Posted on Techdirt - 27 July 2016 @ 2:36pm
The FBI's surreptitious recording devices -- scattered around three California courthouses -- raised a few eyebrows when the recordings were submitted as evidence. The defense lawyers wondered whether the devices violated the conversants' expectation of privacy, admittedly a high bar to reach considering their location near the courthouse steps -- by every definition a public area.
The defense team cited a Supreme Court decision involving phone booths, hoping to equate their clients' "hushed tones" with closing a phone booth door. Small steps like these -- used by everyone -- are attempts to create privacy in public areas, but courts are very hesitant to join defendants in erecting privacy expectations in public places.
A judge presiding over one of the cases (involving alleged bid rigging for auctioned property) thought there might be something a bit off about the location of the FBI's devices.
Although Breyer held off on ruling, he expressed at least gut-level discomfort with the notion of government agents listening at the courthouse door.
"Let's say I was out of that courthouse that day, I used the staff entrance and I turned my law clerk," the judge said. "I wouldn't know [about that recording], would I, unless the government turned it over?"
Judge Phyllis Hamilton, in her denial [PDF] of a motion to suppress the recordings, is similarly hesitant to condone the FBI's eavesdropping, but can't find enough of a reasonable expectation of privacy to prevent the recordings from being admitted as evidence. (via FourthAmendment.com)
First off, the conversations captured during these particular recordings showed the defendants made very little effort to speak in the "hushed tones" suggested by their defense team.
The recordings at issue intercepted defendants’ communications that were made at a normal conversational volume level, not in hushed or whispering tones. Many conversations were conducted by participants in loud voices, sometimes laughing out loud. In particular, the audio recording of a conversation among a group of about eight to ten men on August 17, 2010, at the Fallon Street bus stop, which was played for the grand jury during the indictment presentation in United States v. Florida, et al., CR 14-582 PJH, reflects that the participants had to project their voices and yell to be heard over the sound of a nearby jackhammer…
In the video footage accompanying many of the audio recordings, including the video clip that was played for Witness 1 and the grand jury, the participants are not seen appearing to whisper or covering their mouths when having audible conversations that can be heard on the recording.
The judge goes on to point out that these conversations could be overheard by many passersby, including the steady traffic of law enforcement personnel to and from the building. And when efforts were made to speak in quieter tones, the FBI's microphones were apparently unable to obtain audible recordings of these discussions.
However, the judge agrees that the location of the devices is somewhat questionable.
While the court agrees with defendants that it is at the very least unsettling that the government would plant listening devices on the courthouse steps given the personal nature of many of the conversations in which people exiting the courthouse might be engaged, it is equally unrealistic for anyone to believe that open public behavior including conversations can be private given that there are video cameras on many street corners, storefronts and front porches, and in the hand of nearly every person who owns a smart phone.
Given the facts of this case -- that the defendants apparently made little to no effort to prevent their conversations from being overheard -- this conclusion is likely the right one. But it goes on to suggest that no private conversation held in a public place can be considered to have an expectation of privacy, no matter what steps conversants might take to prevent being overheard. If even a slim possibility exists that someone other than those engaged in the conversation might be able to hear it, then there is no expectation of privacy.
Posted on Techdirt - 27 July 2016 @ 1:03pm
Law enforcement is still trying to break into iPhones and still using the All Writs Act to do so. A sex trafficking prosecution involving the ATF has resulted in a suspect being ordered to cough up his, um, fingerprint, in order to allow investigators to access the contents of his phone. Matt Drange of Forbes has more details [caution: here there be ad-blocker blocking]:
Prosecutors hoped that the search, conducted on an iPhone 5s by special agent Jennifer McCarty of the Federal Bureau of Alcohol, Tobacco, Firearms and Explosives, would help them piece together evidence in an alleged sex trafficking case involving a man named Martavious Keys. Keys had the iPhone with him when he was arrested on May 19, according to recently unsealed court filings. A week later, on May 26, prosecutors asked the judge in the case to force Keys to open the device with his fingerprint, unlocking a potential trove of information including emails, text messages, contacts and photos stored on the device that could be used as evidence.
While courts generally agree that a fingerprint is non-testimonial -- despite its ability to unlock all sorts of testimonial stuff -- there aren't too many courts willing to extend that coverage to passwords. There are exceptions, of course, but items held in someone's mind are given a bit more deference than those at their literal fingertips.
And that's likely why the All Writs-compelled fingerprint access hasn't allowed the ATF inside Keys' phone. The feds can force Keys to place his finger on the iPhone screen all they want, but it likely won't unlock the device. Apple's security requires a passcode as well as a fingerprint if it's been more than 48 hours since the phone was last unlocked. The time elapsed between when the phone was seized and the order obtained for Keys' fingerprint added another layer of security to the phone -- one not so easily defeated with All Writs orders.
Keys is no one's idea of a sympathetic party. He allegedly forced two teen girls, aged 14 and 15, to have sex with men for several hours a day by drugging them into submission. Whether or not his phone contained more evidence is unknown. It's unclear from the recently unsealed documents whether federal investigators found another way into the device after the application of Keys' fingerprint failed to unlock the phone.
And that's sort of a problem. The government is using All Writs orders for a great many things these days, often during sealed cases and with little to no transparency. The fact that Congress apparently authorized this as a fill-in for things warrants couldn't necessarily reach has made the use of All Writs requests both indispensable and easily-abused. The fact that Congress authorized this in 1789 -- with no conceivable idea of the form "papers" would take over the next 200+ years -- usually seems to work in the government's favor.
A bit more transparency would go a long way to assuage concerns about abuse, but overuse/abuse of the 1789 Act is likely the reason there isn't more transparency. If the court decides it's going to compel Keys to turn over his passcode as well (assuming the phone hasn't already been cracked), at least it won't have to toss him in jail if he doesn't. Keys is already behind bars awaiting trial for his sex trafficking indictment. On one hand, that lowers the coercive value of imprisonment. On the other hand -- if he refuses and is hit with a contempt order -- he'll remain in jail indefinitely, even without having been found guilty of anything more than contempt of court.
Posted on Techdirt - 27 July 2016 @ 9:34am
How do we know the CFAA is a terrible law? Because even "civilians" abuse it. Or at least try to.
Back in April, the Colorado Republican Committee's (CRC) Twitter account tweeted out something a bit concerning after Ted Cruz nailed down all 34 delegates at a committee assembly in Colorado Springs.
If you can't see the tweet, it says:
We did it. #NeverTrump
The tweet was taken down minutes later and the official Twitter account explained that someone with "unauthorized access" had posted the tweet and it was not a reflection of the Colorado GOP's official stance.
This led to a brief internet wildfire, where CRC reps were interviewed by reporters about the tweet and enraged Trump supporters [also: 4chan] -- believing the fix was in -- began posting threatening messages to and about Colorado GOP leaders. So far, so internet.
The CRC took this a step further though, attempting to sue the "Doe" with allegedly "unauthorized access" for breaching the "threat to public health or safety" clause of the CFAA. The original complaint [PDF] shows the CRC is perhaps far better at electioneering than investigating.
Over the next three weeks, the CRC conducted an investigation into the origin of the tweet. CRC was able to confirm that the fraudulent tweet was sent using the Twitter for iPhone app, but was not able to determine the identity of the responsible individual.
Armed with info that anyone else could have obtained in seconds rather than weeks, the CRC decided it could mass email the perp into turning themselves in:
On April 19, 2016, the CRC sent an e-mail to all individuals who had at one point been authorized to access to the @cologop account asking that they identify themselves by 5:00pm on Wednesday, April 20, 2016 if they were responsible for the fraudulent tweet.
Unsurprisingly, this failed to uncover the perpetrator. It also made it clear that, until this point, the keepers of the official Twitter account never considered that telling formerly authorized users not to use the account is way less effective than actually revoking their access by changing the password.
The court was unimpressed with the original complaint and ordered the plaintiffs to show cause or GTFO. The amended complaint [PDF] contains much more detail, including the supposed expenses incurred as a result of the short-lived tweet. Apparently, everyone involved in the "investigation" spent "hours" determining that someone used an iPhone to send the tweet.
CRC’s internal staff spent hours communicating with its past and present third-party vendors to ascertain if any of their personnel accessed CRC’s Twitter account.
CRC’s internal staff also spent hours communicating to Twitter over the phone and through emails.
CRC’s officers and staff spent time responding to the press over the tweet.
Some of those hours were billable, so to speak.
At least 70 percent of Kohli’s time for the week following the assembly and convention and at least 25 percent of the following week was spent responding to the aftermath of the tweet, including making numerous phone calls and emails about CRC’s progress in identifying the anonymous tweeter, determining who had access to the @cologop Twitter account, and answering media requests. This resulted in a loss to CRC of at least 70 percent of his time for one week and 25 percent of his time for another week. Since his annual salary is $65,000, this loss totals at least $1,187.50.
Internet molehill having been sufficiently mountained, the amended complaint goes on to detail the threats received by CRC officials before trying to claim these threats were somehow induced by a tweet that, itself, was not threatening in any form.
Defendant’s conduct in sending the fraudulent tweet caused damage to CRC in the form of death threats to its officers and employees, closure of its offices, and harm to its reputation.
The threats received by the CRC, its officials, and personnel constituted a threat to public health or safety within the meaning of 18 U.S.C. § 1030(c)(4)(a)(i)(IV).
And there's the CFAA tie-in.
Even with certain deficiencies addressed, the CRC still can't assemble a claim that the court can move forward with. The judge has dismissed the complaint in its entirety, pointing out that just because certain things happened after another thing happened doesn't mean the first thing that happened (the bogus tweet/"unauthorized access") is directly responsible for statements made by a bunch of other internet denizens. (h/t Raul)
CRC argues that its Amended Complaint cures the defects addressed in the Court's Order to Show Cause, specifically: (i) it identifies time spent by its staff investigating the unauthorized access as the "loss" that it suffered under 18 U.S.C. § 1030(e)(11), (g); and (ii) that the "threat to public health or safety" required by 18 U.S.C. § 1030(c)(4)(A)(i) and (g) is satisfied by allegations that it was reasonably foreseeable that the publication of the unauthorized message would induce third parties to respond with threats of harm to CRC officers. Although the Court accepts the first proposition, it finds the second to be deficient as a matter of law.
In the Order to Show Cause, the Court previously addressed why 18 U.S.C. § 1030(g)'s "involves" language requires a plaintiff to allege that the unauthorized computer access itself poses a risk to public health or safety, and that the requirement is not satisfied by an allegation that the unauthorized access indirectly caused such a risk to emerge from another source. CRC's response cites to various cases that have used the term "caused" in discussing other provisions of the Act.
The Court finds these cases to be off-point and unpersuasive.
Fortunately, the court takes the CFAA's public health and safety clause and presents a narrow reading of it -- somewhat of a rarity in CFAA-related cases.
As discussed previously, the threat requirement might be met if the unauthorized access disables computers or deletes data essential to providing medical treatment, public utilities, or emergency response services, but not where the unauthorized access has a benign primary effect but induces others to harmful acts. For example, a user who hacks into the social media account of a classmate and encourages him or her to commit suicide might be liable for engaging in conduct posing a risk to health and safety, but a user who hacks into the same classmate's account and merely taunts the classmate for being unattractive cannot be said to have engaged in conduct threatening public health and safety even if the now-despondent classmate reacts to the taunting by committing suicide. Such example entails the user specifically employing the unauthorized access to bring about the risk to public health, and in such circumstances, the use of a predominantly criminal statute to afford civil relief might be proper. The latter example draws upon the complex, wide-ranging, and sometimes attenuated principles of tort causation, importing that sprawling and imprecise inquiry into a statute that was clearly intended to have a narrow, focused reach.
While the fallout of the bogus tweet may have been inconvenient and surrounded by threats from irate GOP members (oh, and 4chan...), the tweet itself was not threatening nor did it call for threats to be made. That one led to the other is undeniable, but it was in no way definitely foreseeable that the tweet would have this effect.
The CRC's complaint is, at best, an expensive windmill tilt, tossed into court solely for the purpose of exposing the "unauthorized" tweeter to angry CRC officials. It has nothing to do with CFAA violations -- which were apparently added to make a federal case out of the CRC's failure to address its own operational security issues until it was too late.
Posted on Techdirt - 25 July 2016 @ 3:23am
Yahoo's in the middle of another national security-related courtroom battle, albeit somewhat inadvertently. Its response to a discovery order in a drug dealer's trial has left the defense wondering exactly how the hell it complied with it. Joseph Cox of Motherboard has more details.
Defense lawyers in the case claim that six months of deleted emails were recovered—something which Yahoo's policies state is not possible. The defense therefore speculates that the emails may have instead been collected by real-time interception or an NSA surveillance program.
United States Magistrate Judge Maria-Elena James, from a San Francisco court, granted the defense's motion for discovery in an order filed on Wednesday.
Russell Knaggs, the accused drug dealer, apparently utilized a Yahoo email account to hook up suppliers in Colombia with buyers in Europe. To add to the difficulty level, Knaggs did this while serving time for another drug bust. The method used was not all that uncommon. Everyone shared a single email account and composed draft messages. Each party would log into the account, read the draft message left for them, and compose a draft of their own in response. No emails were sent. All drafts were then deleted from both the "Draft" folder and the "Trash."
According to Yahoo, there was no way for Yahoo to retain these messages. Except that it did and turned them over to law enforcement, suggesting ongoing surveillance, rather than the recovery of communications from the account.
After receiving requests from UK police and the FBI in September 2009 and April 2010, Yahoo created several “snapshots” of the email account, preserving its contents at the time—and revealing the messages. But the defense alleges there should have been nothing for law enforcement to find.
Yahoo's explanation is that the recovered emails were copies created by the email service's “auto-save” feature, which saves data in case of a loss of connectivity, for example. The company has filed several declarations from a number of its staff, but the defense said some of those contradicted each other, and it wants more information.
Here's what the defendant's tech expert had to say in his testimony [PDF].
With regard to Yahoo’s “snapshot” and its process of “retriev[ing emails] from the servers because their auto-save function systematically preserved edits made over time,” Abramson says the descriptions Yahoo gives of its auto-save feature are inconsistent, contradictory, and furthermore “do not align with [Abramson’s] understanding of such programs.” Abramson contends Yahoo’s statements “do not in fact agree with common technical principles. The timing of e-mail data saved between 2 minutes and several seconds is not consistent.” Abramson Rpt. at 8. He asserts that “[a] more plausible explanation for the e-mail information provided to law enforcement is that the e-mail account of Mr. Knagg’s [sic] was under surveillance and through the immediate efforts of surveillance, Yahoo was able to capture the email information and provide it to law enforcement.”
The defense wants several things from Yahoo, including source code, in hopes of sussing out the methods used to capture and preserve these draft messages. Yahoo would rather not give this information up. The judge, while somewhat sympathetic to Yahoo's arguments, also notes it's the company's own inconsistent explanations that have led to this situation.
The Court agrees with Yahoo that Petitioner's requests are somewhat broad; however, the Court also agrees that Yahoo’s seemingly conflicting responses up to this point create a situation where Petitioner cannot be certain he understands the process of information gathering he seeks to challenge. While Yahoo believes that Petitioner seeks information that is cumulative given its interrogatory responses, it would appear that the requested discovery would not necessarily be cumulative, but might instead provide clarity to Petitioner regarding Yahoo’s data-gathering methods. Additionally, since the documents Petitioner requests are potentially the same ones that helped Chan “clarify” her previous statement and better understand the data-gathering process, it would appear that these documents could help Petitioner gain a better understanding of the system as well, and could help to prove or disprove one of the grounds of his appeal, as is the purpose of his discovery request. The Court also notes that Chan’s responses up to this point do not provide the sort of personal knowledge or foundational information for the Court or Petitioner to be able to adequately assess her responses. Consequently, Petitioner's request for documents and a 30(b)(6) deposition is appropriate rather than ordering further interrogatory responses.
The list of items the defense wants has been scaled back by the judge, but what remains will still provide a glimpse into Yahoo email's inner workings, including any evidence of targeted or bulk surveillance methods put into place by the company. Whether or not we'll get to see it is another matter, as the judge will consider instituting a protective order if the information produced is deemed too sensitive.
What it sort of looks like is possibly illegal surveillance being covered up with parallel construction. The problem with this theory is that Yahoo has been more than a little resistant to broad surveillance requests. That doesn't completely rule out complicity, but it would definitely be a risky move for a private company to cover for government wrongdoing. When (and if) more details are provided, we'll know more. If nothing else, it may indicate draft messages are indiscernible from sent messages, at least when it comes to Yahoo's servers.
Posted on Techdirt - 22 July 2016 @ 6:15pm
Judge Alex Kozinski pointed out the obvious in a Ninth Circuit Appeals Court decision:
There is an epidemic of Brady violations abroad in the land. Only judges can put a stop to it.
Brady evidence -- possibly exonerating evidence that prosecutors are required to turn over to the defense -- is far too frequently withheld and/or buried. The punishments for violating this requirement are almost nonexistent. The prosecution hates to see wins become losses. And the government in general -- despite declaring fair trials to be the right of its citizens -- hates to play on a level field.
A federal judge withdrew from a forensic evidence committee because the government told him it wasn't his job to point out the severely-flawed pre-trial forensic evidence discovery procedures deployed by prosecutors. Judge Rakoff called the government out in his resignation letter.
The notion that pre-trial discovery of information pertaining to forensic expert witnesses is beyond the scope of the Commission seems to me clearly contrary to both the letter and the spirit of the Commission’s Charter… A primary way in which forensic science interacts with the courtroom is through discovery, for if an adversary does not know in advance sufficient information about the forensic expert and the methodological and evidentiary bases for that expert’s opinions, the testimony of the expert is nothing more than trial by ambush.
"Trial by ambush" will continue unabated. Prosecutors will shrug off the minimal punishments for withholding evidence. The DOJ will continue to argue that it's allowed to erect as many roadblocks as it wishes in front of defendants.
The DC Appeals Court has allowed the DOJ to retain another aspect of its "trial by ambush" strategy, as reported by Mario Machado of Fault Lines.
The D.C. Court of Appeals declared that the federal government will not have to disclose the contents of a guide that determines when its prosecutors should disclose evidence to the accused. The Department of Justice’s “Blue Book” stays in-house, at least for the time being.
The "Federal Criminal Discovery Blue Book" was crafted after DOJ prosecutors were blasted by a judge for their actions in the prosecution of Senator Ted Stevens.
In nearly 25 years on the bench, I have never seen anything approaching the mishandling and misconduct I have seen in this case.
Brady material was withheld from the defense, something that would have never been discovered without an FBI whistleblower stepping forward. The new guidelines were supposed to make things better. Very little seems to have changed since its introduction. And no one on the defense side of the fight has any idea what prosecutors are required to do under these guidelines.
The National Association of Criminal Defense Lawyers (NACDL) tried asking the government for a copy. This was denied. So, it filed a FOIA request for the "blue book." This, too, was denied, with the government claiming its internal guidelines for ensuring a fair fight were not subject to FOIA requests. From the DC Appeals Court decision [PDF].
The Department refused to disclose the Blue Book, invoking the Freedom of Information Act’s Exemption 5, which exempts from disclosure certain agency records that would be privileged from discovery in a lawsuit with the agency. The Department maintained that the Blue Book fell within the attorney work-product privilege, and therefore Exemption 5, because it was prepared by (and for) attorneys in anticipation of litigation.
This claim is laughable. Of course it's for litigation. But it's not for any specific litigation. It's for use in all DOJ prosecutions, which makes it more aligned with general information, rather than a narrow slice of "attorney work-product." The NACDL pointed this out.
The NACDL argued that the Blue Book fell outside the work-product privilege because it had a non-adversarial function, to wit: the training and education of the DOJ’s vaunted prosecutors. It also argued that its disclosure was fair game because it was not drafted with a specific litigation in mind, but ultimately the Court sided with the federales, who fought tooth and nail to keep the book under wraps.
One part of the judicial system has seen the contents of the "blue book" (other than DOJ prosecutors): the district court. An in camera presentation to both the lower court and the appeals court has allowed both to reach the decision they have. But will it result in the courts holding the DOJ to their own super-secret standards? Of course not.
Judges are presented with evidence obtained through discovery. They have no idea whether all of it is present or if the DOJ followed its own instructions for handing over Brady material to the defense. The judges' viewing of this internal document will not result in greater accountability.
Handing these guidelines over to defense lawyers, however, would give them more avenues to challenge withheld evidence and other perceived violations in disclosure. The government doesn't like this idea and claims that a more level playing field would severely hamper its prosecutions. One is inclined to agree with the DOJ's claim about hampered prosecutions, although not for the reasons it states.
DOJ thus argues that disclosing the Blue Book would “essentially provide a road map to the strategies federal prosecutors employ in criminal cases.” Id. It contends that disclosure would afford anyone who wanted to read the Blue Book (including opposing counsel) “unprecedented insight into the thought processes of federal prosecutors.” Disclosure thus would “undermine the criminal trial process by revealing the internal legal decision-making, strategies, procedures, and opinions critical to the Department’s handling of federal prosecutions.” In addition, it would “severely hamper the adversarial process[,] as DOJ attorneys would no longer feel free to memorialize critical thoughts on litigation strategies for fear that the information might be disclosed to their adversaries to the detriment [of] the government’s current and future litigating positions.”
In other words, the fight might be slightly fairer, and the government won't be having any of that. The DC Circuit is now completely complicit in the government's "trial by ambush" plans.
Posted on Techdirt - 22 July 2016 @ 2:33pm
The administration's brief flirtation with converting occupying forces back into police departments is apparently over. In the wake of the Ferguson protests, the administration announced its plan to rein in police departments which had been availing themselves of used military gear via the Defense Department's 1033 program. This itself was short-lived. A year later, the administration mustered up enough enthusiasm for another run at scaling back the 1033 program, but it has seemingly lost some steam as Obama heads for the exit.
The images of police greeting protesters with assault rifles, armored vehicles, grenade launchers, and officers who appeared to mistake the Midwest for downtown Kabul apparently was a bit too much. It looked more like an occupation than community-oriented policing -- something every administration has paid lip service (and tax dollars) to over the past few decades while simultaneously handing out grants that turned police officers into warfighters.
That's all off the table now. Two recent shootings of police officers have effectively dismantled the dismantling of militarized police forces.
The White House will revisit a 2015 ban on police forces getting riot gear, armored vehicles and other military-grade equipment from the U.S. armed forces, two police organization directors told Reuters on Thursday.
Shortly after the recent shooting deaths of police officers, President Barack Obama agreed to review each banned item, the two law enforcement leaders said.
That could result in changes to the ban imposed in May 2015 on the transfer of some equipment from the military to police, said Jim Pasco, executive director of the Fraternal Order of Police, and Bill Johnson, executive director of the National Association of Police Organizations.
The law enforcement lobbyists met with the President and Vice President, and it appears Obama has sent the administration's chief legal counsel to "review" the ban. The law enforcement organizations claim police need greater protections now, even though the recent clustering of officer deaths doesn't put the nation on track for anything more than an average year of on-duty deaths.
But, while the chance of being killed in the line of duty remains steady, agencies are pushing for a return to pre-2015 levels of military gear, including tracked vehicles and grenade launchers "to deal with riots." It doesn't appear that any words were wasted discussing the underlying causes of the protests officers are now facing -- none of which will be resolved with increased police militarization. Put someone in war gear and they're going to be pretty sure they're in a war, rather than serving the public as a trusted member of the community.
Posted on Techdirt - 22 July 2016 @ 1:04pm
Yet another politician can be added to the list of people who think police officers just don't have enough protections as is. Following in the footsteps of legislators in New Jersey and Minnesota -- along with Rep. Ken Buck (CO) -- Texas governor Greg Abbott has decided it's time to treat attacking officers as a "hate crime."
Texas Gov. Greg Abbott (R) wants the targeted killing of a police officer to be deemed a hate crime in Texas and urged lawmakers to send him such a bill to sign during next year’s legislative session.
Abbott announced Monday his plan to lobby for adding his Police Protection Act to Texas law. Along with extending hate-crime protections to law enforcement, the measure would also increase criminal penalties for any crimes in which the victim is a law enforcement officer and “create a culture of respect for law enforcement by organizing a campaign to educate young Texans on the value law enforcement officers bring to their communities,” according to a statement from Abbott’s office.
Nothing "creates a culture of respect" like handing beneficiaries of a host of "extra rights" even more protection in the form of stiffer penalties just because the victim was wearing a certain uniform. As Fault Lines' JoAnne Musick points out, "hate crime" laws are generally enacted to provide greater protections for historically underprotected classes, not those already in positions of power.
Are police an otherwise vulnerable group? Is violence against an officer intended to hurt or intimidate the entire police community? Are crimes against officers underreported and in need of encouragement to prosecute them? Plain and simple, the answers are no. Police are not particularly more vulnerable. In fact, they are better trained and greater equipped to protect each other and themselves. Crimes against police are rarely underreported. They are most definitely heavily prosecuted – as they should be. So, why is there a need to create a special class?
The Dallas shooting that left five officers dead is the only reason this call for legislation even exists. It's a kneejerk reaction that shifts even more power to the powerful. It's sure to gather support from legislators because who could possibly be opposed to punishing cop killers? Add to that the further consolidation of power it represents and there's very little chance someone won't run this up the legislative flagpole. After all, the governor himself is calling for legislation, so it's guaranteed to become law if it hits his desk. That's an easy win -- something legislators like almost as much as jingoism and "tough on crime" posturing.
Rather than address the issues that have led to this (seeming) flashpoint (despite the recent murders of police officers, numbers are still on track for another "normal" year in on-duty officer deaths), politicians like Abbott have decided to give law enforcement yet another tool to use to significantly harm anyone who doesn't immediately comply with their commands. And this is in a state that already adds years to sentences if the crime victim is a police officer.
[A] simple assault is a class A misdemeanor carrying a punishment of up to one year in jail; however a simple assault against a police officer is a third degree felony punishable up to 10 years in prison.
That's the current law. Abbott wants something above and beyond this. Simple assault, under current Texas law, includes simply threatening someone or "provocatively" making physical contact. Push back when being arrested? That's assault. Accidentally bump an officer's elbow while attempting to comply with a frisk? Assault. The law already encourages prosecutors to pile on. This would make it even worse.
The underlying issues, which have prompted a horrifically violent reaction, aren't going to be mitigated by giving law enforcement and prosecutors even more leverage. Greg Prickett -- a 20-year veteran of law enforcement -- points out that the current miserable state of affairs can't be blamed on anything other than law enforcement's own actions over the past few decades. According to Prickett, this is what's prompted the shooting of law enforcement officers.
It’s simple, really. It is militarization of the police coupled with a lack of accountability for their actions.
Law enforcement has shifted away from being an integral part of the communities they serve and opted instead to view themselves as an occupying force in a war zone. The weapons and vehicles are repurposed military gear. Officers' training goes heavy on force deployment. Very rarely are tactics like de-escalation or actual community-oriented policing given any priority. While there's no condoning the actions of people who kill cops, the reality is that law enforcement itself has shown over the years that its preferred method of communication is violence. It's the only thing it truly understands.
Governor Abbott may think he can reverse this course by throwing more prison time at certain criminals, but it's not going to stop people from killing cops. All it's really going to do is give officers and prosecutors a way to inflict maximum pain for the most minimal injury or perceived slight.
Posted on Techdirt - 22 July 2016 @ 11:58am
Last week's one-sided "hearing" on encryption -- hosted by an irritated John McCain, who kept interrupting things to complain that Apple hadn't shown up to field false accusations and his general disdain -- presented three sides of the same coin. Manhattan DA Cyrus Vance again argued that the only way through this supposed impasse was legislation forcing companies to decrypt communications for the government. The other two offering testimony were former Homeland Security Advisor Ken Wainstein and former NSA Deputy Director Chris Inglis.
Not much was said in defense of protections for cellphone users. Much was made of the supposed wrongness of law enforcement not being able to access content and communications presumed to be full of culpatory evidence.
But one of the more surprising assertions was delivered by a former government official. Wainstein's testimony [PDF] -- like Vance's -- suggested the government and phone makers start "working together." "Working together" is nothing more than a euphemism for "make heavy concessions to the government and prepare to deliver the impossible," as Patrick Tucker of Defense One points out. Wainstein says phone manufacturers must do more than theorize that weakened encryption would harm them or their companies. They must hand over "hard data" on things that haven't happened yet.
Kenneth L. Wainstein, a former assistant attorney general for national security at the Department of Justice, told lawmakers that the burden is on technology companies and privacy advocates to show how backdoors would harm user security, rather than on law enforcement to prove that altering the encryption scheme would be safe.
“For the tech industry and civil liberties groups, this means laying out technically specific support for the contention that a government accommodation would undermine the integrity of default encryption. They should provide hard data that demonstrates exactly how—and how much—each possible type of accommodation would impact their encryption systems. It is only when Congress receives that data that it can knowledgeably perform its deliberative function and balance the potential cybersecurity dangers posed by a government accommodation against the national security and law enforcement benefits of having such an accommodation in place,” he said.
The only thing harder than proving a negative is proving how badly things might go if backdoors are inserted or companies are required to retain encryption keys.
As usual, the "smart guys" are ahead of the curve on this bizarre demand. Last year, multiple encryption experts collaborated on a research paper [PDF] that laid out the problems that would result from government-mandated access.
In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates. We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today's Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today's Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws.
So, if Wainstein is looking for answers, he already has them. So does James Comey. So does Cyrus Vance. (Although, to be fair, Vance hasn't really feigned much concern for tech companies or their customers.) They just don't like the answers they've received. This is why they continue to claim that a perfectly safe, government-mandated encryption backdoor is just a "smart guy" breakthrough away. Any day now, someone at Apple or Google will shout "Eureka" and hand over the unicorn Comey, et al. insist must exist.
Posted on Techdirt - 22 July 2016 @ 9:41am
Welcome to Bordertown, USA. Population: 200 million. Expect occasional temporary population increases from travelers arriving from other countries. Your rights as a US citizen are indeterminate within 100 miles of US borders. They may be respected. They may be ignored. But courts have decided that the "right" to do national security stuff -- as useless as most of its efforts are -- trumps the rights of US citizens.
Wall Street Journal reporter Maria Abi-Habib -- a US-born citizen traveling into the States with her valid passport -- discovered this at the Los Angeles International Airport. Her Facebook post describes her interaction with DHS agents who suddenly decided they needed to detain her and seize her electronics.
The DHS agent went on to say she was there to help me navigate immigration because I am a journalist with The Wall Street Journal and have traveled to many dangerous places that are on the US' radar for terrorism.
It's generally a good idea to be wary when government employees suddenly offer to "help."
But after pushing me to the front of a very long line at immigration, she then escorted me to the luggage belt, where I collected my suitcase, and then she took me to a special section of LAX airport. Another customs agent joined her at that point and they grilled me for an hour - asking me about the years I lived in the US, when I moved to Beirut and why, who lives at my in-laws' house in LA and numbers for the groom and bride whose wedding I was attending.
Abi-Habib was very cooperative. She answered all of the agent's questions and remained calm despite this interaction being far from ordinary. It didn't matter. The DHS decided to flex its "our border, our rules" muscle.
[T]hen she asked me for my two cellphones. I asked her what she wanted from them.
"We want to collect information" she said, refusing to specify what kind.
"Collect information." That's intrusion and surveillance that serves no discernible purpose. The DHS was obviously hoping Abi-Habib would remain as cooperative as she had during the previous questioning. But Abi-Habib disappointed the DHS agent by suggesting she should talk to the phones' owner about her search plans, rather than just hope a lengthy, suspicionless detention would prompt Abi-Habib to relinquish consent.
"You'll have to call The Wall Street Journal's lawyers, as those phones are the property of WSJ," I told her, calmly.
She accused me of hindering the investigation - a dangerous accusation as at that point, they can use force. I put my hands up and said I'd done nothing but be cooperative, but when it comes to my phones, she would have to call WSJ's lawyers.
She said she had to speak to her supervisor about my lack of cooperation and would return.
Obstruction is an actual crime. This wasn't an empty threat. I mean, it was an empty threat in the way that government officials hand out threats they have no intention of following through with as a means of coercion, but it was not empty as in "without enforceable consequences." It was meant to make Abi-Habib more receptive to granting the DHS permission to search the phones. But behind the threat is an actual criminal statute that could have turned this from a detention to an arrest. And all because the DHS didn't want to obtain consent for its search from the phones' actual owner.
Abi-Habib called the DHS agent's bluff. The DHS relented.
The female officer returned 30 minutes later and said I was free to go.
Abi-Habib's post closes by noting she doesn't fit any terrorism profile and offers security tips for those traveling in and out of the US -- like leaving behind everything that could be searched/seized, or traveling with a recently-wiped phone.
The DHS's actions here are disturbing. They suggest agents dig through devices on a regular basis, even when there's a complete lack of suspicion. Laws and court rulings confirm there is a lowered expectation of privacy at US borders, but the agency's refusal to follow through with a search of the devices makes it clear agents are looking to hassle people they think won't fight back -- either during the detention, or after the fact with lawsuits and/or public discussions of their treatment. It's incidents like these that show many public security efforts by government agencies are almost entirely ornamental. It's the illusion of security, rather than an actual protective effort. Border agents dig around in people's stuff just because they can, not because they need to.
Posted on Techdirt - 21 July 2016 @ 4:18pm
An interesting ruling out of Georgia states that an unconventional method to determine a cell phone's owner is not a search under the Fourth Amendment. The appeals court decides [PDF] that the information obtained has no expectation of privacy.
Because Hill had no reasonable expectation of privacy in the information at issue – his own name, date of birth, and phone number – we agree with the state there was no search under the Fourth Amendment, and accordingly we reverse.
The background is this: James Brandon Hill exited a taxi cab without paying, leaving his phone behind. The cab driver reported this to the police and an officer dialed 911 to obtain the owner's info. The court doesn't touch the issue of abandonment -- which would likely have made the search legal. But its decision that the method used to obtain this info isn't a search seems to be a bit off.
While the information received may have had no expectation of privacy, an officer accessing a cell phone without a warrant is questionable under the Supreme Court's Riley decision. As noted above, the warrantless search still likely would have survived a motion to suppress as the phone was abandoned in the cab. In fact, Hill does not challenge the seizure of the phone -- only the search.
The Third Party Doctrine is in play here, what with this information being handed over to a service provider in exchange for phone service. The opinion quotes Orin Kerr in support of its Third Party Doctrine assertions.
Consistent with this distinction, we have held in a case involving a landline phone that the Fourth Amendment “protects only the content of a telephone conversation and not the fact that a call was placed or that a particular number was dialed.” Stephenson, supra, 171 Ga. App. at 939 (citation and punctuation omitted). See generally Orin S. Kerr, Applying the Fourth Amendment to the Internet: A General Approach, 62 Stan. L. Rev. 1005, 1019 (II) (A) (2010) (originating telephone number is non-content information analogous to return address on envelope).
But that applies only to phone call routing info, not the user's personal information. It's a good thing this citation isn't a direct comparison because Orin Kerr doesn't agree with the court's decision on the search issue.
Held: Calling 911 from a phone is not a “search” because it only obtains non-content information about the phone that is not protected under Smith v. Maryland.
I don’t think that reasoning works, as it’s mixing up two different questions: (1) whether calling from the phone is a search of the phone, and (2) whether, once the call is placed, receiving the number dialed at 911 is a search of the number. I think calling 911 is a search because of (1), not because of (2). Calling 911 pushes out the number from the phone, and I think that forced revealing of the number should count as a search of the phone.
The decision's implications go much further than this one-off case where an abandoned phone was discovered and "forced" to reveal user info by a law enforcement officer. Think Stingrays. From the opinion:
The fact that it was a law enforcement officer, rather than Hill, who placed a call from the phone does not change our conclusion that the information obtained was not subject to Fourth Amendment protection. Cases from other jurisdictions illustrate this point. In United States v. Skinner, 690 F3d 772, 777-778 (II) (A) (6th Cir. 2012), for example, the United States Court of Appeals for the Sixth Circuit held that law enforcement agents could take action to cause a cellular phone to emit information from which they could track it without running afoul of the Fourth Amendment, because the defendant did not have a reasonable expectation of privacy in the location data emitted from the phone.
If this isn't a search, then the use of an IMSI catcher isn't a search, even though it involves the manipulation of a person's phone by law enforcement to obtain information otherwise not immediately obtainable.
As for the Riley decision, the court decides use of the phone is not the same as accessing the phone's contents.
Here, in contrast to Riley, the officer did not access any files on Hill’s phone, which was protected by a passcode. He “did not attempt to retrieve any information from within the phone,” United States v. Lawing, 703 F3d 229, 238 (II) (A) (ii) (4th Cir. 2012), but instead used the phone in a manner that caused it to send Hill’s telephone number to a third party, the 911 dispatcher. We do not construe Riley to prohibit an officer in lawful possession of a cellular phone from placing a call on that phone in an attempt to obtain identifying information about its owner. Moreover, we do not construe Riley to recognize a legitimate expectation of privacy in identifying, non-content information such as the person’s own phone number, address, birthdate, simply because that information was associated with a cellular phone account rather than a landline phone account or a piece of physical mail.
While historical cell site location info is generally considered to be free of expectations of privacy under the Third Party Doctrine, real-time access of this same information is still under discussion in several courts. The argument that law enforcement manipulation of a person's cell phone to extract information not otherwise immediately obtainable is not a search suggests that this particular court would look favorably on the use of Stingray devices to locate cell phones. After all, the phone's location is a third-party record, even though it's a third-party record that isn't normally obtainable as it's being generated.
It's a limited ruling from a state appeals court, but it still shows advances in surveillance tech will be granted a lot of leeway by judges because of a decision nearly four decades old at this point (Smith v. Maryland, 1979). Had the court come to the conclusion it was a search, it wouldn't have saved Hill (because he abandoned his phone), but it at least would have recognized it's one thing to obtain third-party records from a third party. It's quite another when the government uses a closed loop to obtain the same info.
Posted on Techdirt - 19 July 2016 @ 4:13pm
A bizarre case comes out of the Texas court system -- landing squarely in the middle of a legal Bermuda Triangle where illegal searches meet civil asset forfeiture… and everything is still somehow perfectly legal. (via FourthAmendment.com)
The facts of the case: police officers arrested Miguel Herrera and seized his 2004 Lincoln Navigator. An inventory search of the vehicle uncovered drugs and the state moved to seize the vehicle itself as "contraband" using civil (rather than criminal -- this is important) asset forfeiture. Herrera argued that the stop itself was illegal and anything resulting from it -- the drugs and the civil seizure of the vehicle -- should be suppressed.
The Supreme Court of Texas examines the facts of the case, along with the applicable statutes, and -- after discarding a US Supreme Court decision that would have found in Herrera's favor -- decides there's nothing he can do to challenge the seizure. He can't even move to suppress the evidence uncovered following the illegal stop -- the same search that led to the state seizing his vehicle under civil forfeiture statutes.
The presiding judges spend several pages (including two concurrences) discussing the aspects [PDF] of this case in detail, but cannot bring themselves to exclude the evidence obtained from the illegal search, much less return Herrera's vehicle to him.
First, the court decides that the deterrent effect of suppressing the evidence is outweighed by the cost to society.
In this case… the exclusion of admittedly relevant evidence imposes a substantial social cost. Here, the vehicle and the evidence found within it are indisputably relevant—if the state shows by a preponderance of the evidence that the vehicle was “used or intended to be used in the commission of” a felony under the Controlled Substances Act, then it is “contraband.” If it qualifies as contraband under Chapter 59, then it “is subject to seizure and forfeiture.”
Additionally, applying the exclusionary rule here ostensibly results in returning a vehicle “used or intended to be used” in the commission of drug crimes to its owner. See CODE CRIM. PROC. art. 59.01(2)(B)(i). Applying the rule to Chapter 59, therefore, would likely have the undesirable effect of politely handing such vehicles—or computers, money, weapons, or whatever else—back to those who might put them to criminal use.
The court moves on to dismiss the Supreme Court's 1965 decision (One 1958 Plymouth Sedan v. Pennsylvania), suggesting not only that things have changed too much over the past 50 years to consider it relevant, but also -- unbelievably -- that the seizure of a person's assets via civil forfeiture is not a form of punishment.
[T]he legal and jurisprudential landscapes have changed significantly since Plymouth Sedan was decided in 1965, weakening some of the opinion’s underpinnings. For one thing, Plymouth Sedan was decided at “a time when [the Supreme Court’s] exclusionary-rule cases were not nearly so discriminating in their approach to the doctrine,” yet more recently the Court has “abandoned the old, ‘reflexive’ application of the doctrine, and imposed a more rigorous weighing of its costs and deterrence benefits.” Thus, the Court’s more recent jurisprudence, and its now well-established cost-benefit analysis, controls our analysis. And, as discussed, the “deterrences against [illegal searches] are substantial—incomparably greater than the factors deterring warrantless entries when Mapp [and Plymouth Sedan] [were] decided.”
Finally, in Plymouth Sedan, the forfeiture proceeding’s “object, like a criminal proceeding, [was] to penalize for the commission of an offense against the law.” See 380 U.S. at 700. Chapter 59 forfeitures, on the other hand, are expressly civil and non-punitive; indeed, “[i]t is the intention of the legislature that asset forfeiture is remedial in nature and not a form of punishment.”
It's hard to see how civil asset forfeiture isn't a form of punishment. Without having to prove an asset was illegally obtained or used in criminal activity, the state can simply take cars, money, houses, etc. away from citizens simply by providing a limited amount of evidence suggesting these might have been related to criminal activity. And if the state is wrong, it's still a long, uphill battle for anyone seeking to have their property returned. This is even admitted by the court in the same paragraph.
While this provision certainly relates to criminal activity, it does not require any proof that a person committed a crime—it only requires that the state prove by a preponderance of the evidence that the property is contraband.
The court then concludes that neither the Fourth Amendment nor the state's civil forfeiture statutes provide a remedy for Herrera -- at least not one the court is willing to grant.
Even if the state is not statutorily empowered to unlawfully seize contraband, (and it is not), what is the remedy for failure to comply with article 59.03(b)? Herrera argued in his motion to suppress—and argues now—that the remedy is exclusion. Yet what is the source of this exclusionary remedy? As discussed above, it is not the Fourth Amendment. The constitutional rule applies only when its deterrence benefits outweigh its heavy social costs, and that is not the case here. Nor does Chapter 59 provide for exclusion. To start, article 59.03(b) deals with seizure of the property to be forfeited; it does not concern itself with other evidence that might be used to prove property is subject to forfeiture. Thus, we reject Herrera’s argument that evidence found during the seizure should be excluded under article 59.03(b).
Moreover, while article 59.03 appears to limit officer conduct as to seizure of property subject to forfeiture, it does not provide a remedy—much less exclusion—for a violation of that apparent limitation. Articles 59.03(a) and (b) provide for how property subject to forfeiture may be seized. Article 59.03(c) requires the peace officer who seized the property to provide the attorney representing the state with a sworn statement including, among other things, “a list of the officer’s reasons for the seizure.” In the forfeiture proceeding, that attorney must then “attach to the notice [of seizure and intended forfeiture] the peace officer’s sworn statement.” See CODE CRIM. PROC. art. 59.04(b). Yet, despite providing fairly detailed notice requirements such as these, Chapter 59 never mentions excluding or suppressing property subject to forfeiture, even if such property is unlawfully seized…
By finding no remedy workable or worthwhile in the face of societal cost, the Texas Supreme Court has given law enforcement another way to salvage evidence obtained by illegal searches: simply seize the "container" (house, car, boat, etc.) the evidence was discovered in.
As defense attorney John Wesley Hall notes in his post on the case, this decision will also encourage more questionable asset forfeitures because the court here has declared it's unwilling to entertain notions of deterrence when dealing with "non-punitive" civil seizures.
I disagree with the lack of deterrence because the seizure for forfeiture is immediate, before booking, and it’s part and parcel of the police arsenal to punish the defendant before trial; that along with a high bail. Besides, the police help finance their drug enforcement operations with forfeitures, even when there’s no prosecution. It’s contingent fee law enforcement.
It's a state Supreme Court decision, so it's precedential. That's the bad news. The (potentially) good news is that it touched on an issue previously handled by the US Supreme Court, so it could be pushed up the judicial ladder back in the direction the ignored decision emanated from. Of course, this Supreme Court has been very inconsistent on Fourth Amendment issues and seems particularly willing to punt on issues it would rather not address directly.
Posted on Techdirt - 19 July 2016 @ 2:27pm
Section 230 is not completely screwed! A California appeals court decision has upheld Yelp's immunity to defamation claims, running contrary to findings in two other lawsuits recently decided in that state. Eric Goldman has the background on the case.
The lawyer-plaintiff is Lenore Albert. Her Yelp page. She claims a former employee orchestrated a social media attack on her business, including posting fake disparaging reviews on her Yelp page plus this image (which she claims isn’t clearly demarcated as user content instead of Yelp-sourced content)...
Albert also claims that Yelp further screwed up her page when she refused to advertise with it. She sued Yelp for defamation, tortious interference and intentional infliction of emotional distress. The lower court granted Yelp’s anti-SLAPP motion. The appeals court affirmed.
After deciding that posted reviews were not commercial speech (which would not be covered by the state's anti-SLAPP statute) and were of public interest (the plaintiff being a lawyer involved in foreclosure proceedings), the court moves on [PDF] to solidly stake out the extensive coverage of Section 230 protections for service providers.
Since Yelp is an internet service provider, it is immunized, under section 230 of the Telecommunications Act of 1996, for defamation contained in any third party reviews on a Yelp page pertaining to a given business. The case law on this point is conclusive…
All doubt is removed when we examine two of the most extreme cases illustrating the immunizing effect of section 230, Barnes v. Yahoo!, Inc. (9th Cir. 2009) 570 F.3d 1096 (Barnes) and Carafano v. Metrosplash.com, Inc. (9th Cir. 2003) 339 F.3d 1119. These cases involved more than simple defamatory third party comments. Rather, in both cases third parties were able to use a website to cast the plaintiff in a decidedly negative false light. In Barnes, the ex-boyfriend of the plaintiff posted revenge porn on the website. The court held the website itself was still immune under section 230. (Barnes, supra, 570 F.3d at p. 1103 [to hold the website responsible would be to treat it like a publisher in contravention of section 230].) And in Carafano, the court held a dating website could not be held responsible for a third party’s virtual impersonation of an actress on the site. Of course, section 230 certainly does not immunize third parties who actually write defamatory posts to a website. (E.g., Bentley Reserve LP v. Papaliolios (2013) 218 Cal.App.4th 418 [former tenant could be liable for postings on Yelp about landlord]), but the website itself is unreachable.
The court also dismisses several other accusations by Albert, noting that Yelp has never solicited defamatory/misleading reviews and acts in good faith to remove defamatory or misleading postings when notified. It also points out that Albert's claim that Yelp itself creates misleading/defamatory reviews is not supported by any available evidence.
The plaintiff has asked for the opportunity to amend her complaint (not a bad idea, considering every allegation was rebuffed), but the court points out that the anti-SLAPP statute would be completely useless if complainants were allowed to rewrite their pleadings in light of a court's decision.
As this court recently pointed out, when a complaint is attacked by an anti-SLAPP motion, it cannot be amended so as to add or omit facts that would take the claim out of the protection of the anti-SLAPP statute. In the instant case, the plaintiff sued the ubiquitous business review internet service Yelp, alleging three causes of action which are unmeritorious. On appeal she posits she might be able to amend to allege other causes of action, at least two of which, unfair competition and false advertising, might arguably have merit given the Second District’s recent decision in Demetriades v. Yelp, Inc. (2014) 228 Cal.App.4th 294 (Demetriades) [suit based on Yelp’s statements about itself].) But whether they have merit cannot be reached in this case. Given the rule against amendments to add or omit facts in anti-SLAPP cases, we must affirm the judgment based on the three causes of action actually alleged.
While the decision does affirm what's already assumed about Section 230 protections, it's good to see these protections reaffirmed -- especially given recent highly-questionable decisions emanating from that area of the country. Yelp will recover the costs of its appeal, and if Albert still has money to blow, she's welcome to sue the people who posted the negative material, rather than the website hosting it.
Posted on Techdirt - 19 July 2016 @ 11:49am
No sooner had the ink dried on the Second Circuit Appeals Court decision regarding Microsoft and its overseas servers than new legislation designed to undercut the court's finding has been printed up by the DOJ and presented to the administration.
Microsoft successfully argued that the US government couldn't force it to unlock a server in Dublin, Ireland, so it could rummage around for evidence. Nor could the DOJ force the company to act on its behalf, performing a search of its overseas servers for documents the US government couldn't access otherwise.
Since that decision obviously just won't do, the DOJ has presented proposed legislation [PDF] that would alter existing Mutual Legal Assistance Treaties (MLATs) so the agency can do the very thing a court just said it couldn't do.
The details are discussed in, um, detail over at the Lawfare blog by none other than a former DOJ lawyer (David Kris). Needless to say, the post skews towards "supportive," but the analysis is thorough and offers some excellent insight on what the DOJ hopes to open up -- and what it's willing to concede in return for this new power.
The law would limit searches to communications from non-US citizens located abroad and only for criminal investigations. This would prevent the altered MLATs from being used by US agencies to gather intelligence, restricting them only to gathering evidence of criminal activity. That being said, for every concession made, there's a DOJ land grab.
The heart of the proposed legislation is section 4, which allows for executive agreements between the U.S. and foreign governments. Where a satisfactory agreement is in place, the barriers to access in the Wiretap Act, Stored Communications Act, and criminal Pen Register statute are removed (by section 3).
Of all the places to remove existing limits, the DOJ has chosen three of its most-abused laws/statutes. The Wiretap Act has been rendered toothless by the DEA's collusion with a judicial rubber stamp in California and used by the DOJ to push American telcos into doing its spying for it. The Stored Communications Act was just another (failed) angle of attack for the DOJ in its fight against Microsoft. And the Pen Register Act has been used as a cover for Stingray deployments by multiple law enforcement agencies, all with the tacit approval of the FBI, which still acts as a middleman in every IMSI catcher purchase by local PDs.
From there, the DOJ offers a melange of legal authorities to govern its searches of foreign servers.
The foreign orders authorized by the agreement must meet several specific requirements. First, they must pertain to the “prevention, detection, investigation, or prosecution of serious crime, including terrorism.” This means that affirmative foreign intelligence gathering is out of bounds. Conceptually, the idea here seems similar to the split in FISA’s two definitions of “foreign intelligence information,” 50 U.S.C. 1801(e)(1)-(2).
Second, the foreign orders must use a “specific” identifier such as a name or account as the “object of the order.” This comes from the USA Freedom Act’s amendments to FISA, designed to prevent bulk collection, 50 U.S.C. 1841, 1861.
Third, the orders must be “based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation,” and must be subject to “review or oversight” by a judge or other “independent authority.” These elements seem to be derived in part from several U.S. constitutional requirements—e.g., those governing a stop and frisk (Terry v. Ohio, 392 U.S. 1 (1967)), the definition of probable cause (Illinois v. Gates, 462 U.S. 213 (1983)), the requirements for a search warrant (including particularity and a neutral and detached magistrate, see Maryland v. Garrison, 480 U.S. 79 (1987)), and a proportionality requirement.
At first blush, these would seem to subject DOJ requests to multiple forms of oversight. But they most likely won't. The self-written loopholes allow for plenty of "search first, ask permission later" action.
Of course, the requirements are not exactly the same as those the Fourth Amendment would compel—for example, the reference to “review or oversight” by a judge or other “independent authority” would seem to permit after-the-fact review by a Parliamentary body rather than advance review of orders by a judge.
On top of that, the folding in of FISA language allows the FBI, et al., to interpret "criminal investigation" very loosely.
Note, however, that counter-intelligence, expressly including counter-terrorism but also probably including counter-espionage, is included, because the language refers not only to “investigation” and “prosecution,” but also to “prevention” and “detection” of crime.
So, despite saying the MLAT alterations would be limited to investigatory work, rather than intelligence gathering, the new agreements could be read as permitting both. And, despite restricting agencies from using foreign governments to obtain data or communications they otherwise wouldn't be able to access, the proposal does allow these entities to provide US agencies with data and communications involving US persons. Sure, there are minimization procedures, but they're apparently tied to restrictions built into foreign governments' laws rather than our own, and auditing for abuses of this access is limited to a review every half-decade -- hardly the sort of thing that stops abuse in its tracks.
And the minimization procedures deployed by foreign governments when handing over info on US persons are tied to a bunch of exceptions -- the usual parade of horrors agencies use to justify intrusive surveillance.
[A] foreign government “may not disseminate the content of a communication of a U.S. person to U.S. authorities unless it is relevant to the “prevention, detection, investigation, or prosecution of serious crime, including terrorism, or necessary to protect against a threat of death or serious bodily harm to any person,” and also “relates to significant harm, or the threat thereof, to the United States or U.S. persons, including but not limited to crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud.”
So, it can't be used for anything not included on the "serious crimes" list, which doesn't leave much. There's not a whole lot of criminal activity that can't be squeezed into this laundry list. Moving violations? Jaywalking? Lord knows anything drug-related will still be considered "dangerous," even if most of the threat is composed of overreacting drug warriors lobbing flash bangs into cribs at 5 am.
Obviously, the DOJ wasn't just going to stand by and let the Second Circuit determine how it's going to operate. This bill may have been a long time in the works, but its public debut is impeccably timed.
Posted on Techdirt - 19 July 2016 @ 8:44am
Jason Leopold is back in court (is he ever NOT there?) battling the NSA and the DOJ's Office of Legal Counsel (OLC) over the release of documents related to the NSA and FBI's surveillance of federal and state judges. The two parties had already been told to do more looking around for responsive records by Judge Tanya Chutkan, who rejected their original request for summary judgment last July.
The two agencies went back and performed another search. And still came up empty-handed.
Let me rephrase that: the two agencies went back and performed another "search." Here's what that "search" actually entailed, as described in the opinion [PDF].
The search that OLC ultimately conducted pursuant to the court’s July 2015 Memorandum Opinion and Order proceeded as follows:
[A]n OLC attorney asked an OLC Deputy Assistant Attorney General and an OLC Senior Counsel, both of whom are senior attorneys with long tenures in OLC (the Deputy Assistant Attorney General joined the Office in 1989; the Special Counsel joined the Office in 1998, departed for nine years in 2001, and rejoined the Office in 2010) and have close familiarity with OLC’s work on national security and surveillance matters, . . . whether they were aware of any classified or unclassified OLC projects concerning the “propriety of surveilling federal or state judges,” regardless of whether the project resulted in final legal advice. (Id. ¶¶ 6, 9).
“This inquiry yielded no responsive records.” (Id. ¶ 9).
According to the OLC, asking a couple of people if they've heard anything about a surveillance program is the same thing as actually searching its own files using keywords and phrases relevant to the subject matter.
In addition, the OLC claimed that actually searching for these documents would bring its slowly-moving FOIA machinery to a near halt.
Colborn avers that searching OLC’s paper files, the email files of departed OLC attorneys and the hard drives of departed users “likely would take several years and the diversion of resources from other FOIA requests,” which “would result in a dramatic increase in [OLC’s] FOIA processing backlog.”
Judge Chutkan didn't find either of these excuses persuasive. As for the OLC's claim that asking a few in-house lawyers about a surveillance program qualifies as a search for responsive documents, the judge had this to say:
The court agrees with Plaintiff, and finds that the senior attorneys’ responses to this inquiry do not provide sufficient basis to reasonably conclude either that OLC is unlikely to possess responsive records or that responsive records are unlikely to be found by a more in-depth search. Moreover, the court finds that asking all current OLC attorneys if they had, or were aware of, any draft legal memoranda or opinions relating to the propriety of surveilling federal or state judges – as was done here after Plaintiff filed his opposition brief – was also insufficient.
Judge Chutkan points out that there's way too much turnover in staff at the OLC to consider asking all current counsel whether or not they've heard of a program to be an adequate substitute for an actual records search. The latter method wouldn't be nearly so dependent on individuals' memory, or whether those who might be familiar with the surveillance program were still working for the agency.
As for its complaint about "diverted resources" and its FOIA processing backlog, the judge similarly has no sympathy.
The court finds that Defendants have not established that searching the email files of departed OLC attorneys would be unduly burdensome. While Colborn avers that it “likely would take several years and the diversion of resources from other FOIA requests” to search for responsive documents among OLC’s paper files, hard drives and emails, he does not break out the time and resources that would be required to search only the emails of departed OLC attorneys. (Id.). Given that these emails and their attachments can be searched using an eDiscovery tool without needing to open each email and its attachments individually, and in the absence of any representations from Colborn or any other declarant regarding the burden associated with running such searches separate and apart from searching OLC’s paper files and hard drives, Defendants have not demonstrated that doing so would constitute an undue burden.
So, for a second time, Judge Chutkan is forced to tell the OLC how to do its job.
Accordingly, the court hereby ORDERS OLC to use the Clearwell eDiscovery tool referenced in the Fourth Colborn Declaration to search the email files of departed OLC attorneys, as well as any attachments to those emails, for any draft legal memoranda or opinions relating to the propriety of surveilling federal or state judges.
Everyone seems to know what tools are available and how to use them… except the agency "responding" to the FOIA request. A search will finally be performed -- after two motions to dismiss, several misspent tax dollars, and an FOIA requester forced to use the court system to get an agency to do its job correctly.
Posted on Techdirt - 19 July 2016 @ 3:33am
No better way to celebrate the 50th anniversary of the Freedom of Information Act than filing a lawsuit claiming an agency is refusing to comply with it. FOIA enthusiast Ryan Shapiro has done exactly that, suing the DOJ [PDF] for the FBI's continued refusal to perform anything more than a cursory search, using its most outdated software, for responsive records.
Foia requests to the FBI are processed by searching the Automated Case Support system (ACS), a software program that celebrates its 21st birthday this year.
Not only are the records indexed by ACS allegedly inadequate, Shapiro told the Guardian, but the FBI refuses to search the full text of those records as a matter of policy. When few or no records are returned, Shapiro said, the FBI effectively responds “sorry, we tried” without making use of the much more sophisticated search tools at the disposal of internal requestors.
“The FBI’s assertion is akin to suggesting that a search of a limited and arbitrarily produced card catalogue at a vast library is as likely to locate book pages containing a specified search term as a full text search of database containing digitized versions of all the books in that library,” Shapiro said.
Shapiro went meta to prove this point. Along with a handful of requests for documents about the FBI's "mosaic" theory, Shapiro also requested processing notes on the requests themselves. The FBI "failed" to locate much in the way of responsive documents, thanks to its insistence on using 21-year-old software, rather than more modern tools it has at its disposal.
The DOJ -- despite using millions of tax dollars to fund better search tools -- continues to insist it only needs to perform the bare minimum when searching for responsive documents. The software old enough to buy its own booze only searches for terms entered by FBI agents handling cases, not the text included in the files themselves.
It's not that the DOJ doesn't have the capability to perform a more in-depth search. It just feels it doesn't have to do anything more than a cursory surface scan for responsive documents. Whatever fails to turn up in this search is withheld without actually having to be declared "withheld" and justified with a FOIA exemption. Rather than present FOIA requesters with something they can challenge in court, the FBI simply claims it performed a search and shrugs at the lack of responsive files.
This non-responsiveness didn't impress Judge Randolph Moss back in January and it's that decision Shapiro is hoping will help him prevail in this lawsuit.
The FBI's use of an outdated system -- seemingly solely for the purpose of generating as few responsive files as possible -- is well-documented. And yet, there's almost no way to force the FBI to perform thorough searches -- utilizing the multiple tools and databases it has access to -- without dragging the DOJ to court. The FBI knows this, and knows that its unwillingness to utilize its internal FOIA tools is an easy way to discourage FOIA requests, as there are only a few filers with the means to pursue a lawsuit against the government. And any decision by a judge ordering the FBI to perform a more thorough search will be taken by the agency as only applying to the case at hand.
Of course, the FBI will do anything it can to keep Shapiro from obtaining more documents. Shapiro is the FBI's "mosaic" theory defined. The agency seems to fear his ability to pull together information from multiple, overlapping requests. And the DOJ has gone so far as to claim his dissertation research (involving the government's handling of animal rights activists) is a threat to national security. So, it will continue fighting for its "right" to deliberately perform inadequate document searches and maintain its non-responsive status quo.
Posted on Techdirt - 18 July 2016 @ 1:02pm
Nearly one year to the date from Sacramento mayor Kevin Johnson's filing of a lawsuit against his own city and a local journalist to block the release of emails from his personal Gmail account, a judge has ordered him to turn over most of the emails he's been fighting to withhold.
[T]his past Friday, Krueger ruled that Johnson and the city must make public 79 of the remaining 113 emails and records. Ballard Spahr, the firm that represents the mayor pro bono, needs to turn them over by July 18.
Johnson had long argued that emails from his personal account weren't subject to public records laws -- even those in which government business was discussed. And, indeed, the city has no policy in place preventing officials from using personal email accounts to conduct official business. However, that's not the same thing as saying these emails can't be obtained with public records requests.
When that argument failed to keep the emails from being released, Johnson's lawyer raised the good old "attorney-client privilege" as a shield against public disclosure. Judge Krueger shot that down as well.
During the hearing, Humphreys was steadfast in his lobbying to keep some of the records secret. He contested that, since Ballard Spahr had reviewed firsthand many of the emails and attachments in question, they were clearly protected from disclosure because of “attorney-client privilege”—a phrase he repeated ad nauseam.
Eventually, Krueger schooled him on the law. “Every document that an attorney has seen does not fall under attorney-client privilege,” the judge explained—adding that this was legal fact no matter how many times Humphreys made a “talismanic recitation of those words.”
In the end, it's a win for the Sacramento News & Review, which was one of the parties named in Mayor Johnson's email-blocking lawsuit. Given the nature of the disputed emails, it's easy to see why Johnson wanted to keep them out of the public's hands. Many of the communications cover Johnson's takeover of the National Conference of Black Mayors -- a leadership position he held tenuously, briefly, and under a considerable amount of criticism.
Johnson's 2015 attempt to obtain an injunction against his own city followed his admission that he had destroyed several public records (in this case, text messages) responsive to requests pertaining to the city's $500 million sports arena.
Even though this legal battle has pried loose a few hundred emails over the past year, it's still only a small percentage of Mayor Johnson's "official business" communications safely stashed away in his personal account.
“We’ve been fighting in court for a year over a small batch of records that ended up in the hands of the City Attorney,” Garvin wrote. “The much bigger problem is the thousands and thousands of emails that Johnson has refused to turn over, which were generated by his OMKJ email accounts.”
Politicians are particularly adept at keeping their communications away from the public. Kevin Johnson is the rule, rather than the exception. Fortunately, the lack of internal policies forbidding this activity isn't preventing courts from finding responsive communications have been improperly withheld. But these findings come at a great expense for public records requesters -- many of whom will abandon their requests rather than spend thousands of dollars in legal fees to obtain documents that rightfully belong to the public.
Posted on Techdirt - 18 July 2016 @ 11:46am
We've seen plenty of bogus DMCA takedowns and legal threats issued in order to silence critics. Paul Alan Levy has gotten ahold of a weird, long-delayed lawsuit [PDF] filed by an Australian financier against an unknown blogger who wrote a single critical post about him nine years ago.
There is somebody on the other side of the Pacific Ocean who has a strongly negative perspective on Nicholas Assef, the head honcho at an Australian financial services firm called Lincoln Crowne – or at least, somebody held such views nine years ago. We know at least that much because, in 2007, an anonymous individual created a small Google blog, using the URL lincolncrowne.blogspot.com, and posted a “warning” urging people who were considering doing business with Assef and his company to do their due diligence first. And even though the blog is buried deep in the Google search results for someone entering a search using lincoln crowne as the search string (currently, it is on the tenth page of results), Assef is plainly rankled by this criticism.
How Assef came across this single post, floating in the internet backwater, is a mystery. But there it is. Before suing the Doe behind the single-post "blog," Lincoln Crowne tried suing Google for defamation in Australia, presumably to use local laws to route around Section 230 protections. It didn't work. Google briefly took down the blog post before restoring it.
Having failed in this attempt, Lincoln Crowne is now trying to sue the anonymous blogger, using a poorly-constructed lawsuit with more than a few deficiencies. It not only claims the content is defamatory, but that the defendant's URL is a violation of its trademark. It's a mess, which is somewhat surprising because the firm is being represented by lawyers who seem otherwise competent.
Levy provides more insight into the suit's multiple flaws.
The trademark claim is based on the proposition that use of the company name in the third-level domain for the blog constitutes infringement. The complaint asks the court to exercise supplemental jurisdiction over the defamation claim, which is based on the allegation that everything written in the blog is a lie (does that include “and” and “the”?). The defamation claim is a bit odd because the statute of limitations for defamation is only one year, and the suit was filed eight years after publication. And the trademark claim is even worse – the blog is simple criticism, without selling any rival products, and there is a Ninth Circuit decision on point: Bosley Medical v. Kremer (a case that I handled), saying that non-commercial gripe sites are outside the scope of the Lanham Act. And even if the site had some commercial aspect, what likelihood of confusion about source could be caused by a blog that is headlined BEWARE LINCOLN CROWNE & COMPANY and then “Warning Warning Warning - Nick Assef”?
Those aren't the only problems. In addition to these spurious claims, the complaint also shifts targets in midstream. The defendants listed on the first page of the suit only include "Does 1-10." Out of nowhere, the lawsuit suddenly starts targeting Google.
Also odd is the fact that the default judgment order is sought against Google, which is not a party to the lawsuit and is not in default and which, in any event, could not have been sued for defamation. It is unclear whether plaintiffs have alerted Google to the fact that they are seeking an order from the judge directed at Google rather than at the anonymous blogger.
As Levy points out, this sort of thing is common in the Ninth Circuit, where many tech companies are located. Sneaky plaintiffs file against one party and then pepper their complaints with requests for default judgment against better-heeled corporations.
Not only that, but the Ninth Circuit seems to enjoy circling this particular bogus lawsuit drain -- much more so than Levy does.
I find it tiresome to have to keep going back to courts in the Ninth Circuit to make these arguments: once we win in a circuit, I prefer to preserve Public Citizen's scarce resources by moving on to other jurisdictions. But if nobody speaks up, the win becomes a dead letter and future lawyers then start citing the lower court decision in self-justification.
A bogus lawsuit -- running unopposed (as it were) -- can do just as much damage as a legitimate one. And this one is pure frivolity. Even if the long-expired statute of limitations on defamation claims is ignored, the trademark allegations are nothing for Lincoln Crowne's representation to be proud of. In order to demonstrate the "harm" a personal blog showing up 10 pages into a Google search is doing to its business, the company actually had to use "lincoln crowne blogspot" as its search terms to get anything incriminating to show up on the first page. As Levy notes, the likelihood of the average consumer adding the word "blogspot" to their search for Lincoln Crowne hovers at a steady 0%.
It wasn't until seven years after the offending post appeared that Lincoln Crowne showed any motivation to secure its own Blogspot-hosted blogs in an attempt to combat the single negative post it had come across, so it's not as if the company has faced an uphill battle against a determined blogger for nine years straight.
Either way, the likelihood of confusion is nil and the post itself -- even if considered defamatory -- isn't Google's problem (although the plaintiff would really like it to be) and dates back further than the statute of limitations can be stretched.
It's clear from the lawsuit that Lincoln Crowne is just hoping to stick Google with something by injecting wording that asks for the company to be held responsible should the actual Doe defendant fail to appear. That's not proper litigation. That's opportunism.
Posted on Techdirt - 18 July 2016 @ 10:40am
Given the cultural phenomenon that is Pokemon Go, it was only a matter of time before security-conscious government agencies would be forced to confront the inevitable: that their employees would be joining in the quasi-AR madness.
Kristan J. Wheaton of the Sources and Methods blog was handed an apparently official document from the Defense Department that lays down several common sense rules for employees throwing imaginary balls at imaginary creatures. (A screenshot of the original document can be seen in Thomas Rid's tweet, embedded at the bottom of this post.)
One of my contacts (Thanks!) within the intel community put together a tip sheet for friends and family and, having read it, it sounds like good advice for anyone who wants to play Pokemon Go with a reasonable level of safety and privacy. Remember, it is a tip sheet and is designed to be helpful, not comprehensive. If it is not covered here, just remember D2S2 – Don’t Do Stupid Stuff.
Considering the source, the list of do's and do not do's is straightforward and on point. And, as Wheaton points out, good advice for anyone playing the game, not just those with high-level security clearances chasing down rarities behind CIA filing cabinets.
In short, make sure you're downloading the authentic application, be aware your location will be recorded, and -- more importantly, given the nature of DoD components -- the photos taken during Pokemon hunts might accidentally reveal something meant to stay hidden.
Be mindful of your surroundings when using this augmented reality (AR) mobile game, especially when taking pictures of Pokemon during the capture process. Note what's in the foreground and background, including reflective surfaces and information revealing identity and or location (street signs, vehicle license plates, Government buildings, etc.). Disabling AR makes Pokemon easier to catch! The location where you take a picture of a Pokemon is also likely embedded in the picture's metadata.
In addition, the DoD suggests employees use something other than their personal Google account to log in and to select usernames that do not reflect their IRL names.
Some classic military-industrial complex paranoia surfaces in the penultimate bullet point, however.
When physically visiting Pokestops and gyms, maintain awareness of your surroundings. Travel with a buddy or remain in your vehicle with the doors locked. It is not necessary to physically enter the real-world establishment where a Pokestop or gym is located, you may be able to interact with the Pokestop/gym from the curb or even across the street.
While there have been reports of strongarm robberies at bogus Pokestops, the whole "situational awareness" vibe adds far more cloak-and-dagger than seems absolutely necessary.
The full list at Wheaton's blog is worth a read, though, whether you're a normal citizen or a DC insider neck deep in redacted drone strike reports/Rattatas.
Posted on Techdirt - 18 July 2016 @ 9:36am
Last Friday's hearing on encryption was hosted by the Senate Committee on Armed Services and a visibly-irritated John McCain. McCain is no fan of encryption and, apparently, no fan of Apple. Kieren McCarthy of The Register reports (and delivers a stellar headline).
Opening the Committee on Armed Services' hearing on cybersecurity this morning, McCain went out of his way to note that Cook has declined the senator's invitation to give testimony alongside three opponents of end-to-end encryption on the company's iPhone.
"I must note for the record that these were not our only invited guests," McCain said.
"This committee extended an invitation to Apple CEO Tim Cook to offer his perspective on these important issues. He declined. I hope he will reconsider in the future so that this committee can benefit from the widest possible variety of perspectives."
"Widest possible variety." The other three "guests" included noted encryption opponent Cyrus Vance, former Bush Homeland Security Advisor Ken Wainstein, and -- producing the only measured take on the issue -- former NSA deputy director Chris Inglis. So, the deck was stacked, and Apple likely felt its testimony would be largely undercut by having to defend itself against baseless assertions and wild allegations, like it did at the last hearing it attended.
Back in April, the "intelligence commander" of the Indiana State Police, Charles Cohen, suggested Apple had provided iOS source code to the Chinese -- something it wasn't willing to hand over to the US government. So, while attempting to speak about the issue at hand, Apple's reps had to address idiotic statements like these instead.
That's where I was going to conclude my comments. But I think I owe it to this committee to add one additional thought. And I want to be very clear on this: We have not provided source code to the Chinese government. We did not have a key 19 months ago that we threw away. We have not announced that we are going to apply passcode encryption to the next generation iCloud. I just want to be very clear on that because we heard three allegations. Those allegations have no merit.
Thanks, but no thanks. McCain and others attending the hearing pretend the encryption problem can be solved by "working together." But Manhattan DA Cyrus Vance used part of his testimony to basically accuse Apple of offering encryption-by-default just to spite the government. The others testifying didn't go quite as far as Vance did in portraying the company as the enemy of justice, but there was really nothing in it for Apple. There's no "working together" going on here, not if the committee offers three invitations to people opposed to encryption (or at least far more sympathetic to law enforcement's requests) but the only outsider asked to attend is one that spent the running time of the last hearing listening to ignorant statements and wild allegations.
Not having Apple to kick around obviously bothered McCain.
As the hearing progressed and McCain was faced with the fact that all three panelists were effectively saying the same thing, he grew increasingly frustrated at the failure of Cook to serve as a legislative punching bag and repeatedly referred to his absence.
His committee "has subpoena power" McCain grumpily noted, implying that he would compel Cook to attend a future kangaroo court. And at the end of the hearing, McCain still wouldn't let the matter drop and complained that it was "unacceptable" that Cook had failed to attend.
That's what passes for "working together" in Washington. Threats of forced attendance at upcoming hearings where tech representatives can be sat on one side and angrily glared at when not attempting to defend themselves from speculative assertions and allegations.
Posted on Techdirt - 18 July 2016 @ 8:30am
The United States Senate Committee on Armed Services held a hearing about ~~the coming darkness~~ cellphone encryption Friday morning. There was almost no attempt made to address both sides of the issue, most likely because Senator John McCain -- who headed up the "discussion" -- has already made up his mind on how this problem should be handled.
Testimony -- all from government officials -- was presented, with Manhattan DA Cyrus Vance leading off. Vance's tune hasn't changed. Encryption is still (apparently) an insurmountable problem and the only "answer" runs directly through Congress. Vance spent most of his speaking time [PDF] criticizing Apple and suggesting its decision to provide encryption by default on its phones was done purely to spite him and the government.
Given Apple’s own statements about the security of iOS 7, shortly after Apple’s reengineering of its phones to prevent search warrant access by law enforcement, I asked it in a letter dated March 2015, whether there was a bona fide security reason to make its new operating system, iOS 8, warrant-proof. Apple chose not to answer me, but in March of this year, the House Judiciary Committee compelled Apple to answer the same question. That Committee asked Apple the following question, in writing, “Was the technology you possessed to decrypt these phones”—and the clear reference is iOS7 phones and their predecessors—“ever compromised?” Apple’s written response was: “The process Apple used to extract data from locked iPhones running iOS 7 or earlier operating systems was not, to our knowledge, compromised.” (Emphasis added.)
Apple’s answer to this crucial question shows what we have long suspected: That Apple’s method of data extraction under iOS 7 posed no documented security problems. That being so, then there should be no unreasonable security risk going forward if we return to the procedure where court-ordered warrants can be honored by extracting responsive data off of smartphones.
In Vance's view, encryption protocols should not be altered until they've been compromised -- a view that aligns nicely with his presumption that the government should always have access to phone contents but runs counter to good security practices. Vance wants Apple to go back to holding the encryption keys and be on hand to unlock the door whenever the government asks.
Vance is still pushing his "encryption is a godsend to criminals" narrative -- based on little more than the same single recorded prison phone call he referenced months ago. Vance may have a pile of cellphones law enforcement can't break into, but that hardly suggests a majority of criminals are gravitating towards encrypted services. The rise in the number of encrypted communications methods will benefit some criminals, but even high-profile terrorist attacks have been coordinated and planned using methods still open to interception and investigation.
The solution is legislation, according to the DA. Vance provides a list of prior legislation crafted to aid law enforcement as support for his theory the government should be allowed access to phone contents. However, his list covers only records collected and stored by third parties -- not the content and communications he's seeking access to.
Federal regulation is already important in the communications industry. When telephone companies went from using copper wires to using fiber optics and digital signals, the police could no longer use their old techniques of executing wiretap orders, and so Congress passed the Communications Assistance for Law Enforcement Act (CALEA), mandating that telecom providers build into their systems mechanisms for law enforcement to install court-ordered wiretaps. CALEA has worked. It has saved lives, and it has withstood Constitutional challenge. It has not stifled innovation, as its opponents feared…
Here are a few other examples: DEA regulations require all U.S. pharmacies to maintain paper and electronic prescriptions bearing the name of the patient and prescriber, drugs dispensed, and dates filled. FTC regulations require any business that checks a customer’s identification to maintain and provide victims and law enforcement with transaction records relating to identity theft. State regulations require private schools to maintain student data records, including records of attendance and suspected child abuse. I could go on.
The point is that companies in nearly every industry are required by law to maintain voluminous customer records and produce criminal evidence when they receive a court order. When your introduction of goods and services into the stream of commerce overlaps with public safety, this is the price of doing business in the United States.
In other words: the government should have access to iPhone contents because it has access to other stuff. It's a clumsy comparison at best. At worst, it's a blueprint for unprecedented government intrusion. Vance may be trying to demonstrate that the government has historically had access to a wealth of information thanks to regulators and the Third Party Doctrine and should continue to be granted access, but this inept analogy is worse than apples-to-oranges. Connecting Vance's dots suggests he views personal data and communications as just another set of records "collected" by cellphone providers. He may not openly suggest these are nothing more than "third party" records, but he obviously believes private corporations "owe" this sort of access to the government.
Vance says he doesn't want a legislated encryption backdoor, but his solution is basically a legislated encryption backdoor.
My Office’s proposed solution is to enact a federal statute providing that data on any smartphone made or sold in the United States must be accessible—not by law enforcement, but by the maker of the smartphone’s operating system—when the company is served with a valid search warrant. And if a person or entity such as Apple offers encryption software, it has to have the ability to provide data in response to a judicial order.
The backdoor may be located at the company's headquarters, but it's a backdoor all the same.
His testimony also suggests more legislation might be needed to further subvert encryption. Like James Comey, Vance suggests harder nerding will make the impossible possible.
This solution is limited to data at rest on smartphones. It would not affect encryption of data in motion. I cannot at this time offer a technical fix to address data in motion. I am confident, however, that engineers from industry and government, working together in good faith, can find one.
"Good faith." That's hilarious. The only time law enforcement is interested in a "good faith" discussion is when it's trying to salvage an illegal search.
Vance -- like Comey -- believes all concessions must come from the private sector. That's how he defines "working together." He's also concerned a 12-month study from a Congressional committee won't address the issue fast enough.
Twelve months of taking testimony resulting in non-binding recommendations in a report will not adequately address the urgency of the problem that local law enforcement faces. Time is not a luxury that local law enforcement, crime victims, or communities can afford.
With a nod to civil liberties:
Our laws require speedy trials. Victims require justice. And criminals must be held accountable before they can reoffend.
I would think that if you don't have the evidence -- if it's on phones that can't be broken into -- you just don't have the evidence. I sincerely hope people aren't being locked up until Congress creates the backdoor Vance is looking for. Of course, we know that is happening, but hopefully not on the scale Vance suggests with his list of police-resistant devices still being held by law enforcement agencies (who assume they contain evidence of criminal activity).
The end result of the encryption study can't be determined at this point. But given the nature of this committee -- and its decision to only present one side of the issue -- it appears its greatest purpose may be nothing more than buying time until backdoor/ban legislation is reintroduced.
Vance's side hasn't budged an inch. While deference is continually paid to the "smart people" at tech companies, it's only done so under the assumption that they're just holding out on the government. The solution Vance, et al. want is supposedly possible, even if it isn't. Any arguments to the contrary are continually treated as deliberate antagonism, rather than basic facts. Backdoored encryption -- no matter who holds the keys -- is a security problem. And it's not going to go away, no matter how many times the same arguments are repeated.
More posts from Capitalist Lion Tamer >>