Capitalist Lion Tamer’s Techdirt Profile


About Capitalist Lion Tamer

Techdirt Insider

List of blogs started with enthusiasm, which now mostly lie dormant:

[reserved for future use]

[recently retired]

[various side projects]

Posted on Techdirt - 24 October 2016 @ 1:33pm

Judge Orders FBI To Turn Over Information On How Many People Around The World It Snagged With Its Playpen NIT

from the malware-whereabouts dept

This might be big, depending on how much of this information is passed on to the general public, rather than delivered ex parte or under seal. Joseph Cox of Vice/Motherboard was the first to snag this ruling [PDF] by a Washington district court judge ordering the FBI to turn over tons of info about the NIT it deployed in the Playpen child porn investigation.

As we're already aware, the NIT was deployed by the FBI in Virginia but obtained identifying information about Tor-cloaked site visitors not just all over this country, but all over the world. The motion to compel discovery asked for several details about the NIT and its deployment and most of them have been granted.

Here's the full list (with additional commentary):

1. All records related to the Government’s review and approval of Operation Pacifier.

The Court has taken this discovery request under advisement. An order is soon forthcoming.

2. Copies of any reports made to the National Center for Missing and Exploited Children (NCMEC) regarding child pornography posted on the Playpen web site.

Defendants’ motions are granted.

3. Copies of any notifications that were sent to victims by the Government for obtaining restitution related to images that were posted on, or distributed from, the Playpen web site.

Defendants’ motions are granted.

4. The number of new images and videos (i.e. content not previously identified by NCMEC) that was posted on the site between February 20, 2015 and March 5, 2015.

Defendants’ motions are granted.

(This information -- whether or not actually useful in suppression motions -- should at least provide some insight into how much additional child porn made its way to site visitors as a result of the FBI's decision to seize [and act as administrators of] the server, rather than shut it down. Information obtained in other court cases suggests the FBI not only acted as hosts during the NIT deployment, but actually made the site faster and more responsive.)

5. The names of all agents, contractors or other personnel who assisted with relocating, maintaining and operating Playpen while it was under Government control.

Defendants’ motions are granted.

6. Copies of all notes, emails, reports, postings, etc. related to the maintenance, administration and operation of Playpen between February 20, 2015 and March 5, 2015.

Defendants’ motions are granted.

(Again, this info could confirm whether or not the FBI improved the child porn site's performance during its two-week turn as administrators, as well as provide additional insight into how much child porn distribution was aided and abetted by the agency.)

7. Copies of all legal memoranda, emails and other documents related to the legality of the FBI’s operation of Playpen (and the distribution of child pornography by the Government), including requests for agency/departmental approvals of the undercover operation of Playpen and any communications with Main Justice or the Office of General Counsel at the FBI.

The Court has taken this discovery request under advisement. An order is soon forthcoming.

(This would be the government's legal rationale for running a child porn site rather than shutting it down. Chances are this will remain under seal and is probably FOIA-proof, as most legal guidance documents are.)

8. Copies of all correspondence, referrals and other records indicating whether the exploit used in the Playpen operation has been submitted by the FBI or any other agency to the White House’s Vulnerability Equities Process (VEP) and what, if any, decision was made by the VEP.

The Court has taken this discovery request under advisement. An order is soon forthcoming.

(Little is known about the government's actual handling of the VEP. On one hand, we have public statements which pay lip service to not screwing US companies by hoarding vulnerabilities. On the other hand, we have the exact opposite in practice.)

9. Copies of invoices and other documents for the hosting facility/facilities where the Government operated the Playpen server, the server from which the Government delivered the NIT malware and the server that NIT targets sent their identifying information back to, including documents revealing whether the Government informed the hosting provider(s) that child pornography would be stored in their facility or transmitted over their networks.

Defendants’ motions are granted. To the extent that the Playpen hosting provider was the Government, not a private party, it appears there may not be much discovery responsive to this request.

(There may be nothing here. Or there could be third party hosts involved who were never informed about their participation in the FBI's sting operation. If so, fun times ahead for the US government.)

10. The number of Playpen-related investigations that have been initiated but did not result in criminal charges, beyond the approximately 200 cases now pending across the country.

Defendants’ motions are granted.

(Another can of worms the FBI would probably like to remain closed. According to the government's own arguments in these cases, users would have connected to the site for a single purpose: to engage in criminal activity. A lack of charges would be a surprise and somewhat undermine the government's assertions about the criminal intent of visitors to the site.)

11. The total number of IP addresses and MAC IDs that were seized during the time the FBI was operating Playpen, over and above those related to these approximately 200 pending cases.

Defendants’ motions are granted.

12. The number of IP addresses and MAC IDs obtained during the investigation from foreign computers and the countries in which this data was obtained.

Defendants’ motions are granted.

(These are the potential goldmine. This will show how far-flung the FBI's net actually was, as well as provide more ammo for suppression motions predicated on Rule 41 jurisdictional limitations. The FBI is well aware it can't perform searches outside the jurisdiction covered by the warrant, but it chose to do so anyway. So far, its evidence has mostly held up, thanks to courts deciding suppression isn't the correct remedy, or crediting the FBI for unearned "good faith." The FBI and DOJ are pushing for changes to Rule 41 that eliminate the jurisdictional limits, so it's disingenuous for the agency to claim its agents acted in good faith when securing the warrant.)

This now becomes the Playpen case to watch, even if most of this information is likely to remain in the hands of defense lawyers only. Dismissal and suppression motions will contain references to the content of these documents, however, which will shed more light on the FBI's NIT deployment and its child porn site administration.


Posted on Techdirt - 24 October 2016 @ 8:06am

NSA Says Federal Cyber Strategy Needs More NSA More Often, And On The Information Sharing Ground Floor

from the cyber-me-once,-shame-on-me... dept

The NSA doesn't like the fact that it didn't get a big enough slice of the tax-dollar-grabbing cyber pie. After much discussion about which agencies would oversee what aspects of the US government's cyberwar defense systems, the NSA -- despite all of its computing power and hoarded exploits -- ended up with the unenviable task of protecting the home turf rather than engaging in more offensive maneuvers.

Currently, the NSA has responsibility for protecting U.S. government IT systems that carry classified or sensitive data — like the Department of Defense’ massive intranet known as NIPRNet.

It's a clear case of cyber envy. The DHS gets all the good stuff, including a first look at any juicy data turned over to it from the government's one-way "information sharing" program.

But the security of most civilian federal IT systems — and the private sector networks that support the functioning of vital industries like banks and telecoms — are the responsibility of DHS’ Office of Cybersecurity and Communication…

The DHS is supposed to vet and minimize this information before passing it along to federal cybersecurity partners like the NSA. The NSA, however, isn't used to seeing unminimized data. Nor is it content to hang out underneath the DHS's cybertable and wait for it to toss it a bone. So, it's proposing a revamping of the federal government's cyber strategies so that they align more closely with what the NSA apparently feels should have been done in the first place.

“I’m now firmly convinced that we need to rethink how we do cyber defense as a nation, possibly even going so far as that we unite pieces of those three organizations into one organization that does it on behalf of the whole government,” said Curtis Dukes, the NSA’s deputy national manager for national security systems.

Yeah! That's how a partnership is supposed to work: the NSA seated in the same room with the DHS and law enforcement agencies, with everyone comparing the size of their information silos. Excellent. Dukes says he might be a "bit biased" in placing the NSA on equal footing with domestic security and law enforcement agencies, but cyber lives are at stake, dammit!

Dukes said the “bad news” was, with every cyber intrusion becoming a potential crime scene, meaning the FBI had to be involved, and with the DHS in charge, “as we orchestrate across those three department and agencies what we find is that we’re suboptimal and by the time we actually respond to an intrusion, it takes hours to days and by then in cyber time, the adversary has already met their objective.”

Figuring out under whose authorities an incident response should be run meant giving the enemy a head start, he said. “By the time we fill out the paperwork that would allow NSA to provide assistance, it’s typically days to a week before we can actually respond,” he added.

Wonderful. Exigent circumstances but for domestic snooping.

The NSA wants first access to private sector communications and data because the current method takes too long to get the data into the NSA's hands. That's the pitch. Never mind the fact that the NSA is supposed to be an intelligence service tasked with collecting FOREIGN communications and data. Never mind the fact that the agency exploited post-9/11 terrorism fears to become a domestic surveillance agency that turned the Third Party Doctrine into a loophole to be exploited in bulk. Never mind that it simply makes more sense to route domestic security-related data to the domestic agencies (DHS, FBI, etc.) for several reasons, not the least of which are (at least) two Constitutional amendments (First, Fourth).

But there you have it: the NSA is lobbying for first peek at shared data from US companies, and it's claiming its only interest is better cybersecurity. And it's making this pitch while glossing over the fact that it is not -- and never has been -- a domestic law enforcement agency. Somehow, it still feels it's entitled to act like one and engage in even more domestic snooping.


Posted on Techdirt - 24 October 2016 @ 6:07am

Zuckerberg Momentarily Curbs 'Hate Speech' Moderation Stupidity At Facebook To Reinstate Posts By Donald Trump

from the but-will-it-scale? dept

Another "free speech" controversy has blown up at Facebook. "Free speech" in quotes because Facebook is a private company that can make its own rules about speech it's willing to tolerate, much less protect. It's also one that can make up the rules as it goes along and apply them inconsistently. Welcome to the Internet. That's just how things are done.

So, it comes as no surprise that moderators at Facebook attempted to remove Donald Trump's posts as "hate speech." (via Slashdot)

Facebook employees pushed to remove some of Republican presidential candidate Donald Trump's Facebook posts — such as one proposing the ban of Muslims from entering the U.S. — from the service as hate speech that violated the giant social network's policies, the Wall Street Journal reported Friday.

To some readers, Facebook's attempts to remove posts by a Republican may seem like business as usual. The social media network has been criticized before for playing politics with its news feeds. But digging a little deeper into the details of the story reveals this mini-debacle starts as most censorship stories do: with the site's users, rather than its moderation team.

Issues around Mr. Trump’s posts emerged when he posted on Facebook a link to a Dec. 7 campaign statement “on preventing Muslim immigration.” The statement called for “a total and complete shutdown of Muslims entering the United States until our country’s representatives can figure out what is going on.”

Users flagged the December content as hate speech, a move that triggered a review by Facebook’s community-operations team, with hundreds of employees in several offices world-wide.

Flagging a policy proposal as "hate speech" sounds very much like certain Facebook users' attempts to create their own echo chambers -- the normal efforts of those who have mistaken the "report" button for Facebook's still-nonexistent "dislike" button.

The problem could have ended there. Moderators could have easily decided this was relevant to the upcoming election and not something that should be declared "hate speech." But it didn't go that way.

Some Facebook employees said in internal chat rooms that the post broke Facebook’s rules on hate speech as detailed in its internal guidelines, according to people familiar with the matter.

Facebook's definition of "hate speech" is far too broad. Even CEO Mark Zuckerberg agreed the post violated the company's "hate speech" policy, but overrode moderators and reinstated the posts. The rules will apparently continue to be rewritten on the fly.

On Friday, senior members of Facebook’s policy team posted more details on its policy. “In the weeks ahead, we’re going to begin allowing more items that people find newsworthy, significant, or important to the public interest—even if they might otherwise violate our standards,” they wrote.

This is a better interpretation of the rules, but one that should be permanently implemented, rather than just half-assed into place to lower the risk of losing campaign advertising dollars. Facebook has earned a lot of the criticism thrown in its direction over its surprisingly terrible post moderation decisions. So, FB earns a golf clap for deciding to prevent user-generated echo chambers, at least up until the second Tuesday in November.

The other problem is that this decision just isn't good enough for some Facebook employees.

[O]thers, including some Muslim employees at Facebook, were upset that the platform would make an exception. In Dublin, where many of Facebook’s content reviewers work, more than a dozen Muslim employees met with their managers to discuss the policy, according to another person familiar with the matter. Some created internal Facebook groups protesting the decision, while others threatened to leave.

Those that threatened to leave should do so. They're only going to make Facebook an even worse place for the world to get its news. There's plenty of unpleasantness out there that is newsworthy, significant, or important to the public interest. Very little of it rises to the level of hate speech -- even in Facebook's broad, constantly-changing definition of the term.

A lot of things Trump has said and advocated for are objectively repugnant and undoubtedly offensive to the races and religions targeted by them. But they are not "hate speech." They are bad ideas born of worse thought processes. In any event, it's better to know what presidential candidates are supporting, rather than being unpleasantly surprised post-election.

The same goes for "normal" people. Why police "hate speech" in such a heavy-handed fashion? Wouldn't it be better to have those in your social circles out themselves publicly as repellant human beings, rather than discover this during a child's birthday party or other IRL social gathering?

Facebook isn't a free speech defender. It's a private company with a lot of advertising dollars and billions of users with competing interests on the line. It will play it safe and continue its long run of dubious moderation decisions. But what it shouldn't do is continue to expand its definition of hate speech so moderators become nothing more than extensions of a heckler's veto.


Posted on Techdirt - 24 October 2016 @ 3:10am

Appeals Court Says Government Doesn't Have To Disclose Contents Of Its Secret Terrorist Organization List

from the terrorist-farm-teams-or-something dept

An attempt to force the government to reveal its secret list of terrorist groups has been shot down by the Seventh Circuit Court of Appeals [PDF]. The Heartland Alliance Immigrant Justice Center's FOIA request for "Tier III" terrorist groups can remain unfulfilled. [h/t Brad Heath]

Without giving too much away (and neither the court nor the government does), "Tier III" is apparently more nebulous and fluid than tiers I and II.

Tier I and Tier II organizations are publicly identified terrorist groups such as ISIS and al‐Qaeda. Tier III organizations are defined in 8 U.S.C. § 1182(a)(3)(B)(vi)(III) as any group of two or more people that engages in terrorist activity (as defined in 8 U.S.C. § 1182(a)(3)(B)(iv)), even if their terrorist activity is conducted exclusively against regimes that are enemies of the United States. Tier III organizations tend to have a lower profile than Tier I’s or Tier II’s, not only because the government does not publish their names but also because they tend to be groups about which the U.S. government does not have good intelligence, making it essential that the Department be able to obtain information about them during screening interviews that are as focused and complete as possible.

The government withheld this info under FOIA 7(E), which covers "techniques and procedures for law enforcement investigations or prosecutions." As the government argued, divulging these "groups" of two or more possible terrorists would likely allow screened immigrants to hide their involvement in these groups.

[A]s explained in the government’s brief, “an alien who becomes aware that a particular organization has been found to fall within the definition of a Tier III organization will have a very strong incentive to falsify or misrepresent any and all encounters, activities, or associations that he or she may have had with that organization.” If the alien doesn’t know that a terrorist organization that he has belonged to, been affiliated with, or maybe simply has provided supplies or money to, has been identified by our government as a terrorist organization, he is likely to be less guarded in answering questions about his activities in or associations with the organization. But if he knows that the organization he belonged to or was associated with is deemed a terrorist organization, he is likely to deny having ever had any connection to it or even having ever heard of it.

The Justice Center pointed out that the government's fear of slippery foreigners might be overstated. After all, members of terrorist groups -- whether publicly acknowledged by the government or not -- would be just as likely to lie about their affiliation even if privy to the contents of the Tier III list.

The Appeals Court doesn't think much of the Justice Center's counterargument, positing that any interrogation predicated on the Center's assumptions would be a "dumb interrogation." In the eyes of the court, the government's secrets allow it to more gracefully handle questionings, allowing it to tease out affiliations detainees would otherwise be unwilling to disclose.

The court isn't much kinder to the Justice Center's speculations about the contents of the Tier III list.

We learn in the Center’s reply brief that its primary concern is not with names but with the Tier III category itself, for it says for example that “the designation of Tier III organizations is often doubtful.” It hopes that if it can obtain the names of all the organizations—its goal in this litigation—it will be able to discredit some or perhaps many of them. Deeply distrustful of the U.S. government, by the tone and content of its briefs the Center signals its disbelief that the government has secrets worth keeping from asylum seekers and their helpers (such as the Center), but it does not explain what the government would gain by pretending that harmless organizations are actually terrorist groups.

The court does give the government a bit more credit than it deserves. It's not so much that the government would try to gain something by designating harmless groups as terrorist organizations. It's that government agencies have shown a willingness in the past to designate political groups they don't like as enemies or criminals, subjecting them to unlawful surveillance and other rights violations.

The concurring opinion raises another concern -- one that the court finds bolsters the government's secrecy assertions, but one that could also be read as a call for more scrutiny of this particular list.

At oral argument, the government noted plausible foreign relations grounds for the government withholding this information under other FOIA exemptions. Specifically, it noted that U.S. government relations with Tier III organizations might change on short notice, and that revealing certain Tier III organizations might have foreign policy ramifications. What one day might be an allied Christian militia fighting against the Islamic State (ISIS) might the next day be our nation's enemy, and while not rising to the level of a Tier I or II organization, might fall under Tier III. All of this suggests that the government has, in our nation’s FOIA law, adequate alternative claims for exemption that it chose to avoid, so there is no need to broadly construe 7(E).

The unasked question is this: if alliances shift, does the government immediately release detainees affiliated with groups the government has arbitrarily decided are now the nation's allies? Or do they just sit around forgotten in detention centers while the government moves organization names on and off the list? Who knows. The opinion suggests this is a problem for Congress to solve -- either by scaling back the scope of the FOIA exemption or by actually using its oversight powers to periodically review the Tier III list.


Posted on Techdirt - 21 October 2016 @ 3:21am

FBI Director: We Need More Data On Police Shootings So Law Enforcement Can 'Change The Narrative'

from the it's-not-about-accountability,-it's-about-control dept

FBI Director James Comey didn't dig into his bag of "Ferguson Effect" rhetorical devices during his comments to a law enforcement conference on Sunday, but he came close. Under that theory, the possibility of being held accountable by citizens and their recording devices has apparently been holding officers back from enforcing laws, making arrests, or otherwise earning their paychecks.

The problem now is a lack of data, Comey claims. Law enforcement has lost control of the narrative, he stated, as if a one-sided portrayal of every police use of excessive/deadly force was somehow beneficial to the nation.

Dramatic videos of deadly law enforcement encounters and the absence of reliable data about how often police use force contribute to a regrettable narrative that "biased police are killing black men at epidemic rates," FBI Director James Comey said Sunday.

That story line has formed amid a lack of comprehensive, national data about how many citizens are killed or injured at the hands of police officers.

Thanks to the DOJ and FBI's active disinterest in collecting this data (until just recently), the "narrative" is no longer law enforcement's to control. Comey at least admits the FBI -- which was charged with collecting this data but somehow believed voluntary reporting would result in a comprehensive dataset -- is partly to blame.

We do not know whether number of black, brown or white people being shot by police is up because we have not collected data.

The problem with Comey's comments is that he apparently believes data on excessive force and killings by police officers will be ultimately exculpatory.

We need to show people what American law enforcement is really like, because if they see what we see, the chasm will close.

But the data collected by the public on its own initiative shows exactly what Comey claims it doesn't: that law enforcement officers are killing black men at "epidemic rates." Worse, Comey believes data collected and disseminated well after the fact will somehow be able to defuse immediate reactions to released video of officers killing or abusing citizens.

Videos of fatal police encounters that capture the public's attention and are shared broadly across the internet can fuel the perception that "something terrible is being done by the police," even if the data aren't there to back it up.

Given the audience, Comey probably didn't feel comfortable pitching the truth: that policing in America is every bit as bad as it's portrayed to be. Comey thinks data will give law enforcement control over the narrative, but that seems to be his only concern. The culture of American policing needs to change before the data start matching law enforcement's narrative.

Almost without fail, DOJ investigations of law enforcement agencies find two things: routine use of excessive force and biased policing. These aren't anomalies or "bad apples." This is how policing in America works.

As for the narrative, law enforcement still largely controls it. The corpse of the recently killed is barely on the way to the city morgue before law enforcement officials are dumping criminal records and officers' "feared for their safety" claims into the hands of reporters. No amount of pointing to stats is going to change the fact that far too many interactions are needlessly escalated by responding officers, or that biased police tactics are generating far too many interactions in the first place.

While it's good to know the FBI is finally going to push for better data collection on police use of force, the fact that it did nothing for nearly two decades counts against any goodwill it might hope to generate by finally doing its job. Unfortunately for those hoping this might lead to better policing, Jim Comey has made it clear it's really about controlling the narrative and pushing the American public to view law enforcement the way Comey feels they should be viewed: as good people in tough jobs who rarely, if ever, screw up. We'll just have to see what sort of spin is applied when Comey realizes the numbers aren't going to add up to his preconceptions.


Posted on Techdirt - 20 October 2016 @ 2:35pm

Former CIA Employee Sues Agency Over Its Refusal To Provide Documents In Electronic Form

from the exemption-(f)-u dept

The CIA is still causing problems for Jeffrey Scudder. Scudder used to work for the CIA. He was forced out of the agency after making a FOIA request for "historical documents of long-dormant conflicts and operations" while still employed there. Perhaps the agency thought only citizens outside of the agency should be making FOIA requests. Or maybe it thought Scudder was engaged in a particularly labyrinthine plot to exfiltrate declassified documents out of the agency. Whatever its thought process, it resulted in an FBI raid of Scudder's house, the seizure of his electronics, and the end of his career.

Unfortunately for the CIA, this has given Scudder more time to file FOIA requests and sue the agency when it responds in increasingly ridiculous ways. Scudder has already tangled with the CIA over its refusal to join the 20th century (never mind the current one) when turning over responsive documents. His last major request to the agency asked for "softcopy" -- i.e., not paper -- copies of 419 articles from the CIA's "Studies in Intelligence."

The CIA told him it had no way of providing him documents in the format he asked for. Instead, it claimed it only had one way to comply with the request: the stupidest, most circuitous way.

The defendant [CIA] avers that if it were ordered to honor the plaintiff's [FOIA] request [for soft copy records], it would have to print the existing electronic documents to paper and then rescan them into electronic documents so that they may be reproduced and released on removable media...

Scudder called this an "administrative gimmick" -- something meant to discourage requesters and generate extra FOIA fees. The judge presiding over the case was less kind. She called it "Rube Goldbergian" while pointing out that FOIA law does allow requests to be turned down if they're too burdensome, but that's not an invitation to agencies to turn normal requests into overly burdensome ones by adding several layers of administrative busywork.

It's this case that's cited in Scudder's latest lawsuit against the CIA -- again hoping to force the agency to deliver documents digitally, rather than via a method lying somewhere between the hellish bureaucratic redundancy of Terry Gilliam's "Brazil" and a shoddy steampunk plot point. (To be fair, it could be institutional. The Defense Department itself once turned down a request from MuckRock because it couldn't find any money in its budget to repair/replace the single fax machine it used to receive FOIA requests.) From the filing [PDF] (via The FOIA Project):

Mr. Scudder, joined by three esteemed members of the academic community, now seeks through this new FOIA litigation to resolve once and for all whether CIA’s electronic production policy inextricably conflicts with the agency’s obligations under FOIA. A new FOIA request – outlined below – seeking electronic copies of historical CIA records is ripe for adjudication by this Court. Through this litigation, Mr. Scudder and his colleagues seek to bring CIA’s refusal to adhere to the letter – to say nothing of the spirit – of FOIA to an end.

This is pretty much more of the same for Scudder v. CIA, only this time Scudder brought colleagues: Ken Osgood, Hugh Wilford, and Mark Stout. He's also getting out ahead of the CIA's eventual denials and obtuse claims of technical ineptitude. He's forcing the issue by forcing the CIA to respond well ahead of its usual lackadaisical FOIA response schedule. Even better, he's brought another federal judge's not-at-all-impressed opinion of the CIA's reluctance to familiarize itself with peedee effs and ceedee romms… in 2016.

Hopefully, the court will prevent the CIA from continuing to blow taxpayer dollars on reams of paper, black toner cartridges, and snail mail postage.


Posted on Techdirt - 20 October 2016 @ 3:06am

Local Superior Court Judge Says DEA's Wiretap Warrant Factory Perfectly Legal

from the Judge-Molloy's-Wiretap-Warrant-Laundry-Service dept

Over the past several years, the DEA has run hundreds of wiretap warrants through a single county judge's court after getting them approved by whoever happened to be in the local district attorney's office when agents needed one signed. The latter part of this process runs contrary to statutes enacted specifically to prevent abuse of wiretap warrants by federal agencies.

The approval process, which had been streamlined to eliminate any possible roadblocks to the DEA's deployment of wiretaps all over the country, was considered by the DOJ to be far enough outside legal boundaries as to make the warrants questionable, if not legally "toxic."

The district attorney who was supposed to personally approve these wiretap warrants never did. Former Riverside County district attorney Paul Zellerbach delegated this task to anyone but himself. Because of this, some of the warrants have been challenged in court, leading to the DOJ stepping in to salvage wiretaps its lawyers had previously instructed DEA agents to keep out of federal courts.

Not much of this seems to matter now, as another Riverside County judge has just declared the DEA's wiretap warrants to be perfectly valid.

Superior Court Judge John Molloy ruled that the district attorney was allowed to delegate the responsibility of approving wiretap applications to his second-in-command.

Except that's not really what happened. Zellerbach, who managed to obtain a warrant of his own by failing to show up for court, never designated any particular person to approve the warrants. As Brett Kelman and Brad Heath reported earlier, Zellerbach himself stated that he delegated this task to "lower level lawyers," rather than a specific person -- contrary to statutes directly stemming from the federal government's previous abuse of wiretap warrants to surveil civil rights leaders during the 1960s.

Federal law bars the government from seeking court approval for a wiretap unless a top prosecutor has personally signed off on that request.

Zellerbach claimed he had no time to personally approve these wiretap requests. And he probably didn't, what with the DEA funneling several hundred of these through his office and into the hands of county judge Helios Hernandez (who singlehandedly approved five times as many wiretap warrants as any other judge in the nation).

Judge Molloy, however, likely views this abuse of the system as good police work.

Molloy, a former prosecutor who used to work with wiretap applications, ruled that Zellerbach’s practice of letting his number-two prosecutor sign off on them did not violate state or federal wiretap laws.

Molloy also said that because Zellerbach was away at an education conference in another Southern California town when the specific wiretap defense lawyers were challenging was approved, he would have been allowed to delegate it anyway.

Zellerbach's second-in-command testified in court that he usually handled wiretap requests, paying no mind to the federal limitation that Zellerbach be actually absent before he had permission to do so.

Under Zellerbach, that person was Van Wagenen. However, on Friday, Van Wagenen testified that he didn’t actually check if Zellerbach was available before he signed hundreds of applications.

“The protocol was that I was to sign the application instead of Mr. Zellerbach,” Van Wagenen said.

“On any occasion?” asked defense attorney Jan Ronis.

“If I was available and in the office, yes,” Van Wagenen answered.

Judge Molloy revisited the questioning minutes later.

“Did you ever ask Paul Zellerbach to review a wiretap application?” Molloy asked.

“I did not,” Van Wagenen said.

"This is fine," ruled the judge, and at least one warrant -- if not dozens of others obtained in the same jurisdiction (which would be a significant percentage of the DEA's wiretap warrants) -- has been given a post facto veneer of lawfulness. This takes some weight off the DOJ's legal team, which had previously advised the DEA to steer clear of federal prosecutions stemming from questionable warrants. Now, it can just let the highest level local judge's blessing do its work for it.


Posted on Techdirt - 19 October 2016 @ 5:15pm

Documents Show Chicago PD Secretly Using Forfeiture Funds To Buy Surveillance Equipment

from the no-accountability,-no-oversight dept

The Chicago Reader has put together a massive, must-read investigation into the Chicago Police Department's secret budget. The Chicago PD has -- for years now -- used the spoils of its asset forfeiture program to obtain surveillance equipment like Stingrays. This discretionary spending is done off the city's books, allowing the CPD to avoid anything that might prevent it from acquiring surveillance tech -- like meddling city legislators… or the public itself.

Since 2009, the year CPD began keeping electronic records of its forfeiture accounts, the department has brought in nearly $72 million in cash and assets through civil forfeiture, keeping nearly $47 million for itself and sending on almost $18 million to the Cook County state's attorney's office and almost $7.2 million to the Illinois State Police, according to our analysis of CPD records.

The Chicago Police Department doesn't disclose its forfeiture income or expenditures to the public, and doesn't account for it in its official budget. Instead, CPD's Bureau of Organized Crime, the division tasked with drug- and gang-related investigations, oversees the forfeiture fund in what amounts to a secret budget—an off-the-books stream of income used to supplement the bureau's public budget.

The Reader found that CPD uses civil forfeiture funds to finance many of the day-to-day operations of its narcotics unit and to secretly purchase controversial surveillance equipment without public scrutiny or City Council oversight.

It sounds like a lot of money -- $72 million in civil forfeiture funds -- and it is. But it's not like this money comes from a few large busts that have seriously affected the city's drug trade. That may be the rationale for the PD's convictionless seizing of property and cash (just like "terrorism" is often cited when acquiring surveillance tech ultimately destined for plain vanilla law enforcement use). But in reality, the forfeitures rarely do anything more than financially cripple a large number of individuals who have little to nothing to do with drug trafficking. The Chicago Reader reports that the median seizure in Illinois is only $530 -- hardly an amount one associates with criminal empires. In fact, the normal cash seizure probably sounds more like the following than a breathtaking dismantling of a local drug-running crew.

Ellie Mae Swansey, a 72-year-old retiree living on a fixed income, had her 2001 PT Cruiser seized two years ago when Chicago police arrested her son for drug manufacturing. The costs of simply beginning the long, circuitous, extremely-frustrating battle to reclaim her vehicle were prohibitive.

In order to have a chance at getting their property returned, claimants must put down a bond toward their asset when first submitting the official paperwork. This means that Swansey had to pay $140 (10 percent of her car's value) just to start the process. Then, to appear in court, she had to pay an additional $177 fee.

To Swansey, who lives on a $655-per-month social security check, these costs are substantial. Successful claimants will have 90 percent of their bond returned; unsuccessful claimants get nothing back.

The extensive investigation, compiled from dozens of FOIA requests (more on that in a bit), notes that 90% of the seized funds spent by the CPD went to expected, above-board expenses: vehicles, cellphones, etc. But the rest of it went other places, obscured by redactions and withheld documents. Payments to cellphone forensics companies like Cellebrite were uncovered, as were purchases of a license plate reader installed near the CPD's infamous Homan Square detention center black site, and $417,000-worth of cell tower spoofers.

The Chicago PD will continue to roll over retirees like Swansey because the laws governing forfeiture in Illinois have completely corrupted the incentives. It's not about law enforcement or crime prevention. It's about autonomy, power, and a steady flow of spendable cash.

When a government agency is allowed to handle the forfeiture proceeds it brings in—as is the case with both CPD and the Cook County state's attorney's office—it controls both "the sword and the purse," like an army that is also its own taxing authority. This is according to Lee McGrath, legislative counsel for the Institute for Justice, which seeks to reform civil asset forfeiture laws across the country.

And for what? What has been the end result of this massive amount of supposedly drug-focused seizures and spending?

[T]he prices of many drugs have decreased and purity has increased since the [drug] war began.

The second part of this story is just as interesting. It details how the Chicago Reader managed to get its hands on this stash of documents. It began with a FOIA request for Stingray documents from the Chicago PD. In between the redactions, the PD accidentally gave up its quasi-"black budget" account numbers.

On October 13, 2014, Christopher Kennedy, from CPD's Gang Investigations Division, wrote to Nicholas Roti, then chief of the department's Bureau of Organized Crime:

"Because this equipment will be used for [REDACTED] investigations in to [sic] [word missing] [I] recommend that it be paid for with both 1505 and 1505ML funds in equal amounts," he wrote.

Several requests later, Lucy Parsons Labs (government transparency activists) and the Chicago Reader confirmed that these accounts were tied to asset forfeiture. Moving on from there, however, required some outside assistance. The Reader was going to be asking for a lot of documents and it would have been easy for the Chicago PD to deny such a request from a single entity as "unduly burdensome."

But several public records requesters, each using their own name? Not as easy.

To get over this hurdle, Lucy Parsons Labs launched a collaboration with MuckRock, a FOIA and transparency website, asking ordinary users to send FOIA requests on our behalf.

Lucy Parsons Labs drafted a sample FOIA request for users to download and submit. We also managed the responses from CPD—MuckRock's platform automatically followed up with CPD when the department was late responding to a request. Once checks came back from CPD, Lucy Parsons members collected the data in a centralized location and classified each purchase as being either part of routine police activities or as part of broader surveillance efforts. Eleven of our 13 community requesters used the MuckRock FOIA platform to submit and manage their requests.

This is how you beat a system predisposed to telling you "no." A "burdensome" request split 20 ways is no longer a burden. Sure, the Chicago PD might have experienced a bit more of a crunch fulfilling these, but it couldn't use the law to deny releasing documents it almost certainly would have preferred to keep under wraps.


Posted on Techdirt - 19 October 2016 @ 3:00pm

FBI, CBP Join Forces To Turn Airports Into Informant Recruiting Centers

from the which-do-you-prefer?-a.)-spying-for-us-or-b.)-being-arrested? dept

The FBI and CBP have been using the nation's borders as recruiting stations for informants. This phrasing makes it sound a lot more voluntary than it actually is. The Intercept has obtained documents showing how these two agencies work together to pressure foreign visitors into basically becoming spies for the United States.

The FBI gives CBP a list of countries of origin to watch out for among passengers, sometimes specifying other characteristics, such as travel history or age. It also briefs CBP officers on its intelligence requirements. The CBP sifts through its data to provide the bureau with a list of incoming travelers of potential interest. The FBI can then ask CBP to flag people for extra screening, questioning, and follow-up visits. According to the documents, the FBI uses the border questioning as a pretext to approach people it wants to turn informant and inserts itself into the immigration process by instructing agents on how to offer an “immigration relief dangle.”

These documents confirm what was alleged in a lawsuit filed by Rahinah Ibrahim two years ago. Her filing pointed out that the FBI has used threats in the past to secure cooperation, like revoking traveling privileges or trying to prosecute immigrants for minor crimes. Ibrahim's lawsuit had another allegation: the secret "no fly" list is also being used as a coercive tool, with agents threatening to add travelers' names to the list if they refused to go to work as informants.

The documents obtained here note that the joint recruiting efforts have expanded far past the nation's border. Some form exists in every airport in the nation. Travel to and from certain countries is flagged for extra scrutiny. The CBP collects extensive data on everything crossing US borders -- people or products -- and turns this over to the FBI with any potential targets pre-flagged. It also provides the FBI with a list of passengers expected to arrive from "countries of interest" at the nation's airports within the next 72 hours.

The CBP is supposedly in the border-securing business and the FBI in the law enforcement business, but these directives turn them both into intelligence agencies. This has made both agencies far more interested in recruitment and data harvesting than their original directives. The documents show that the CBP tends to grab the most data, starting with basic traveler information. There is no predetermined endpoint to the CBP's investigative work. Secondary screenings at borders could run from a few minutes to several hours, depending on how much the CBP wants to harvest.

The CBP materials indicate that as part of secondary inspections, CBP can search “pocket litter,” documents, and cellphones. The April 2012 presentation promises a “full cell dump, including #s, text messages, pictures, etc.” at certain airports.

Everything is passed on to the Joint Terrorism Task Force, which then starts the uglier work of pushing certain travelers into becoming informants, using carrots, sticks and, in some cases, visits to their homes. Immigration revocation threats are common. So is the promise of benefits. But in both cases, the FBI -- working with CBP info -- is using motivations it can't actually offer or revoke.

When potential informants are not U.S. citizens, they may be particularly vulnerable to pressure from the FBI. Indeed, the bureau is counting on people thinking that FBI involvement in immigration decisions is normal, the documents indicate. In reality, FBI agents are expressly forbidden from promising immigration benefits to potential informants or threatening deportation.

The agency apparently believes deceiving foreign citizens during the recruitment process causes zero damage.

“If subject is deemed ‘recruitable,’” the slides state, then a “series of overt interviews set into motion.” If the person is “not recruitable,” then “NO HARM. Subject believes that the interview is part of the immigration process.”

This is why these recruitment efforts work. The FBI is counting on the ignorance of visiting travelers to help it turn visitors into informants. A suspicionless detention in which several invasive questions are asked is considered to be "no harm," and the FBI will just move on to the next suggestion from CBP. And even if they think this might have been out of the ordinary, what are they going to do? Complain to another person in uniform and hope that the implied threats of deportation are bogus?


Posted on Techdirt - 19 October 2016 @ 1:34pm

Intelligence Contractors Being Paid Millions To Surf The Web, Sext With Teens, Have Affairs With Co-Workers

from the your-tax-dollars-fucking-around dept

Let's review some Intelligence Community terminology, shall we? [All expanded definitions courtesy of Vice News and Jason Leopold's FOIA tenacity.]

"Collect [It] All [These Paychecks You Haven't Earned]"

The Intelligence Community Inspector General (IC IG) Investigations Division (INV) identified [redacted] is an employee of CENTRA* Technology, working on ODNI contract [redacted] The data analysis indicated that [redacted] was not likely present at her assigned worksite for the full period in which she billed the contract. [redacted] 1 June 2012 to 29 July [redacted] billed the government for 630 hours for which she was not present at her worksite.

*Jason Leopold points out CENTRA was contracted to review CIA torture documents. Or NOT review them, as appears to be the case here.

Total cost to taxpayers for [redacted] not being at work? Almost $30,000.

Finding: [redacted] falsely charged approximately 306 hours from 1 June 12 to 29 July 2013. She had a billing rate of $89.14 per hour during this time frame. The total amount of mischarging is approximately $27,301.

"Haystacks [of Single Women]"

In the administrative hearing held on 30 March 2012, [redacted] admitted that while at work he used his AIN connection to purchase non-official plane tickets, send instant messages to friends, and check online dating services. According to [redacted] he accessed these online dating and social accounts to view images of scantily clad or naked women. [Redacted] noted that while on the AIN he used MySpace and Meebo as his means of e-mailing and instant messaging his friends and acknowledged that some of these conversations lasted all day. [Redacted] also explained that 95% of his time spent on the internet was for personal use.

Total tab run up by Lazyass P. Horndog* - $974,000 over six years, with an admitted 95% of that being tax dollars down the drain.

"Incidental Collection [of Money in Exchange for not Doing a Damn Thing]"

Finding: [Redacted] submitted false time cards for approximately 220 hours which he did not work, from 15 FEB 12 until 31 JUL 12. [Redacted's] hourly rate charged to the government was approximately $125 per hour; the total loss to the government for this time frame is approximately $27,500. During the IC IG interview with on 18 October 2012, he admitted that he falsely recorded his time since 2005. Mr. [Redacted] previously worked on the same contract at a facility without [redacted]; therefore the IC IG has no record of his time at work prior to 15 Feb 2012. Mr. [Redacted] charged approximately 8.8 hours per week which he did not work over 25 weeks from 1 January 2005 through 15 Feb 2012. An average of 8.8 hours per week from January 2005 through 15 February 2012, equates to approximately 3,282.4 hours which is an estimated loss of $410,300 (without accounting for rate adjustments).

"Minimization Procedures [for Open Browser Tabs on Government Computers]"

In May 2013, the IC IG Investigations Division obtained additional AIN records of sexual chat. We found that [redacted] began using AIN for sex chat in May 2010 and continued on a near daily basis until his removal ODNI facilities on July 18, 2013, under the direction of agency security officials.

[Redacted] often engaged in as many as 20 exchanges per day seeking sex partners. The majority of [redacted's] sex chat included attempts to establish after work sexual encounters, descriptions of desired sex acts and graphic descriptions of his genitalia.

"Targeted Communications"

Upon discovery of information that [redacted] attempted to establish a sexual relationship with a possible minor residing in northern Virginia, this office referred the matter to the FBI, specifically the Northern Virginia Internet Crimes Against Children (ICAC) task force.

There's way too much fraud, misconduct, and criminal activity in these reports to fully cover here. The 264 pages [PDF] released to Leopold and Vice as the result of an FOIA lawsuit detail extramarital affairs involving supervisors and subordinates, unapproved telecommuting by contractors handling sensitive documents, and page after page of attendance fraud.

Multiple cases are included, most involving hundreds of hours and tens of thousands of dollars of unearned wages. The intelligence community has the big budget and all the manpower it wants, but it apparently doesn't have enough actual work to keep them all busy. Contractors have charged taxpayers for hours they never worked, running personal errands, moonlighting as university instructors, and tending their Farmville crops.

This is the direct result of the community's "collect it all" attitude. If some is good, more is better, and while budgets and staffing expand exponentially, lots and lots of tax dollars are spent paying contractors who aren't doing anything and plenty of other contractors engaged in IC busywork that contributes nothing to the nation's security and safety.


Posted on Techdirt - 19 October 2016 @ 8:24am

Appeals Court Affirms NSA Surveillance Can Be Used To Investigate Domestic Criminal Suspects

from the spooks-in-the-federal-cop-shop dept

The Seventh Circuit Court of Appeals confirms what's already known about the NSA's domestic surveillance: it's not just for terrorism.

The NSA collections -- done in the FBI's name -- are supposed to only gather info related to international terrorism. But that requirement has been phased out. The NSA "tips" a certain amount of data to the FBI for its own use and it has been shown in the past to do the same for the DEA, which it then instructs to obscure the origin of its info.

An opinion [PDF] just released by the Appeals Court says basically the same thing: although the NSA's surveillance is supposed to be used to sniff out terrorists, there's nothing in the law that prevents it from using its collections to go after criminals.

Gregory Turner was convicted of conspiring with Prince Asiel Ben Israel (both US persons) to provide aid to Zimbabwean "Specially Designated Nationals" -- in this case a group working to block the institution of more democratic processes and procedures in that country.

Turner moved to suppress the evidence, claiming that the government's use of a FISA order to obtain information on his activities violated the NSA's foreign intelligence directives. But the court finds the directive does not limit FISA warrants to terrorism only. The government only needs to "reasonably believe" a target is an "agent of a foreign power."

The government informed Turner it had gathered evidence using FISA-authorized surveillance. Then it refused to turn over information to him with regards to its activities. From the redacted, terribly-reproduced decision:

On February 27, 2014, Turner filed a motion for disclosure of FISA materials and motion to suppress evidence obtained or derived from FISA. The government responded to these motions with a classified brief and a sealed appendix submitted ex parte to the district court and redacted, unclassified version served to Turner. Additionally, the government filed a "Declaration and Claim of Privilege" by the Attorney General that declared, "it would harm the national security of the United States to disclose or hold an adversarial hearing with regards to the FISA materials…"

Both motions by Turner were denied. These denials have been upheld by the Appeals Court. Turner claimed the government failed to meet its probable cause requirements for the FISA warrant and also violated his First Amendment rights with its surveillance.

Much of the court's reasoning is redacted but it does have this to say about Turner's assertions.

Turner contends that "FISA appears to require the communications subject to surveillance of a United States person must related directly to activities involving international terrorism as defined in FISA." Turner misstates the law. FISA is not limited to activities involving international terrorism. FISA authorizes surveillance and searches based on probable cause that the target is an "agent of foreign power," which relates to "any person" engaged in certain activities… on behalf of a foreign power, including "clandestine intelligence gathering activities" and "enter[ing] the United States under a false or fraudulent identity… or while in the United States… assum[ing] a false or fraudulent identity." These activities are listed in addition to "international terrorism."

Not only that, but the laws governing FISA-ordered activities were loosened in 2008 to encompass all sorts of criminal activity not related to foreign powers or international terrorism.

FISA, as amended in 2008, "eliminated any justification for the FISA court to balance the relative weight the government places on criminal prosecution as compared to other counterintelligence responses." [...] [T]he amended FISA statute "does not oblige the government to demonstrate to the FISA court that its primary purpose in conducting electronic surveillance is not criminal prosecution."

As for Turner's First Amendment claims, the court finds the activities he engaged in were not covered under the First Amendment, no matter how "right" Turner may have believed undermining the installation of a democratic government was. As the court sees it, the government established Turner was an "agent of a foreign power," something that strips away protections normally afforded to political activity. Or maybe just political activity the US government doesn't approve of.

Either way, it's very clear FISA court orders can be used to engage in domestic surveillance purely to investigate criminal activity, something the NSA hasn't exactly been forthcoming about. As long as a foreign power is somehow involved, the NSA and the FBI are interchangeable surveillance pieces, even though one of them is assumed to be mostly uninvolved in domestic surveillance of US persons.


Posted on Techdirt - 19 October 2016 @ 3:15am

Pam Geller Doubles Down On Claims That Facebook Removing Her Posts Is Section 230-Enabled 'Government Censorship'

from the when-in-doubt,-press-repeat dept

Pam Geller has decided there's nothing like grabbing more shovels when you're already in a hole. [And that means it's time for notable "leftist publication" Techdirt to crank out another "little hit piece" filled with "hyperbole and nonsense," apparently...]

Geller doesn't like the way she's been treated by Facebook, YouTube, and Twitter and has decided the problem is Section 230 of the CDA. So, she's suing the DOJ for "enforcing" the immunity the government has granted to websites to shield them from being held responsible for user-generated content.

The DOJ responded to her lawsuit by pointing out that the DOJ doesn't ENFORCE anything. Section 230 is a defense service providers can raise when entities come after them for content posted by their users. In Geller's mind, Section 230 gives service providers the "right" to arbitrarily remove content. She's wrong, of course. It does no such thing. Instead, Section 230 prevents service providers from being held civilly liable for making "good faith" efforts to remove objectionable content. The rest of what Geller's complaining about can be traced back to each provider's terms of service and their individual translations of what that means in terms of Geller's often-inflammatory content.

Geller continues to insist this is about suing Facebook, even though Facebook isn't a named party. And her response to the DOJ's motion to dismiss strongly suggests she feels she can't directly sue any service provider for taking down her content because of Section 230. This is also incorrect. She may have almost no chance of winning the suit, but nothing in Section 230 prevents service providers from being sued for allegedly discriminatory behavior. From Geller's opposition motion [PDF] (h/t Adam Steinbaugh):

By way of § 230, the Government is empowering this type of discrimination and censorship. By its own terms, § 230 permits Facebook, Twitter, and YouTube “to restrict access to or availability of material that [they] consider[] to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable.”

This is where Geller misreads "permits" as "orders." Section 230 does not place any content-based restrictions on speech. Instead, it immunizes service providers from civil liability for good faith content removal. Geller calls this immunization "government-sanctioned discrimination and censorship of speech" -- somehow finding a defense mechanism to be an avenue of attack. (She repeats her laughable assertion that Section 230 is a "heckler's veto" multiple times in the filing.)

From there, Geller theorizes that Section 230 would prevent Facebook, et al from being sued for violating California's anti-discrimination statutes. This theory is incorrect as well.

The pertinent part of Section 230 reads:

Nothing in this section shall be construed to prevent any State from enforcing any State law that is consistent with this section. No cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.

This law immunizes Facebook from being held liable for, say, Pam Geller's controversial content -- even if a state law says otherwise. What it doesn't do is immunize Facebook from liability for violating California discrimination laws, which is where Geller has a somewhat more cognizable claim. Unfortunately for her, she's chosen to name the wrong defendants and file in the wrong jurisdiction. Continuing to misconstrue a defense as an attack, Geller insists that she has standing to sue the federal government for content removal performed by a private company.

The very reason why Facebook, Twitter, and YouTube are able to engage in their discriminatory practices with impunity is § 230. See Klayman v. Zuckerberg, 753 F.3d 1354 (D.C. Cir. 2014) (concluding that § 230 foreclosed tort liability predicated on Facebook’s decision to allow or to remove content). In other words, the Government has sanctioned these discriminatory practices by placing them above the law. Consequently, the traceability element is satisfied.

If there's anything "traceable" here, it's the California location of the entities she mentions in her lawsuit (YouTube, Facebook, Twitter) but has not named as defendants. California law is the angle she should be using to attack these companies for their allegedly "discriminatory" removal of her postings, but she has filed in federal court and named the DOJ as the defendant.

Geller notes that California law prohibits the sort of discriminatory behavior she's alleging:

Section 51 of the California Civil Code provides, in relevant part, All persons within the jurisdiction of this state are free and equal, and no matter what their sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, or sexual orientation are entitled to the full and equal accommodations, advantages, facilities, privileges, or services in all business establishments of every kind whatsoever.

If her allegations are true and these service providers are discriminating against her, Section 230 would not immunize them against these claims. But even if she were to raise claims solely under this law, she would likely not succeed.

The law only requires that companies provide "access." It does not demand they allow anyone to do whatever they want once they're granted access. Under this law, Facebook can't deny Geller an account simply because it doesn't like her religious views, but it is under no obligation to allow her to post whatever she wants. The DOJ, in its motion to dismiss, addressed this point as well (even though it was under no obligation to make California's arguments for it).

Nor is it clear how California law can require a private social media company to publish Plaintiffs’ speech, see Compl. ¶¶ 46-61, or how such a state-law requirement would be consistent with the First Amendment, which arguably protects a social media company’s editorial control or judgment from government regulation that would require publication of a certain message.

If Geller were able to prove she was denied access based on her religious beliefs (and a temporary ban doesn't cut it, legally-speaking), Section 230 would not stand in the way of the civil suit Geller doesn't appear to actually want to file. All Section 230 immunizes against is holding Facebook civilly liable for content users like Pam Geller have posted. And Geller's main complaint is that Facebook keeps taking her posts down, not allowing them to stay up.

At best, Geller's extremely misguided lawsuit may eventually boil down to litigation directly implicating California's anti-discrimination law and how that is actually applied to service providers located in California, but with users all over the world. It may also result in a somewhat indirect challenge of that law's Constitutionality. But what it won't do is make the federal government responsible for Facebook's actions. And Geller, whose popularity and following largely rely on inflammatory speech, is only shooting herself in the foot by attacking Section 230. If this immunization were not provided to social media platforms, it's highly unlikely she'd have anything more than a self-hosted personal blog for a soapbox.

The final irony is that Geller is no doubt opposed to anti-discrimination laws like California's that force private businesses to cater to customers they'd rather not -- perhaps even in opposition to their own religious beliefs. (See also: same sex marriage/wedding cakes.) But she wants the government to step in and act as arbiter of private companies' terms of service and prevent the sort of discrimination she claims is taking place.


Posted on Techdirt - 18 October 2016 @ 2:30pm

Reputation Management Company Linked To Bogus Libel Lawsuits Now Hyping Its Anti-Cyberbullying Skills

from the loutish-abuse-of-the-legal-system-notwithstanding dept

Fake lawsuits featuring fake plaintiffs filed against fake defendants and hustled past judges to secure court orders demanding delisting by search engines: that's the new face of reputation management, apparently.

Paul Alan Levy, along with newly-acquired partner Eugene Volokh, has managed to track down the possible perpetrator behind a couple dozen bogus lawsuits filed in recent months. Richart Ruddie and his company, Profile Defenders, appear to be engaging in some illegal activity in order to provide clients with the services they've promised them.

Ruddie has refused to comment on the lawsuits or answer questions posed by Levy and Volokh. Instead, he has opted to fight speech with more speech [lol] by issuing a very self-serving press release.

Here's what Profile Defenders has to say about itself -- not in response to any questions, but rather to buff some of the tarnish off its dented armor. It's not just about "protecting the rich." [No. Really.] It's about saving clients from cyberbullying. (h/t Paul Alan Levy)

Reputation management companies like Profile Defenders protect the innocent from the action of cyberbullies who prey on people.


Fortunately, reputation management companies like Profile Defenders have arrived, and in the war between reputation companies vs cyber bullies they give the innocent a chance to tell their story on the Internet. Co-founder of Profile Defenders, Richart Ruddie, is glad that people are given a second chance after being defamed by cyber bullies that act like new age mobsters trying to destroy good people through cyber bullying.

I assume Levy, Volokh, and others who have covered this slowly-unravelling debacle are the "new age mobsters" attempting to destroy "good people" -- "good people" who apparently have no problem filing bogus lawsuits and forging signatures, all the while charging thousands of dollars to drag down their clients' reputations along with their own.

Then there's this, helpfully pointed out by a commenter (and victim of one of PD's bogus lawsuits) on Levy's post. Ruddie's personal blog contains a post with some enlightening thoughts about journalism.

Writers and journalists typically use their powers for evil and to hurt good people.

And what sort of people are the "good people" hurt by "evil" journalists? Richart Ruddie is, according to Richart Ruddie.

Had one of the nicest compliments this past weekend. A new friend said "Chart do you know why I like you?"

"At the end of the day you're just a genuine person Richart Ruddie"

You're not looking for anything from anybody, you are just here to be happy and have a good time and if you can facilitate others to be happy as well then you do your part to ensure all others around you are happy.

Yep. Genuine as fuck. More from Levy:

[I] expect that Ruddie will prove a slippery character – the home page of his “Profile Defenders” web site provides a New York City street address that appears to be phony (a letter I sent him at that address demanding that he preserve relevant documents came back undeliverable), and both the Linked In and Google profiles of Profile Defenders show a Washington, D.C. address that does not exist. Moreover, Florida’s records reveal that Ruddie maintains a stable of many different LLC’s. It may take the investigative resources of a federal or state grand jury or of the Federal Trade Commission to track him and his assets down, and bring him to justice.

Volokh and Levy have uncovered plenty of damning evidence strongly suggesting Ruddie's company is now in the business of filing bogus lawsuits simply because (a) there's very little chance any judge will examine these cases closely (and when a judge does, the suit is refiled in another court) and (b) it's one of the only methods proven to result in delistings of negative reviews hosted by non-parties to the lawsuits. As Levy notes, it may be almost impossible to blow this wide open, much less get Ruddie to answer any questions about these lawsuits on the record. But the reputational damage his company is now causing indirectly to its clients may result in lawsuits Ruddie can't ignore, filed by aggrieved customers who paid thousands of dollars just to see themselves swept into Profile Defenders' destructive vortex.


Posted on Techdirt - 18 October 2016 @ 10:39am

FBI Facial Recognition Expert Helps Denver PD Arrest Wrong Man Twice For The Same Crime

from the all-hail-our-future-biometric-overlords dept

Never let it be said law enforcement won't get their man. Even if it's the wrong man. And even if they do it twice.

This was Denver native Steven Talley's first experience with the local PD.

It was just after sundown when a man knocked on Steve Talley’s door in south Denver. The man claimed to have hit Talley’s silver Jeep Cherokee and asked him to assess the damage. So Talley, wearing boxers and a tank top, went outside to take a look.

Seconds later, he was knocked to the pavement outside his house. Flash bang grenades detonated, temporarily blinding and deafening him. Three men dressed in black jackets, goggles, and helmets repeatedly hit him with batons and the butts of their guns. He remembers one of the men telling him, “So you like to fuck with my brothers in blue!” while another stood on his face and cracked two of his teeth. “You’ve got the wrong guy,” he remembers shouting. “You guys are crazy.”

Talley was driven to a Denver detention center, where he was booked for two bank robberies — the first on May 14 and the second on September 5, 2014, 10 days before his arrest — and for assaulting an officer during the second robbery.

Surveillance camera footage from the robbed banks had been circulated. Acquaintances and Talley's estranged ex-wife asserted that the man shown was Talley. Using these statements, the Denver PD moved forward with its particularly brutal arrest, one that left Talley with multiple injuries.

In the months that followed, a series of medical exams revealed that Talley had sustained several injuries on the night of his arrest, including a broken sternum, several broken teeth, four ruptured disks, blood clots in his right leg, nerve damage in his right ankle, and a possibly fractured penis.

Talley was held for two months until recordings made by his employer showed he was at his desk on sales calls during the time the May robbery took place. He was released and charges were dropped. But investigators still didn't have the right suspect in custody. So they turned the footage over to the FBI, which put one of its facial recognition experts on the case.

The detective assigned to Talley’s case, Jeffery Hart, had requested that an FBI facial examiner manually compare stills from the banks’ grainy surveillance videos to several pictures of Talley — a tall, broad-shouldered white man with short blond hair, mild blue eyes, and a square jaw.

The FBI analysis concluded that Talley’s face did not match the May robber’s, but that he and the September robber shared multiple corresponding characteristics, including the shape of the head, chin, jaw line, mole marks, and ear features. “The questioned individual depicted” in the September images, the report concluded, “appears to be Talley.”

"Appears." That was enough to justify putting Talley through this whole nightmarish experience again. Talley was arrested again, under the new law enforcement theory that the robberies had been committed by two different men, both of whom resembled Talley enough to have him arrested twice.

This time, the case fell apart almost immediately.

The FBI’s facial analysis was further called into question in court, when the prosecution’s star witness directly contradicted its conclusions. When Bonita Shipp — the sole witness to the September 5 robbery, who had previously identified Talley based on Hart’s photographic line-up — took the stand, she testified that Talley was not the same man who threatened her and robbed her station.

According to the internal bank form tellers fill out after each robbery, Shipp originally described the suspect as 6 feet, 175 pounds, with a slender build. But the man who stood before her, she noted, did not fit this description. Talley stood just under 6 feet 4 inches and weighed between 230 and 250 pounds. He did not, in her opinion, appear to be a slender man.

[I]n the cross-examination with the prosecutor, Shipp said that she had not previously told anybody about the robber’s hands. “When he reached his hands over the counter,” she told the DA, “I could see through his surgical gloves, and I could — he had like marks on his hands.”

The markings were moles and freckles, which she believed she would recognize if presented again with the robber’s hands. At the hearing, Talley offered to show Shipp his hands, and she examined them. “It’s not him,” she told the courtroom. “It’s not the guy who robbed me.” The prosecutor, Shipp recalled, went slack-jawed.

The reliance on facial recognition proved much more fallible than was asserted in court. The similarity between the faces -- as determined by the FBI's expert -- was based on little more than what one forensic scientist called "voodoo witchcraft."

No threshold currently exists for the number of points of similarity necessary to constitute a match. Even when agencies like the FBI do institute classification guidelines, subjective comparisons have been shown to differ greatly from examiner to examiner. And the appearance of differences, or similarities, between faces can often depend on photographic conditions outside of the examiner’s control, such as perspective, lighting, image quality, and camera angle.

And yet, the FBI and many other law enforcement agencies believe facial recognition software -- utilizing massive databases -- will do a better job than their own experts, who aren't exactly setting the forensic science world on fire. If anything, the move to software will only guarantee replicable errors, rather than a significant decrease in false positives. And whatever the software decides will still need to be translated by a human and presented by an expert in court, where claims of "certainty" have long been overstated.

Talley's case is one of the more dramatic outcomes of reliance on forensic techniques too inconclusive to truly be called "science." The continued push towards more reliance on experts' subjectivity and massive biometric databases ensures Talley's case won't remain an anomaly. In this incident, the only thing that's been proven is that law enforcement has the means and methods to arrest the wrong guy twice for the same crime.


Posted on Techdirt - 18 October 2016 @ 9:40am

How Pharmaceutical Companies Are Keeping Americans From Doing Something The Government Says They Can Do

from the taking-options-away dept

The EFF's series on "shadow regulation" continues, this time exploring how American pharmaceutical companies are keeping affordable medication out of the hands of Americans. The examination goes beyond what's already common knowledge: that patents and regulatory capture have created a skewed marketplace that ensures healthy profit margins, rather than healthy Americans.

But what's not generally known is that the pharmaceutical companies have "partnered" with internet intermediaries to lock Americans out of purchasing options specifically approved by the FDA. To hear big pharmaceutical companies tell it, purchasing drugs from other countries (where the price is generally lower) is extremely dangerous, if not completely illegal. But that's simply not true.

[D]iscretionary guidelines developed by the Food and Drug Administration (FDA) and enforced by the CBP allow American consumers to import a 90-day supply of some prescription medications for personal use, including by bringing them across border checkpoints in personal luggage, or by mailing them from overseas. In the latter case, a large market exists for pharmacies registered in other countries such as Canada, Australia and Turkey, that will accept online orders and mail genuine pharmaceuticals to American consumers at cheaper than local prices.

Multiple industry groups -- most of them using the word "safe" in their names to insinuate that purchasing drugs anywhere but where they want you to is inherently "dangerous" -- have blacklisted certain foreign sellers and have pushed for internet service providers to enforce the blacklists.

The Alliance for Safe Online Pharmacies (ASOP) and Center for Safe Internet Pharmacies (CSIP) are two of these groups. Both groups feature a lot of overlapping membership but having two separate organizations gives this the appearance of more membership diversification than there actually is. While there's nothing inherently bad about wanting to ensure Americans purchase legitimate medications from foreign vendors, the blacklists cover more than just questionable sellers.

Two registers of online pharmacy websites are approved by both the ASOP and the CSIP. These are run respectively by LegitScript, and by the National Association of Boards of Pharmacy (NABP) under the name Verified Internet Pharmacy Practice Sites (VIPPS). A third, independent register is run by the eponymous, which the ASOP and the CSIP do not recognize. This is because while all three exclude sellers of fake and counterfeit drugs from their approved lists, only the U.S. pharmaceutical industry-run registers LegitScript and VIPPS also exclude overseas online pharmacies that supply genuine drugs to Americans under the FDA's personal use policy.

The shadow regulation keeps American purchasers away from legitimate sellers with lower prices. Going forward, ICANN's domain name registration is going to further prevent Americans from accessing more affordable drugs. These groups have pressured ICANN into using the same skewed blacklist when approving .pharmacy domains. While there are still other top-level domains available that may also help bring customers to legitimate vendors these groups want to lock out of the market, that too may change in the coming months. The National Association of Boards of Pharmacy (NABP) wants ICANN to police the web for it and, hopefully, to shut down domains owned by foreign medical vendors it doesn't like.

If it can't force ICANN to bend to its will, it will use tools it already has in place: pressuring online payments providers and ad services to cut off support for any seller it hasn't whitelisted.

This all helps ensure the industry can sell you drugs at the price it wants, rather than the price the market defines. Somehow, the exact same medicine produced by the exact same company should cost more simply because an American pharm tech put it into a bottle and printed a label, rather than someone who lives outside US borders.


Posted on Techdirt - 18 October 2016 @ 8:24am

Granted Warrant Allowed Feds To Force Everyone At Searched Residence To Unlock Devices With Their Fingerprints

from the hello-dystopia dept

Thomas Fox-Brewster of Forbes has dug up an unsealed memorandum in support of a federal search warrant demanding… all the fingerprints of every occupant in the searched residence.

FORBES found a court filing, dated May 9 2016, in which the Department of Justice sought to search a Lancaster, California, property. But there was a more remarkable aspect of the search, as pointed out in the memorandum: “authorization to depress the fingerprints and thumbprints of every person who is located at the SUBJECT PREMISES during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the SUBJECT PREMISES and falls within the scope of the warrant.” The warrant was not available to the public, nor were other documents related to the case.

The memorandum goes on to point out that simply demanding fingerprints implicates neither the Fourth nor Fifth Amendments. But the additional permissions sought certainly do.

“While the government does not know ahead of time the identity of every digital device or fingerprint (or indeed, every other piece of evidence) that it will find in the search, it has demonstrated probable cause that evidence may exist at the search location, and needs the ability to gain access to those devices and maintain that access to search them. For that reason, the warrant authorizes the seizure of ‘passwords, encryption keys, and other access devices that may be necessary to access the device,’” the document read.

Not only are the devices being seized, but so are any passwords, which does carry some implications, but not necessarily at the point of seizure. It's the refusal to turn over passwords or encryption keys in the face of a court order that can result in contempt charges, and it's still less-than-settled that access information has no testimonial value.

But even the seizure of these devices in hopes of searching them later (but securing fingerprints to unlock them first) is a Fourth Amendment problem if they're accessed in nearly any way during the unlocking process. One court found, post-Riley, that simply opening a flip phone constituted a search. In that context, forcing a finger onto the phone and viewing the screen's contents could be considered a search -- and a warrantless one at that.

Of course, the government cited plenty of cases to back up its seizure, detention of residents, and its taking of fingerprints -- most of them at least 30 years old.

It also cited Holt v. United States, a 1910 case, and United States v. Dionisio, a 1973 case, though it did point to more recent cases, including Virginia v. Baust, where the defendant was compelled to provide his fingerprint to unlock a device (though Baust did provide his biometric data, it failed to open the iPhone; after 48 hours of not using Touch ID or a reboot Apple asks for the code to be re-entered.).

As for the Fourth, the feds said protections against unreasonable searches did not stand up when “the taking of fingerprints is supported by reasonable suspicion,” citing 1985′s Hayes v. Florida. Other cases, dated well before the advent of smartphones, were used to justify any brief detention that would arise from forcing someone to open their device with a fingerprint.

This is the reality of what the government is seeking: law enforcement officers detaining suspects and non-suspects alike and forcing them to apply their fingers to all locked devices on the premises. If this is the new normal for warrant service, it's time for the courts to step up and be a bit more aggressive in holding the government to particularity requirements.


Posted on Techdirt - 17 October 2016 @ 2:26pm

Government Seeks Do-Over On Win For Microsoft And Its Overseas Data

from the please-please-please-let-me-get-what-I-want dept

The DOJ wants the Second Circuit Court of Appeals to revisit the decision it handed down in July -- the one that's preventing it from forcing Microsoft to hand over data stored on its servers in Ireland. The DOJ hoped the court would read the Stored Communications Act as applying to the location of the company served with the data request, rather than the actual location of the data. The Appeals Court disagreed with the lower court's finding -- one that dragged in the Patriot Act for some reason -- pointing out that the purpose of the SCA was to protect the privacy of communications, not to facilitate the government in obtaining them.

The government has filed a petition [PDF] for a rehearing of the case, obviously in hopes of a reversal. Jennifer Daskal of Just Security has posted several reasons why the DOJ's desired interpretation of the Stored Communications Act is dangerous, along with other problems arising from this decision.

To begin with, the decision raises new logistical issues, both for the government and the private companies served with these warrants.

According to the government, companies like Google and Yahoo! now need to ascertain the location of sought-after data “at the moment the warrant is served.” If the content is stored abroad, it is now “beyond the reach of a Section 2703 warrant, even when the account owner resides in the United States and the crime under investigation is entirely domestic.”

The court's interpretation of the SCA theoretically means Google will never again have to turn over requested emails to law enforcement.

Moreover, in the case of Google, this data is also outside the reach of a MLA request “because only Google’s US-based employees can access customer email accounts, regardless of where they are stored.” (p.6) In other words, US law enforcement cannot access the data because it is outside the reach of the US warrant authority. And foreign governments cannot because they lack jurisdiction over the US-based employees that control the data. No law enforcement official can access it anywhere.

That being said, Daskal points out that the government also feels that just because it has a warrant, it should be able to demand the production of communications wherever, whenever. This flat assertion that warrants trump privacy in every case is every bit as one-sided as the DOJ's theory that Google now has the option to rebuff warrants at its sole discretion.

The DOJ's fears aren't entirely unfeasible. Companies that sell their communications tools with privacy-heavy sales pitches could simply offshore their data storage to put it out of reach of SCA-citing warrants, turning the 2nd Circuit's ruling into a middle finger to US law enforcement.

If this is going to be fixed in any sort of way that doesn't turn this into a one-sided victory for service providers or the government, it's probably going to need to be through legislation. The court's revisitation of the issue (courts have generally been favorable to rehearing requests from the US government) may come to that very conclusion.

Indeed, the DOJ has already begun pushing for a legislative solution, albeit one that heavily favors the government. The DOJ wants existing Mutual Legal Assistance Treaties (MLATs) modified so the FBI, etc. can continue to compel the production of communications stored overseas without tripping over reluctant US service providers or statutory limitations built into the SCA.

As Daskal notes, Congress is better off addressing this issue sooner rather than later. Should the court reverse its decision and allow the FBI to demand communications from foreign data centers using nothing more than a warrant issued by a local magistrate, other countries far less concerned about US privacy protections will be sure to utilize the same tactics.

Yet I continue to have concerns about the result of a governmental win: the government gets free rein to compel any US-based provider to disclose any user’s data, without any constraint based on things like the location or nationality of the target. This is a rule that will be watched, and likely mimicked, by others.

Consider the broader implications: The United States would (or at least should) be concerned if foreign governments unilaterally demanded the unilateral production of US citizens' and residents' data. And in fact current US law prohibits US-based providers from responding to those demands—requiring that the foreign governments instead employ the MLA process and ultimately obtain a US warrant based on the US standard of probable cause. Foreign governments also have an interest in controlling access to their residents' data. Those interests ought to be taken into account.

Unfortunately, Congress doesn't really have a great track record when it comes to legislative fixes for tech issues. We have a more technologically-adept set of legislators than we've ever had previously, but there are still many who won't see the forest of implications for the law enforcement trees. But the situation may become much, much worse if left unattended.


Posted on Techdirt - 17 October 2016 @ 11:46am

FBI Lifts Gag Order On NSL Issued To Google... Which Doesn't Have Much To Say About It

from the THIS-JUST-IN:-mumblemumble...gag-order...mumble dept

The government's embrace of transparency -- an uncomfortable hug forced on it like a drunken uncle at a wedding reception by the passage of the USA Freedom Act -- has paid off for a local computer concern. Google is now able to speak in non-specifics about one (1) National Security Letter it has received.

The national security letter issued to Google was mentioned without fanfare in Google’s latest bi-annual transparency report, which includes information on government requests for data the company received from around the world in the first half of 2016.

Google received the secret subpoena in first half of 2015, according to the report.

Here's the original wording from the report, which follows actual specifics about new countries Google can add to the list of entities demanding user info from it (Algeria, Belarus, Cayman Islands, El Salvador, Fiji, and Saudi Arabia):

[P]ursuant to the USA Freedom Act, the FBI lifted a gag restriction on an NSL issued in the second half of 2015.

The law requires the FBI to "periodically" review its NSL-related gag orders to see whether the restriction still needs to be in effect. Theoretically, the gag order should be lifted three years after the NSL is issued or the investigation concludes, whichever comes first. Theoretically. I guess we'll see if the gag order floodgates begin opening in 2019.

In addition to finally being able to barely talk about it, Google was also able to move the transparency dial forward exactly one click.

To reflect this, we have updated the range of NSLs received in that period — July to December 2015 — from 0-499 to 1-499.

What Google hasn't done is publish the request itself, something both Yahoo and Signal did once given the green light by the feds. It cited no reasons for withholding the contents. However, it may be unable to fully publish the letter, despite the lifting of the gag order, as The Intercept's Jenna McLaughlin points out.

It’s… unclear why Google wouldn’t immediately publish the document — unless the gag is only partially lifted, or the company is involved in ongoing litigation to challenge the order, neither of which were cited as reasons for holding it back.

In other news, Google saw an increase in FISA-ordered requests for user info, bumping it up by about 5,000 total accounts as compared to the previous reporting period.

Hopefully, Google's ungagged-but-still-secret NSL won't stay secret for much longer. It would be troubling if this were to become Google's standard policy -- the announcement of gag order removals but with no further details forthcoming. Not much "transparency" in the Transparency Report, unfortunately… not if that's how it's going to be handled.

True, much of the opacity is still the government's fault: the not-at-all-useful "banding" that makes NSL numbers impossible to parse (1-499 could mean one NSL… or almost 500 in one reporting period), the gag orders that remain in place forever, etc. But private companies shouldn't take their cues from naturally-secretive government agencies. They're pretty much all we have to provide us with an outside, somewhat unrestricted measure of the government's surveillance efforts.


Posted on Techdirt - 17 October 2016 @ 10:44am

UK Tribunal Says Spy Agencies Illegally Collected Communications Data In Bulk For More Than A Decade

from the 17-years-of-bulk-rogering dept

A big ruling has been handed down by the UK's Investigatory Powers Tribunal, stating that intelligence agencies' (GCHQ, MI5, MI6) bulk data collection has been illegal since its inception.

The ruling said the regime governing the collection of bulk communications data – the who, where, when and what of personal phone and web communications – failed to comply with article 8 protecting the right to privacy of the European convention of human rights (ECHR) between 1998, when it started, and 4 November 2015, when it was made public.

It said the holding of bulk personal datasets (BPD) – which might include medical and tax records, individual biographical details, commercial and financial activities, communications and travel data – also failed to comply with article 8 for the decade it was in operation until its public avowal in March 2015.

This ruling comes at a particularly opportune time -- just as the UK government is putting the finishing touches on another investigatory powers bill: the so-called Snooper's Charter. But not necessarily because this will deter GCHQ from further bulk data collections. In fact, the ruling may give pro-surveillance politicians a better idea of how to make future collections stand up to legal challenges.

On the other hand, the tribunal's examination of the case uncovered some interesting statements by agency insiders who rather presciently noted the press would have a field day if information about the programs were ever made public. (The statement also shows the agency was prepared to head off backlash by questioning the media's truthiness.)

The IPT ruling included the disclosure from an unpublished 2010 MI5 policy statement that the “bulk personal datasets” include material on the nation’s personal financial activities. “The fact that the service holds bulk financial, albeit anonymised, data is assessed to be a high corporate risk, since there is no public expectation that the service will hold or have access to this data in bulk. Were it to become widely known that the service held this data, the media response would most likely be unfavourable and probably inaccurate,” it says.

The ruling is the end result of Privacy International's multiple legal challenges to British spying powers. Even though this is a win for PI, the charity also notes that no ruling was made on how the illegally-obtained datasets should be disposed of… or if they even will be.

The UK government responded to the ruling showing it had "overseen" more than a decade's-worth of illegal data collection with a cheerily tone deaf, "Things are so much better now!"

"The powers available to the security and intelligence agencies play a vital role in protecting the UK and its citizens. We are therefore pleased the tribunal has confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes.

Through the investigatory powers bill, the government is committed to providing greater transparency and stronger safeguards for all of the bulk powers available to the agencies."

It's not the stuff that's gone on for years. That's apparently not important. No, UK citizens need to keep their eyes on the prize: the ten months or so of legal spying UK intelligence agencies have been engaged in, as well as the eventual codification of other possibly-illegal surveillance programs.


Posted on Techdirt - 17 October 2016 @ 8:30am

Two More Courts Find In Favor Of The FBI And Its NIT Warrant; No Suppression Granted

from the malware-deployment-is-a-go dept

Two more rulings on suppression motions in FBI Playpen cases have been handed down. (h/t Riana Pfefferkorn) The ruling [PDF] in Tennessee agrees with the defendant that the FBI's NIT warrant exceeded Rule 41 jurisdiction limits. The following quotes are from the more substantive "Report and Recommendation" [PDF] by the magistrate judge, which has been adopted by the court overseeing the criminal trial.

The undersigned agrees with the majority of courts to analyze the Virginia search warrant that it violates Rule 41(b) because the magistrate judge in the Eastern District of Virginia lacked authority to issue a search warrant to search property located outside of her district.

Defendant’s computer was never located in the Eastern District of Virginia. See Fed. R. Crim. P. 41(b)(1) & (2). Moreover, the FBI was not investigating a crime of terrorism in the Eastern District of Virginia, nor was it attempting to seize property located in a United States territory or foreign state. See Fed. R. Crim. P. 41(b)(3) & (5). The Government argues that Rule 41(b)(4) is persuasive because the NIT is analogous to a tracking device, which was installed on the Defendant’s computer when his electronic transmission “touched down” in the Eastern District of Virginia, where Playpen was hosted. However, as observed by the Western District of Washington, applying Rule 41(b)(4) to the Virginia warrant “stretches the rule too far…"

That being said, the court decides suppression is not the right remedy for this violation:

In balancing the present facts and circumstances, the magistrate judge first correctly concluded that suppressing the evidence in this case would not meaningfully deter future law enforcement misconduct. The defendant’s objections that officers acted deliberately, recklessly, or with gross negligence, and that it should have been apparent to law enforcement that the Virginia magistrate lacked authority to sign the warrant, are simply unsupported by the record.


To the extent that there was error in this investigation, such error “rests with the issuing magistrate, not the police officer, and ‘punish[ing] the errors of judges’ is not the office of the exclusionary rule.”

Interestingly (and a bit infuriatingly), the court grants good faith to the FBI for its apparent inability to fully comprehend the "intricacies of the jurisdictions of federal magistrates." This gives the FBI credit for pretending to misunderstand the very statutes it's in the process of trying to change. The FBI -- and the DOJ above it -- very much want the jurisdictional limitations of Rule 41 removed precisely for cases like these: where a search and seizure is performed on remote computers located far outside the jurisdiction where the warrant was issued.

The Nebraska decision [PDF] is much, much worse. First, the court finds there's no expectation of privacy in an IP address, even if the defendant has taken affirmative steps to obscure it.

With or without Tor, Defendant was sharing his IP address with others—total strangers, to potentially include law enforcement officers—with the hope and belief that the users of the first “node” computer would keep his IP address secret. While Defendant’s choice to use Tor may be evidence of his “actual, (subjective) expectation of privacy” in his IP address, using Tor does not elevate that expectation to “one that society is prepared to recognize as ‘reasonable.’”

Not only that, but the court rules the NIT is not a search (nor a "tracking device," as the government argued in the Tennessee case), even though it had to extract this information from the user's computer.

But deploying the NIT to reveal the IP address was not a computer search. Defendant’s IP address is not a “physical component” of the computer or a file residing on his computer like electronic documents or pictures. Rather, the IP address is assigned to a user by the ISP and typically is “maintained on the internet modem that connects an internet device to the internet.” Thus, the NIT essentially compelled Defendant’s computer to produce its IP address (similar to a return address on an envelope) when the NIT instructed the computer to send other information identified in the Virginia Warrant. And the NIT was deployed only after Defendant sought out and visited the Playpen website. “The FBI did not come looking for Defendant. Instead it waited until he came to them and engaged in illicit activity by downloading content from Playpen.”

And here we have another reason why digital-to-analog comparisons so often fail. Comparing the compelled production of an IP address to a return address on an envelope is a non-starter because utilizing the postal service does not require the use of a return address, whereas an internet connection almost always requires an IP address.

Worse, the opinion cites Virginia judge Henry Morgan Jr.'s decision in another Playpen case -- where he asserted the FBI could hack computers with invalid warrants because, hey, computers get hacked all the time.

See also Matish, --- F. Supp. 3d ---, 2016 WL 3545776 at *22-24 (holding that with the prevalence of computer hacking and the “compromise of unprecedented amounts of data previously thought to be private,” all individuals have a diminished expectation of privacy once they log onto the internet.)

The court also finds that the FBI's NIT reach didn't exceed Rule 41 geographical limitations. Instead, the defendant made a virtual "trip" to the warrant's jurisdiction to access content stored on the seized server.

Finally, even if the defendant had raised a Fourth Amendment challenge the court found valid, the good faith exception would have prevailed. As in the Tennessee decision, the court finds the FBI held up its side of the deal by providing the magistrate with an affidavit full of technical language and specifics about the search method to be deployed.

This appears to be the broader finding across the large number of Playpen/NIT cases. The FBI's warrant may be invalid but either there's no expectation of privacy in the information obtained or the good faith exception prevents suppression of the obtained evidence.

The first is less problematic than the latter. While some users may undertake efforts to obscure their IP addresses, their expectation of privacy is no more "reasonable" than that of those who don't. Either the info has an expectation of privacy or it doesn't. The legal justifications used by judges, however, haven't been all that great, with the worst being that having your anonymity stripped and your information absconded with is just the price of doing business on the internet -- whether it's a criminal or law enforcement performing the actions apparently matters very little.

The latter part -- the reliance on the FBI's good faith -- is more of an issue. The FBI clearly knew its NIT would travel far beyond the jurisdiction the warrant was issued in. It apparently felt that it benefited heavily from good faith rulings as it made little attempt to obscure this fact from the magistrate judge it presented its affidavit to. But it still withheld some information, including the fact that it would actually be delivering a malware package that would "phone home" once it reached its destination. Just because the search sort of originated at a seized server in Virginia does not excuse seizures performed all over the nation utilizing a single, jurisdictionally-limited warrant.
