Tim Cushing's Techdirt Profile


Posted on Techdirt - 15 August 2022 @ 08:24pm

Illinois Department Of Corrections Benchslapped For Spending Years Failing To Improve Medical Care For Prisoners

In the space of less than a week, two federal courts have come down hard on prison systems for treating prisoners like meat suitable for nothing more than processing by the so-called justice system.

In Mississippi, a federal judge yanked control of a prison away from local officials, placing the Raymond Detention Center into receivership after the county had failed, for years, to implement court-ordered improvements. Hinds County’s Raymond Detention Center has been under a consent decree since 2016. And in those six years, it has only managed to comply with three of the decree’s 92 requirements.

The situation had gotten so out of hand, prisoners literally ran one part of the detention center. Since local officials seemed incapable of doing anything other than passing the buck, the federal court took the buck into its own hands, delivering the RDC into the hands of a court-appointed receiver — something that has happened less than 10 times in the last 60 years.

That happened July 29th. On August 5th, a federal court in Illinois declared the Illinois Department of Corrections (IDOC) to be in contempt of court for failing to implement ordered reforms for more than three years. And the problems prompting the reforms were more than a decade old at that point, as CJ Ciaramella reports for Reason.

A federal judge ordered the IDOC to create the comprehensive reform plan in 2019 as part of a settlement in a 2010 lawsuit by inmates and several law firms against the IDOC alleging inadequate health care, dental care, and mental health treatment. But the monitor found “a wide gap” between what the agency believes it accomplished and actual progress. Furthermore, the monitor says the IDOC failed to send 80 percent of the information it requested.

The contempt order [PDF] is short and to the point. It only runs two pages and says little more than this:

For the reasons stated in open court, the Court finds defendants in contempt for their failure to complete an implementation plan as required by the Consent Decree and their failure to comply with this Court’s orders respecting an implementation plan.

The real dirt is in the 292-page(!!) monitor’s report [PDF], which details all the ways the IDOC continues to harm the health of incarcerated persons.

Despite being aware of the problems since 2010 and ordered in 2019 to fix these deficiencies, the IDOC has done next to nothing. The monitor’s report — delivered to the court in June 2022 — says the IDOC, despite what it argues in court, has barely made a dent.

There is a wide gap between what IDOC believes it has accomplished and the findings of the Monitor. The Monitor is concerned that this lack of acknowledgement of poor performance will be a barrier to forward progress. IDOC asserts substantial compliance on 30 provisions of the Consent Decree while the Monitor agrees with only three of these assertions. This gap is very concerning.

IDOC continues to fail to provide the evidence supporting their asserted compliance. Moreover, IDOC asserts that substantial compliance of a single facility warrants a substantial compliance score. The Consent Decree is clear that substantial compliance requires systemic compliance and non-serious violations.

Fudging the numbers is a non-starter. The IDOC itself is a non-starter. Very little has been done, but the IDOC wants credit for the bare minimum of compliance it has somehow managed to achieve over the last three years.

And the easiest thing to comply with — requests for documentation — wasn’t even satisfactory. The monitor requested records and the IDOC couldn’t even produce those, strongly suggesting evidence of compliance is missing because there is no actual compliance.

The Monitor did not receive data requested from IDOC to verify compliance with the Consent Decree. The Monitor’s document request for this report was sent 1/21/2022 and included 113 items. The Monitor requested delivery by mid-March 2022. IDOC was also requested to inform the Monitor if the information was not available. IDOC provided information responsive to only 21 of the items requested (18.5%).

The monitor goes on to note there is no apparent leadership when it comes to the ordered reforms. The chain of command is filled with interim posts and buck-passers. The IDOC committed to expanding staffing to meet the requirements of the consent decree, but so far has done nothing but post openings. As a result, staffing has actually dropped by 110 persons since the consent decree was put in place. And the IDOC refuses to cooperate with the monitor to achieve compliance, restricting its interactions to a few short conference calls where the IDOC claimed everything was moving along expediently.

The IDOC has failed to hire properly credentialed physicians and has tried to obscure the dearth of medical professionals employed by the system. In one case, a single physician was appointed as medical director to oversee medical care of nearly 5,000 inmates spread across four facilities.

When help is spread this thin, bad things become worse things. IDOC was already non-compliant. Medical care attrition was never competently addressed, leading to a downturn (bad to worse) in response to medical help calls, COVID-19 protocol compliance, dental care, and management of the increasing needs of the IDOC’s aging prisoners.

Prisoners suffering from mental illness were routinely ignored. Some were placed in solitary, exacerbating existing conditions. Some were given paperwork to sign (DNRs, living wills) they had no mental competency to comprehend. Dementia victims were punished solely for exhibiting symptoms of their illness. In other cases, they were ignored completely, and suffered from mistreatment, abuse, and a denial of their basic needs.

There are far too many people in positions of power who believe whatever happens to prisoners is something they deserve for committing crimes. This over-simplification declares prisoners to be subhuman — unworthy of even basic care.

But this ignores several things. It ignores pretrial detainees who can’t afford bail and must remain incarcerated despite being the supposed recipients of a presumption of innocence. It ignores the unfortunately large number of Americans who have been falsely imprisoned or convicted. It ignores those forced into extended incarceration by insane drug policies and overly zealous prosecutors who stack charges and argue vociferously against anything resembling mercy.

And it ignores the obligations the government takes on when it imprisons people at a rate far exceeding that of other “free” countries. These are wards of the state. On the outside, they had their choice of medical care and the opportunity to seek it at any given moment. On the inside, they have one choice: whatever the facility provides. And when that’s inadequate, they can’t take their business elsewhere. When the government fails to provide basic medical care, it violates rights. Unfortunately, prisoners are ill-equipped to argue on their own behalf and forced by federal court precedent to utilize internal remedies that seemingly can be ignored at will by prison administrators with zero repercussions.

A couple of federal court remedies in less than a month does not a movement make. But perhaps it signifies a shift in courtroom thinking — one showing judges are more willing to protect the rights of prisoners, even if this change of heart follows years of neglect.

Posted on Techdirt - 15 August 2022 @ 01:56pm

NSO Group Finally Figures Out How Many European Countries It Does Business With

European lawmakers wanted answers after months of investigations and reporting made it clear exploit developer NSO Group was involved with some seriously shady customers. Facing lawsuits, sanctions, and the Israeli government’s belated attempt to ensure NSO didn’t continue to generate bad press in perpetuity, the EU began asking questions.

For some reason, NSO didn’t have answers. A cutting-edge tech company responsible for some of the most clever phone hacks ever sold to government agencies somehow couldn’t provide a straightforward answer to a simple question. When asked how many EU members NSO sold its products to, its lawyers could only say “at least five” and promise to come back later when they finally managed to track down this apparently extremely elusive information.

NSO Group has returned with a more accurate answer. It seemingly takes about six weeks to count higher than five but NSO has put in the time and effort to ensure EU lawmakers have something more than the vague (and obviously low) estimate the company previously decided to provide in lieu of actual data.

The EU legislators were tasked to know the identity of NSO customers in Europe at present and were surprised to discover that most of the EU countries had contracts with the company: 14 countries have done business with NSO in the past and at least 12 are still using Pegasus for lawful interception of mobile calls, as per NSO’s response to the committee’s questions.

In response to the legislators’ questions, the company explained that at present NSO works with 22 “end users” security and intelligence organisations and law enforcement authorities in 12 European countries.

This answer was provided during the EU Committee’s visit to Israel, during which they spoke directly to NSO personnel, who were apparently able to deliver a more accurate count of countries. This count includes two former customers, but NSO apparently refused to divulge which countries are no longer welcome to use its malware.

Perhaps it feels like it shouldn’t out former customers just in case it’s able to sell to them again once the heat dies down. Or maybe it didn’t feel like providing a more detailed list because one member of the EU Committee was a Catalan legislator whose phone was targeted by NSO’s Pegasus malware.

While this revelation arrived much faster than, say, the FBI’s fourth year of silence on its miscount of encrypted phones in its possession, it’s still much slower than the near-immediate delivery of information NSO and its lawyers definitely had access to when questioned by EU legislators in June. The only conceivable reason for this delay was damage control by NSO, which likely had to tell European customers it would be divulging this information but would do what it could to keep their names out of the news.

I’d love to see exactly when two countries went from “current” to “former” customers. And I wouldn’t at all be surprised if the sudden termination of their contracts correlates with the EU Commission’s investigation.

Posted on Techdirt - 15 August 2022 @ 10:45am

Ring Partners With Cop Reality Show Producer To Produce New Third-Party Generated Clip Show

Ring wants to bring you a cop show without most of the cops — “America’s Funniest Home Videos” but all the footage has been recorded by Amazon’s home surveillance products. Here’s Deadline’s inadvertently cheery reporting of Ring’s new charm offensive: one it hopes will win hearts, minds, and market share by showing America just what sort of wacky footage can be gathered with always-on cameras.

Wanda Sykes is knocking on the door of syndication with a new series that features videos taken from Ring doorbells.

The comedian is to host Ring Nation, a new twist on the popular clip show genre, from MGM Television, Live PD producer Big Fish Entertainment and Ring.

The series, which will launch on September 26, will feature viral videos shared by people from their video doorbells and smart home cameras.

It’s a television take on a genre that has been increasingly going viral on social media.

The series will feature clips such as neighbors saving neighbors, marriage proposals, military reunions and silly animals.

Sounds fun. It also sounds (as Deadline says) “synergistic.” By “synergistic,” Deadline possibly means “opportunistic.”

Amazon owns both MGM Television and Ring. Producers of the show claim the show will be “hilarious” and “uplifting” and will somehow bring families together by giving them a chance to bond over footage it doesn’t cost a cent for either of these entities to produce.

What isn’t highlighted in Deadline’s article are the more problematic aspects of Ring and its absurdly close relationship with law enforcement. It also doesn’t highlight the problematic aspects of the two production companies that have teamed up to bring “Ring Nation” to life. Here’s Edward Ongweso Jr., reporting for Motherboard:

The show is being produced by MGM Television, which is owned by Amazon, and Big Fish Entertainment, which ran another dystopian reality show: a piece of copaganda called Live PD which centered on commentary of police footage. 

According to Deadline, the show will feature lighthearted viral content captured on Ring cameras, such as “neighbors saving neighbors, marriage proposals, military reunions and silly animals.” These types of videos frequently go viral online, but hardly represent the reality of what Ring is used for. Besides home surveillance, Ring is a source of surveillance video for police departments in the U.S. and abroad. 

A&E’s “Live PD” was a police reality show that ran from 2016-2020. Following the murder of George Floyd by Minneapolis police officer Derek Chauvin, the producers decided to pull the plug… temporarily. It appears the producers believe America is ready for another cop reality show and have brought it back (under a new name).

Most problematically, “Live PD” destroyed footage of Texas deputies tasing a black man to death during an arrest. According to the show’s producers, this was not an attempt to destroy evidence. They pointed to their agreement with the sheriff’s department, which allowed the show to destroy any “unaired footage” after 30 days. The caveat was “unless needed for an investigation.” Apparently, the sheriff’s department felt this incident needed no investigation. The end result was the indictment of Sheriff Robert Chody for evidence tampering — something aided and abetted by “Live PD.”

So, it’s clear the new show will not be playing clips showing police engaged in misconduct that happen to have been caught by Ring cameras. It will not be highlighting Ring’s insanely close relationship with law enforcement, which makes cops subservient to Ring’s PR team and rewards them with cheap or free cameras to hand out to citizens with the implicit understanding that recipients will give cops access to footage without needing to seek a warrant.

It also won’t point out cops can still access footage without warrants or customer notification by approaching Ring directly and asking it to search footage stashed in its cloud storage. It won’t mention the company’s experimentation with facial recognition AI and license plate reader capabilities. It definitely won’t be showing any of the “hilarity” that results when poorly-secured home surveillance cameras are hijacked by malicious hackers. And it certainly won’t inform viewers or Ring customers that lawmakers and law enforcement officials are making moves to turn privately-owned cameras into extensions of government surveillance networks.

No, this will be paid programming — advertising disguised as entertainment. It will be reputational rehab for a company that wants to be part of everyone’s lives, but has chosen to focus on creating law enforcement partnerships rather than serving their end users. Hopefully, this program will go nowhere quickly, buried under a wealth of far more worthwhile programming available pretty much everywhere.

Posted on Techdirt - 12 August 2022 @ 03:45pm

Leaked NSO Group Presentation Details Malware’s Ability To Turn On Cameras, Mics To Surveil Targets

Israel’s foremost purveyor of malware, NSO Group, has undergone nearly a yearlong reckoning. A leak last summer appeared to show NSO customers were routinely targeting journalists, activists, members of opposition parties, and, in one case, the ex-wife of a Dubai ruler.

That NSO Group was shady wasn’t a new fact. Its decision to sell malware to abusive governments had been criticized for nearly a half-decade. But the data leak made this a problem too big to ignore. The US government responded by blacklisting NSO. The Israeli government — which had been instrumental in helping NSO Group secure contracts with human rights abusers — finally decided it was time to limit who NSO could sell its products to.

But how much did the Israeli government know? A presentation obtained by Haaretz appears to show the government knew the malware could perform surveillance that was illegal under local laws but still chose to grease the wheels for NSO sales to governments far less concerned about the rights of their constituents.

NSO’s flagship product — Pegasus — was capable of delivering zero-click exploits. Once a phone was infected, NSO customers were free to do as they pleased. They could intercept text messages and listen in on phone calls. And they could commandeer devices to make them much more than passive interception points.

Details and screenshots of a prototype version of the Pegasus spyware designed for Israeli police back in 2014 reveal the tools and far-reaching capabilities of a system that was slated to be deployed in everyday police work.

The spyware’s suite of tools, which were supposed to be presented to the security cabinet headed by then-Prime Minister Benjamin Netanyahu, included various capabilities sought by police – ranging from listening to any phone call on an infected phone, reading text messages, to remotely opening the microphone and the camera without the phone owner’s knowledge.

Haaretz says the presentation was produced to be shown to the Police Brigadier General Yoav Hassan, the newly appointed head of “signals intelligence.” The signals intelligence group operated outside the bounds of domestic law, targeting foreigners as a compartmentalized, “extra-territorial” surveillance operation.

This information may have been presented to this secretive division of Israel’s national police force. It’s not clear whether NSO’s presentation was ever given to government officials overseeing this program. If so, government officials chose to ignore the dangers posed by Pegasus deployment, which included giving NSO customers access to capabilities that were illegal under Israeli law.

Israeli law may not apply elsewhere in the world, but these not-so-legal features of NSO’s Pegasus malware were apparently presented to Israel’s federal police, who utilized a version of Pegasus called “Seifan” to engage in surveillance. Whether or not the police ever used these features, the features were presented as options by NSO as it pitched its goods to Israeli law enforcement.

Another capability of Seifan mentioned in the presentation is the interception of incoming and outgoing phone calls. Besides this ability, which seems to be relatively routine in the world of intelligence surveillance, there is another one known in the professional parlance as “volume listening” and is considered much more intrusive.

In simple terms it means real time wiretapping to a device’s surrounding through the remote activation of the device’s microphone. This type of wiretapping requires an order from a district court president or their deputy.

Placing a microphone in private areas to intercept all conversations in range isn’t normal investigative behavior. Intercepting communications between suspects is one thing. Becoming an unseen and uninvited guest in someone’s home or place of business is quite another — the sort of thing courts are often extremely hesitant to approve.

But if you can achieve the same thing with a targeted phone, the ends become a justification for the means. And the means become impossible to trace, buried beneath technical jargon, redacted filings, and parallel construction.

Whether or not this feature was enabled for Israeli police post-purchase is unknown. But, according to information obtained by Haaretz, these features were part of the demo version delivered to law enforcement by NSO.

Documents in Haaretz’s hands attest that throughout the relevant time, the police signals intelligence division and NSO personnel tested the product in conjunction with a number of “operational requirements.”

Overall, the product presented then incorporates many features that are reportedly part of the Pegasus system, as well as some that are absent from the versions that have recently been sold to other governments in recent years.

This is the version Israeli law enforcement may have deployed against Israeli citizens. While the government continues to claim any local abuses of NSO malware were minimal, the fact is that oversight of domestic surveillance in Israel is, at best, almost nonexistent.

According to a cyber-technology expert, Israel is the only nation in the world to which oversight does not apply. Or, to put it another way, “On a principle level, NSO is free to sell services and technology to Israel, with no restrictions whatsoever on the technology it can sell it.”

Israeli law enforcement officials continue to insist all use of Pegasus spyware was legal and court-approved. They also claim, according to Haaretz, that they blocked features that allowed access to phone cameras and mics at will. But that claim remains little more than a self-serving deflection. The Israeli government allowed Israeli law enforcement a considerable amount of leeway to chase down criminals and national security threats. Just because something is illegal doesn’t mean cops won’t break the law to achieve their goals. And the Israeli police’s statements, which have become increasingly defensive over the past few months, suggest there’s a lot it isn’t telling us.

Most telling is the federal police’s insistence that critical reporting somehow harms officers’ ability to investigate criminal acts.

The grave damage caused by reports of this sort have harmed and are still harming severely the ability of the police to act against grave crimes, prevent violations of the law, thwart them and bring the transgressors to court. 

Words on a website are not new legislation, mandates, or any other curtailment of current police activities. This is nothing more than proactive whining meant to encourage readers to consider critical reporting a threat to public safety. It’s cowardly, disingenuous, and, above all, a distraction from questions the Israeli government (federal police and their overseers) have refused to answer directly.

Posted on Techdirt - 11 August 2022 @ 03:33pm

Cop Official Complains Cops Are Unfairly Hated, Refuses To Recognize Law Enforcement’s Lack Of Accountability

This op-ed for Police1, written by longtime law enforcement officer/official Booker Hodges (currently the chief of the Bloomington, MN police department), may have its heart partially in the right place but it’s wrong in all the wrong places.

Entitled “Why we need to talk about the blueprint for hate,” the op-ed belatedly calls for more community-oriented policing. That’s a good thing but it’s buried under a self-serving sermon to the converted that says the real problem here is the public’s unwillingness to treat cops as minor deities among mere men.

There’s a flaw in this argument. And it’s one legislators and police officials have used to agitate for “blue lives matter” laws. The logical flaw is this: people are not subject to any form of legally recognizable “hate” simply because of where they work.

Over the past few years, we have had to deal with protecting peaceful protesters from rioters and criminals who sought to take down our democracy, even when some of those peaceful protesters wanted to abolish our profession. We have been placed in the middle of so many conflicts that it has almost become commonplace to use our profession as the whipping board, meaning even when we do the right thing, we do the wrong thing! At the center of the majority of these conflicts is hate.

Throughout human history, many conflicts have been centered around hate and we as a species have perfected what I call the “blueprint for hate.” The blueprint for hate looks like this: You categorize a group of people by their occupation, race, gender, religion, political beliefs, or you fill in the blank as being “them and they.” Once these people are categorized as “them and they,” you lump them all together and they are no longer respected or viewed as individual humans but as a monotheistic group.

Next, you highlight the most extreme, completely unrepresentative negative behavior or act made by individuals of the “them and they” as normal and representative of all members of the group. Then you continually highlight the unrepresentative behavior so those who are not in the “them and they” group develop an unfavorable opinion of those who are in the group.

After this is done you start to dehumanize those in the “them and they” group so it becomes acceptable to those who are outside the group to harm and disparage those who are “them and they.”

The first paragraph is a long-term cop whining about having to respect the rights of people who don’t respect cops. Too bad. That’s the deal here in the United States. And you’ve had decades to get used to it. If this isn’t working for you, nothing is forcing you to continue taking the public’s money to half-ass a job you no longer enjoy.

The rest of it is the co-opting of history in hopes of making cops appear to be a group worthy of federal protection. I don’t believe Chief Hodges is actually advocating for hate speech law expansions but his rhetoric (especially the part where he places “occupation” ahead of legally recognized elements like race, gender, and religion) tracks closely with that deployed by people who believe cops are a historically marginalized group deserving of additional legal protection from their critics.

Piled on top of all this is an undeniable lack of self-awareness. The law enforcement “community” has, for years, encouraged an “us vs. them” mentality — something enforced by its insistence that only cops are allowed to have opinions on cops and the persistence of the unofficial “thin blue line” that not only separates them from the worst of us (order vs. chaos) but from everyone who relies on them to do the job they’re paid to do while expecting a bare minimum of respect for their rights from law enforcement officers.

See also, this incredible meme (h/t @Krubuntu):

But this op-ed is at its most tone deaf when it appeals to the nonexistent authority of the “bad apple” theory of policing: the effort to distance law enforcement (the occupation) from the worst of its ranks by suggesting problematic officers are over-represented by critics (the few “bad apples”) rather than being the most visible symptoms of an underlying disease.

Over the past few years, out of literally hundreds of millions of interactions with our neighbors, the most extreme, unrepresentative behaviors by a few of those in our profession have been continually highlighted and portrayed as the norm.

What’s ignored here is what causes these “extreme, unrepresentative behaviors” to rise to the surface where they’re immediately noticeable. Cops who end up splashed all over the front pages aren’t dealing with “unfair” discussions of their first screw-up. Many have been sued multiple times and/or have been the subject of multiple complaints. Some have even been fired but been given their jobs back (or hired by other law enforcement agencies).

Cops don’t begin their careers with egregious rights violations. They start small and see what they can get away with. Once it becomes obvious the repercussions of their actions will be minimal, if not completely nonexistent, their violations become bigger and bolder. Sooner or later, they do something too big to ignore. And that’s when law enforcement officials, like the one writing here, say things like what’s said above in an effort to downplay the problematic environment that produced this supposed outlier as well as to draw attention away from the accountability they’ve refused to impose on the officers they lead.

Even when accountability is imposed, often via civil rights lawsuits, officers are shielded by multiple forms of immunity. If a lawsuit manages to bypass immunity arguments, officers are almost always indemnified by the localities that employ them. The public gets nothing from this process. It pays to defend officers against allegations and pays again when juries find in favor of the person suing or cities decide to settle.

Just because most cops don’t end up making headlines does not mean the law enforcement community is healthy. Cops who behave badly are protected by officers who choose not to violate rights. That doesn’t make their defenders good cops. It just makes them slightly less awful than those who consider misconduct to be an essential part of police work.

And Chief Hodges is wrong about this, too: it isn’t hate cops are feeling. It’s anger. The fact that police officials can’t tell the two apart is no less problematic than the broken cop culture they still somehow feel obliged to defend.

Posted on Techdirt - 11 August 2022 @ 10:53am

WhatsApp Again Affirms It Will Not Break Encryption To Appease Government Entities

The debate over end-to-end encryption continues in the UK. It’s really not much of a debate, though. Government officials continue to claim the only way to prevent the spread of child sexual abuse material (CSAM) is by breaking or removing encryption. Companies providing encrypted communications have repeatedly pointed out the obvious: encryption protects all users, even if it makes it more difficult to detect illicit activity by certain users. It’s impossible to break encryption to detect criminal activity without breaking it for every innocent user as well.

Sometimes the UK government argues with itself. The Information Commissioner’s Office put out a report earlier this year that stated encryption was essential to children’s online safety, directly contradicting assertions by other UK government entities which claimed breaking encryption was the only way to protect children.

At the center of this debate is WhatsApp, the popular messaging service that has provided end-to-end encrypted messaging since early 2016. And since that point, multiple governments have tried to get WhatsApp to ditch encryption or, at the very least, provide them with backdoors. That includes the UK government, which made its request only a few months after WhatsApp finished rolling out its end-to-end encryption.

WhatsApp rejected the UK government’s request in 2017. That hasn’t stopped the UK government from repeatedly approaching the company in hopes of talking it out of its encryption. And nothing has changed for WhatsApp, which has again made it clear it’s not interested in compromising user security on a country-by-country basis.

Will Cathcart, who has been at parent company Meta for more than 12 years and head of WhatsApp since 2019, told the BBC that the popular communications service wouldn’t downgrade or bypass its end-to-end encryption (E2EE) just for British snoops, saying it would be “foolish” to do so and that WhatsApp needs to offer a consistent set of standards around the globe.

“If we had to lower security for the world, to accommodate the requirement in one country, that … would be very foolish for us to accept, making our product less desirable to 98 percent of our users because of the requirements from 2 percent,” Cathcart told the broadcaster. “What’s being proposed is that we – either directly or indirectly through software – read everyone’s messages. I don’t think people want that.”

It’s good to see WhatsApp take this stand (again), even as the voices clamoring for the end of encryption are now claiming its primary purpose is to allow distributors of CSAM to escape justice. It’s pretty tough to take a principled stand when opponents are accusing you of siding with child molesters.

And the pressure isn’t going to let up. The UK government still believes it is entitled to encryption backdoors. The European Union, which the UK recently exited, has expressed the same desire for broken encryption, using the same disingenuous phrase trotted out so often by the likes of FBI Director Chris Wray: “lawful access.”

But simple refusals like these allow companies to call governments’ bluffs. If governments can’t get the backdoors they want, they’ll have to decide whether they want their citizens to have access to encrypted communications. And while it may seem some governments don’t want their citizens to enjoy this protection, very few have been willing to eject popular services that won’t comply with their demands.

Posted on Techdirt - 10 August 2022 @ 01:32pm

Ron Wyden Calls Out Federal Court System For Failing To Redact Sensitive Personal Information

We entrust plenty of our personal data to the US government at all levels. And, at all levels, they fail to protect this information on a far too regular basis.

For instance, there’s the Office of Personnel Management hacking. Well, hackings. It happened twice, with the second breach being worse than the first. The two hackings not only exposed unencrypted Social Security numbers, but (with the second hacking) information about federal employees’ mental health problems, past arrests/bankruptcies, contacts/relatives, and any struggles these employees might have had dealing with drug/alcohol addiction.

Then there’s the FBI, which was hacked by a teenager who used the handle “penis” on Twitter. This hacker made off with (and made available) the personal info of thousands of FBI agents.

And there’s the IRS, which gathers a ton of financial and personal data from Americans while failing to thwart nearly constant hacking attempts aimed at, um, liberating this information.

But there’s a part of the federal government that doesn’t even need to be hacked to cough up personal information that would be of interest to identity fraudsters: the US federal court system. The federal court system continues to ignore its own mandates and expose sensitive information, as Tonya Riley reports for CyberScoop.

“Federal court rules — required by Congress — mandate that court filings be scrubbed of personal information before they are publicly available,” Sen. Ron Wyden, D. Ore., wrote Thursday in a letter to Roberts, first shared with CyberScoop. “These rules are not being followed, the courts are not enforcing them, and as a result, each year tens of thousands of Americans are exposed to needless privacy violations.”

The letter follows a recent report by the court system’s top policy-making body showing that the body has been inconsistent in enforcing existing privacy rules and enacting new ones. For instance, the recent report cites a 2015 study, which found that of the nearly 4 million documents posted during a one-month period in 2013, nearly 5,500 included “one or more un-redacted SSNs.”

The court system hasn’t exactly been forthcoming about this shortcoming, as Wyden’s letter [PDF] points out. Apparently, mandates affecting federal entities are not necessarily mandatory. They can be complied with if and when the entity feels like doing so.

Twenty years ago, when Congress required federal courts to publish court records online, it required the Supreme Court to establish rules to protect the privacy and security of Americans “whose information was contained in public court records.” Congress also required the courts to report back every two years to describe whether the rules were in fact protecting Americans’ privacy and security. The judiciary has produced a total of three reports, one in 2009, one in 2011, and then one in June of 2022, five months after my office asked for copies of the old reports.

So, that’s one act of compliance followed by more than a decade of non-compliance — a streak of failure that only ended because Senator Wyden started asking questions.

Its oversight is similarly lacking. The Federal Judicial Center has only twice examined the problem (2010 and 2015) and both times found “significant violations” of this rule. Extrapolating from the latest report, Wyden speculates that if the problems observed seven years ago (5,437 cases of exposed info in 3.9 million court records) are representative of the whole, nearly a half-million documents containing personal data have been uploaded to the PACER system since 2015.

Wyden can do the math. The Federal Judicial Conference (and the court system it oversees), however, doesn’t believe this adds up to a problem. A potential half-million violations is apparently no big deal.

The Judicial Conference has willfully and deliberately failed to address the privacy problems documented by the FJC study. According to the report, the results of this 2015 FJC study were presented to the Judicial Conference’s Standing Committee in 2016, after which the judges on that Committee determined that “no amendments to the privacy rules were warranted.”

The lack of changes to the privacy rules would be fine if the rules were actually followed. But they aren’t. And that means either the rule needs to be changed to include meaningful consequences for discovered violations or the original rule actually needs to be enforced by those with the power to punish violators.

The Judicial Conference appears unwilling to change. It claims it cannot redact full Social Security numbers because this (and other sensitive info) is often used in bankruptcy cases and it wants the rule to be “consistent” across all court cases. It insists on this despite the fact that redaction is anything but consistent across all levels of the court system.

It has also refused to redact everything but the first name and last initial of parties in Social Security and immigration cases — something that would head off exploitation of the sensitive information often included in these cases. Supposedly, the Judicial Conference doesn’t believe it should “tell courts how to write their opinions.”

But that is the Judicial Conference’s job. It makes rules judges and clerks have to follow. A rule is already in place. But it is frequently ignored and the Conference has done nothing but shrug about the potential damage done to US citizens who are required to hand over sensitive info but do so with the understanding that anything exploitable will be redacted in accordance with the federal court system’s own rules.

And the court system has responded with more than a decade of do-nothingness, inviting taxpayers to roll the dice when engaging in civil cases. That’s an unacceptable abdication of responsibility. Hopefully, by making this public, Senator Wyden will finally see some accountability and ongoing compliance from a system that just doesn’t seem to care what happens to those utilizing it.

Posted on Techdirt - 10 August 2022 @ 10:45am

West African Court Says Nigerian Government’s Seven-Month Twitter Ban Was Unlawful

Last June, the president of Nigeria, Muhammadu Buhari, issued a tweet that looked a lot like a call for genocide in response to often violent anti-government protests:

Many of those misbehaving today are too young to be aware of the destruction and loss of lives that occurred during the Nigerian Civil War. Those of us in the fields for 30 months, who went through the war, will treat them in the language they understand.

Twitter responded by blocking this thinly veiled call for violence. In response, the Nigerian government said something incomprehensible about Twitter “undermining Nigeria’s corporate existence.” Then it blocked Twitter indefinitely. And it backed that up with more nonsense: a newly enacted requirement that all social media services operating in Nigeria obtain a license from the government.

“Indefinitely” turned out to be about seven months. The ban was lifted after Twitter agreed to register with the Nigerian government, appoint a local representative, comply with Nigerian “tax obligations,” and grant the government access to a communications portal that would allow government officials to contact Twitter directly when offended by something Twitter did.

It was seven months of pure censorship, all in response to Twitter blocking a tweet that appeared to call for violence. The problem wasn’t what was blocked. The problem was who was blocked. The move made it clear no one was allowed to criticize Nigeria’s president: not tacitly, as in Twitter’s removal of the tweet, nor directly, via a platform that is very popular with Nigerian citizens and had been used in the past to organize anti-government protests.

Twitter is one of the main outlets Nigerians have to criticize their government, and around 20% of the population have an account on the platform. It has played a large role in political discourse in the country: for example, in 2020, the platform was used by activists to organize the largest protests in a decade in the country, against police brutality

The ban has been lifted, thanks to Twitter’s concessions. But the court victory detailed here by the EFF is still important, as it will make it easier for Twitter to contest future censorship efforts by the Nigerian government.

The Economic Community of West African States (ECOWAS) Court has ruled that a seven-month ban on Twitter by Nigerian authorities in 2021 was unlawful and infringed freedom of expression and access to media. The court, which is a political and economic union of fifteen West African countries, has directed Nigeria to ensure that the unlawful suspension does not happen again, in an important decision for online rights across the region.  

Nigerian citizens may have been muted by their government, but plenty of others were willing to speak for them in court.

ECOWAS joined several cases challenging the Twitter ban, including prominent Nigerian NGO Paradigm Initiative, Media Rights Agenda, the Centre For Journalism Innovation & Development, International Press Centre, Tap Initiative for Citizens Development and four journalists, represented by Media Defence. Along with Access Now and the Open Net Association, EFF filed a joint application to file as amicus curiae in the case against the ban, brought by the Socio-Economic Rights and Accountability Project (SERAP).

The decision says such a ban must not occur again. It also instructs the Nigerian government to amend any laws that give the government the power to unilaterally ban internet services and social media platforms. While the Nigerian government may still find some way to silence critics and foreign service providers, it won’t find it nearly as easy to defend these moves in court. And if it does decide to go internet nuclear, it will need to find a much better reason than the “this threatens the something-or-other” it offered last time.

Posted on Techdirt - 9 August 2022 @ 08:08pm

Appeals Court: ‘Frisking’ A Vehicle Is Completely Normal And Not Any Sort Of Rights Violation

Welcome to America, where not only are people subject to frisks by cops when things seem reasonably suspicious, but their vehicles are as well.

A “Terry stop” is generally understood to apply to a person. When cops have enough reasonable suspicion, they can stop a person, ask questions, and pat them down to search for contraband and/or weapons.

Here’s how Wikipedia defines a “Terry stop:”

Terry stop in the United States allows the police to briefly detain a person based on reasonable suspicion of involvement in criminal activity. Reasonable suspicion is a lower standard than probable cause which is needed for arrest

The Wikipedia article goes on to note that other forms of Terry stops include traffic stops and the hassling of people utilizing public transportation like buses.

It’s well-established that driving a car on public roads greatly decreases a person’s expectation of privacy in their car’s contents. Additionally, “plain view” — the theory that cops are free to observe anything a passerby could see by walking near the vehicle — applies, allowing cops to move forward with more intrusive searches if contraband is seen by cops peering through a car’s windows.

But does that necessarily mean more intrusive efforts — ones that don’t include entering a car but doing more than a passerby would — are subject only to reasonable suspicion, rather than the slightly higher bar of probable cause?

This decision [PDF] by the Eighth Circuit Court of Appeals says yes. The only thing cops need to, in essence, “frisk” a car is reasonable suspicion.

Randy Dabney was arrested and hit with drug trafficking charges as the result of a traffic stop. He attempted to have the evidence seized from his vehicle suppressed, arguing that cops did not have enough reasonable suspicion to justify their initial cursory “search” of his vehicle.

There was enough suspicion to frisk Dabney, the court says. And that suspicion extends to his car, which cops “frisked” by shining flashlights through its windows in order to see what was contained in areas the officer believed to be inherently suspicious. This all happened even though the arresting officer admitted suspicion had dissipated and Dabney was free to go.

[Officer Zach] Pugh walked back to the truck and motioned for Dabney to step out. With Dabney’s consent, Pugh frisked him for weapons. When that didn’t turn up anything of note, Pugh asked Dabney for permission to search his truck. He refused, but Pugh searched anyway. Pugh testified that, by that point, he had already decided to let Dabney go, which meant that Dabney could return to his truck and access any weapons hidden in the cab.

Notably, Officer Pugh did not inform Dabney he was free to go. And he appears to have performed a non-consensual search of a vehicle that he, at that point, did not consider to contain contraband. But the officer did the search because he could. And he found something.

While another officer stood outside with Dabney, Pugh began searching areas of the truck where a weapon could be hidden. Pugh noticed a hole in the driver’s door where a speaker should be. In the dark, he couldn’t make out what was inside. He shined his flashlight and discovered a “rather large bag” containing a “white crystalline substance.” Pugh pulled the bag out of the hole and saw that it contained several smaller baggies. The officers arrested Dabney, who waived his Miranda rights and admitted that the bag contained heroin, meth, and cocaine. The drugs recovered in this stop led to Counts 1 and 2 in the second superseding indictment.

There’s a lot that’s concerning here. First, the officer stated he was willing to let Dabney go but chose to perform an additional search. Second, the search was not “plain view,” nor was it the equivalent of a frisk. The officer turned on a flashlight, taking him beyond what people would expect from passersby, who likely would not aim a flashlight into a car they do not own. Then Dabney reached into the vehicle and took out a baggie of contraband, reaching into a car as though it was nothing more than Dabney’s pockets, which had already been patted down at that time.

What looks like an intrusive search performed without consent or probable cause is declared to be nothing more than a “frisk,” albeit one that involved an inanimate object rather than a suspicious living, breathing person.

Two lower levels agreed with the cops. This was a frisk of a car, albeit one seemingly unjustified by reasonable suspicion or concerns about officer safety after the driver had been patted down.

Dabney moved to suppress the drugs and his confession, arguing that Pugh’s search of his truck violated the Fourth Amendment. The magistrate judge who presided over the evidentiary hearing disagreed, concluding that Pugh had a reasonable suspicion that Dabney was armed, making his Terry frisk of Dabney’s truck legal. The district judge agreed and adopted the magistrate judge’s report and recommendation.

Free to go but still searched and arrested. The Eighth Circuit says there’s nothing wrong with this.

Dabney […] argues that even if Pugh was justified in searching the truck, he exceeded the lawful scope of that search. First, Dabney says that the stereo hole was not large enough to contain a weapon. If that were true, Pugh’s search might have been unlawful. See Minnesota v. Dickerson, 508 U.S. 366, 373 (1993) (Terry searches “must be strictly limited to that which is necessary for the discovery of weapons which might be used to harm the officer or others nearby.”) (quotation omitted). But the district court, adopting the recommendation of the magistrate judge, found that the stereo hole was big enough to hold a gun. Dabney has given us no reason to think that this finding was clearly erroneous.

Second, Dabney argues that Pugh unlawfully exceeded the scope of his search by shining a flashlight into the stereo hole. Essentially, he claims that the moment Pugh realized that there wasn’t a weapon in the stereo hole, he was required to stop looking. But officers don’t violate the Fourth Amendment by using “a flashlight to facilitate their observations.” United States v. Sanders, 87 F. App’x 83, 86 (10th Cir. 2004). We held as much in United States v. Cummins, 920 F.2d 498, 502 (8th Cir. 1990) (holding that officer was entitled to shine flashlight into a suspect’s car during a Terry stop).

So, that’s it. A car can be frisked. This can happen despite a cop admitting in court he had no reasonable suspicion to search the person or his car further. A flashlight deployed to peer into places not actually in plain view is considered an acceptable “frisk” of the car’s… um… pockets.

That’s the jurisprudence. It’s backed by precedent. And it upholds everything that came before it. Your car is your pants when it comes to traffic stops. And even when cops admit they have no reason to search further, there’s a good chance they can get their further searches to stick by claiming reasonable suspicion existed at some point and justified even searches cops admitted were apparently unjustifiable. Good luck with that, drivers located in the Eighth Circuit.

Posted on Techdirt - 9 August 2022 @ 10:50am

It Takes A Village Of Third Party Surveillance Tech Providers To Raise A Child

As surveillance tech has become cheaper, it has become ubiquitous. Lots of people believe they can solve education-related problems, and most frequently their “solutions” involve tech replacing people and AI replacing common sense.

Even before the COVID pandemic forced most students to engage in studies remotely, human problems were being addressed with inhuman, error-prone tech. AI was deployed to monitor students’ use of school devices, flagging anything that seemed problematic and serving up curious students to law enforcement for doing things like responding to a Facebook quiz posted by a local vape shop.

Going beyond social media and internet use monitoring, more cameras and more tech made their way onto campus, subjecting students to facial recognition tech and AI that mistook broom handles for guns and “aggression detecting” mics that mistook slammed locker doors for gunshots.

With kids at home, surveillance ramped up. School was still in session and school administrators, who rely heavily on grades and attendance to secure funding, deployed whatever they could to ensure students logged into classes and paid attention to whatever useless information was being handed out by instructors.

Spyware not only observed students’ online activities — recording everything from head movements to keystrokes — but also peered into students’ homes: something never before considered normal by American citizens. Cameras were enabled and educators/administrators were allowed to observe students in their own rooms and listen in on conversations between students and family members.

COVID restrictions have been in regression for months. But the surveillance tech adopted to monitor remote-learners isn’t going anywhere. Rather than consider it to be an aberrational response to an extremely unusual situation, schools appear to want pervasive surveillance to be the new baseline for the educational experience. It seems schools would like students to believe they’re worthy of nothing more than always-on suspicion, as Pia Ceres reports for Wired.

This is what high school teachers see when they open GoGuardian, a popular software application used to monitor student activity: The interface is familiar, like the gallery view of a large Zoom call. But instead of seeing teenaged faces in each frame, the teacher sees thumbnail images showing the screens of each student’s laptop. They watch as students’ cursors skim across the lines of a sonnet or the word “chlorofluorocarbon” appears, painstakingly typed into a search bar. If a student is enticed by a distraction—an online game, a stunt video—the teacher can see that too and can remind the student to stay on task via a private message sent through GoGuardian. If this student has veered away from the assignment a few too many times, the teacher can take remote control of the device and zap the tab themselves.

As the article points out, school-endorsed spyware use ramped up as the pandemic kept kids out of school. GoGuardian may be one of the less oppressive options, unfortunately. Other spyware installed by administrators allowed educators to view and control screens, monitor students’ speech and activities while they were in their own homes, and decide a student was cheating on a federal or state-mandated test just because their actions were outside of the AI’s narrow parameters.

But when administrators should be dialing back use of intrusive software, they’re instead embracing it as the future of education. Mission creep is combining with the limitations of spyware to subject students to surveillance that goes far beyond monitoring school activities.

One associate principal I spoke to for this story says his district would receive “Questionable Content” email alerts from Gaggle about pornographic photos and profanities from students’ text messages. But the students weren’t texting on their school-issued Chromebooks. When administrators investigated, they learned that while teens were home, they would charge their phones by connecting them to their laptops via USB cables. The teens would then proceed to have what they believed to be private conversations via text, in some cases exchanging nude photos with significant others—all of which the Gaggle software running on the Chromebook could detect. Now the school advises students not to plug their personal devices into their school-issued laptops.

There’s no automatic off switch once school hours are over. Administrators still have access to all activities involving school-issued equipment. But, as this anecdote points out, the surveillance covers personally owned devices used by students during off hours schools have no business trying to police. And even if they don’t act on this information, they still have access to it — something that would definitely come as a surprise to students and parents who believe the surveillance ends when the school day ends.

But there’s an even more serious problem facing school students now that the Supreme Court has dumped Roe v. Wade and LGBTQ rights remain under attack. Can school administrators utilize spyware like this to alert parents (and cops) about students seeking information on abortions or their sexuality? According to the statements and direct comments given to Wired, Gaggle won’t permit that to happen. Representatives said the company does not track terms related to these issues by default. Further, Gaggle VP of Marketing, Paget Hetherington, says the company would reject requests from schools to track this information.

But Gaggle isn’t the only player in the school surveillance game. And statements from a marketing department should always be taken with as much salt as you can physically carry.

Finally, nothing said by this company or others explains why it’s necessary to continue to engage in pervasive surveillance of students when most of them will be attending classes in person. While I can understand that schools have an obligation to ensure school-issued devices don’t become hosts for malware and possibly illegal content, there is a lot schools can do to mitigate this without 24/7 access to issued computers and any devices temporarily attached to them.
