Tim Cushing's Techdirt Profile

Tim Cushing

About Tim Cushing

Posted on Techdirt - 28 June 2022 @ 10:51am

Security Researchers: Indian Police Agencies Digitally Planted Evidence To Frame Activists

Law enforcement agencies have access to very powerful digital tools. Thanks to companies with eyes on market expansion but very little consideration of moral or ethical issues, cops have the power to completely compromise phones, turning them into unwitting informants… or worse.

This blockbuster report — written by Andy Greenberg for Wired and based on research performed by Citizen Lab and SentinelOne — shows cops can use powerful malware to create the probable cause they need to start arresting people. The fix is in.

More than a year ago, forensic analysts revealed that unidentified hackers fabricated evidence on the computers of at least two activists arrested in Pune, India, in 2018, both of whom have languished in jail and, along with 13 others, face terrorism charges. Researchers at security firm SentinelOne and nonprofits Citizen Lab and Amnesty International have since linked that evidence fabrication to a broader hacking operation that targeted hundreds of individuals over nearly a decade, using phishing emails to infect targeted computers with spyware, as well as smartphone hacking tools sold by the Israeli hacking contractor NSO Group. But only now have SentinelOne’s researchers revealed ties between the hackers and a government entity: none other than the very same Indian police agency in the city of Pune that arrested multiple activists based on the fabricated evidence.

I get it. Who doesn’t like an easy day at work? Planting evidence makes arrests easy. Cops do it all the time. The difference here is the cops don’t have to carry around contraband on their persons or in their vehicles and wait for a situation to present itself.

Using powerful malware, officers can plant evidence whenever it’s most convenient for them and follow up with an arrest and device seizure that allows them access to the evidence they planted. And it’s not just for phones. The report notes that one activist arrested as the apparent result of planted evidence had his laptop compromised by police malware, allowing the Pune police to add 32 incriminating files to his hard drive.

It took researchers several months to confirm attribution. The link to the police department came via a recovery email address and phone number attached to compromised email accounts. That information was traced back to a police official in Pune who somehow thought it was wise to include his full name in the bogus recovery accounts.

That malware deployment has turned from passive to offensive shouldn’t come as a surprise. Very few malware developers care how their products are used and tend to make changes only when prompted by sanctions or months of negative press.

And it definitely shouldn’t come as a surprise that an element of the Indian government is abusing malware to plant evidence to shut down dissent. That’s the Indian government’s main goal at this point: to force the nation’s 1.2 billion residents into subservience by any means necessary. Whether it’s a law that abuses the notion of national security to turn residents into billions of data points or the government openly targeting critics via social media services (and threatening those services with fines and imprisonment when they fail to play along), the Indian government continues to expand the size of its thumb and, with any luck, will have an entire nation under it in the near future.

Posted on Techdirt - 27 June 2022 @ 03:37pm

Victims’ Rights Laws Abused Again To Hide Identities Of Officers Who Killed Someone

Ten states are currently home to a version of California’s “Marsy’s Law.” This law is a “victim’s rights” law, named after a California murder victim. It was written with the intent of involving crime victims in the criminal justice process, giving them a “right” to be heard during court proceedings, choose their own representation (rather than be solely represented by the prosecution), and — as is most relevant here — prevent crime victims’ names from being released publicly.

That’s where these laws have become convenient for cops. When cops deploy excessive force (including killing people), the person subjected to police violence is often hit with criminal charges. Resisting arrest is a popular one. So is “assaulting an officer,” which may mean nothing more than a person bumped into an officer while being detained. Since those are criminal charges, the cops turn themselves into victims, despite having performed far more violence than the person they restrained (to death, in some cases).

States where victim rights laws are in force allow officers to prevent their names from being published by media covering deadly force incidents. Since the cops are nominal “victims,” the law applies to them. A law enforcement officer in South Dakota used the state’s law to keep their name out of the papers following their shooting of driver during a traffic stop.

The same thing happened in Florida a few years later. Two cops who deployed deadly force were able to convince a judge the state’s Marsy’s Law applied to them — even superseding the public’s right to this information through the state’s public records laws.

It has happened again. Same state, same law, same outcome. Here’s Scott Shackford for Reason:

In Sarasota County, three deputies were sent to a condo in April to help evict 52-year-old Jeremiah Evans. According to Sarasota County Sheriff Department’s report, Evans pulled out a knife and threatened the deputies. One of the deputies shot and killed Evans.

Prosecutors determined that the shooting was justified. The Sarasota Herald-Tribune submitted a public records request to the State Attorney’s Office, and among the information they received were the unredacted last names of the deputies involved.

Then the Sarasota County Sheriff’s Office swung into action, going to a judge to invoke Marsy’s Law to try to prohibit the newspaper from publishing the names of the officers involved. On Friday evening a judge granted a temporary injunction preemptively prohibiting the newspaper from publishing the officers’ names. Despite failing to redact the names by accident, the State Attorney’s Office also supported the sheriff’s department and joined the action against the newspaper, essentially attempting to shift responsibility onto the newspaper for the office’s own supposed breach of the law.

The Herald-Tribune, which had already obtained some of this information (last names only) from the state attorney’s office, is rightfully upset at this turn of events. It has filed a motion in opposition to this injunction — one secured by both the Sheriff’s Office and the state attorney — pointing out that this is an unjustified abuse of the victim’s rights law in hopes of memory-holing information already provided to the paper.

In the newspaper’s motion, attorneys said nothing in Marsy’s law creates a private right of action against third parties or empowers courts to “censor private persons, such as respondents.” If disclosure of the deputies’ names violated Marsy’s Law, the motion argues, the violator was the State Attorney’s Office, not the newspaper. 

“Petitioners cite no case law that places Marsy’s Law above the free-speech guarantee in Article I, Section 4 of the Florida Constitution. And any reading of Marsy’s Law that prohibits the news media from publishing publicly disclosed information also would bring Marsy’s Law into conflict with the United States Constitution,” the motion states.

First and foremost, the law cannot be used to stuff the genie back into the bottle. The newspaper already has access to the involved officers’ last names, thanks to a public records response by the state attorney’s office. The emergency injunction does not prevent the paper from publishing information it already has because the public release, as the paper points out, was performed by the state attorney.

Second, the injunction process appears to have abandoned the concept of due process entirely. It was obtained by the sheriff and state attorney with zero opportunity for input from the party directly affected by the injunction. The paper was not notified the injunction was being sought and was not informed of law enforcement’s efforts until after the order was secured. And it was obtained on Friday evening at 6:30 pm, presumably to maximize the length of the questionably obtained opacity, preventing the paper from engaging in any challenge of the order until the following Monday.

This certainly isn’t the way those writing these laws expected them to be used. But that’s what these laws enable when they’re abused by public employees who deploy deadly force: a larger gap between state law enforcement officers and the already distant accountability that rarely serves to deter future misconduct.

Posted on Techdirt - 27 June 2022 @ 10:50am

Supreme Court To Citizens: Miranda Rights Aren’t Actually Rights So No More Suing About Them

The “Miranda rights” established by the Supreme Court in 1966 are a little less guaranteed going forward. The Supreme Court has issued an opinion [PDF] that limits what citizens whose rights have been violated can do — limiting them to exercising these rights during criminal trials as a component of their Fifth Amendment rights.

The Miranda warning mandated by the Supreme Court is supposed to prevent arrestees from being deprived of legal representation during questioning or exercising their Fifth Amendment right to remain silent. Any statements made in lieu of the reading of these rights (and the affirmative waiving of these rights by arrestees) are supposed to render statements made without warning/respect for these rights unusable in court.

Many times this isn’t the case. The un-Mirandized statements survive dismissal attempts and result in people being convicted despite their rights being violated. When consequent challenges (at the appellate level, etc.) reveal the statements were made without respect or notification of these rights, citizens have usually been able to file civil rights lawsuits alleging violations of their Fifth Amendment rights under the Miranda decision.

That is no longer the case. The Supreme Court (in a ideologically split 6-3 decision) has declared suing over violated Miranda rights is no longer an option. Here’s the ACLU’s summary of the decision:

Today, in Vega v. Tekoh, the court backtracked substantially on its Miranda promise. In Vega, the court held 6-3 (over an excellent dissent by Justice Elena Kagan) that an individual who is denied Miranda warnings and whose compelled statements are introduced against them in a criminal trial cannot sue the police officer who violated their rights, even where a criminal jury finds them not guilty of any crime. By denying people whose rights are violated the ability to seek redress under our country’s most important civil rights statute, the court has further widened the gap between the guarantees found in the Bill of Rights and the people’s ability to hold government officials accountable for violating them.

The Supreme Court says the Miranda ruling was nothing more than something meant to encourage law enforcement officers to respect Fifth Amendment rights. Even if they fail to do so, it doesn’t mean they should be sued for rights violations.

In Miranda, the Court concluded that additional procedural protections were necessary to prevent the violation of the Fifth Amendment right against self-incrimination when suspects who are in custody are interrogated by the police. Miranda imposed a set of prophylactic rules requiring that custodial interrogation be preceded by now-familiar warnings and disallowing the use of statements obtained in violation of these new rules by the prosecution in its case-in-chief. Miranda did not hold that a violation of the rules it established necessarily constitute a Fifth Amendment violation. That makes sense, as an un-Mirandized suspect in custody may make self-incriminating statements without any hint of compulsion.

Maybe so. But that’s the entire point of the Miranda ruling. Law enforcement is supposed to make people aware of their rights so they don’t make self-incriminating statements under the mistaken belief they have no other option but to start talking while in police custody. The “prophylactic” is supposed to shield people from law enforcement abuse of their rights, but this decision encourages abuse by limiting the possible negative outcomes of Miranda rights violations.

This is something law enforcement already routinely abuses. Cops will question people in their homes, cars, driveways, places of work — all under the legal assumption that a person surrounded by officers (but not actually locked in an interrogation room) is somehow “free to go.” Even when they do Mirandize people, they do everything they can to subvert these rights to avoid having to deal with lawyers or arrestees who now realize they don’t have to say a damn thing while being questioned.

This decision means some rights are more equal than others. You can still file a Section 1983 lawsuit against officers for violating other rights (Fourth, First, Eighth, and Fourteenth are the most common) but you can’t sue under certain elements of the Fifth Amendment.

The facts of the case undercut this conclusion. Here’s a very concise summary of the events leading to this lawsuit, which started when law enforcement arrested Terence Tekoh for allegedly sexually assaulting an immobilized female patient at a Los Angeles hospital:

Carlos Vega, a Los Angeles County sheriff deputy, questioned Tekoh, although he failed to read him his rights as required by the 1966 precedent of Miranda v. Arizona, where the court held that a defendant must be warned of a “right to remain silent.” Under that precedent, without the Miranda warning, criminal trial courts are generally barred from admitting self-incriminating statements made while the defendant was in custody.

Tekoh ultimately confessed to the crime, was tried and acquitted — even after the introduction of his confession at trial

This decision limits the remedy for Miranda violations to the suppression of evidence during trials — something that did not happen here. The prosecution was able to convince the trial court Tekoh’s statements were voluntary, even if the officers never informed Tekoh of his rights.

The dissent (written by Elena Kagan) points out the majority is overriding its own precedent and claiming there’s no inherent rights violations in interrogating someone who hasn’t been informed of their rights. The Supreme Court now pretends Miranda rights are not constitutional rights, despite stating otherwise several times.

Begin with whether Miranda is “secured by the Constitution.” We know that it is, because the Court’s decision in Dickerson says so. Dickerson tells us again and again that Miranda is a “constitutional rule.” 530 U. S., at 444. It is a “constitutional decision” that sets forth “‘concrete constitutional guidelines.’” Id., at 432, 435 (quoting Miranda, 384 U. S., at 442). Miranda “is constitutionally based”; or again, it has a “constitutional basis.” 530 U. S., at 439, n. 3, 440. It is “of constitutional origin”; it has “constitutional underpinnings.” Id., at 439, n. 3, 440, n. 5. And—one more—Miranda sets a “constitutional minimum.” 530 U. S., at 442. Over and over, Dickerson labels Miranda a rule stemming from the Constitution.

But not anymore, the majority has unilaterally declared. Now it’s just a “prophylactic” meant to protect people from rights abuses. When it fails to do so, the Supreme Court says there’s no rights violation, which means no one can sue over these specific violations. The Fifth Amendment isn’t stricken from the litigation books, but it is damaged by the court’s decision to make Miranda rights violations exempt from civil rights lawsuits.

Today, the Court strips individuals of the ability to seek a remedy for violations of the right recognized in Miranda. The majority observes that defendants may still seek “the suppression at trial of statements obtained” in violation of Miranda’s procedures. Ante, at 14–15. But sometimes, such a statement will not be suppressed. And sometimes, as a result, a defendant will be wrongly convicted and spend years in prison. He may succeed, on appeal or in habeas, in getting the conviction reversed. But then, what remedy does he have for all the harm he has suffered? The point of §1983 is to provide such redress—because a remedy “is a vital component of any scheme for vindicating cherished constitutional guarantees.” Gomez v. Toledo, 446 U. S. 635, 639 (1980). The majority here, as elsewhere, injures the right by denying the remedy.

The (occasional [it didn’t even happen in the case triggering this SCOTUS review!]) suppression of evidence may derail a few prosecutions. But it won’t do anything to encourage cops to ensure the people they question are apprised of their rights under the law. If anything, it will encourage officers to keep detainees and arrestees in the dark, knowing they can’t be directly sued for refusing them access to counsel or pretending these rights don’t exist to coerce people into confessions. The decision is pure cognitive dissonance: one that says un-Mirandized statements are a rights violation when submitted as evidence during trials but not a rights violation when the falsely accused/arrested/convicted bring lawsuits against officers.

Posted on Techdirt - 24 June 2022 @ 03:41pm

India’s Government Amps Up Facial Recognition Deployment, Claims The Only People Affected Are Criminals

Prime Minister Nahendra Mohdi’s government has apparently peered over the Great Wall of China (to pedants: figuratively, of course) and liked what it was seeing. China is the world leader in pervasive surveillance — something the government uses to shield the government from criticism and to keep the people the government considers to be undesirable under the bootheel.

It would be inconceivable to believe at this point that this isn’t the aim of the Mohdi government. Since his election in 2014, Mohdi has been increasingly taking direct control of communications (mainly via laws targeting internet use) and ensuring no Indian citizen goes unsurveilled.

The Indian government is home to one of the largest biometric databases in the world, one that contains at least some information on most of the nation’s 1.2 billion residents. And it’s going to get bigger. Anyone stopped, detained, or arrested by Indian law enforcement is forced to submit iris/retina scans to the national database, under the theory this will “modernize policing” and “increase the conviction rate.”

The easiest way to expand this biometric collection is to allow cops to hassle as many people as humanly possible. Since “detainment” isn’t clearly defined, any interaction with law enforcement can lead to the harvesting of biometric details. And that’s being accelerated by the Indian government’s apparently unconditional embrace of facial recognition tech.

It’s an obvious abuse of police power. Agnee Ghosh’s article for Vice details a routine traffic stop that devolved into the forcible collection of the driver and passenger’s facial images. That the two people stopped were Muslim minorities adds to the impression these programs are being aggressively rolled out to monitor residents the government considers to be inherently suspicious.

It’s well known that facial recognition tech is less accurate when it deals with anything but white males. The adverse side effects of false positives and negatives don’t appear to matter much to India’s law enforcement agencies, which deploy the tech carelessly while comforting themselves with empty statements claiming the only people hurt by pervasive surveillance are criminals. Here’s more from the Vice article:

The Hyderabad city police department is known for employing facial recognition for a variety of objectives, including questionable cordon and search operations, profiling people for narcotics, and unlawful phone-searching activities. They claim that facial recognition technology has worked as a “deterrent” and helped them apprehend criminals.

“We don’t infringe upon the privacy of any individual, as we are not barging into anybody’s house to take pictures,” C.V. Anand, Hyderabad’s police commissioner, told Reuters in January. “The technology is being used only to keep surveillance on criminals or suspected criminals.”

The only possibly true statement here is that the tech has helped apprehend criminals. Every other assertion is bogus. It’s clear Indian law enforcement does not limit its surveillance to criminals and suspected criminals. And just because you haven’t “barged into anybody’s house” doesn’t mean the surveillance dragnet the Indian government oversees isn’t violating anyone’s rights.

Hyderabad’s surveillance is symptomatic of the state it’s located in. What’s been installed in the state of Telangana is downright dystopic. It is home to nearly 300,000 police-owned CCTV cameras — over 60% of the entire country’s total. It is also home to the largest number of facial recognition programs in any Indian state.

Everything collected by static cameras and questionable police activity feeds into a central database, which immediately belies the Hyderabad police official’s claim the surveillance programs only target suspected criminals.

In Telangana, there are numerous facial recognition datasets that are being integrated into a “smart governance program,” called Samagram, which gives the state government a full picture of every resident’s life, including their employment status and other personal information. The goal isn’t only to track down criminals, but to build up a ‘360 degree view’ of every single person.

Hundreds of thousands of cameras, combined with national and local biometric collection programs, have turned the supposed democracy into a police state. Not only is it pervasive, it’s patchwork. With no national guidelines, local agencies are allowed to collect and retain data with nearly zero restrictions. Centralized databases are overseen by states, with national surveillance programs layered over the top of the local level panopticons. It’s unclear where the responsibility lies when a (inevitable) data breach occurs and the lack of coherent oversight (or any indication government at any level has any interest in overseeing these programs) encourages abuse. Above all of this lie the statements of public officials, who directly contradict police statements about limiting surveillance to criminals when bragging about the tech they’re using.

It’s ugly and it’s only going to get worse. The national government backs a prime minister who appears to want to convert a democracy to an autocracy. The surveillance programs in use aren’t there for public safety. They’re just a very affordable form of oppression.

Posted on Techdirt - 24 June 2022 @ 01:31pm

Things Are Looking Up: Clearview Cuts Sales Staff, Dumps Chief Revenue Officer

Clearview has never had a great reputation. Its first appearance in the public eye — via a Kashmir Hill report for the New York Times — was inauspicious, to say the least. The company’s database was composed of data and photos scraped from thousands of websites. This image database — which has now passed 10 billion images — is packaged with Clearview’s facial recognition AI and sold to whoever wants to buy it: law enforcement agencies, app developers, human rights violators, retailers, etc.

After being sued in Illinois for violating the state’s privacy laws (and facing fines and fees around the world for similar violations), Clearview reached a settlement agreement in which it would suspend sales of its product to private entities in the United States. This does not, however, prevent it from selling to private companies contracted by government agencies, so Clearview still has some revenue options in the US.

But when your company arrives on the scene with its reputation already in tatters, there’s only so much you can do. The company could have made moves to rehabilitate its image, perhaps by ditching its scraped image database and focusing more on things like 1:1 facial recognition that does not rely on third party content to make the AI useful. Clearview has a solid AI that could be deployed responsibly, but has chosen to become the top pariah in a sketchy field full of questionable tech purveyors.

Clearview CEO Hoan Ton-That has frequently displayed a dismissive attitude toward the steady stream of criticism his company has faced. That dismissive attitude has likely contributed to actual dismissals as the company struggles to survive following several self-inflicted reputational wounds.

Clearview AI cut much of its sales staff this week and has parted ways with two of three executives hired about a year ago, according to people familiar with the matter and posts online, as the high-profile facial recognition startup grapples with litigation and difficult economic conditions.

[…]

The cuts included staff who worked with local law enforcement, LinkedIn profiles showed. 

The CEO is downplaying these developments, which appear to show a company unsure of what market it should be pursuing. Ton-That claims this is just normal business stuff being done to “better position” Clearview for “financial security.” But cutting sales staff and the head of revenue generation suggests, at best, a change in product focus is underway, shifting Clearview away from the law enforcement market it clearly desired to something a bit less problematic, like 1:1 security products for government agencies and contractors that have no access to the company’s 10-billion scraped image database that has generated so much negative press.

If so, that’s great. If it’s some deck chair reshuffling prior to insolvency, so be it. But if it’s Ton-That opening up positions to fill with people who will more aggressively pursue sales of its ethically odious, scraped-from-the-web product to whoever it can, we can only hope it will never find enough paying customers to keep the lights on.

Posted on Techdirt - 24 June 2022 @ 10:47am

US Marshal Indicted For Abusing Access To Cell Location Data To Run Personal Searches

Give anyone access to tons of sensitive personal information and it’s bound to result in abuse. Give cops access to this data and abuse is guaranteed. Why? Because law enforcement officers — for reasons unfathomable to regular people — face far fewer consequences for violating internal policies and breaking laws.

Regular people get fired. Cops get wrist slaps and a few weeks of bad press. Abuse of sensitive law enforcement databases is so commonplace it’s just become more unremarkable noise generated by news cycles.

More than half of Minnesota’s law enforcement officers misused access to drivers license databases. That scandal managed to raise eyebrows for perhaps half a day back in 2013. MORE THAN HALF! More than 5,550 officers! And yet, it’s little more than a data point a decade later.

Why? Because it keeps happening and so very little is done in response. Twenty-five Denver PD officers were caught abusing access to sensitive law enforcement databases. Nearly every one of the officers received nothing more than a written reprimand, rather than the criminal penalties the same PD would inflict on regular people who unlawfully accessed sensitive information.

Every so often a cop receives a severe punishment. But these anomalies only highlight how common the abuse is. An Ohio cop was fired for using law enforcement tools to spy on ex-wives and their relatives. Two police officers in California were hit with criminal charges for using DMV and other government records to [rereads post] screen women they were interested in dating. A Michigan police officer did the same thing, resulting in an ultra-rare criminal conviction.

Here’s another anomaly… not in terms of abuse, which continues to be widespread, but that a law enforcement officer might be punished for misusing law enforcement databases. The DOJ is pursuing criminal charges against a US Marshal who abused access to cell location data to run searches on people for purely personal reasons.

Adrian Pena, 48, of Del Rio, Texas, made his initial appearance in federal court yesterday in the Western District of Texas.

According to court documents, Pena allegedly unlawfully used a law enforcement service operated by Securus Technologies Inc. (Securus) for personal reasons, including to obtain cell phone location information relating to multiple individuals with whom the defendant had personal relationships and their spouses. Pena obtained this information by uploading false and fraudulent documents to the Securus system and by certifying that those documents were official documents giving permission to obtain the relevant individuals’ cell phone location information. 

The indictment [PDF] also notes the US Marshal lied to the Inspector General’s investigators about his abuse, downplaying his unauthorized searches as nothing more than testing or demonstrations for others… like his wife.

The system Pena allegedly accessed is run by Securus, a company that has its own questionable history. In 2015, it was caught ignoring its own internal safeguards to capture privileged calls between prisoners and their legal reps. Nothing much happened to the company, due to its almost monopolistic stranglehold on prison phone services. That led to the company catching heat a few years later for providing law enforcement with unfettered access to cell location data harvested from nearly every cell phone user in the country.

That’s the database the US Marshal apparently had access to. And the system was easy to beat. According to the indictment, the database could be duped into providing access with nothing more than a blank Microsoft Word document.

Even though the system requires users to upload supporting documents justifying the searches, no one appears to be performing any verification of the uploaded docs. All Pena had to do was upload literally any document in a supported format and click a box stating that the submitted document was “official” and granted “permission to look up the phone number requested.”

To obtain location data relating to these individuals’ cellular telephones, PENA uploaded false and fraudulent documents to the Securus LBS platform, including blank pages, award certificates, a list of justifications for a merit promotion, letterhead templates, and other assorted documents.

Any document, one checkbox, and Pena was free to go.

Through this process, PENA repeatedly obtained cellular telephone location data relating to his personal associates and their relatives through misrepresentations and without the required official documentation or authorization. These queries were performed for personal and unofficial reasons and were not authorized by the United States Marshals Service, the Uvalde County Sheriff’s Office, or any other law enforcement agency or intelligence agency.

That’s it. That’s the “process.” As easy to bypass as age restrictions on a YouTube video. Just plug in some fake info and sally forth. Except it’s not a red band trailer being accessed, but sensitive location data, including the targeted phone’s current location.

Safeguards are supposed to do something. The ones Securus has in place do nothing. While it may be impossible for Securus employees to determine what is or isn’t actual justification for a search, a cursory examination of, I don’t know, a blank MS Word document should have made it obvious someone was cheating the system.

And if it’s wrong to expect Securus to second-guess uploads, law enforcement agencies should be more engaged in this process and ensuring — in as close to real-time as possible — that officers aren’t abusing the system. While it’s good this US Marshal’s actions were exposed, it didn’t happen until he had abused the system more nearly a dozen times. That sort of delayed reaction does very little to head off future abuse or ensure sensitive location data pertaining to millions of US cell phone users doesn’t become a plaything for law enforcement.

Posted on Techdirt - 23 June 2022 @ 01:33pm

Stingray Manufacturer L3Harris Seeking To Acquire NSO Group

Well, this is an unwelcome development.

The US defence contractor L3Harris is in talks to take over NSO Group’s surveillance technology, in a possible deal that would give an American company control over one of the world’s most sophisticated and controversial hacking tools.

Multiple sources confirmed that discussions were centred on a sale of the Israeli company’s core technology – or code – as well as a possible transfer of NSO personnel to L3Harris.

If anyone has any objections, speak now or forever… well, actually there are already objections. The US federal government has some, namely the sanctions it placed on NSO Group (and competitor Candiru) last November.

In a statement, a senior White House official said: “Such a transaction, if it were to take place, raises serious counterintelligence and security concerns for the US government.”

Those are still in place and that would seem to suggest L3Harris (the company resulting from the merger of Stingray manufacturer Harris Corporation and defense contractor L3 Technologies) can’t actually make this purchase. Unfortunately, the statement given to the Guardian suggests the White House may not actually be able to stop the purchase from taking place.

This statement, given to Lucas Ropek of Gizmodo, strays even further from a flat statement saying the acquisition would violate the Commerce Department’s sanctions.

In an email to Gizmodo, a senior White House official said that the government “opposes” the circumvention of U.S. sanctions. “The U.S. Government, and the White House specifically, has not been involved in any way in this reported potential transaction,” said the official. “While we can’t speak to this particular report, the U.S. Government opposes efforts by foreign companies to circumvent U.S. export control measures or sanctions, including placement on the U.S. Department of Commerce’s Entity List for malicious cyber activity.”

The White House will oppose this acquisition but there might be an exploitable loophole in the sanctions. Being acquired by an American company won’t remove NSO from the sanctions list, but it would force the federal government to jump through a bunch of hoops (and, presumably, face litigation) to ensure its sanctions are valid and address actual threats to US entities, including other defense contractors whose offerings might be targeted by foreign purchasers of NSO malware.

What might make it less objectionable (and more likely to result in lifted sanctions) is L3Harris’s customer list, which is largely composed of countries and government entities the US government likes, rather than the sprawling list of human rights violators NSO sold to. That could be something that allows the acquisition to take place with the federal government’s tentative blessing, if the company agrees to trim its customers list down to the US government’s preferred customer list.

Even if it may somewhat whitewash NSO’s reputation, this merger shouldn’t be welcomed by anyone. It adds the abuses of cell tower simulator technology to the abuses of powerful cell phone-compromising exploits. When a single product can force phones to connect with it in order to deploy malware, the abuses observed to date are going to look pretty mild.

Beyond the theoretical combinations of phone-targeting tech, there’s no reason an American company should willingly get in bed with a company currently facing sanctions from the US government. But NSO’s powerful malware may be too tempting to ignore, especially when Harris has played fast and loose with export regulations in the past. Hopefully, this acquisition will remain what it is now: merely one of several possible outcomes.

Posted on Techdirt - 22 June 2022 @ 10:52am

Uvalde PD Continues Stonewalling, Hires Private Law Firm To Block Release Of School Shooting Recordings

The Uvalde Police Department — recipient of 40% of the city’s budget — botched its response to a mass shooting at Robb Elementary School. Rather than rush to the sound of gunfire, the officers stopped making forward progress once they were adjacent to the gunfire. It took another law enforcement agency (a Border Patrol tactical team) to end the killing, which at that point numbered 19 students and two teachers.

As new, and embarrassing, details continue to leak out, the Uvalde Police Department has tried desperately to stop the steady drip. It has decided to simply refuse to respond to nearly every one of the hundred-plus school shooting-related requests it has received. (The PD is also refusing to cooperate with a federal investigation of the shooting, so it’s not just stonewalling taxpayers.)

And it has benefited from an unexpectedly united front. The Texas Department of Safety has come to the defense of the extremely defensive Uvalde Police Department, claiming any information or documents it might have on hand relating to the shooting response (including body cam footage) cannot be released because it might (and I quote) “enable criminals to anticipate weakness in law enforcement procedures.”

The procedure was the weakness, at least as carried out by the Uvalde police officers. Training tells first responders to sacrifice their own safety to protect others during active shooter situations, but that simply did not happen. The department’s immediate statements portrayed officers as heroes, an illusion the PD couldn’t even manage to sustain for 24 hours.

The Uvalde PD clearly does not want to release any information about its botched shooting response. As Jason Koebler reports for Motherboard, the PD has retained private representation to engage in legal warfare on its behalf, spending the public’s money to keep documents out of their hands.

The City of Uvalde and its police department are working with a private law firm to prevent the release of nearly any record related to the mass shooting at Robb Elementary School in which 19 children and two teachers died, according to a letter obtained by Motherboard in response to a series of public information requests we made. The public records Uvalde is trying to suppress include body camera footage, photos, 911 calls, emails, text messages, criminal records, and more.

“The City has not voluntarily released any information to a member of the public,” the city’s lawyer, Cynthia Trevino, who works for the private law firm Denton Navarro Rocha Bernal & Zech, wrote in a letter to Texas Attorney General Ken Paxton. The city wrote the letter asking Paxton for a determination about what information it is required to release to the public, which is standard practice in Texas. Paxton’s office will eventually rule which of the city’s arguments have merit and will determine which, if any, public records it is required to release.

Hiring outside counsel isn’t necessarily unusual when plenty of litigation appears inevitable. What is a bit more unusual is the private law firm’s approach to the public records requests. Rather than present reasons why certain documents and recordings might be exempt from disclosure, it has chosen to treat all requests as one inseparable mass to which any or all possible exemptions might apply.

The city says that it has received 148 separate public records requests (including several from Motherboard), and has lumped all of them together, making a broad legal argument as to why it should not be required to respond to many of them. 

That’s the pitch the law firm is making to state Attorney General Ken Paxton, hoping the AG will take its side and declare most of those 148 requests exempt from release. That may work with the AG but it’s certainly not going to work in court when the inevitable lawsuits over denied requests start flowing in.

But that’s the point. It buys the Uvalde PD more time. It forces requesters to spend their own time and money suing for access to records by battling a private law firm being paid with public money to help the Uvalde PD screw the public.

This raises questions about what might be captured in documents and body cam footage. The concerted effort to prevent any information from being released gives the distinct impression this is a cover-up operation. What it’s covering up is left to the imagination of the general public, which is no closer to obtaining access to the stuff the PD is keeping hidden. Are there falsified reports? Cops caught on camera cowering-in-place? Cops mocking the terrified families waiting outside of the school? Confusion? Chaos? Panic? Law enforcement professionals being far less heroic than they believe themselves to be?

Whatever it is, it will come out eventually. This is the PD delaying the inevitable. And the longer it fights, the more irate the public will be. The PD has been dishonest from the outset. Now, it’s using the public’s own money against them.

Posted on Techdirt - 21 June 2022 @ 08:00pm

Appeals Court Tells Police Union Its Contract Doesn’t Supersede State Public Records Laws

Cops love secrecy. When a citizen does something wrong, it’s a public record. When cops do the wrong thing, union contracts, internal policies, and multiple public records exemptions often allow law enforcement agencies to keep the public from learning about misconduct.

Things have been changing, though. California recently amended its public records law, making police misconduct records publicly available for the first time in the state’s history. New York recently repealed a law that allowed law enforcement to keep misconduct records secret.

The same thing happened in Connecticut. Shortly after the murder of George Floyd by Minneapolis police officer Derek Chauvin, the legislature passed a law that nullified state Freedom of Information Act exemptions that allowed law enforcement agencies to withhold certain misconduct records.

The Connecticut State Police Union (CSPU) didn’t like this unexpected level of transparency. It sued the state official tasked with upholding the law, claiming the collective bargaining agreement it had signed a year earlier contained these exemptions and that the state’s new law violated the Contracts Clause of the US Constitution by basically overriding that portion of the contract.

The district court denied the union’s attempt to enjoin the law — one that specifically forbade any future police union contractual language that would undermine the alterations to the state’s public records law. (The law also applied retroactively, nullifying the language in the union contract). It said the government’s interest in increasing police transparency and accountability was aligned with the public’s interests, in contrast to the bargaining agreement language, which only benefited police officers accused of misconduct.

The Second Circuit Appeals Court agrees with the lower court. It also points out in its decision [PDF] that it was the exemptions granted in the union contract that upset the status quo. The law passed after the George Floyd murder simply reset things back to the way they were. (h/t Courthouse News Service)

That the original text of Connecticut’s FOIA did not contain the exception for police disciplinary records created by the 2018 collective bargaining agreement indicates that the legislature, in creating a broad mandate for open government in the public interest, adopted the very public policy with respect to police records that the CSPU characterizes as self-interested or favoring narrow special interests. It was, to the contrary, the collective bargaining agreement that introduced a special contractual departure from the original policy to satisfy a powerful group of public employees. The restoration of the prior FOIA regime exemplifies the point that the legislature cannot permanently bargain away its responsibility to govern in the public interest.

The Appeals Court doesn’t care for any of the union’s arguments. The state was justified in its alteration of the contract.

The CSPU argues that there was no change in circumstance that could have justified impairing the collective bargaining agreement. But Floyd’s murder, and the nationwide protests it prompted, presented precisely the sort of changed circumstance to which the legislature might reasonably have wished to respond.

As for the union’s insistence that the elimination of this exemption would allow the public to obtain records detailing nothing more than accusations against officers, the Appeals Court says “So what?” This is all part of the transparency and accountability the legislation was written to achieve.

The CSPU counters that Floyd’s murder could not have justified the FOIA provisions of the Act because disclosing investigations that result in a disposition of “exonerated,” “unfounded,” or “not sustained” would simply disseminate “false allegations of misconduct” rather than truly address the absence of police accountability. We disagree. As the Commissioner points out, the fact that a complaint results in such a disposition does not necessarily mean that the allegations were false. It could also mean that there was insufficient or disputed evidence to substantiate the complaint, or that the complained-of action occurred but was proper under the circumstances. At a more general level, the public may often have a strong interest in learning about a complaint even when it does not justify disciplinary action.

The Appeals Court says the public’s interests were being served by the state legislature — a legislature that was understandably compelled to increase accountability and repair the damaged trust created by years of lax oversight and law enforcement’s tendency to control the narrative by restricting access to misconduct records. All the law did was undo the damage done by the union contract. And that’s simply not enough to create a constitutional violation.

Posted on Techdirt - 21 June 2022 @ 10:48am

UK Approves Extradition Of Julian Assange, Allowing The US Government To Continue Criminalizing Journalism

It appears all but inevitable that Julian Assange will be receiving an all-expenses-paid (except for his defense!) one-way trip to the United States to face espionage charges for, mostly, performing acts of journalism.

The Wikileaks founder has done plenty of self-inflicted damage to his reputation over the past few years, but his organization was instrumental in uncovering plenty of abusive behavior by the US government that had been perpetrated in secret.

Leaks are an instrumental part of government accountability, even if governments often treat leaks as criminal acts. And while it’s abhorrent to see the government punish whistleblowers who found the accepted whistleblowing routes inadequate, it’s even worse to see the US government engaged in a prosecution that threatens press freedoms in the home of the First Amendment.

The Obama Administration toyed with the idea of extraditing Assange to try him on criminal charges, but ultimately abandoned that effort, most likely due to the First Amendment implications. The Trump Administration — despite finding Assange to be an unlikely ally — had no such concerns. As the administration struggled to contain seemingly daily leaks, it decided sacrificing an ally might send a message to US journalists, many of whom the president treated with open hostility.

Why the Biden Administration is allowing this to continue isn’t clear. Perhaps the Biden DOJ feels the espionage charges are legit. Maybe it feels it should silence Assange before he does any more damage to the federal government. Maybe it feels it should punish an ally of Trump (and a seeming supporter of Russian disinformation campaigns) before he can wreak any more havoc on democracy in general.

Whatever the case, the prosecution continues. And, as Trevor Timm points out in his post for Freedom of the Press Foundation, you don’t have to be a supporter of Assange to understand extradition and prosecution over the publication of leaked documents will do severe damage to journalists in the United States, and anywhere else in the world the US government has extradition agreements in place.

You don’t have to like Assange or his political opinions at all to grasp the dangerous nature of this case for journalists everywhere, either. Even if you don’t consider him a “journalist,” much of the activity described in the charges against him is common newsgathering practices. A successful conviction would potentially make receiving classified information, asking for sources for more information, and publishing certain types of classified information a crime. Journalists, of course, engage in all these activities regularly.

There’s precedent for this, unfortunately. But it’s the sort of precedent the Biden DOJ shouldn’t willingly embrace. Timm notes that the extradition announcement falls on the anniversary of the Pentagon Papers trial, one instigated by a president whose downfall was the result of journalists publishing leaked documents.

What many do not know is that the Nixon administration attempted to prosecute Times reporter Neil Sheehan for receiving the Pentagon Papers as well — under a very similar legal theory the Justice Department is using against Assange.

Thankfully, that prosecution failed. And until this one does too, we continue to urge the Biden administration to drop this prosecution. Every day it continues to further undermine the First Amendment.

You’d think any administration would actively avoid replicating nearly anything instigated by the Nixon Administration. But here we are, fifty years later, experiencing deja vu as our government spends millions of our dollars to threaten long-held First Amendment protections.

More posts from Tim Cushing >>