Posted on Techdirt - 28 September 2016 @ 3:15am
Whistleblower protections offered by the federal government are great in theory. In practice, they're a mess. This administration has prosecuted more whistleblowers than all previous administrations combined. The proper channels for reporting concerns are designed to deter complaints. Those that do use the proper channels are frequently exposed by those handling the complaints, leading to retaliatory actions that built-in protections don't offer an adequate remedy for.
Perhaps the ultimate insult is that the proper channels lead directly to two committees that have -- for the most part -- staunchly defended agencies like the NSA against criticism and any legislative attempts to scale back domestic surveillance programs. The House and Senate Intelligence Committees are the "proper channels," whose offered protections can only be seen as the hollowest of promises, especially after the House Intelligence Committee's lie-packed response to calls for Snowden's pardon.
What the federal government offers to whistleblowers is a damned if you do/don't proposition. Bypass the proper channels and brace yourself for prosecution. Stay within the defined lanes and expect nothing to change -- except maybe your security clearance, pay grade, or chances of advancement within the government.
Congress doesn’t have much legal power to protect intelligence community employees from such retaliation. The Pentagon’s inspector general website concedes Congress cannot “grant special statutory protection for intelligence community employees from reprisal for whistleblowing.”
In most cases of personal or professional retaliation, it ends up being the whistleblower’s problem, says Tom Devine, the legal director for the Government Accountability Project. “The problem is that whistleblowers making most complaints proceed at their own risk,” he said in an interview. “There are no independent due process protections for any intelligence community whistleblowers. And contractors don’t even have the right to an independent investigation unless there’s security clearance retaliation.”
The limited evidence that has surfaced about using the "proper" whistleblower channels suggests the protections granted by the government are mostly meaningless. The intelligence committees won't comment on the treatment of government employees who have approached them to blow the whistle. Government contractors working within the intelligence community are even more tight-lipped, suggesting even civilians are on their own when when attached to government programs or projects.
The few reports that have made it out into the open indicate it's almost impossible for a whistleblower to prove any actions taken against them post-whistleblowing are actually retaliatory. An Inspector General's investigation of a whistleblower's retaliation complaints determined that anything that had happened to the whistleblower could not be conclusively linked to the Defense Department employee's whistleblowing.
All that can be determined is that dozens of whistleblower complaints do make their way to the intelligence committees every year. But even this is based on the assertions of the House Intelligence Committee, which refused to provide any further details. The outcome of the whistleblowing remains under wraps and there are no publicly-released statistics that total the number of complaints, much less which percentage of complaints are found substantial and investigated further.
Government employees and contractors are just expected to trust the federal government which, given its response to whistleblowers over the past two decades, isn't going to nudge edge cases away from bypassing the laughable "protections" and proceeding directly to journalists willing to actually protect their sources.
16 Comments | Leave a Comment..
Posted on Techdirt - 27 September 2016 @ 11:44am
There's just something about adding the word "cyber" to "crime" that brings out the worst in legislators. A host a badly-written laws have been crafted to address everything from cyberbullying to hacking. These tend to be abused first by those in positions of power.
Nigeria's government recently enacted a cybercrime law which is, of course, being wielded by thin-skinned government officials to silence critics. The cyberstalking provision is the preferred attack vector, placing those targeted by unhappy government leaders at risk of being hit with a $22,000 fine and three years in prison.
Last month, the law was cited in the August 20 arrest of Musa Babale Azare who was detained in the capital, Abuja, by police from Bauchi state. He was accused of allegedly criticising the state governor, Muhammad Abdullah Abubakar, on social media, according to news reports. Azare, who uses Facebook and Twitter as platforms to criticize the actions and policies of Abubakar and his administration, said he was denied access to his lawyer, and that police did not have authority to arrest him outside Bauchi state jurisdiction.
Azare wasn't the only one hauled away by police for daring to publicly criticize officials -- although his trip (280 miles) was arguably the longest. (Azare was taken from Abuja back to Bauchi to be questioned.) Politicians could barely wait for the ink on the signatures to dry before deploying it against citizens who had raised their ire.
CPJ found that at least three other bloggers were prosecuted under the cybercrime act in the space of four months last year after they reported or commented on critical reports.
One "suspect" was refused release until he could come up with a 3 million naira ($9500) bail. Another writer -- a member of a national blogger's guild -- was denied bail three times and held for two weeks before charges were dropped. The third was denied bail and jailed for six months, with four of those spent in maximum security. All three of the cases CJP uncovered occurred within five months of the cybercrime law's passage, which seems to suggest it was crafted with the intent of curbing critical speech, rather than criminal activity.
The irony of this is that the freedom of expression and freedom of the press are both enshrined in the Nigerian Constitution. Laws can't be made that directly abridge those freedoms, but government officials seem to have crafted themselves a handy loophole that handily allows them to bypass citizens' constitutional protections.
4 Comments | Leave a Comment..
Posted on Techdirt - 27 September 2016 @ 10:44am
Smile, constituents: this man may become president.
Look at the mess that we're in. Look at the mess that we're in. As far as the cyber, I agree to parts of what secretary Clinton said, we should be better than anybody else, and perhaps we're not. I don't know if we know it was Russia who broke into the DNC.
She's saying Russia, Russia, Russia. Maybe it was. It could also be China, it could be someone sitting on their bed that weighs 400 pounds...
Look, anyone who refers to cybersecurity or cyberwarfare as "the cyber" is probably better off not discussing this. But Donald Trump, in last night's debate, felt compelled to further prove why he's in no position to be offering guidance on technological issues. And anyone who feels compelled to portray hackers as 400-lb bedroom dwellers probably shouldn't be opening their mouth in public at all.
With this mindset, discussions about what "the Google" and "the Facebook" are doing about trimming back ISIS's social media presence can't be far behind. Trump did note that ISIS is "beating us at our game" when it comes to utilizing social media. Fair enough.
But Trump's cybersecurity "plan" isn't actually a plan. What there is of it has to be compiled from a string of random, semi-related sentences. Apparently, the next cyberwar will pit tweens against 400-lb Russians...
I have a son. He's 10 years old. He has computers. He is so good with these computers, it's unbelievable. The security aspect of cyber is very, very tough. And maybe it's hardly do-able. But I will say, we are not doing the job we should be doing, but that's true throughout our whole governmental society. We have so many things that we have to do better, Lester and certainly cyber is one of them.
The problem isn't so much that Trump plainly has no idea what he's talking about or even the coherency to bluff his way through it. No one expects presidential candidates to be experts on every possible issue that might come up. But this has been the government's primary focus in recent years, and multiple high-profile hackings have only intensified that.
The problem is that Trump clearly has no interest in discussing these issues with those who can offer coherent, possibly-useful cybersecurity strategies. The more he speaks, the more he exposes his ignorance. Ignorance isn't unfixable. But Trump has done nothing over the past several months to close these (often significant) gaps in his knowledge. That's the scariest aspect of his presidential run -- the unwillingness to handle the boring but essential work of creating a platform composed of something more than half-formed thoughts and severely misguided jingoism that blames the rest of the world for somehow making America a worse country.
The mitigating factors are these:
Hillary Clinton's response may have been more coherent but hers suggests we should probably engage in more actual war than cyberwar to handle ISIS -- something's that gone oh so well for the past couple of decades. And she was ready to declare cyberwar on Russia after the DNC hacking, an idea that's not only stupid (seeing as the entity behind the hacking is still unknown) but an indication she'd be willing to wield government power to avenge embarassment.
Trump's power in office is likely to be far less than he obviously envisions it. Trump may be a rather extreme form of populist but those popular votes will be about as useful as Facebook likes when it comes to attempts to push his agenda past far more level-headed advisors and legislators.
Either way, voters are faced with choosing between the devil they sort of know and the devil other devils have been distancing themselves from for several weeks. In both cases, we're going to end up with a president who doesn't have the technical knowledge to deal with today's realities.
82 Comments | Leave a Comment..
Posted on Techdirt - 27 September 2016 @ 3:21am
Judges have pointed out to copyright trolls on multiple occasions that an IP address is not a person. Trolls still labor under this convenient misconception because they have little else in the way of "proof" of someone's alleged infringement.
Unfortunately, law enforcement agencies also seem to feel an IP address is a person -- or at least a good indicator of where this person might be found. This assumption leads to blunders like ICE raiding a Tor exit node because it thought an IP address was some sort of unique identifier. After having IP addresses explained to it by the EFF, ICE returned the seized hard drives and promised to make the same mistake in the future.
In another case, the Seattle PD raided a Tor exit node in search of a person downloading child porn. It didn't find the target it was looking for, but went ahead and demanded passwords so it could search files and logs at the unfortunate citizen's home before realizing it had the wrong person.
The EFF is kind of sick of having to explain the difference between an IP address and a person to government entities. It has put together a white paper [PDF] that should be required reading anywhere government employees feel compelled to act on "evidence" as useless as IP addresses.
Law enforcement’s over-reliance on the technology is a product of police and courts not understanding the limitations of both IP addresses and the tools used to link the IP address with a person or a physical location. And the police too often compound that problem by relying on metaphors in warrant applications that liken IP addresses to physical addresses or license plates, signaling far more confidence in the information than it merits.
These ill-informed raids jeopardize public safety and violate individuals’ privacy rights. They also waste police time and resources chasing people who are innocent of the crimes being investigated.
By acting on this bogus assumption, law enforcement agencies are wasting time and money. Plus, they're putting themselves in situations where innocent people could be killed over technical errors, seeing as warrant service these days usually involves militarized squads that value shock and awe tactics over minimizing collateral damage.
The white paper points out what should be obvious to anyone who considers themselves capable of solving "computer crimes:" an IP address is not only not a person, it's not even a physical location.
First, the technology was never designed to uniquely identify an exact physical location, only an electronic destination on the Internet.
At a local level, similar IP addresses may be assigned based on geography, albeit only indirectly. ISPs make decisions to allocate blocks of IP addresses to particular locations for a variety of reasons, with the goal of creating a network that efficiently delivers Internet traffic. The result may be that locations near each other feature similar IP addresses, but that is more often the product of where the provider has physical links and routers to a network than geography. For example, if an ISP has a fiber-optic link between two distant cities, the IP addresses assigned to those cities may be similar because it creates a more efficient network. A third city near one of those towns geographically may not share the same connection and it would thus likely have completely different IP addresses assigned to it.
In addition, IP addresses only identify the block of devices assigned to it, not the people utilizing them. Even in cases where there's only one resident at a physical address linked to an IP address, there's still a chance law enforcement may be going after the wrong person. As the paper explains, the pool of IPV4 addresses has been used up. In areas where users haven't been pushed to IPV6 addresses, IP addresses may be shared by more than one user (at more than one physical address) or reassigned to other users by service providers based on need and usage. As the paper states, IP addresses, unlike physical addresses, are not static.
The paper also points out that the use of bad analogies by law enforcement and courts has only made the misconceptions worse. Law enforcement agencies sometimes claim that IP addresses are every bit as unique as license plates. The metaphor fails because IP addresses can be shared or redistributed at private companies' discretion unlike license plates, which are government-issued and must remain tied to a registrant.
In short, the best analogy for an IP address is an anonymous informant's tip -- something that's basically hearsay until otherwise confirmed.
In a line of Supreme Court cases dealing with reliability and corroboration problems that arise whenever third parties provide tips to law enforcement, the court has made clear that police must do more to confirm the tips provided by anonymous informants before seeking a warrant or other process…
The question is: will law enforcement care enough about potential collateral damage to educate themselves on the problems of treating IP addresses as people… or will they decide that a combination of forgiveness (good faith exception, etc.) and easily-obtained immunity is preferable to gathering corroborating evidence and acting more cautiously?
Read More | 51 Comments | Leave a Comment..
Posted on Techdirt - 26 September 2016 @ 4:35pm
Hopefully some good news will follow the bad news handed out by the California Appeals Court earlier this year. In a ruling that did some serious damage to Section 230 protections and the First Amendment, the court decided to enforce an injunction against Yelp for a defamatory review -- despite Yelp not being an actual party to the lawsuit.
Dawn Hassell sued a former client over a defamatory review she allegedly posted on Yelp. The defendant, Ava Bird, never bothered to show up in court. Hassell secured a default judgment against Bird. All well and good, except for the fact that Hassell and the court brought Yelp into the equation, without ever giving the site a chance to respond to the proposed injunction.
This drive-by injunction opens the door for abuse by aggrieved parties. It allows plaintiffs to sue parties they're pretty sure won't show up in court, obtain default judgments, and use those judgments to force third parties to remove negative reviews, articles, etc. This eliminates any form of due process for third-party websites -- services that should be covered by Section 230 whether or not they voluntarily remove reviews. Yelp was never given a chance to respond to Hassell's allegations nor was it allowed to challenge the injunction she obtained.
Why the Appeals Court failed to see the potential for abuse or the due process issues raised is unclear. The good news is that the state's Supreme Court has agreed to review the decision. Eugene Volokh and a host of other free speech advocates and lawyers have filed a brief ahead of the Supreme Court's hearing, pointing out the host of negative consequences created by the lower court's misguided decision.
[T]he decision below offers plaintiffs a roadmap for violating these speakers’ rights. Say a business dislikes some comment in a newspaper’s online discussion section. The business can then sue the commenter, who might not have the money or expertise to fight the lawsuit. It can get a consent judgment (perhaps by threatening the commenter with the prospect of massive liability) or a default judgment. And it can then get a court to order the newspaper to delete the comment, even though the newspaper had no opportunity to challenge the claim, and may not have even heard about the claim until after the judgment was entered. This is directly analogous to what plaintiff Hassell did in this very case.
It's not as though shady reputation management outfits or thin-skinned entities need any encouragement to abuse the legal process to make criticism disappear. We've already seen abuse of both the DMCA process and the court system to push Google towards delisting reviews no court has actually found to be defamatory. The Appeals Court decision does nothing more than legitimize another shady tactic: suing someone who likely won't appear in court, but enforcing the judgment against a deeper-pocketed party who definitely would have made an appearance... if only they'd actually been named in the lawsuit.
The brief goes on to point out that orders like this -- predicated on arguments one party never had a chance to respond to -- are unconstitutional and cannot be enforced.
Yelp, Amazon, and other such sites cannot be ordered to remove an allegedly libelous post, without an opportunity to themselves dispute this restriction on their own speech rights. The Court of Appeal erred in treating Yelp as essentially lacking First Amendment rights here. See Pet. for Review 22 (copy of Court of Appeal opinion) (“Yelp’s factual position in this case is unlike that of the . . . appellants [in Marcus v. Search Warrants, 367 U.S. 717 (1961)], who personally engaged in protected speech activities by selling books, magazines and newspapers.”). A site such as Yelp or Amazon is, if anything, even more engaged in protected speech than a bookstore, and more like a magazine creator than just a magazine seller: It creates a coherent speech product—a Web page that aggregates readers’ comments—and distributes it to readers. That 47 U.S.C. § 230 immunizes Yelp from tort liability as a publisher for the material that it reproduces does not strip Yelp of its First Amendment rights as a creator and distributor of the speech aggregating the material.
It's almost unimaginable that this decision will be allowed to stand. It upends the legal process and creates a hostile environment for third-party content hosts in California. But it's impossible to claim this definitely will be overturned, what with the state's courts displaying an unfortunate amount of schizophrenia when handling Section 230-related cases. At stake here is the First Amendment, more than Section 230 protections, but both are definitely under attack. The Appeals Court has given plaintiffs a way to route around Section 230 and stifle speech hosted by services they'll never have to face off with in court.
16 Comments | Leave a Comment..
Posted on Techdirt - 26 September 2016 @ 2:44pm
Because an Ohio police department couldn't handle being (momentarily) mocked, it's now being sued by the man officers arrested after he created a spoof of the department's Facebook page.
Earlier this year, Anthony Novak parodied the Parma (OH) Police Department's Facebook page, posting obviously fake announcements from the faux department like the following:
The Parma Civil Service Commission will conduct a written exam for basic Police Officer for the City of Parma to establish an eligibility list. The exam will be held on March 12, 2016. Applications are available February 14, 2016, through March 2, 2016. Parma is an equal opportunity employer but is strongly encouraging minorities to not apply.
The test will consist of a 15 question multiple choice definition test followed by a hearing test. Should you pass you will be accepted as an officer of the Parma Police Department.
Other postings not quite as charming, but definitely as fake, included announcements of the PD's new roving abortion van, a "Pedophile Reform event," plans to arrest anyone caught outside between noon and 9 pm, and a ban on feeding the homeless to better serve the city's plan to eradicate the problem through starvation.
Novak did copy the department's logo and the Facebook page did look similar… right up until readers read the posts, or noticed the fake department's motto: "We No Crime."
Rather than leave this in Facebook's hands (or just leave it alone altogether), the Parma police decided to greet the situation head on. It came up with a charge to use to go after Novak: use of a computer to "disrupt, interrupt or impair" police services. Then it went after him, mustering far more force than would seem to be necessary to handle a bogus Facebook page. Jacob Sullum of Reason recaps the stupidity.
Parma police...launched an investigation that involved at least seven officers, a subpoena and three search warrants, and a raid on Novak's apartment, during which the cops surprised his roommate on the toilet and seized two hard drives, a laptop, two tablets, two cellphones, and two video game systems. After his arrest on March 25, Novak spent four days in jail before he got out on bail, and then he had to report weekly to a probation officer if he wanted to keep his freedom.
The charge was obviously bogus. Statements made in defense of the PD's actions mainly focused on the derogatory nature of the posts. But very little was said about how a Facebook page that was up for less than two days and gathered only 300 followers made it more difficult for the police to continue servicing the community. It would seem the diversion of seven officers to a stupid investigation with obvious Constitutional implications would be far more disruptive to public service.
While the Parma police obviously found a judge willing to overlook their extremely questionable assertions when signing warrants, it had no similar luck when attempting to prosecute Novak.
Someone in the Cuyahoga County Prosecutor's Office evidently had second thoughts about the case, because Novak was offered a plea deal under which the felony charge would have been reduced to an unspecified misdemeanor. Novak turned the offer down, by that point eager to have his day in court. By the time his trial rolled around, prosecutors had settled on the theory that Novak's Facebook gag had disrupted police services by generating phone calls to the police department—a grand total of 10 in 12 hours. The jury did not buy it, and everyone who was involved in the case should have known better than to let it get that far.
The end result is a lawsuit [PDF], which will definitely impair the community's trust in the police department. Novak alleges First, Fourth and Fourteenth Amendment violations -- all stemming from the warrants issued to the PD which, if determined to be bogus, support his Fourth and Fourteenth claims. As for the First Amendment, Novak's parody page was protected speech and the Parma police had no business using their powers to shut it down, much less arrest the page's creator.
As for the PD's supporting affidavits, they appear incredibly weak according to what's documented in the lawsuit. There was more made about the content of the page being "derogatory" than about the supposed criminal activity Novak (obviously didn't) engage in: disruption of government services.
That being said, it will be tough to prevent immunity from being awarded to most, if not all, of the participants in this censorious travesty. Unless the Parma police have specific guidance or training that encourages them to trample all over citizens' First Amendment rights, it's unlikely the allegations will survive a motion to dismiss. Then again, the PD didn't just tread lightly on Novak's free speech -- it steamrolled him with a trumped-up felony charge, seizure of all of his devices, and jailed him for four days. The city may find it more expedient to settle this quickly than take the chance of Novak prevailing completely.
The Parma PD should have limited itself to informing particularly stupid/gullible citizens that the parody page wasn't the real thing. Then it should have left it alone. Instead, it leveraged its power to avenge its hurt feelings, resulting in a tantrum that could prove to be very expensive.
Read More | 30 Comments | Leave a Comment..
Posted on Techdirt - 26 September 2016 @ 1:10pm
It's generally agreed that the state of security for the Internet of Things runs from "abysmal" to "compromised during unboxing." The government -- despite no one asking it to -- is offering to help out… somehow. DHS Assistant Secretary for Cyber Policy Robert Silvers spoke at the Internet of Things forum, offering up a pile of words that indicates Silvers is pretty cool with the "cyber" part of his title... but not all that strong on the "policy" part.
The industry, according to Silvers, is demanding that IoT security is tackled "from a DHS perspective," meaning a focus on public safety. And then he damned other government departments' efforts with faint praise.
"This is complex stuff, but it's not going to be regulatory or over prescriptive, it's not even going to be highly technical," he argued. "What we're going to be doing is drawing on the best approaches, pulling them together and elevating them to get the public's attention."
Shorter DHS: we're going to take what the private sector and other government agencies have accomplished, print it out on a few pages of DHS letterhead, and call it good. All Silvers is promising is the DHS's insertion into a crowded marketplace of vague ideas, many of them coming from other government agencies.
Even better, Silvers claimed the DHS's intrusion into this overcrowded space won't be "regulatory." This statement arrived shortly before Silvers suggested regulation was on its way.
“We have a small and closing window of time to take decisive and effective action,” Silvers said, “the challenge of addressing IoT security is outweighed only by the greater challenge of patching, or building on the security of already deployed systems. While some of this may sound like common sense, it’s an undeniable fact that some companies are not being held accountable,” Silvers said.
"Companies not being held accountable" sounds like the sort of thing the government would feel compelled to fix with regulation. As Kieran McCarthy of The Register points out, the DHS seems mostly concerned with ensuring it's cut in on the cybersecurity action.
The DHS's current plan seems to be little more than shoving their foot in the door: Silvers could not give a timetable for the principles, or even a consultation plan. He didn't highlight specific areas of concern, or point to the direction the DHS is expected to take.
Perpetually-increasing budgets are on the line here. Every agency wants a piece of the "cyber" pie, whether on the offensive or defensive side. The DHS is no different, even though its track record on cybersecurity is mostly terrible. (Its track record on "homeland" security isn't that fantastic either…) Its Election Cybersecurity task force is composed of state politicians, rather than security experts. And the Government Accountability Office has previously noted the DHS has no plans in place to protect government buildings from cyberattacks on access and control points -- despite having had nearly 15 years to do so.
In front of a group of professionals actually putting together best practices for the Internet of Things, the DHS has announced its willingness to coattail-ride its way into the cybersecurity future -- one promising to be full of government intrusion and steady paychecks. And, like others in the government who feel the government should do nothing more than make demands of the private sector, Silvers encouraged the forum attendees to "nerd harder." Or, at least, faster.
Silvers issued a call of action to attendees, urging them to “accelerate everything” they’re working on and tackle issues that pop up in cybersecurity in real time.
Thanks, bossman. There's nothing security professionals like more than being told how to do their jobs by government agencies without coherent future plans or the ability to secure anything more than a pension.
38 Comments | Leave a Comment..
Posted on Techdirt - 26 September 2016 @ 10:40am
Actress Junie Hoang may have lost her legal battle against IMDb for revealing her age, but the California Assembly is ensuring she'll win the war. Hoang sued IMDb for $1 million, claiming the publication of facts without her permission had resulted in her being a victim of Hollywood ageism. IMDb won the lawsuit, but Governor Jerry Brown has just signed a bill into law that will prevent sites like IMDb from publishing actors' ages.
California Gov. Jerry Brown on Saturday signed legislation that requires certain entertainment sites, such as IMDb, to remove – or not post in the first place – an actor’s age or birthday upon request.
The law, which becomes effective January 1, applies to database sites that allow paid subscribers to post resumes, headshots or other information for prospective employers. Only a paying subscriber can make a removal or non-publication request. Although the legislation may be most critical for actors, it applies to all entertainment job categories.
Quotes from actors' guild representatives and "industry leaders" present this as a positive change. Supposedly the removal of this information will result in fewer actors and actresses from being passed over for roles because they're "too old." Ageism may be an industry-wide problem but the correct solution would be to change Hollywood culture, not tap dance across the First Amendment.
“We are disappointed that AB 1687 was signed into law today,” said Internet Association spokesman Noah Theran. “We remain concerned with the bill and the precedent it will set of suppressing factual information on the internet.”
Michael Beckerman, the association’s president and CEO, also wrote in August for THR, about his opposition to the law.
“Requiring the removal of factually accurate age information across websites suppresses free speech,” Beckerman wrote. “This is not a question of preventing salacious rumors; rather it is about the right to present basic facts that live in the public domain. Displaying such information isn’t a form of discrimination, and internet companies should not be punished for how people use public data.”
That's the problem with this law: it shoots the messenger rather than addresses the underlying problem. The government as a whole has passed many laws aimed at reducing discrimination, but in this case, the California assembly decided the onus should be on data aggregators that have absolutely nothing to do with the process of casting films.
It's unlikely this law will survive a Constitutional challenge, seeing as it prohibits the publication of facts. While any website can voluntarily choose to withhold this information, adding the government into the equation makes it a form of censorship.
The crafters of this law are claiming this speech suppression will benefit the little guy (and girl) the most:
[California Assemblyman Ian] Calderon said the law was more for actors and actresses not as well known as big stars.
“While age information for Hollywood’s biggest stars is readily available from other online sources, this bill is aimed at protecting lesser known actors and actresses competing for smaller roles,” Calderon said in the release. “These actors should not be excluded from auditioning simply based on their age.”
Calderon is correct. Actors should not be excluded simply because of their age. But that's a problem studios need to solve. And if they can't and legislators like himself still feel compelled to step in, the law should target discriminatory hiring practices, not IMDb and other sites like it.
38 Comments | Leave a Comment..
Posted on Techdirt - 26 September 2016 @ 3:36am
More information is surfacing on the source of the NSA's hacking tools discovered and published by the Shadow Brokers. Just as Ed Snowden pointed out shortly after the tools first appeared online, the problem with sticking a stash of hacking tools on equipment you don't own is that others can access the tools, too… especially if an operative doesn't follow through on the more mundane aspects of good opsec.
Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed. Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.
Reuters has exclusive (but anonymous) interviews with personnel involved in the investigation which indicates other, more exculpatory theories are likely wrong.
Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland.
But officials heading the FBI-led investigation now discount both of those scenarios, the people said in separate interviews.
NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.
And what a mistake it was. Tools purchased or developed by the NSA's Tailored Access Operations (TAO) are now -- at least partially -- in the public domain. The other aspect of this unprecedented "mistake" being confirmed is the fact that the NSA couldn't care less about collateral damage.
That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said.
Three years of unpatched holes, one of them a zero day that affects a great deal of Cisco's networking equipment. Not only was TAO's operation security compromised, but so were any number of affected products offered by US tech companies.
However, investigators are still looking into the possibility that the tools were left behind deliberately by a disgruntled TAO operative. This theory looks far better on the NSA than another theory also being examined: that multiple operatives screwed up in small ways, compounding each other's mistakes and (eventually) leading to a public showing of valuable surveillance tools.
As for the official, on-the-record comment… no comment. The FBI and Director of National Intelligence declined to provide Reuters with a statement.
The NSA has long refused to acknowledge the inherent dangers of hoarding exploits and deploying them with little to no oversight. It's unclear whether this incident will change this behavior or make it a more-forthcoming partner in the Liability Equities Process. What is has proven is that the NSA makes mistakes like any other agency -- whether the tools were left behind accidentally or deliberately. It's just that when the NSA screws up, it exposes its willingness to harm American tech companies to further its own intelligence needs.
27 Comments | Leave a Comment..
Posted on Techdirt - 23 September 2016 @ 2:45pm
In which the government argues that avowedly suspicionless behavior is reasonable suspicion.
Carlos Velazquez was pulled over by Officer Ken Scott, a "traffic investigator" patrolling the Ft. Bragg military base in North Carolina. Scott observed Velasquez make a right-hand turn at a stop sign, then reverse course when he encountered a gate preventing traffic from entering the Ft. Bragg Special Operations Compound. The stop resulted in the search of the vehicle and, eventually, the discovery of illegal drugs.
Velazquez moved to suppress the evidence, arguing that the stop was suspicionless. The government disagreed, but Scott's own testimony indicates it was a suspicionless stop. Scott claimed the stop was justified because he believed Velazquez was "intoxicated or lost." That last part Scott himself ignored, even during his testimony as the government's sole witness. The actions Scott viewed as "suspicious" during his justification of the traffic stop were also actions Scott had witnessed numerous times while patrolling the area around the military base.
Lamont Road ends at an intersection with Manchester Road. At the time of this incident, if a driver turned right from Lamont onto Manchester, he would encounter a closed gate with a "Do Not Enter" sign. Id. at 1:09:20-1:09:30. If a driver turned left from Lamont onto Manchester, the road would take him towards various training areas and, ultimately, the town of Southern Pines. Id. at 1:10:20-1:10:29.
Officer Scott described this area as wooded with no lighting with minimal, if any, phone and radio signals. Id. at 1:10:39-1:10:49. Officer Scott also stated that there are no individuals in that area at night. Id. at 1:11:16-1:11:22. Officer Scott also testified that he has often assisted individuals who were lost in the area, including those following GPS. Id. at 1:12:17-1:12:36. Officer Scott stated that he had often received calls of lost individuals utilizing GPS where the GPS would take them off the main road. Id.; id. at 1:17:01-1:17:15. He also stated that there are no phone signals and radios often do not operate in this remote area. Id. at 1:10:50-1:10:55.
Officer Scott did not provide any details on how many suspicionless stops he has performed after viewing behavior he admittedly finds unsuspicious. There's also nothing in the decision that indicates Scott observed anything about Velazquez's behavior during the stop that would have added to his suspicions. Instead, as the court points out, everything Velazquez did was entirely normal, given what Officer Scott had observed during previous patrols.
Here, the evidence demonstrates that Velasquez was driving on a public road shortly after midnight on a Saturday morning. When he reached an intersection, he stopped completely and proceeded to make a right turn. After encountering a fence informing him he was not allowed to proceed further, Velasquez turned his vehicle around and proceeded down a public, albeit remote, road. At no time did Officer Scott observe any erratic driving, traffic violations, or other conduct that indicated Velasquez was intoxicated. There is no indication that there were concerns that Velasquez posed a threat to the physical security of the base or personnel or that he was seeking unauthorized access to the Special Operations Compound. Officer Scott's decision to pull Velasquez over appears to have been based entirely on his presence on a public road at night and his right turn at the intersection of Lamont and Manchester Roads. Given that Officer Scott was aware that individuals frequently became lost in this area and that GPS systems would often cause individuals to make wrong turns, these facts are insufficient to establish that Officer Scott's stop of Velazquez's vehicle was supported by reasonable suspicion of criminal conduct.
No one likes to lose a drug bust, but offering up an argument that basically amounts to "the lack of suspicious behavior made me suspicious" is even worse than the government's routine insistence that driving from state to state on paved highways is suspicious because criminals often travel from state to state on paved highways.
While officers are generally free to make up their own traffic laws to initiate suspicionless stops, the officer here apparently failed to come up with anything better than "possibly [and suspiciously] lost" after interacting with Velazquez. The officer lucked into a drug bust, but "fortuitous discovery" isn't a recognized Fourth Amendment exception (or, at least, it shouldn't be one -- see also: "good faith").
There are few activities that separate citizens from their Fourth Amendment rights faster than driving but, at least in this decision, the rights didn't evaporate quite as quickly as Officer Scott may have hoped. Away goes the evidence. With that dismissed during oral arguments, the government decided there was nothing left to prosecute, so the charges have been dropped as well.
When Dirty Harry acolytes bitch about "technicalities" putting drug dealers back on the streets, these are the sorts of things they're often unknowingly referring to: law enforcement's inability to stay within the confines of the law and the Constitution.
40 Comments | Leave a Comment..
Posted on Techdirt - 23 September 2016 @ 1:03pm
It's not like the NYPD's earned enough trust to be given the benefit of a doubt, but it's latest excuse as to why it can't come up with requested data sounds about as believable as a soaking wet teen's explanation as to why the family car is currently lying at the bottom of the backyard pool isn't his fault.
The New York City Police Department takes in millions of dollars in cash each year as evidence, often keeping the money through a procedure called civil forfeiture. But as New York City lawmakers pressed for greater transparency into how much was being seized and from whom, a department official claimed providing that information would be nearly impossible—because querying the 4-year old computer system that tracks evidence and property for the data would "lead to system crashes."
The system that "tracks" this information (apparently by tossing input into a pile of unsearchable bits) was considered top of the line in 2012. Sure, technology moves fast but certainly not fast enough to turn something the NYPD claimed would "revolutionize" evidence/property tracking into a hulking pile of sullen, un-queryable data four years later. As Sean Gallagher of Ars Technica points out, the system was submitted for consideration for the 2012 Computerworld Honors, which hands out awards to leaps forward in information technology.
NYPD officials, responding to city's Public Safety Committee, explained that the top-dollar tracking system wasn't actually a system at all.
NYPD's Assistant Deputy Commissioner Robert Messner told the New York City Council's Public Safety Committee that the department had no idea how much money it took in as evidence, nor did it have a way of reporting how much was seized through civil forfeiture proceedings—where property and money is taken from people suspected of involvement in a crime through a civil filing, and the individuals whom it is seized from are put in the position of proving that the property was not involved in the crime of which they were accused.
Where accountability is needed most, it almost always seems to go missing. Asset forfeiture -- in multiple, mostly-nefarious forms -- is a law enforcement tool seemingly handcrafted for abuse and exploitation. When the NYPD isn't seizing cash and cars simply because Officer Smith thought he spotted a fleck of marijuana somewhere in a three-mile radius, it's taking ownership of people's personal belongings (phones, cash, etc.) simply because they happened to be in their pockets when they were arrested.
The NYPD's inability to quantify its sketchy takings isn't surprising. There's nothing to be gained from keeping a tracking system like this in working order. The more data the NYPD can provide to overseers, FOIL-wielding citizens, and meddling defense lawyers, the more likely it is that someone will uncover abuse of the forfeiture process.
The NYPD isn't satisfied with simply being a closed book -- it's actively engaged in removing pages. At some point, someone on the inside must have needed some information and found the tracking system unworkable. But the cost of fixing it -- both in terms of the money paid to contractors and the potential "harm" done to a very profitable program -- was likely considered too much of an expense to bear. So, when faced with demands for data, the NYPD excuses its lack of info production with "the database ate our homework."
What data has been pried loose from the unwilling NYPD already shows it willingly lies to city officials about its asset forfeitures, as the Village Voice reports.
The NYPD's testimony was also disingenuous: As part of a FOIL request filed by the Bronx Defenders, the NYPD had already compiled and released figures that show the staggering amounts that it has seized.
At the hearing, the NYPD claimed that it only legally forfeited $11,653 in currency last year — that is, gone to court and actually made a case as to why the NYPD should be taking this money.
In the accounting summaries which the Bronx Defenders submitted as part of its testimony, the NYPD reports that as of December 2013, its property clerk had almost $69 million in seized cash on hand. This amount had been carried over from previous years, showing an annual accumulation of seized cash that has reached an enormous amount. The documents also show that each month, the five property clerk’s offices across the city took in tens of thousands of dollars in cash, ultimately generating over $6 million in revenue for the department.
And where did the Bronx Defenders get its numbers? The same software the NYPD claims can't produce these numbers.
The report that the NYPD released appears to have been generated through the same use of their database that the department now claims is technologically impossible.
At the point of the database's inception, the NYPD claimed it would provide "cradle-to-grave" tracking of seized property. Apparently "cradle-to-grave" is about as meaningless a phrase as "unlimited data:" both terminate far sooner than their descriptors would indicate.
It may be the software can't handle complex queries encompassing the entirety of its seizure records, but that's not an acceptable excuse. The problem should have been caught and fixed by this point. I'm pretty sure the NYPD has some way of tracking seized assets since it seems to have few concerns about bouncing checks when spending the proceeds. But it's sure as hell not going to turn this over to opponents of its sketchy seizure programs without a fight. So when it became apparent the database would provide next to nothing in terms of accountability, the NYPD considered that a feature, rather than a bug.
54 Comments | Leave a Comment..
Posted on Techdirt - 23 September 2016 @ 10:50am
Secrecy still continues to shroud law enforcement Stingray use, in large part because courts have been far too receptive to the government's insistence that the release of any details at all would result in the expensive tech being rendered instantly useless.
The NYPD has decided to go past the usual "law enforcement means and methods" obfuscatory tactics and push a rather novel narrative about why it would be "dangerous" for IMSI catcher info to make its way into the public domain. (I mean more so… I guess.)
Joseph Cox of Motherboard reports the NYPD's latest opacity play involves hoodie-wearing males operating laptops in underlit rooms and comic book supervillain-esque levels of coordinated criminal activity.
In a recent case, the New York Police Department (NYPD) introduced a novel argument for keeping mum on the subject: Asked about the tools it uses, it argued that revealing the different models of IMSI catchers the force owned would make the devices more vulnerable to hacking.
In the words [PDF] of the NYPD's Gregory Antonsen, hackers would be able to crack open Stingrays like OPM records if the department were to turn over Harris Corp. contract info and nondisclosure agreements to the New York branch of the ACLU in response to its FOIL request. Also: terrorism.
The purpose of this affidavit is to explain the reasons that disclosing the Withheld Records would cause grave damage to counterterrorism and law enforcement operations, and so could endanger the lives or safety of New Yorkers.
Additionally, disclosing the Withheld Records would reveal confidential and non-routine criminal investigative techniques, which would hamper ability to conduct operations and would permit perpetrators to evade detection. Moreover, disclosure of the Withheld Records would jeopardize the ability of NYPD to secure its information technology assets.
After detailing the use of Stingrays to perform a variety of heartwarming investigations (tracking down a missing elderly person, rescuing someone from sex trafficking, etc.), Antonsen gets down to business. According to the NYPD's theory, any information released about the NYPD's IMSI catcher contracts could be "scrutinized" by bad guys who would be able to infer from extremely limited information the extent of the department's cellphone-tracking capabilities. It's basically the mosaic theory, but without the mosaic.
But the far stupider assertion is the one made without any supportive citations -- just a far-fetched hypothetical.
The CSS technologies are also critical and essential information technology assets. As such, all CSS technologies require periodic software updates. Public disclosure of the specifications of the CSS technologies in the NYPD's possession from the Withheld Records would make the software vulnerable to hacking and would jeopardize ability to keep the technologies secure. Of great concern is that a highly sophisticated hacker could use the knowledge of CSS technologies to invade the CSS software undetected, thus creating a situation in which law enforcement personnel are lured into a situation based on a misleading cell-phone location and are then trapped and ambushed.
The ACLU's Chris Soghoian has responded [PDF] to the NYPD's assertions. As to the claims that providing contract information would somehow result in sophisticated criminals finding ways to route around this surveillance, Soghoian points out that every Stingray device -- no matter its capabilities -- can be defeated by even the dumbest thug… and all without having to scour a redacted invoice for clues.
The most effective countermeasure, which can be used by anyone at no cost is to simply turn off a phone or put it into airplane mode. This will thwart tracking by any model of Stingray. Knowing the models of Stingrays that the NYPD uses does not make this countermeasure more or less effective. It is 100% effective regardless of which models of Stingrays the NYPD uses.
Soghoian went easy on the "but criminals will beat our IMSI catchers" argument. The "but we'll be hacked" argument is treated with all the respect it deserves: none.
It would be a serious problem if the costly surveillance devices purchased by the NYPD without public competitive bidding are so woefully insecure that the only thing protecting them from hackers is the secrecy surrounding their model names.
He also chides the NYPD for making claims the federal government isn't even willing to make.
The Harris Corporation, which in addition to manufacturing Stingrays has been awarded public contracts for securing the President's communications and supplying secure radios used by the U.S. Army, is clearly capable of designing secure products for its government customers that does not rely on keeping secret the mere existence of the devices for their security.
Soghoian also points out that the release of other information would similarly have zero effect on the devices' capabilities. Because they spoof cell towers, it does criminals no good to know how many the NYPD has or even where they tend to deploy them. A cellphone can't tell it's connected to a BS "tower." And just because the NYPD may be more likely to deploy them in certain areas does not guarantee that avoiding those areas will allow criminals to avoid detection.
And this wonderful paragraph snarkily deflates the NYPD's paranoid ravings its tech officers deploy as justification for continued secrecy.
Inspector Antonsen also claims that knowing the number of Stingrays owned by the NYPD may enable an extremely well-resourced criminal group to orchestrate a greater number of simultaneous hostage situations than the number of Stingrays available to the NYPD. Even assuming that such a sophisticated criminal group made the unlikely decision to rely on its knowledge of the number of Stingrays in the possession to use cell phones in executing such a hypothetical event, knowing that number will not help them as it is almost certainly the case that one, if not multiple, federal law enforcement agencies would step in and assist the NYPD with their own cellular surveillance technology. Moreover, this hypothetical is no different from saying that at some point some criminal group may be able to overwhelm the number of police cars that the NYPD owns or the number of police officers on the force.
It's hard to believe law enforcement is still throwing out these tired arguments after nearly a decade of incremental exposure of Stingray information. The NYPD wants publicly-available information (Stingray names, suggested retail prices) to somehow be the first cat successfully stuffed back into the bag. Since it has no legitimate arguments to justify this cat stuffing, tech officers are resorting to hypothetical scenarios even the most-handwavingest of sci-fi writers wouldn't feel comfortable inserting into their speculative fiction.
Read More | 34 Comments | Leave a Comment..
Posted on Techdirt - 23 September 2016 @ 3:18am
The DOJ is finally addressing some long-ignored problems with the forensic evidence its prosecutors rely on. For two decades, FBI forensics experts handed out flawed testimony in hundreds of criminal cases, routinely overstating the certainty of conclusions reached by forensic examination. Of those cases, 28 ended in death penalty verdicts.
An earlier attempt to address issues with flawed science and flawed testimony swiftly ran aground. Federal judge Jed S. Rakoff very publicly resigned from a committee formed to examine these issues after he was informed by the attorney general's office that he wasn't actually supposed to be examining these issues.
Last evening, January 27, 2015, I was telephonically informed that the Deputy Attorney General of the U.S. Department of Justice has decided that the subject of pre-trial forensic discovery -- i.e., the extent to which information regarding forensic science experts and their data, opinions, methodologies, etc., should be disclosed before they testify in court -- is beyond the “scope” of the Commission’s business and therefore cannot properly be the subject of Commission reports or discussions in any respect.
Because I believe that this unilateral decision is a major mistake that is likely to significantly erode the effectiveness of the Commission -- and because I believe it reflects a determination by the Department of Justice to place strategic advantage over a search for the truth -- I have decided to resign from the Commission, effective immediately. I have never before felt the need to resign from any of the many committees on which I have served over the years; but given what I believe is the unsupportable position now taken by the Department of Justice, I feel I have no choice.
Caleb Mason of Brown, White & Osborn (the "White" is Popehat's Ken White) reports that the DOJ appears to be taking these problems more seriously. It has issued a directive [PDF] forbidding forensic experts from making claims about "scientific certainty" when presenting evidence.
Directive Number 1 provides that agencies must now “ensure that forensic examiners are not using the expressions ‘reasonable scientific certainty’ in their reports or testimony.” Yes, you read that right. The Department of Justice is telling its forensic expert witnesses to stop claiming “scientific certainty.” Why? Because for most forensic disciplines, there never was any, and DOJ is—after decades of resistance—admitting it.
One of the forms of evidence is fingerprints, the thing every law enforcement agency makes sure to obtain when booking suspects because it's supposedly so infallible. But like almost everything else law enforcement forensic experts claim are reasonably certain, scientifically-speaking, examination of prints no more guarantees a match than examining bite marks.
Fingerprint examiners look for “matching points” in prints, but believe it or not, there are no general standards for which points to look at, how many points to look at, or even what counts as a “point.” Not only are there no established standards, there isn’t even general agreement within the forensic analysis community. Some people like eight points, others ten, others twelve. Many examiners insist they can make an identification with just a single point.
Even more amazingly, in stark contrast to DNA matching, no one knows what the statistical likelihood is of two fingerprints sharing particular points, or whether that likelihood is different for different regions or features of the print. This is the crucial question for any identification methodology, because while each person’s fingerprints may be unique, the examiner doesn’t look at every molecule—the examiner looks at whatever five (or eight, or ten) “points” he or she chooses to look at.
Why is this process still so vague even after decades of reliance on it for identifying suspects? Well, it's because the DOJ won't allow anyone other than the government to take a look at the collected records. Researchers who may have been able to make better determinations on how many points are needed for more definitive matches (or how often false positives are returned by the database) have been locked out by the DOJ.
But the big fingerprint databases are controlled by DOJ, and DOJ has steadfastly refused to let researchers use them for the types of analyses geneticists do with DNA. That’s what makes print analysis so frustrating: the data exists, so fingerprint analysis could be a genuine scientific discipline, with publicly-available databases, peer-reviewed research, known error rates, and accepted methodologies. It could be a real body of knowledge about the differential rates of occurrence among populations of particular physical features of our fingerprints. Hopefully one day it will be. But it’s not now, as the DOJ directives finally acknowledge.
The DOJ's not offering to open up its fingerprint database for outside examination. But at least it's admitting it hasn't let anyone without a vested interest in successful prosecutions take a good look at the methods used by its forensic examiners or the collected evidence they're working with.
[As a bonus, here's another fantastic read by Caleb Mason: a Constitutional examination of Jay-Z's hit track, entitled "JAY-Z’S 99 PROBLEMS, VERSE 2: A CLOSE READING WITH FOURTH AMENDMENT GUIDANCE FOR COPS AND PERPS."]
Read More | 54 Comments | Leave a Comment..
Posted on Techdirt - 22 September 2016 @ 4:44pm
In a victory that's only sure to add more entities to the list of government agencies wishing Jason Leopold was dead, a federal judge has decided to roll back some of the opacity surrounding electronic surveillance.
US District Court Judge Beryl Howell said at a hearing Friday morning that absent an objection by government attorneys, the court would post to its website next week a list of all case numbers from 2012 in which federal prosecutors in Washington, DC applied for an order to install a pen register or a trap and trace device.
This is a response to a petition by Leopold and Vice to unseal court dockets containing electronic surveillance affidavits, orders, etc. The step forward towards more transparency is welcome news, but it appears the wheels of justice aren't grinding any faster. This petition was submitted to the court in 2013.
Default mode for nearly any case involving law enforcement surveillance is pitch-black darkness. The government asks for cases to be sealed with alarming (and annoying) frequency, often claiming the potential exposure of law enforcement means and methods would be detrimental to the business of catching criminals. This makes no sense considering the technology used is decades old and the methodology has been common knowledge for nearly the same length of time.
And yet, these requests are granted more often than not. Howell's district (Washington DC) presides over an extremely high percentage of sealed cases.
That traditional aversion to court secrecy has been overcome in the last few decades. To take but one example, the case name In re Sealed Case first appeared in 1981; it is now the most common case name on the D.C. Circuit Court of Appeals docket.
That may be changing. In addition to cutting loose a list of 2012 case numbers, Howell is looking to prevent the government from relying on the DC district to rubberstamp its secrecy requests.
At Friday's hearing, Howell approved a plan that would lay the groundwork for the systematic review and unsealing of a large volume of federal court documents related to the government's use of electronic surveillance.
This is a process that should have been put into place years ago. And, if implemented, should be spread to all federal court districts. The government asks for dockets to be sealed because it doesn't want to tip off those who are being surveilled. Fair enough, but that doesn't explain why dockets remained sealed for months or years after investigations have been closed.
Howell is asking for a response from government officials, so there's a chance it will still be months or years before the list of 2012 sealed cases is released. But if the review process changes (i.e., there actually is one), then indefinite docket sealing will no longer be the presumption.
10 Comments | Leave a Comment..
Posted on Techdirt - 22 September 2016 @ 2:40pm
Drive it like you
stole seized it.
Documents provided by Outside Legal Counsel show the department seized the Ostipow’s 1965 Chevy Nova SS on April 24, 2008, when the vehicle’s mileage was 73,865. [Sheriff William L.] Federspiel, who signed the vehicle title transfer form, sold the partially restored muscle car over a year later on June 4, 2009, for $1,500.
The vehicle’s title certificate filled out by Federspiel around the time it was sold says the mileage was 130,000 — 54,000 miles more than when the department seized the car.
The backstory to this seizure and extended joyride starts at the plaintiff's farm. In 2008, the sheriff's office obtained a warrant to search a second house on the Ostipow's property -- one in which their son lived. In the house, deputies found marijuana plants and seeds. The Ostipow's steadfastly maintain they knew nothing about their son's illegal activities. Presumably, they allowed him to live his own life in a house located some distance away from theirs. [Photo courtesy of Outside Legal Counsel]
Ostensibly there for drugs, deputies soon broadened their horizons.
Instead of only seizing the illegal plants and seeds, deputies seized essentially everything from the farmhouse, including, oddly, dozens of animal mounts being kept long-term at the farmhouse by Gerald because Royetta, his wife, simply didn't like these mounted animals in the main house.
But that is not all the deputies seized. The deputies also went out to outbuildings of the farmhouse and seized all the equipment, deer blinds, hundreds of tools, and many other items which lacked any realistic connection to the pot plants and seeds of Steven's grow. They even seized the '65 Nova and the car trailer it was on.
Not satisfied with cleaning out the farmhouse the Ostipow's son resided in (as well as every building surrounding it), the deputies returned with another warrant and cleaned out the Ostipow's house -- one located a half-mile away from the supposed grow operation. They found no illegal evidence, but that didn't stop them from taking plenty of their property, including the cash in Gerald Ostipow's wallet.
Then they just kept coming.
In the weeks that followed, deputies from the Saginaw County Sheriff's Office would arrive, off duty, in their personal vehicles and would continue to take more items long after the completion of the execution of the search warrants. No inventory tabulation exists for these items taken and there appears to be no records of these "self-help" items being officially sold.
The proceedings -- which have dragged on for eight years now -- never resulted in criminal charges against the Ostipows. After a trip up to the state Supreme Court, it was finally determined that Gerald Ostipow "should have been aware" of the grow operation taking place on his property. But it was also determined that Royetta's (Gerald's wife) interest in the belongings taken was free and clear. The Sheriff's office was ordered to return most the property it seized.
The problem is that the Sheriff's department no longer had the property it seized, including the vehicle it racked up 54,000 miles on.
However, the injury inflicted upon the Ostipows was not complete. After the final judgment was entered, it was discovered that all of the Ostipow's property had been sold by Sheriff Federspiel (he himself having signed the vehicle title transfer document for the Nova) and members of his department before there was a final determination about forfeitability of items seized and held.
The department's actions are indicative of an agency that seldom has trouble retaining anything it designates as "guilty" property. So secure was the sheriff's office in its belief that it would ultimately prevail -- despite never bringing criminal charges against the couple whose assets it seized -- that it moved ahead with converting the property to cash without having any legal right to do so.
The Ostipows are now suing [PDF] the sheriff and his deputies in federal court for blithely blowing past even the minimal protections granted to victims of asset forfeiture. In addition to $1 million+ in damages, the Ostipows are seeking declarations that the asset forfeiture processes deployed by the sheriff's department are Constitutional violations and the compelled released of documents requested by the couple in an earlier FOIA request.
Hopefully, Sheriff Federspiel will learn from this experience. Then again, he's already converted a seized Mustang into a department/personal vehicle and has gone on record with statements that portray his anti-drug efforts as shopping trips for his department.
Federspiel hopes his department will claim more vehicles through drug forfeiture or drunk driving laws to equip his six-person cadre of captains, lieutenants and sergeants by the end of his first term. “I don’t want to buy another vehicle for my command staff,” he says.
He’s targeted a 2008 black Cadillac Escalade which, if acquired, would become the mobile, anti-drug dealing billboard for Undersheriff Robert X. Karl.
Given that this is the voice of leadership in the department, it's hardly surprising deputies feel search warrants entitle them to grab as much as they can from citizens they either can't or won't bring charges against.
Read More | 74 Comments | Leave a Comment..
Posted on Techdirt - 22 September 2016 @ 10:45am
Apparently the legal battle between a bunch of contractors providing "smart meter" equipment to the city of Seattle and FOIA clearinghouse MuckRock isn't over. The last time we checked in, a judge had overturned his own hastily-granted injunction, relieving MuckRock of the impossible demands placed on it by miffed tech provider Landis+Gyr -- which included handing over the details of everyone who might have seen Landis+Gyr's documents and "retrieving protected information that may have been downloaded" from the site.
MuckRock was allowed to reinstate the documents and Landis+Gyr walked away from a debacle of its own making. Another contractor utilized by Seattle Power and Light (Ericsson) had pursued a similar injunction but dropped MuckRock from its complaint, following Landis+Gyr into battle against the entity that had released the documents to requester Phil Mocek: the city of Seattle.
But there's still one company pursuing a case against MuckRock. The EFF, on its way back into court to fight the tenacious litigant, points out that Elster Solutions, LLC is still hoping to hold MuckRock accountable for publishing documents received from the city of Seattle. But it's impossible to ascertain why it's going after MuckRock.
First off, Section 230 shields MuckRock from this sort of litigation.
Section 230 provides broad protections for online platforms such as MuckRock, shielding them from liability based on the activities of users who post content to their websites. Given that broad immunity, MuckRock cannot be sued for hosting public records sought by one of its users regardless of whether they contain trade secrets.
MuckRock isn't the correct target because it only hosts the documents. It did not demand them itself, nor did it actively participate in the posting of the documents. MuckRock's system is automated. Default user settings will, without addtional input or control, post all correspondence and responsive documents pertaining to public records requests routed through the site. This makes Mocek's request and published documents third party, user-generated content.
The other reason why Elster's decision to name MuckRock as a defendant is completely misguided is this simple fact:
MuckRock currently does not host any documents from the company, Elster Solutions, LLC, that are subject to the public records request.
Even if MuckRock were able to obtain these documents, it wouldn't be doing so directly -- which is exactly what Elster claims has happened or might possibly happen. It wants to prevent the release of unredacted documents to the site (via requester Phil Mocek), but its litigious attention should be solely focused on the entity releasing them, rather than the site hosting them. At this point, MuckRock doesn't have anything Elster wants to argue about, and yet, it's doing so anyway. Its complaint is not only seemingly unfamiliar with Section 230 protections, but also severely deficient. From the EFF's motion to dismiss [PDF]
The Court should dismiss MuckRock from the lawsuit due to the obvious deficiencies in in Elster’s allegations in the Complaint. With respect to MuckRock, the Complaint contains precisely the type of bare, conclusory, or formulaic allegations the Court said were insufficient in Iqbal. See Yates, 2014 U.S. Dist. LEXIS 71077, at *8 (“[b]are, conclusory and formulaic allegations of involvement do not state a claim for relief against a particular defendant”). The Complaint mentions MuckRock in only three paragraphs, and in all three instances fails to specify any conduct by MuckRock that underlies any purported claim against it. (See Complaint ¶¶ 2, 6, 18.) Paragraph 6 references MuckRock’s domicile and state of incorporation. Paragraph 18 merely recites that Phil Mocek made a request for certain documents. And paragraph 2 is an introductory paragraph vaguely alleging that Mocek “and/or” MuckRock submitted a records request.
This lawsuit shouldn't last for much longer. What's surprising is that it's lasted this long already.
Read More | 6 Comments | Leave a Comment..
Posted on Techdirt - 21 September 2016 @ 12:51pm
Cyrus Farivar of Ars Technica reports that another federal judge has found the warrant used by the FBI to deploy its Tor-busting malware is invalid. This finding isn't unique. Multiple judges in various jurisdictions have found the warrant invalid due to Rule 41, which limits execution of warrants to the jurisdiction where they were issued. But only in a few of the dozens of cases stemming from the FBI's child porn investigation has a judge ruled to suppress the evidence obtained by the FBI's NIT.
A federal judge in Iowa has ordered the suppression of child pornography evidence derived from an invalid warrant. The warrant was issued as part of a controversial government-sanctioned operation to hack Tor users. Out of nearly 200 such cases nationwide that involve the Tor-hidden child porn site known as "Playpen," US District Judge Robert Pratt is just the third to make such a ruling.
In other cases, judges have found the warrant invalid, but have granted the FBI the "good faith" exception or found that the information harvested by the agency's hacking tool isn't protected under the Fourth Amendment. In one particularly memorable case, the presiding judge wandered off script and conflated security and privacy, suggesting that because computer hacking is so commonplace, the FBI should be allowed to peek into compromised computers (and compromise them!) and extract whatever it can without worrying about tripping all over the Fourth Amendment.
With hundreds of cases all over the nation (and many more handed off to foreign law enforcement agencies) stemming from a single warrant, this collection of rulings is far from coherent. But, more often than not, judges have found that the reach of the FBI's NIT deployment far exceeded its Rule 41 grasp. That all could change by the end of the year, making future investigations handled in this manner (running seized websites to deploy hacking tools) much less likely to be successfully challenged in court.
Judge Pratt's ruling [PDF], however, did at least shut down the government's Third Party Doctrine arguments.
There is a significant difference between obtaining an IP address from a third party and obtaining it directly from a defendant’s computer.
If a defendant writes his IP address on a piece of paper and places it in a drawer in his home, there would be no question that law enforcement would need a warrant to access that piece of paper—even accepting that the defendant had no reasonable expectation of privacy in the IP address itself. Here, Defendants' IP addresses were stored on their computers in their homes rather than in a drawer.
Analogies to physical objects are seldom perfect, but Pratt's does better than most.
"Judge Pratt correctly interpreted the NIT's function and picked the correct analogy," Fred Jennings, a New York-based lawyer who has worked on numerous computer crime cases, told Ars. Jennings continues:
[Pratt] correctly points out that the usual analogies, to tracking devices or IP information turned over by a third-party service provider, are inapplicable to this type of government hacking. A common theme in digital privacy, with Fourth Amendment issues especially, is the difficulty of analogizing to apt precedent—there are nuances to digital communication that simply don't trace back well to 20th-century precedent about physical intrusion or literal wiretapping.
The evidence suppression will likely result in charges being dropped, as anything located on the defendant's devices would have stemmed from the invalid NIT warrant. Outcomes like these don't do much to appease the general public, as the actions alleged are often viewed as indefensible. But the ugliness of the crime has no bearing on the Constitution and the rules governing search warrants.
The FBI can't play by different rules just because the targets are less sympathetic. That's why the push back against the proposed Rule 41 changes is important, because alterations to jurisdictional limits won't solely be used to chase down the worst of the worst. It will greatly expand the reach of questionable search warrants and investigative tools and encourage magistrate shopping by law enforcement to lower the level of scrutiny their deficient affidavits might otherwise receive.
Read More | 10 Comments | Leave a Comment..
Posted on Techdirt - 20 September 2016 @ 2:34pm
The Intercept has obtained user manuals for Harris Corporation's IMSI catchers, colloquially known as Stingrays, thanks to an anonymous leaker. The documents appear to have come from a Florida law enforcement agency. This would be the public's first chance to see these documents in unredacted form. These operating manuals have been held onto tighter by law enforcement agencies than nondisclosure agreements or info on investigations utilizing this technology.
The documents show what's so attractive about Stingrays: their power and their ease of use.
Richard Tynan, a technologist with Privacy International, told The Intercept that the “manuals released today offer the most up-to-date view on the operation of” Stingrays and similar cellular surveillance devices, with powerful capabilities that threaten civil liberties, communications infrastructure, and potentially national security. He noted that the documents show the “Stingray II” device can impersonate four cellular communications towers at once, monitoring up to four cellular provider networks simultaneously, and with an add-on can operate on so-called 2G, 3G, and 4G networks simultaneously.
The tech can be deployed easily thanks to a relatively user-friendly interface and offers an array of tools to be used that go beyond simply tracking the location of a targeted phone. Not only can these devices snag every phone that happens to be in range of the device, but the IMSI catcher can force every phone in the area to come down to its level, so to speak.
In order to maintain an uninterrupted connection to a target’s phone, the Harris software also offers the option of intentionally degrading (or “redirecting”) someone’s phone onto an inferior network, for example, knocking a connection from LTE to 2G.
However one might feel about the lawfulness of deploying mass surveillance to track -- in most cases -- a single suspected criminal, there has to be at least some concern that law enforcement can downgrade paying customers' connections while performing an investigation.
The user's manual [PDF] uses telco jargon almost ironically, referring to targeted phones as "subscribers" (who haven't intentionally signed up for law enforcement tracking) and the towers officers will be spoofing as "providers" (the cell companies whose connection will be replaced/downgraded as law enforcement sees fit). Lists of "subscribers" and "providers" can be imported and exported. "Subscribing" numbers can be given nicknames to more easily separate them from the countless other cell phone numbers swept up during the device's deployment.
Much of what's in the documents isn't exactly surprising. A lot of this has been sniffed out by FOIA requesters and defense lawyers, but until this point, the underlying details have mostly been implied -- read between redactions and parsed from deliberately-obtuse law enforcement testimony.
Harris can't be happy these documents have leaked. A warning on the Gemini control software manual [PDF] states that Harris must be allowed to challenge any disclosure of the contents of these documents -- which presumably includes law enforcement compliance with defense production requests. Law enforcement agencies can't be happy either, as it shows just how much power many of them have at their fingertips. But nothing stays a secret forever, especially when the surveillance technology in question has gone from overseas deployment against enemy combatants to chasing down fast food thieves in local neighborhoods.
Three can keep a secret if two of them are dead, as the saying goes. With hundreds of law enforcement agencies deploying cell tower spoofers thousands of times, the FBI's bullshit nondisclosure demands are apparently no replacement for a pile of silenced corpses.
Read More | 18 Comments | Leave a Comment..
Posted on Techdirt - 20 September 2016 @ 3:23am
German website Netzpolitik might be headed for another treason investigation. The German government went after the site once for publishing leaked documents detailing mass surveillance operations and it may do so again after its latest publication.
The site has obtained a classified report from the country's intelligence oversight office that shows the BND (Germany's intelligence service) illegally collected and stored data and information obtained via its partnership with the NSA.
The report’s executive summary describes serious violations of the law [emphasis added]:
The BND has illegally and massively restricted my supervision authority on several occasions. A comprehensive and efficient control was not possible.
Contrary to its explicit obligation by law, the BND has created [seven] databases without an establishing order and used them (for many years), thus disregarding fundamental principles of legality. Under current law, the data saved in these databases have to be deleted immediately. They may not be used further.
Although this inspection was only focused on the BND station in Bad Aibling, I found serious legal violations, which are of outstanding importance and concern core areas of the BND’s mission.
The BND has collected personal data without a legal basis and has processed it systematically. The BND’s claim that this information is essential, cannot substitute a missing legal basis. Limitations of fundamental rights always need to be based on law.
German (constitutional) law […] also applies to personal data which the BND has collected abroad and processes domestically. These constitutional restrictions have to be strictly abided by the BND.
Some of what was illegally gathered and stored was obtained via the NSA's XKeyscore program, which harvests email, online chats, and browser histories in bulk. The report notes that the indiscriminate collection of data and communications was subject to very little in the way of minimization, resulting in plenty of non-targets being swept up in the dragnet and their data/communications dumped into the BND's databases.
Because of its […] systematic conception, XKEYSCORE – indisputedly – collects […] also a great number of personal data of irreproachable persons. The BND is not capable of substantiating their number […]. In one case I checked, the ratio was 1:15, i.e. for one target person, personal data of fifteen irreproachable persons were collected and stored, which were – indisputably – not required by the BND to fulfill its tasks […].
The collection and processing of these data are profound violations of [the] BND law.
These infringements of constitutional rights are conducted without any legal basis and thus harm the constitutional right of informational self-determination of irreproachable persons. Furthermore, these infringements of constitutional rights result from the inappropriately – and thus disproportionately – large scale of these measures, i.e. the inappropriately large number of irreproachable persons surveilled […].
Not only did the BND harvest in bulk, but it also passed on this 1:15 collection unminimized to the NSA.
The amazing part of this leaked report is that it only details the violations of a single BND collection outpost. There are seven more in Germany yet to be examined. On top of that, the oversight body couldn't even get a clear picture of the illegal activities occurring at this single station. There were just too many of them.
This "storage and processing of personal metadata in VERAS is subject to the BND law and subsidiarily to the Federal Data Protection Act". But in many aspects the Data Protection Commissioner was hindered from examining the data properly. When requesting only the retained data of individuals protected by fundamental rights, the database had too many be displayed. Thus, she gradually reduced the time frame: "90 days, 30 days, 1 day". Still too many hits:
In none of the these cases, the system was able to display the hits because the number exceeded the limit of 15,002 – not even in the case of the least possible time restriction of one day.
This means the Federal Data Protection Commissioner was not able to examine the contents of the massive meta data retention. Additionally, she was not able to check how the BND used personal data, because: There are no logs.
The BND is neither aware of the kind or the scope of logs, nor was it technologically possible to access the log data of VERAS 6. Further, there existed no technical capability to analyze the logs.
Unfortunately, the violations found by the Data Protection Commissioner have since been codified into law. The BND is harvesting even more than it was when it was inspected, having just finished a 300 million euro revamp of its surveillance tech. Much like here in the US pre-Snowden, the oversight in Germany is relatively toothless. Whatever exists will be actively thwarted by intelligence agencies (the report states that BND deleted logs the Commissioner asked to examine) or by other legislators who are always willing to sacrifice the public's rights for national security.
16 Comments | Leave a Comment..
Posted on Techdirt - 19 September 2016 @ 9:34am
If you're going to argue against YouTube, Spotify, etc. and the supposed wholesale screwing of artists, it helps if:
A. You're not a former member of an entity with decades of experience in screwing artists, and
B. You have some grasp of basic economic concepts.
Paul Young, a former director of licensing for Universal Music Group, has an op-ed posted at The Hill decrying the unfairness of streaming services and the wrongness of the DMCA. But any point he's trying to make is buried under ignorance and the demand that some artists be treated more equally than others.
The music community’s grievances are the following: (1) The DMCA allows internet service providers to build ad-based businesses built upon infringing content that the artists cannot effectively police through “notice and take down” procedures; (2) If and when service providers pay the artists, it’s on the providers’ hopelessly complex terms, resulting in payments that offer fractions of pennies per view; (3) Service providers offer “free” teaser music to the public when copyright owners should have the absolute right to control distribution of their music.
(1) The DMCA sucks, but it sucks the way studios and labels wanted it to. Now they don't like it and they want to change it to suck in a different way. They're also arguing for "notice and STAY down," which works out great for labels/studios… unless they're inadvertently targeting their OWN site with unvetted DMCA notices.
(2) "Hopelessly complex terms" are included in almost every royalty agreement. Service providers don't have a monopoly on this behavior.
(3) If copyright owners want "absolute control," they're free to pull their music, movies, etc. from services they don't like. Not many have, because not many are willing to give up this revenue stream they constantly claim isn't paying enough. As for the artists themselves, they have no "absolute control" -- not if they're signed to a label. Young may be writing about screwed artists, but he's really only interested in protecting the "rights" of gatekeepers.
He confirms this by claiming major labels deserve to be treated better than other copyright owners.
Free music streaming is fair only for original, home-based music. However, what the public streams mostly comprises of premium, professional content. This content is expensive to create, risky to market and requires many behind-the- scene professionals.
It's OK for service providers to screw the little guy. But don't mess with the majors. They have oh-so-many mouths to feed -- mouths that are more deserving of revenue than creators that don't cut them in on the deal. Young wants a better deal for artists, but with a caste system attached.
Every minute, 400 hours of footage is uploaded to YouTube, much of it synched to copyrighted music. [Note: citation needed.] This gives YouTube a distinct advantage over Spotify, Tidal, Apple Music and other services that do not offer user-generated streaming of works they do not control.
Much of this YouTube footage is monetized with paid ads. YouTube retains a minimum of 45 percent of this revenue, at prices it sets (but does not reveal), irrespective of the content’s creation costs.
Major label music should "pay" more -- whether it's a premium in subscription fees or a larger cut of advertising revenue payouts. Why? Because it costs more to make. But production costs have little to do with pricing -- and that includes advertising revenue.
If we lived in Young's world, tickets to "Paranormal Activity" (production budget: $450,000) would be $5 and tickets to "Avatar" (production budget $425,000,000) would be $4,700. [Productions costs taken from here.] Buying My Bloody Valentine's "Loveless" would bankrupt music fans just as certainly as it nearly financially destroyed the label that released it, while Owl City's basement-produced hit album could presumably be had for a handful of pocket change.
Young -- and the label he worked for -- appear to believe the internet owes them a living. But just them. Not the rest of these shabby artists the labels are unwilling to gatekeep for.
Once Young has finished deliberately misunderstanding how markets work, he moves on to the point of his op-ed, which begins with him recycling the stupid "built on the backs of artists" trope that presumes no service provider could ever become successful without engaging in copyright infringement. Then he goes right off the rails.
I would argue for stronger, industry-wide measures: a complete repeal of the safe harbor provisions of the DMCA and a prohibition on any unauthorized uploading of the property of others.
The first part is insane. Young actually wants service providers to be fully responsible for the actions of their users. Like the ongoing attacks on Section 230 of the CDA, this is a very lazy, very dangerous attempt to paint targets on the backs of those who have money, rather than perform the more difficult work of targeting the users who actually commit copyright infringement, make defamatory statements, etc.
This line of thinking says labels and studios need do nothing more than bitch loudly and expect everyone else to solve their problems -- whether it's websites, legislators, or internet service providers. This is how they "protect" their artists. By complaining stupidly and demanding the internet be torn apart and rebuilt to their specifications, damn the collateral damage.
The second part is just moronic. Every site prohibits unauthorized uploadings. Active efforts are made to police uploaded content and any site that wants to stay alive for long sets up a DMCA agent to respond to takedown notices. But it's never enough. Young apparently feels current prohibitions just aren't prohibitive enough, as though there were a magical tech solution somewhere that might prevent any unauthorized uploading from taking place ever again, if only service providers weren't so busy raking in billions on the backs of major label artists.
The whole op-ed is an embarrassment. But, unfortunately, it's par for the course in major label/studio arguments. It's worse than the blind leading the naked. It's the ignorant leading the angry. It's short-sighted rent-seeking by people who somehow think they can force more revenue out of service providers by destroying the protections that have allowed them to prosper.
46 Comments | Leave a Comment..
More posts from Capitalist Lion Tamer >>