suggests one thing: the USMS's justification for blotting out this info doesn't mean shit.
Extensive redactions throughout the document cache are made under a provision in the federal Freedom of Information Act — exemption (b)(7)(E), for the FOIA nerds — meant to protect law enforcement information.
Specifically, per the Justice Department’s own guidelines, this exemption covers information that "would disclose techniques and procedures for law enforcement investigations or prosecutions”, or that “would disclose guidelines for law enforcement investigations or prosecutions if such disclosure could reasonably be expected to risk circumvention of the law."
The trouble is, much of the information blacked out by USMS FOIA officers is already available online to the general public, and hardly qualifies as law enforcement information as defined in this provision.
It's not that the US Marshals Service doesn't understand the correct deployment of FOIA exemptions. It just doesn't care. How a dollar amount can be both publicly-available through the GSA and
a too-sensitive-for-the-public "technique or procedure" will never be explained by the wilfully opaque law enforcement agency. At best, it will suggest the redaction was an error. But more likely, it will be happy to stay quiet on the issue and allow the BS exemptions to speak for themselves
14 Comments | Leave a Comment..
Posted on Techdirt - 20 March 2015 @ 6:04am
VentureBeat has news on two "startups" (which neither really are) that could possibly "upend" intellectual property laws: Qentis (copyright) and Cloem (patents).
The first, Qentis, was covered here previously. Qentis isn't actually a company. It appears to be the trolling byproduct of artist Marco Marcovici. The "company" claims to be algorithmically generating millions of photos and pages of text at a rate that will soon see it creating copyrighted material faster than the creators themselves. At some point, Qentis will hold the copyright of everything that can possibly be created, making every new creation instantly infringing.
Never mind the fact that no one has the computing power to generate photos and text at the rate Qentis is claiming it can, or the fact that algorithmically banging out creative works in advance of others doesn't make independent creations automatically infringing. Never mind pretty much all of it because the claims are so blatantly false as to be laughable, especially considering the source.
On the other hand, Cloem's business model seems a bit more grounded in reality. VentureBeat describes Cloem -- and its aims -- this way:
[A] company that provides software (not satirically, it appears) to linguistically manipulate a seed set of a client’s patent claims by, for example, substituting in synonyms or reordering steps in a process, thereby generating tens of thousands of potentially patentable inventions.
Cloem describes its team
as a mixture of patent experts and "computer linguistic specialists." The key element of its potentially-patentable variations lies within "seed lists," which draw from a variety of sources, including (according to Cloem) "70,000,000 patent documents." Its algorithms then brute force together lists of "new" patent claims, which can then be filed and used offensively or defensively.
Cloem's business model seems custom-built for patent trolls
, who will be able to "expand" their already-broad patents to nail down even more IP turf. Cloem's service also makes it easy for non-inventors to jam up patent offices with me-too "inventions" based on minor iterations of existing patents. While there's a good chance some of these will be tossed due to prior art, more than a few will inevitably make their way past examiners. With millions of patents just waiting to be iterated into "new" methods, Cloem's service further separates "inventing" from "invention."
It's a system that's built for abuse, but Cloem doesn't see it that way. In response to a somewhat critical post at RatioIP
, Cloem's rep offers up the defense of "Hey, we just make the tool. We can't control how it's used."
In our view, Cloem is a logical and natural evolution of the patent system. The technology in itself is neutral. Like a tool, we can use it in many ways, both offensive and defensive. It may well be that we could help to “raise the bar” and get rid of undue patents. Some see our system as an embodiment of the “skilled person” (i.e. which indicates what “routine work” can produce and reach), although we do think that cloem texts can be inventive, that is not excluded from patentability.
And that's mostly true. Entities wishing to protect their prior inventions could
"fence off" adjacent territory and deter future lawsuits by producing and filing very closely-related patents. But a tool like this -- if it creates anything patentable at all -- will always be more attractive to the "offensive" side of the equation.
sets the company at the forefront of an IP revolution, but its envisioned future is no more heartening than Qentis' dystopian, IP-generating machines of loving grace
. At least Qentis is a joke. Cloem's taglines only read
With Cloem, you can invent more, faster and cheaper.
Except there's no "invention" taking place. Nothing generated by Cloem's algorithms will be any more "inventive" than all the re-skins and palette swaps clogging up the "Games" section in mobile app stores. Cloem hopes to bridge the gap between its "silos of knowledge" and its silos of synonyms, somehow coming up with worthwhile patents in the process. Sure, previous knowledge always informs new creations, but it takes more than swapping the sentence
"a plurality of discrete content items arranged chronologically" around in the method description to generate inventive, worthwhile patents.
26 Comments | Leave a Comment..
Posted on Techdirt - 19 March 2015 @ 4:05am
A handful of deleted photos taken of a public structure is going to cost taxpayers $18,000. (via Poynter)
In what was seen as a victory for First Amendment rights, the U.S. government agreed Thursday to pay The Blade $18,000 for seizing the cameras of a photographer and deleting photographs taken outside the Lima tank plant last year.
In turn, The Blade agreed to dismiss the lawsuit it filed April 4 in U.S. District Court on behalf of photographer Jetta Fraser and reporter Tyrel Linkhorn against Charles T. Hagel, then the U.S. Secretary of Defense; Lt. Col. Matthew Hodge, commandant of the Joint Systems Manufacturing Center, and the military police officers involved in the March 28, 2014, incident.
The two journalists were apprehended by security staff at the Lima, OH, manufacturing center while taking pictures
of the outside of the building. Despite there being plenty of photos
of the tank parked proudly in front of the facility, as well as others detailing the interior
of the plant, the security guards decided the journalists' activity was Terrorism Lite™ and deleted the photos from the camera. They also made derogatory comments about journalist Jetta Fraser's perceived lack of femininity and threatened to "go under her bra" to… well, I don't know what exactly, but given the context of the comments, apparently to "prove" for themselves that she was indeed female.
Like most settlements, there's no admission of wrongdoing to be found in the government's offer. Somewhat bizarrely -- considering the photos were apparently deleted -- the settlement demands pictures taken that day never be published.
Plaintiffs agree not to publish, distribute, reproduce, sell or share any of the photographs taken of the Joint Systems Manufacturing Center in Lima, Ohio on March 28, 2014.
The Toledo Blade and its journalists offer no explanation for agreeing to these particular terms. The only logical explanation is that the photos could not be recovered, making this largely a moot point. Even so, this concession allows the censorious plant staff to salvage a partial victory from defeat and does nothing at all to prevent future abusive actions.
In fact, in its non-apologetic letter to the plaintiffs, the US Army pretty much vows to make the same "mistake" repeatedly in the future.
The letter, dated Feb. 25 and signed by Col. Ronald J. Shun, chief of staff for the U.S. Army Tank-Automotive and Armaments Command... states that the Army “takes seriously its obligation to protect its military installations” and “acknowledges the important role that the press serves in a free society.”
“The Army is interested in a positive relationship with The Blade, its employees, and all members of the media,” Colonel Shun wrote.
But not that interested. The letter goes on to say that the US Army -- and representatives from its tank plant -- will only entertain press requests for statements and photos, so dropping by to snap pictures while in the area (as The Blade's journalists did) is still unwelcome and will likely result in extra attention from the plant's security. So, the First Amendment isn't really being protected here. It's just being humored.
The public embarrassment -- rather than the settlement -- will likely have more of a deterrent effect on plant personnel. Armed with the knowledge that snapping photos of the outside of the Lima plant is protected speech may lead to other photographers informally "polling" the plant's security staff in the future. But in the end, it's always the same. The government -- whose grasp of laws and rights should be better
than its constituents -- will put on its "terrorist" blinders to violate more rights and allow taxpayers to pick up the tab.
Read More | 32 Comments | Leave a Comment..
Posted on Techdirt - 18 March 2015 @ 9:03pm
In a long-overdue nod to both privacy and security, the administration finally moved Whitehouse.gov to HTTPS on March 9th. This followed the FTC's March 6th move to do the same. And yet, far too many government websites operate without the additional security this provides. But that's about to change. According to a recent post by the US government's Chief Information Officers Council, HTTPS will (hopefully) be the new default for federal websites.
The American people expect government websites to be secure and their interactions with those websites to be private. Hypertext Transfer Protocol Secure (HTTPS) offers the strongest privacy protection available for public web connections with today’s internet technology. The use of HTTPS reduces the risk of interception or modification of user interactions with government online services.
This proposed initiative, “The HTTPS-Only Standard,” would require the use of HTTPS on all publicly accessible Federal websites and web services.
In a statement that clashes with the NSA's activities
and the FBI's push for pre-compromised encryption
, the CIO asserts that when people engage with government websites, these interactions should be no one's business but their own.
All browsing activity should be considered private and sensitive.
The proposed standard would eliminate agencies' options, forcing them to move to HTTPS, both for their safety and the safety of their sites' visitors. To be sure, many cats will still need to be shepherded if this goes into effect, but hopefully there won't be too many details to trifle over. HTTPS or else is the CIO Council's goal -- something that shouldn't be open to too much interpretation.
As the Council points out, failing to do so places both ends of the interaction at risk. If government sites are thought to be unsafe, it has the potential to harm citizens along with the government's reputation.
Federal websites that do not use HTTPS will not keep pace with privacy and security practices used by commercial organizations, or with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and reduces their confidence in their government. Although some Federal websites currently use HTTPS, there has not been a consistent policy in this area. The proposed HTTPS-only standard will provide the public with a consistent, private browsing experience and position the Federal government as a leader in Internet security.
The CIO's short, but informative, explanatory page
lists the pros of this proposed move, as well as spells out what HTTPS doesn't
protect against. It also notes that while most sites should actually see a performance boost from switching to HTTPS, sites that gather elements for other parties will be the most difficult to migrate. And, it notes, the move won't necessarily be inexpensive.
The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time. The development burden will vary substantially based on the size and technical infrastructure of a site. The proposed compliance timeline provides sufficient flexibility for project planning and resource alignment.
But, it assures us (at least as much as any government entity can...), the money will be well-spent.
The tangible benefits to the American public outweigh the cost to the taxpayer. Even a small number of unofficial or malicious websites claiming to be Federal services, or a small amount of eavesdropping on communication with official US government sites could result in substantial losses to citizens.
The CIO is also taking input from the public, at Github no less
A very encouraging -- if rather belated -- sign that the government is still making an effort to take privacy and security seriously, rather than placing those two things on the scales for intelligence and law enforcement agencies to shift around as they see fit when weighing their desires against Americans' rights and privileges
10 Comments | Leave a Comment..
Posted on Techdirt - 18 March 2015 @ 11:37am
Now that it's pretty much settled that the public has the right to record the police*, legislators are now moving to peel back this begrudgingly "granted" First Amendment protection.
*Exceptions, of course. Far, far too many of them.
Filed by Dallas State Representative Jason Villalba (R), the bill prohibits anyone in public within 25 feet of police to record them. The buffer is even greater at 100 feet, for anyone recording video who is also carrying a gun. Only accredited news organizations, like KENS5, would be allowed to record without the buffer zone.
Guess who gets to decide whether any unaccredited videographers are "too close" to the action? That's right. It'll be the person deploying handcuffs or demanding the camera be shut off/relinquished. It will all be in the eye of the uniformed beholder who's just going to eyeball the distance between him and the unaffiliated bodies of public accountability, and if it's close, just go ahead and call it a crime. A crime with some rather hefty penalties
, considering it involves recording public figures in public areas.
Anyone caught filming within the 25-foot radius could be prosecuted for a Class B misdemeanor, punishable by up to 180 days in jail and a $2,000 fine. For gun-carriers who step within 100 feet, it would be a Class A misdemeanor, punishable by up to a year in jail and a $4,000 fine.
Blogger Ex-Cop Law Student calls it the "Kory Watkins Law,"
after the open-carry activist, who has filmed many of his interactions
with local law enforcement.
This is basically a reaction to the confrontational style of Kory, who has a tendency to get very close to the officers while being loud and armed with either a rifle or a black powder revolver. So Villalba decided that a new law was needed, despite the fact that there is already a perfectly valid law on the book that deals with the issue.
Of course, the "valid" law is one that's already frequently abused: "interfering with public duties." This catch-all has snagged many citizens
and their cellphones. Villalba's proposal just gives police officers another way to legally violate the First Amendment rights of others.
Villalba's hardly a neutral party. According to the Dallas Observer
, his best man was a police officer. So are many of his family members and friends. This string of tweets
issued as the criticism began to roll in shows pretty clearly which side Villalba is legislating for.
There's nothing wrong with having cops as friends (and you can't choose your family members), but favoring a single subset of your constituents in order to -- at least, indirectly -- shield them from accountability isn't something legislators should be doing. They should be doing more to ensure their non-uniform-wearing, non-government employees are better equipped and more empowered to keep their public officials in line. This bill does nothing but create a larger power gap.
As always, it's an outsized "concern" for certain people's safety that is driving the legislation.
Villalba says cops often can't spare the time or attention to put up yellow tape or ask a photographer to step back. "They have the ability to say, 'Step back, please don't interfere,' but a lot of times these situations are in the heat of a law enforcement officer doing their jobs," he said. With HB 2918, "We're just trying to create enough separation, enough space so that officer feels comfortable."
Here's an idea: if they don't have time to push people around, then maybe they shouldn't waste those valuable moments harassing photographers. Most photographers aren't closing the distance between them and cops. It's usually the other way around -- officers approaching people they see filming. 25 feet is "reasonable" but it shouldn't be a misdemeanor and no legislator should be attempting to criminalize First Amendment-protected activity. Interfering with police duties is already illegal and it can be deployed if there's actual
interference occurring. If you're being prevented from doing your job (effecting an arrest, etc.), then it's legitimate. If not, then it's perfectly acceptable, no matter how annoying it might be personally
Ex-Cop Law Student points out the logical flaw in Villalba's "cops just don't have the time" argument:
Uh, Jason? If they are too busy to tell someone to move back, wouldn’t they be too busy to make an additional arrest? Because the purpose of the law is to criminalize the gathering of information that can be used to exercise the right to free speech. The fact that a law is on the books doesn’t magically make people move back, nor does it encourage the police to welcome citizen photographers. On the contrary, it encourages police officers to suppress free speech.
No matter how Villalba might frame it, and no matter how potentially pure his motivations (highly debatable), the fact remains that this law, if passed, will be just as abused as the one already on the books ("interfering with public duties"). In fact, it will be more
heavily abused because it gives the recorded the power to control the recordings.
67 Comments | Leave a Comment..
Posted on Techdirt - 18 March 2015 @ 8:19am
If nothing else, Universal Music Group is becoming a case study for everything that's wrong with YouTube's takedown system. Between nuking its own artists' official videos, targeting MegaUpload's video simply because it utilized some of its roster and using its direct partnership with YouTube to blow past any fair use considerations, UMG has been able to wreak a fair amount of havoc.
Its latest demonstration of its "my rights are bigger than yours" attitude towards IP protection has managed to yank someone else's creations right out from under their creator, as TorrentFreak reports.
Norwegian musician Bjorn Lynne… has had two of his videos hijacked by Universal Music Group (UMG) which is now running ads alongside his work.
“Can I just state publicly that I hate Universal Music Group. For the second time now, they have hijacked my music and claimed ownership of it in all YouTube videos that include my music, thereby monetizing my music,” Lynne writes.
Lynne isn't exaggerating. UMG owns the rights to an audiobook that uses one of Lynne's songs as a backing track. No problem up to this point, because anyone -- even UMG -- can use Lynne's tracks if properly licensed, which this apparently was. No, the problem is that UMG is claiming -- by proxy -- that it "owns" Lynne's track.
UMG have entered the audiobook in YouTube’s Content-ID system, and as a result they’ve hijacked the ads on the original video.
Which is why leaving infringement detection up to algorithms is a bad idea, even if doing otherwise is technically unfeasible. According to Content ID, the backing track belongs to UMG. That's a problem, but it's a fixable one. All it would take is for UMG to release the claim after having the error brought to its attention. But UMG clearly isn't in the business of resolving disputes. It's just there to claim everything Content ID says belongs to it, even when the content clearly doesn't.
“One thing would have been to have done this unwittingly, by mistake. But I have ‘disputed’ the claim on YouTube, written an explanation and told them about the origins of this music — then waited the FULL 30 DAYS that the claimant has to process the dispute, only to be told that UMG have reviewed the dispute and UPHELD their claim!” Lynne notes.
That's the process available to indie artists: sit back and let major players claim your stuff. If Company A rejects your dispute, the decision is final. In YouTube's eyes, the burden of proof always falls on the accused and the existence of proof ultimately has no bearing on the outcome. All the claimant has to do is push the "REJECT" button and someone else's ad money will be rerouted.
Lynee could fight this further, but it would take a stack of money and some ambitious lawyers -- neither of which most indie artists have at their disposal. The only thing UMG has to do is what it did: shrug and return to siphoning money away from Bjorn Lynne. The system works -- at least for the major players. For everyone else, it's just a matter of trying to mitigate the damage they can't prevent, much less reverse.
58 Comments | Leave a Comment..
More posts from Capitalist Lion Tamer >>