Capitalist Lion Tamer’s Techdirt Profile

capitalisliontamer

About Capitalist Lion Tamer (Techdirt Insider)

List of blogs started with enthusiasm, which now mostly lie dormant:

[reserved for future use]
http://5k500k.wordpress.com

[recently retired]
http://capitalistliontamer.wordpress.com

[various side projects]
http://cliftonltanager.wordpress.com/
http://bl0wbybl0w.wordpress.com/
http://thepenismadeoutofspam.wordpress.com/



Posted on Free Speech - 18 August 2017 @ 6:46am

Louisiana's Criminal Defamation Law Abused Again, But This Time The Gov't Gets Away With It

from the don't-insult-the-king(s) dept

Louisiana has a bad law that needs to be taken off the books. (Well, it probably has several but this discussion will only deal with one.) Previous court decisions have ruled the law unconstitutional but somehow it lives on to be a vehicle of harassment by law enforcement, often at the encouragement of government officials.

This would be Louisiana's criminal defamation law. This was the law (ab)used by Sheriff Jerry Larpenter of Terrebonne Parish to shut down an online critic by raiding the blogger's home and seizing several electronic devices. The target of the supposed defamation was a board commissioner -- someone who wasn't actually covered by the law, which the courts have held can only be applied when the person allegedly defamed is a private individual not engaged in public affairs.

A federal district court in Louisiana recently stripped Sheriff Larpenter of his immunity for abusing this law. It stated the outcome bluntly in the first sentence of its opinion.

Some qualified immunity cases are hard. This case is not one of them.

The court points out both the Supreme Court of the United States and Louisiana's highest court have reached the same conclusion: the law cannot be applied to speech targeting public officials.

Concluding that "[i]t is for the [state] Legislature to correct [§§ 14:47-49's] constitutional infirmity"—namely, "its overbroad application" as identified in Garrison—the Louisiana Supreme Court held §§ 14:47-49 "to be unconstitutional insofar as they attempt to punish public expression and publication concerning public officials, public figures, and private individuals engaged in public affairs." Id. at 668; see also State v. Defley, 395 So.2d 759, 761 (La. 1981) (observing that § 14:47 "is unconstitutional insofar as it punishes public expression about public officials").

Since Snyder, the Louisiana legislature has not revisited §§ 14:47-49. The Louisiana Supreme Court's holding as to the reach of § 14:47 therefore remains the law of the land.

Not that anyone appears to have noticed. Sheriff Larpenter ignored two high court rulings and used the law in exactly the way those rulings forbid. But Larpenter isn't the only law enforcement official abusing the law, and far from the only government official in general.

The Fifth Circuit Court of Appeals has handled another case springing from the unconstitutional application of the state's criminal defamation law. While the findings aren't nearly as favorable to the appellant, the decision [PDF] does point out the law cannot legally be used the way it has been in this case.

Just like the Larpenter case, this one begins with offended public officials.

Sometime before April 16, 2012, the Livingston Daily Times published an opinion piece titled “Sue Happy Seven Councilmen,” which discussed complaints about the Livingston Parish Council’s misuse of public funds. A URL link to the piece was posted on a separate Facebook page maintained by the Livingston Daily Times. The Facebook post was open to public comment. Using a pseudonym, someone posted “critical comments” about three Council members—James R. Norred, Jr., Cynthia G. Wale, and Chance McGrew Parent (the “Council Defendants”). McLin alleges that the statements “merely constituted criticism of official conduct of public officials.”

Even if the comments were defamatory (something the court doesn't discuss), the correct response would be a civil suit, not criminal charges. But if the state legislature isn't actually going to repeal the shitty law, the following sort of things are going to keep happening.

On April 20, 2012, Parent filed a report with the Livingston Parish Sheriff’s Office (“LPSO”) alleging that the anonymous Facebook user had “posted a comment in regards to numerous elected counsel [sic] members.” In response, LPSO Detective Benjamin Thomas Ballard obtained subpoenas to Facebook and Charter Communications. The subpoena responses linked McLin’s home address to the Facebook account that posted the critical comments. Ballard obtained a search warrant for McLin’s home, and he and LPSO Detective Jack R. Alford, Jr. executed the search warrant on June 11, 2012. Ballard and Alford confiscated electronic devices and equipment, and a forensic analysis purportedly linked one of the confiscated computers to the anonymous Facebook user.

Anyone could have put a stop to this. But no one did, not even officers who -- as another federal court put it when dealing with this stupid statute -- are "presumed to know the law."

Upon receiving this information, Ballard, Alford, and other officers (together with Sheriff Jason Gerald Ard, the “Officer Defendants”), and the Council Defendants (together with the Officer Defendants, the “Defendants”) met on August 16, 2012, to discuss pursuing criminal charges against McLin. Some of the officers urged that criminal defamation charges under Louisiana’s criminal defamation statute—Louisiana Revised Statute § 14:47—were warranted. The Council Defendants asked to pursue the charges against McLin and “swore out criminal complaints” contending that they were each subjected to criminal defamation as a result of comments McLin allegedly posted to Facebook.

Thin skins and stupid laws are great for generating civil rights lawsuits. McLin turned himself in after finding out three arrest warrants had been sworn out. The district attorney dropped all charges four months later. McLin has a good case, one would think. According to the court, the lawsuit should be allowed to continue...

The factual allegations in McLin’s complaint sufficiently plead that the Defendants lacked probable cause to prosecute McLin for violating the Louisiana criminal defamation statute. McLin alleges that the anonymous Facebook comments—posted to a news story about Council members and the Council’s misuse of public funds—did not amount to criminal defamation but rather “merely constituted criticism of official conduct of public officials.” Speech criticizing the official conduct of public officials is protected by the First Amendment and does not constitute criminal defamation.

McLin further alleges that, upon linking the comments to him, and with knowledge that McLin’s comments were protected by the First Amendment, the Defendants met and conspired to create falsified affidavits for the purpose of obtaining arrest warrants on charges of criminal defamation. See Rykers v. Alford, 832 F.2d 895, 898 (5th Cir. 1987) (“[A]n officer charged with enforcing Louisiana law[] can be presumed to know that law.”). On these facts, which must be taken as true, we conclude that McLin’s complaint adequately alleges an unreasonable seizure because the Defendants could not have believed they had probable cause to arrest him.

Unfortunately, all the good news for McLin ends there. The court still grants immunity to the officers on the Fourth Amendment claims basically because McLin turned himself in rather than wait around to be arrested.

Here, we cannot say that every reasonable officer would understand that McLin was seized for purposes of the Fourth Amendment. To date, neither the Supreme Court nor the Fifth Circuit has decided that an officer’s acceptance of a voluntary surrender to an arrest warrant constitutes a Fourth Amendment seizure. And there is no “robust consensus of persuasive authority”: only one circuit—the Eleventh—has found a seizure in these circumstances in a published opinion, and a majority of circuit courts have not yet weighed in. Although we now hold that McLin was seized, reasonable officers might not have understood that accepting McLin’s surrender to the arrest warrants, without imposing further pre-trial restrictions, constituted a seizure.

This decision contrasts sharply with the federal district court's opinion in the Larpenter case. Both deal with the same law -- one twice ruled unconstitutional -- and yet here no one abusing the law will suffer any ill effects. McLin did the cops a favor by showing up at their place with his hands ready for cuffing. And for that, he can't sue law enforcement officers who sought arrest warrants based on a law they should have known couldn't be used to bring charges against him.

Louisiana has enough rights violations going on at any given time. There's no reason legislators should allow this law to remain on the books any longer. The only thing it does is encourage people the law doesn't apply to (public figures) to work with compliant law enforcement agencies to shut down criticism.


Posted on Techdirt - 17 August 2017 @ 1:34pm

North Carolina Election Agencies First Learned They'd Been Hacked From Leaked Documents Published By The Intercept

from the accelerated-disclosure dept

At the time, the documents leaked by NSA contractor Reality Winner -- showing Russian interference in the recent election -- didn't seem to be of much importance. They showed something that had long been suspected, but also showed the NSA performing the sort of surveillance no one really disapproves of. The documents were in the public's interest, but weren't necessarily of the "whistleblower" variety.

That aspect of the documents hasn't changed, but public interest in the unauthorized disclosure certainly has. In a post for Emptywheel, Marcy Wheeler takes on an NPR story about actions taken by electoral agencies as a result of the leak.

The company that provided the software for the poll books is VR Systems — the company that the document Reality Winner leaked showed had been probed by Russian hackers.

[S]usan Greenhalgh, who’s part of an election security group called Verified Voting, worried that authorities underreacted. She was monitoring developments in Durham County when she saw a news report that the problem pollbooks were supplied by a Florida company named VR Systems.

“My stomach just dropped,” says Greenhalgh.

She knew that in September, the FBI had warned Florida election officials that Russians had tried to hack one of their vendor’s computers. VR Systems was rumored to be that company.

Now, there's an investigation underway in North Carolina, linked directly to the documents leaked by Reality Winner. Josh Lawson, general counsel for the state's board of elections, said it first learned about the hacking from the Intercept's article.

Which makes you wonder when the federal government was going to get around to notifying affected state agencies. When local agencies are learning about Russian hacking from leaked documents rather than straight from the source, the downward flow of pertinent information seems to be more than a little broken.

Not that this news will do Winner any good as she heads to court. As noted by Ed Snowden earlier, and reaffirmed here by Marcy Wheeler, any positive outcomes resulting from leaked documents can't be raised by the defendant.

Last week, Magistrate Judge Brian Epps imposed a protection order in her case that prohibits her or her team from raising any information from a document the government deems to be classified, even if that document has been in the public record. That includes the document she leaked.

The protective order is typical for leak cases. Except in this case, it covers information akin to information that appeared in other outlets without eliciting a criminal prosecution. And more importantly, Winner could now point to an important benefit of her leak, if only she could point to the tie between her leak and this investigation in North Carolina.

With the protection order, she can’t.

This is generally how things go in espionage cases. This is what Snowden detractors ignore when they argue he should just return home and face a "fair trial." There are no fair trials in espionage cases. In Winner's case, the order is so broad it forbids her legal reps from discussing any classified document or any document they believe might be classified (or derived from classified documents), even if those documents have been leaked and published by journalistic entities.

The info in the leaked documents led to an investigation. This may excuse the leak in the minds of those whose first encounter with evidence of Russian hacking came from a site known for publishing leaks, rather than the federal government performing the surveillance that uncovered it. But this is of no use to Reality Winner, or any leaker in her position. No matter how much good may result from unauthorized disclosures, the government only cares about the authorization.


Posted on Techdirt - 17 August 2017 @ 11:53am

Palantir's Law Enforcement Data Stranglehold Isn't Good For Police Or The Policed

from the all-the-problems,-none-of-the-accountability dept

Palantir has made government surveillance big business. It's a multi-billion dollar company built mainly on government contracts. Its tech prowess and computing power have made it the go-to company for data harvesting and many of its most loyal customers are local law enforcement agencies.

Mark Harris of Wired has put together a fascinating exposé of the company's work with US law enforcement based on documents obtained via FOIA requests. What's uncovered does little to alter Palantir's reputation as an enemy of personal privacy. What's added to this rep isn't any more flattering: the documents show Palantir handles data carelessly, ties customers into overpriced support/upgrades, and otherwise acts as though it has to answer to no one.

In one case, files marked as sensitive by a Long Beach drug squad detective were still accessible by other officers who shouldn't have had access. Multiple emails to Palantir failed to resolve the issue. Making it worse was the fact the problem couldn't be contained in-house. When agencies sign up for Palantir services, they're given heavily-discounted rates if they allow their data to be shared with other law enforcement agencies. Detectives hoping to protect sensitive sources and undercover cops from outside access were finding out their employers had signed that option away in exchange for cheaper initial pricing.

That's just the beginning of Palantir problems uncovered by these public document requests:

In the documents our requests produced, police departments have also accused the company, backed by tech investor and Trump supporter Peter Thiel, of spiraling prices, hard-to-use software, opaque terms of service, and “failure to deliver products” (in the words of one email from the Long Beach police). Palantir might streamline some criminal investigations—but there’s a possibility that it comes at a high cost, for both the police forces themselves and the communities they serve.

These documents show how Palantir applies Silicon Valley’s playbook to domestic law enforcement. New users are welcomed with discounted hardware and federal grants, sharing their own data in return for access to others’. When enough jurisdictions join Palantir’s interconnected web of police departments, government agencies, and databases, the resulting data trove resembles a pay-to-access social network—a Facebook of crime that’s both invisible and largely unaccountable to the citizens whose behavior it tracks.

Palantir encourages the use of predictive policing. By analyzing data from past incidents and arrests, agencies are supposed to be able to identify "hot spots" where criminal activity is likely to occur and step up patrols in those areas. There are several problems with this approach, not the least of which is the latent encouragement of profiling by officers patrolling these areas, who are likely to view everyone they approach as a criminal suspect, rather than someone who just lives or works in a software-generated "hot spot."

But the problems go deeper than that with Palantir involved. Predictive policing is data-driven. But it is also a victim of circular logic. If predictive policing doesn't appear to be having much effect, the usual solution is to feed it more data. Palantir's predictive algorithms are particularly data-hungry. Officers patrolling hot spots are required to fill out heavily-detailed encounter reports, detailing everything they can about the person spoken to, as well as anything else observed in that area. This is all fed into Palantir's predictive policing software.

By this point, data gathering has become so streamlined that law enforcement agencies have begun allowing Palantir to swallow other law enforcement databases -- namely CLETS (the California Law Enforcement Telecommunications System) -- and crunch that data into something actionable. Sure enough, Palantir's software has coughed up… something. But tips as bad as these should come from unvetted informants and questionable eyewitnesses, not multimillion-dollar programs.

In February 2013, JRIC was tasked with tracking down Christopher Dorner, an ex-LAPD officer who had embarked on a series of shootings targeting law enforcement officers. The effort involved dozens of agencies across the state. “We used Palantir extensively to address that [and] were active 24/7 until he was caught or killed,” remembers Jackson. “We found that processing clues was a big challenge.”

In fact, on two separate occasions, police shot at trucks misidentified as belonging to Dorner, injuring three civilians.

A larger problem, at least in terms of personal privacy, is the potential for abuse. Smaller data silos meant unauthorized use/access of law enforcement databases could at least be somewhat mitigated by the limitations of the database itself. Now, with multiple agencies tied together through Palantir's data sharing (along with its swallowing of existing law enforcement databases), those wishing to abuse their access have a much larger dataset to dig through.

In the end, someone has to pay for all this data. And, man, will they ever. Obtained documents and interviews with officials show Palantir seduces law enforcement with low introductory prices before ratcheting up the fees once they have nowhere else to go.

According to LA County contracts, when JRIC committed to the full Palantir system in October 2011, the LASD paid around $122,000 each for 20 Palantir “cores”: packages of already-configured computer servers bundled with preinstalled software. That price was approximately $19,000 less per core than Palantir charged the federal government. According to paperwork for the pilot program, LASD received a “special discount because it [would] be the first in the LA basin to use this software.”

[...]

Palantir’s customers must rely on software that only the company itself can secure, upgrade, and maintain. Although the letter noted Palantir had not provided JRIC with any of its requested (but unspecified) metrics by spring 2016, the company is set to receive annual maintenance payments of nearly $2.5 million from the fusion center through the spring of 2019.

That's taxpayer money being fed to a single-source contractor whose end goal is to tie everyone to everyone else using steep discounts predicated on data sharing. And it appears to be drowning in data, with no customer able to point to positive, real-world changes that can be conclusively linked to Palantir's law enforcement software. But it's too late to do anything about it. In California, law enforcement agencies bought cheap and surrendered control. It's likely happening elsewhere in the nation, but the paper trail has yet to be exposed. Citizens, of course, are the ones paying for all of this, not only with their tax dollars but with their individuality, having been reduced to data points in a stream of alleged criminal activity held by a private party that's probably already imagining secondary markets for its law enforcement data stores.


Posted on Techdirt - 17 August 2017 @ 6:36am

Aspiring Actor Forges Court Order To Delist Content, Gets Busted By Judge, Forges Court Order To Delist Article About Contempt Charges

from the love-to-be-wrong-on-the-internet-all-the-time dept

Eugene Volokh (along with Public Citizen's Paul Levy) has made a cottage industry of sniffing out bogus/fraudulently-obtained court orders demanding the delisting of unflattering content. Much of this seemed to be the work of desperate reputation management "gurus," who had over-promised and under-delivered in the past. Abusing the DMCA process only goes so far. Sometimes you need to lie to judges to get things done.

Sometimes you just need to pretend you're the judge. Convicted sex offender Abraham Motamedi forged a court order awarding himself legal fees and the delisting of content indicating he was a convicted sex offender. When called on it, Motamedi claimed he had nothing to do with it while also claiming the order was legit. These two viewpoints cannot be resolved logically. If it was legit, Motamedi would have had to appear in court to obtain it. If it wasn't legit, then assertions otherwise won't suddenly make a nonexistent case appear on a Michigan court's docket.

Forgeries continue, as Eugene Volokh reports. A man who attempted to use a forged court order to vanish content from the internet appears to have doubled down.

In April, I mentioned two prosecutions for such forgeries, including a prosecution of one Garner Ted Aukerman, who was convicted of contempt of court based on a judge’s finding that he was responsible for “a fraudulent court order [that] has never been entered by [the] court”:

"Apparently Mr. Aukerman has taken [an] order setting the matter for hearing and deleted the middle section of that order in which he generated [in context, I think this means “inserted" -EV] the detail concerning the court’s findings and orders. A hearing was never held, those findings were never made and the order is completely fraudulent."

Then, Monday, I saw that someone had submitted a takedown request to Google, asking that it remove (among other things) my April post, a copy of the forged court order, and a court order from a different Ohio court that declared Aukerman to be a vexatious litigant and thus requiring him to get leave of court before filing lawsuits.

Perhaps no layperson understands the flow of legal documents quite like a vexatious pro se litigant. By "understand," I mean, has at least a passing familiarity with their general appearance and what they should contain. Still, even the most vexatious of litigants isn't going to be able to produce a fake court order targeting actual legal experts and get away with it.

Garner Aukerman apparently tried to muddy the waters by making the fake court order look like it was part of his own criminal prosecution. That case has a sealed docket, which makes it a little tougher to determine which of the several documents accompanying his takedown request doesn't belong. Unfortunately for Aukerman, his supposed delisting order confuses two legal issues in a way no real judge would.

The first part of the order provides for the sealing of criminal records after a certain amount of time has passed. This is legitimate. But the order goes on to demand the "sealing" of Volokh posts and posted documents about Aukerman's past bogus legal work, calling them "defamatory." Well, there are defamation cases and post-release criminal record expungement, but they aren't interchangeable and no judge is going to randomly declare some internet content to be defamatory for the hell of it while reminding a convict of his expungement rights.

Even if that part were struck, post-release expungement would only remove the government's official records pertaining to Aukerman's conviction. It has no power to demand that the rest of the internet participate in the expungement. There's no right-to-be-forgotten law in the United States and, for better or worse, the internet tends to remember things long past the point the government itself has officially forgotten about them.

Volokh contacted the issuing court and discovered (to no one's surprise) the court hadn't actually issued this order. He also spoke to Aukerman, who claimed what he sent to Google was nothing more than a proposed order. Even if true, there's no point submitting a proposed order because no one's under any legal obligation to do anything until a judge approves it... unless the real point is to try to push one past Google's takedown review team and hope it doesn't notice the obvious fakery.


Posted on Techdirt - 17 August 2017 @ 3:34am

FOIA Lawsuit Filed Over DOJ Data Complainant Is Pretty Sure Doesn't Even Exist

from the press-SEND-to-undermine-presidential-credibility dept

Benjamin Wittes of the Lawfare blog has filed a FOIA lawsuit against the DOJ, hoping to force the government to put its documents where the president's mouth is. [h/t Pwn All The Things]

Back in February, President Trump made the following assertion before a joint Congressional session:

“According to data provided by the Department of Justice, the vast majority of individuals convicted of terrorism and terrorism-related offenses since 9/11 came here from outside of our country.”

But what data? That's what Wittes is seeking. As he pointed out in April, it appears the president generated this assertion completely out of firing synapses and airborne vibrations.

I'm going to be very blunt here: I not only believe that the White House made up "alternative facts" about the substance of this matter in a Presidential address to a Joint Session of Congress, I don't believe that the National Security Division of the Justice Department provided any data or analysis to the White House that could reasonably be read to support the President's claim. In other words, I believe the President was lying not merely about the underlying facts but about his own Justice Department. Or, in the alternative, I believe it's possible that the Office of the Attorney General may have supported the White House's claim. But I think it extraordinarily unlikely that the folks at NSD actually provided data in support of this presidential statement.

Other authors at Lawfare examined the claim in detail, finding that when people extradited to America to face charges were excluded from the count, the ratio of foreign-born terrorism convicts dropped to 18-21% of the total -- not anywhere near a "vast majority."

Beyond that, there's likely zero data available to support Trump's claim. Wittes notes the DOJ doesn't actually track where convicts are born, and certainly doesn't do so when foreigners are booted from the country by immigration enforcement, only to be dragged back to face criminal charges.

Wittes filed a FOIA request for the numbers the DOJ supposedly "provided" to the president. So far, he's heard nothing back. His requests have been acknowledged but no further processing has been done, not even a determination as to whether he'd qualify for a fee waiver. Now, he's suing [PDF].

Wittes refers to this as the "friendliest lawsuit ever," given that it's not being fired off in hopes of liberating documents the DOJ would rather not part with, but instead to give the DOJ an opportunity to state -- on the record -- that it has none of the information Trump claimed was handed over to him. It would give the DOJ a way to contradict the president's claims without looking like it's intentionally undermining the president's assertions. Considered from this angle, it's the sort of lawsuit the DOJ might actually welcome -- although if it were truly interested in disputing the president's statement, it might have provided Wittes with a more substantive response, rather than waiting until it became a problem for the judiciary.


Posted on Techdirt - 16 August 2017 @ 10:42am

Impostor Sending Out DMCA Notices In Chaturbate's Name Now Targeting Techdirt URLs

from the doubling-down dept

A couple of weeks ago, I wrote about a long series of questionable DMCA notices I thought had been issued by online onanism portal Chaturbate. The takedown requests appeared to have been generated by a faulty algorithm with no human vetting involved. Many of those I examined appeared to target names of Chaturbate broadcasters, but without any of the precision one normally associates with the word "target." Sites named for delisting included geographical research, an Amazon page for a book about the Hadron Collider, track meet records collections, and even Chaturbate itself.

After some discussion with Chaturbate, it was determined that someone was filing notices in Chaturbate's name, but without Chaturbate's official blessing. The scattershot, extremely prolific approach was now harming Chaturbate's reputation, tying it to bogus DMCA notices targeting all sorts of non-infringing content. (I have since updated the original post to reflect my conversations with Chaturbate and to offer my apologies for naming the wrong party in the original post.)

Whoever's performing these bogus takedowns hasn't stopped. Chaturbate's legal rep has been asking Google for more details on the impostor requests. Google is looking into it, but so far has only provided an incredibly long list of likely auto-generated Gmail addresses as the source of these bogus notices, which now number into the thousands.

While we continue to work towards discovering who's behind these bogus notices, there have been some interesting developments. First, the impostor is now including Techdirt URLs, including the original post and my user page, in their takedown requests.

Second, whoever's doing this appears to have read my post. The issuing party has changed from Chaturbate LLC to Multi Media LLC. This is the name Chaturbate uses when it issues takedown requests. I never used the name in the updates to the post but did link to an example of a genuine Chaturbate takedown notice, as supplied to me by Chaturbate's representatives.

This would seem to indicate whoever's behind the bogus takedowns is aware multiple parties are trying to expose them. The DMCA notices containing Techdirt URLs otherwise contain almost nothing but adult-themed URLs, suggesting the TD pages may have been added in an attempt to bury the story. It could still be that a faulty algorithm is flagging anything containing words like "Chaturbate," but the relative lack of unrelated sites suggests a slightly more targeted approach is being taken, even though there's still an emphasis on quantity over quality.

The other theory is the post hasn't been read, but the impostor has received challenges from Google when submitting notices under the Chaturbate LLC name. A little research may have uncovered the fact Chaturbate's legitimate takedown service only issues takedowns under the Multi Media LLC name.

If the impostor is reading these posts, they might want to remember the perjury side of it doesn't cover the URLs targeted for takedown, but rather the assertion they represent the rightsholders listed in the notices. According to Chaturbate, this impostor doesn't. All rights are retained by each individual Chaturbate broadcaster and Multi Media LLC makes no claims otherwise when issuing takedown notices on behalf of its clients. The impostor, however, makes these claims for several performers in each takedown request and does so under the names of companies they don't work for or represent. We're still trying to find out who's behind this and will keep you posted as this investigation proceeds.


Posted on Techdirt - 16 August 2017 @ 3:23am

Proposed Law Would Turn US Borders Into Unblinking Eyes With A Thirst For Human DNA

from the all-the-bad-lawmaking-in-one-large-PDF dept

Some senators are looking to turn US borders into the equivalent of London: cameras everywhere and a host of new incursions into travelers' and visitors' privacy. Cyrus Farivar of Ars Technica "outed" the not-yet-introduced bill -- titled "Building America's Trust Act" [wtf] -- since the supporting lawmakers have yet to formally announce their plans to make the US a worse country to live in, much less visit.

The one-pager [PDF] for the bill [PDF] (which is 186 pages long) makes it clear what the objective is: more surveillance, more boots on the ground, and green lights for law enforcement agencies located anywhere within 100 miles of the nation's borders. The bill calls for more judges, prosecutors, law enforcement officers, and inspectors, as well as walls, levees, fences -- whatever might further separate the US from its bordering neighbors (but only the southern one, apparently).

First off, there will be an increase in aerial surveillance. The bill calls for an increase in manned flight hours, as well as mandating drone flights at least 24 hours a day for five days a week. This would be in addition to increased use of surveillance equipment that can be mounted on vehicles or carried by humans. The DHS will also be allowed to draft the National Guard to perform border patrol duties and construct fences and walls and set up/monitor surveillance equipment.

The list goes on and on. (And on.) Customs and Border Patrol (and any agencies assisting it) will be exempted from 30 state and federal laws governing (among other things) use of public land should it be determined these ecology-protecting statutes "interfere" with the CBP's border patrolling efforts. The bill would also exempt border security efforts from the normal federal bidding process, allowing agencies to use non-competitive means to hire employees and source contractors. The bill would also raise staffing levels, providing for signing bonuses of up to $10,000 per new hire and an expanded waiver of the CBP's polygraph test requirement.

The law would allow border security agencies to obtain Defense Department surveillance gear, with an eye on round-the-clock surveillance in some form and increased gathering of biometric information. More specifically, the bill asks for this:

The Secretary shall create a system or upgrade an existing system (if a Department system already has capability and capacity for storage) to allow for storage of iris scans and voice prints of aliens that can be used by the Department, other Federal agencies, and State and local law enforcement for identification, remote authentication, and verification of aliens. The Secretary shall ensure, to the extent possible, that the system for storage of iris scans and voice prints is compatible with existing State and local law enforcement systems that are used for collection and storage of iris scans or voice prints for criminal aliens.

This will be fed by the DHS's biometric entry-exit collection, meaning it won't just be foreign visitors adding to the pile of biometric data. The law calls for the program to be put in place at all high traffic ports of entry (including major airports) within two years. As we've seen from previous pilot programs, there's no good way to ensure US persons aren't swept up in the biometric scanning. All we have are assurances these "inadvertent" collections will be siloed off from the DHS's foreigner collection.

Customs authorities will also be given power to demand biometric info from visa applicants and DNA will be collected from all detained immigrants, whether or not they're criminally charged. This information will then be shared with the State Department and the FBI.

From there, the law adds other politically-charged stipulations, like an entire subsection entitled "Stop Dangerous Sanctuary Cities Act." Also of note: the bill would allow law enforcement to seize everything from cash to bitcoins if they're suspected to be "criminal proceeds." It also strips away any mens rea protection from accusations of money laundering, allowing the government to seize money/charge suspects with a federal crime whether or not they knowingly engaged in criminal activity.

The whole package is basically 186 pages of surveillance expansion and xenophobic legalese. The sole benefit of the bloated bill is it consolidates so many anti-foreigner objectives into a single PDF, saving opponents the trouble of having to track a few dozen similarly-minded bills. The limits on the collection and use of biometric data are almost nonexistent and there's nothing in it specifically ordering agencies to keep US citizens out of the data pile. A number of law enforcement agencies have already offered their endorsement of the bill, suggesting it's spent some time being circulated among proponents. Now, it's in the hands of the rest of the country, where it's unlikely to see such unqualified support. It's a Patriot Act but for the border -- a hysteria-based bill that panders to the president's desires.


Posted on Techdirt - 15 August 2017 @ 6:46pm

Saudi Government Looking To Jail More Citizens For 'Harming Public Order' With Their Religious Tweets

from the perpetual-crackdown-mode dept

The internet may be an amazing communication tool, but it's also a handy way for governments to keep an eye on their citizens. Saudi Arabia uses the internet for multiple things -- mainly monitoring dissent and controlling communication.

An expansive cybercrime law, coupled with longstanding statutes outlawing criticism of the official religion, has made it easy for the Saudi government to jail critics and cut off communications platforms. Bloggers have been imprisoned and encrypted services asked for technical details, presumably in hopes of inserting the government into private conversations.

The prosecution of speech the government doesn't like continues, as Reuters reports:

A group of Twitter users will be indicted in Saudi Arabia on charges of harming public order for threatening the "safety and moderate ideology of society" through extremism, according to a statement on state news agency SPA.

The country's chief prosecutor summoned the Twitter users on Sunday, the statement said, without naming them or specifying how many were accused.

The substance of the offending tweets can only be speculated about. Presumably, they violated the kingdom's self-image and/or that of the prevailing religion. More statements were made by officials, but none of them offered clarity on the tweets' content. Instead, they were contradictory statements using the Saudi version of "We're big supporters of free speech, but..."

In a separate statement, Public Prosecutor Sheikh Saud bin Abdullah al-Muajab said he respected freedom of opinion but asserted his office's power to pursue cases against those who promote hatred or sectarianism, or mislead public opinion.

"Misleading public opinion" becomes a much vaguer complaint when the government defines what the public's opinion should be and enforces it with dissent-crushing laws. There's no church/state separation at play either, so religious leaders are pretty much political leaders, and "misleading public opinion" could be nothing more than a disagreement over interpretations of a religious text. In most countries, the worst that might happen is a ruined Thanksgiving dinner. Over there, it's jail time and a possible beating.

In an absurd twist, Saudi Arabia will host 2020's G20 summit -- an annual gathering of world leaders, most of whom hail from a freer world. Because of this, some leaders will be hesitant to condemn the Saudi kingdom for its continued oppression of speech. If things don't change tremendously over the next few years, participating in the G20 summit will amount to tacit approval of the Saudi government's abuses and will legitimize ongoing censorship.


Posted on Techdirt - 15 August 2017 @ 11:55am

Court Says CFAA Isn't Meant To Prevent Access To Public Data, Orders LinkedIn To Drop Anti-Scraper Efforts

from the perverting-a-bad-law dept

Some good pushback against the CFAA (Computer Fraud and Abuse Act) has been handed down by a federal court. LinkedIn, which has frequently sued scrapers under both the CFAA and DMCA, just lost an important preliminary round to a company whose entire business model relies on LinkedIn's publicly-available data.

hiQ Labs scrapes LinkedIn data from users whose accounts are public, repackages it and sells it to third party recruiters and HR departments, allowing companies to track employee skills and get a read on which employees might be planning to jump ship.

LinkedIn didn't care much for another business piggybacking on its data (and likely cutting back ever so slightly on the number of third parties it sells this data to), so it sued hiQ, alleging the scraping of publicly-available data violated the CFAA. This has completely backfired. hiQ has obtained an injunction preventing LinkedIn from blocking its scraping efforts. [h/t Brad Heath]

In short, the court finds the hardships are all on hiQ's side: if LinkedIn blocks the scraping, the company will likely close. The decision [PDF], importantly, notes this isn't what the CFAA was put in place to guard against. It also adds that if it sided with LinkedIn's arguments, the internet itself would suffer.

In summary, the balance of hardships tips sharply in hiQ's favor. hiQ has demonstrated there are serious questions on the merits. In particular, the Court is doubtful that the Computer Fraud and Abuse Act may be invoked by LinkedIn to punish hiQ for accessing publicly available data; the broad interpretation of the CFAA advocated by LinkedIn, if adopted, could profoundly impact open access to the Internet, a result that Congress could not have intended when it enacted the CFAA over three decades ago.

And there's more bad news for LinkedIn:

Furthermore, hiQ has raised serious questions as to whether LinkedIn, in blocking hiQ's access to public data, possibly as a means of limiting competition, violates state law.

LinkedIn tried to argue continued access by hiQ would threaten its own business, mainly through supposed violations of its customers' privacy. It notes many of its users (50 million to be exact) have deployed LinkedIn's "Do Not Broadcast" option, which limits notifications about changes to accounts. Out of the 50 million users, LinkedIn claims three have alleged harm from third-party data collection. LinkedIn says hiQ's scraped determinations about poachable employees could harm users whose accounts remain public, but are utilizing the "Do Not Broadcast" feature.

The court is not entirely unsympathetic to LinkedIn's arguments. But it is mostly unsympathetic, partially because LinkedIn appears to be vastly overstating the privacy concerns of its users...

These considerations are not without merit, but there are a number of reasons to discount to some extent the harm claimed by LinkedIn. First, LinkedIn emphasizes that the fact that 50 million users have opted into the "Do Not Broadcast" feature indicates that a vast number of its users are fearful that their employer may monitor their accounts for possible changes. But there are other potential reasons why a user may opt for that setting. For instance, users may be cognizant that their profile changes are generating a large volume of unwanted notifications broadcasted to their connections on the site. They may wish to limit annoying intrusions into their contacts.

Second, LinkedIn has presented little evidence of users' actual privacy expectation; out of its hundreds of millions of users, including 50 million using Do Not Broadcast, LinkedIn has only identified three individual complaints specifically raising concerns about data privacy related to third-party data collection. Docket No. 49-1 Exs. A-C. None actually discuss hiQ or the "Do Not Broadcast" setting.

...and partially because LinkedIn doesn't appear to care all that much about its users' privacy.

Third, LinkedIn's professed privacy concerns are somewhat undermined by the fact that LinkedIn allows other third-parties to access user data without its members' knowledge or consent. LinkedIn offers a product called "Recruiter" that allows professional recruiters to identify possible candidates for other job opportunities. LinkedIn avers that when users have selected the Do Not Broadcast option, the Recruiter product respects this choice and does not update recruiters of profile changes. However, hiQ presented marketing materials at the hearing which indicate that regardless of other privacy settings, information including profile changes are conveyed to third parties who subscribe to Recruiter. Indeed, these materials inform potential customers that when they "follow" another user, "[f]rom now on, when they update their profile or celebrate a work anniversary, you'll receive an update on your homepage. And don't worry – they don't know you're following them." LinkedIn thus trumpets its own product in a way that seems to afford little deference to the very privacy concerns it professes to be protecting in this case.

As for the alleged CFAA violations, the court finds nothing to support LinkedIn's legal theory that public information anyone can access somehow becomes unauthorized access when a company accesses it via a scraper.

A user does not "access" a computer "without authorization" by using bots, even in the face of technical countermeasures, when the data it accesses is otherwise open to the public.

But it goes further, laying down in explicit detail how ruling in LinkedIn's favor would severely damage open access on the internet.

Under LinkedIn's interpretation of the CFAA, a website would be free to revoke "authorization" with respect to any person, at any time, for any reason, and invoke the CFAA for enforcement, potentially subjecting an Internet user to criminal, as well as civil, liability. Indeed, because the Ninth Circuit has specifically rejected the argument that "the CFAA only criminalizes access where the party circumvents a technological access barrier," Nosal II, 844 F.3d at 1038, merely viewing a website in contravention of a unilateral directive from a private entity would be a crime, effectuating the digital equivalence of Medusa. The potential for such exercise of power over access to publicly viewable information by a private entity weaponized by the potential of criminal sanctions is deeply concerning...

[T]he CFAA as interpreted by LinkedIn would not leave any room for the consideration of either a website owner's reasons for denying authorization or an individual's possible justification for ignoring such a denial. Website owners could, for example, block access by individuals or groups on the basis of race or gender discrimination. Political campaigns could block selected news media, or supporters of rival candidates, from accessing their websites. Companies could prevent competitors or consumer groups from visiting their websites to learn about their products or analyze pricing. Further, in addition to criminalizing any attempt to obtain access to information otherwise viewable by the public at large, the CFAA would preempt all state and local laws that might otherwise afford a legal right of access (e.g., state law rights asserted by hiQ herein). A broad reading of the CFAA could stifle the dynamic evolution and incremental development of state and local laws addressing the delicate balance between open access to information and privacy – all in the name of a federal statute enacted in 1984 before the advent of the World Wide Web.

The case will still proceed, but the outlook isn't that bright for LinkedIn. It has been ordered to drop any anti-circumvention efforts it put in place within 24 hours and rescind the cease-and-desist orders it sent to hiQ. On top of there being zero chance it will prevail on its CFAA claims, the company will now have to defend itself against state law counterclaims by hiQ. This legal effort -- probably deployed in hopes of achieving a quick settlement -- is going to add up to real dollars in legal fees alone.


Posted on Free Speech - 15 August 2017 @ 9:47am

Defending Hateful Speech Is Unpleasant But Essential, Even When Violence Is The End Result

from the theater-for-fire-shouters dept

A weekend full of ugliness has resulted in the predictable: calls for the government to step in and do something about "hate speech." For some reason, a bunch of people decided the removal of a statue commemorating the loser of the First American Civil War was something they simply couldn't abide, even though the "history" they were seeking to "preserve" generally celebrates the last holdouts against the abolition of slavery.

It's not as though they were seeking to preserve history a government might feel like erasing. No one involved in the protest of the Robert E. Lee statue removal sought to build the US equivalent of the Holocaust Museum and needed the stone homage to occupy an appropriate place of dishonor among the rest of the relics. This devolved into violence -- first hand-to-hand altercations, but later involving a vehicle driven directly into a crowd of counter-protesters, resulting in multiple injuries and one death.

While the president issued a tepid "hate and violence are bad" statement, people all over the internet were taking this as an indication free speech in this country has gone too far. (His second statement, delivered two days later, was much better.) Predictably, those attacking entities like the ACLU (which defended the white nationalist assemblage's right to hold a protest of the statue's removal) were mainly interested in shutting down speech they didn't like, while somehow preserving the sort of speech they did like.

Glenn Greenwald has a long post at The Intercept detailing the misguided attacks on the ACLU as a result of its defense of the white nationalist protesters. As he points out, the left -- despite its reputation for tolerance of all races, creeds, colors, and sexes -- is a frequent supporter of government regulation of speech. Many on the left still cling to the mistaken belief the government has already outlawed "hate speech," when it has done nothing of the sort.

Those on the right would like to see the ACLU kicked out of Constitutional discussions as well. Greenwald notes the ACLU has been similarly attacked for such things as arguing for due process rights for accused terrorists.

The problem is: rights are rights. Those availing themselves of Constitutional rights usually aren't sympathetic protagonists. But it's the worst of the worst that need defending. No one starts throwing around stupid legislation when tepid, middle-of-the-road statements are made. No one fires off bogus lawsuits when inoffensive statements are delivered.

Many on both sides -- right and left -- find this concept hard to grasp. Some people believe there's a legal bright line between speech and hate speech, when in most cases, it's just a subjective measurement of how much these people empathize with the disputed statements. Hypocrisy abounds. Unfortunately, hypocrisy isn't limited to the rank-and-file. Legislators are able to at least threaten serious damage to the First Amendment by writing and sponsoring bills targeting the "worst of the worst." But most are written so broadly and badly, they can't survive a constitutional challenge.

Even our president partakes in the speech hypocrisy. He has threatened to open up libel laws and refers to any source of info he doesn't like as "fake news." But he still enjoys the First Amendment protections he's reluctant to extend to his opponents, even as he extols police brutality or encourages supporters to attack protesters.

That the worst speech needs the most defending isn't news to anyone here at Techdirt. This point has been made repeatedly. But every time something like what happened in Charlottesville happens, the point needs to be driven home again.

Some believe the curbing of speech would somehow prevent violence. But words and actions are two different things. We have plenty of laws in place to deal with assault and vehicular homicide. What we don't need is more laws regulating speech in response to criminal activity. Certainly some of the people making the nastiest statements are also perpetrators of violence. But laws that criminalize speech extend culpability from doing to simply thinking.

There's a huge gap between defending someone's right to speak and defending what they're saying. As some people need to be constantly reminded, free speech is not speech without consequences. Ignorant, nasty, brutish statements deserve the criticism they receive. What they shouldn't be met with is calls for the government to step in and tell everyone what sort of speech is permitted. Those protesting the statue's removal had every right to be heard, no matter how ridiculous their arguments and beliefs.

It also should be clear (but often isn't) that defending someone's First Amendment rights isn't the same thing as defending their actions. It's not even something as minimal as complicity. The ACLU stepping up to defend the white nationalists' right to assemble doesn't make it an enabler of the violence that followed. That violence was the end result may have been predictable, but allowing the government to selectively revoke certain citizens' rights as a precaution isn't really the path we want to go down.

Finally, there's one more point to consider when calling for the curtailment of free speech for the "worst of the worst:" it is utterly ineffective, even if it "works." Here's Greenwald:

How can anyone believe that neo-Nazism or white supremacy will disappear in the U.S., or even be weakened, if it’s forcibly suppressed by the state? Is it not glaringly apparent that the exact opposite will happen: by turning them into free speech martyrs, you will do nothing but strengthen them and make them more sympathetic?

The last thing anyone needs is for the worst of the worst to become causes célèbres because of their odious viewpoints. No one should be in a hurry to make it more difficult to easily recognize small-minded, hateful people. Their ignorance should always be on display. Burying them just makes them more dangerous and more apt to resort to violent means to make their points.


Posted on Techdirt - 14 August 2017 @ 3:44pm

Lawyer: Yahoo Lost Sec. 230 Immunity Because It Didn't Hand Over Personal Info; Court: GTFO

from the please-allow-me-to-entertain-you-with-my-legal-theories dept

Sometimes litigants start out with a good case... or at least a credible one. Then they ruin it by getting creative. The day-to-day work of adjudicating may be a bit dry, but novel legal arguments rarely provide anything more than entertainment for bystanders.

Lawyer and author Thomas Hall originally sued three individuals for alleged online harassment. According to his first complaint, Hall had drawn the ire of supposed white supremacists who bombarded him with hundreds of "threatening and disparaging emails." Hall sought a restraining order against the three defendants, but apparently needed a bit more personal info before he could get that order approved. [via Eric Goldman]

That's when he got creative. Having received no help from Yahoo in identifying the people behind the alleged harassment campaign, Hall decided to sue Yahoo as well. That's when the case went from credible to WTF. From the decision [PDF]:

On August 29 2014, Hall filed the instant action against Lund, Jessop, and Dunk for intentional infliction of emotional distress, libel, false light invasion of privacy, and invasion of privacy. In addition to those named or identified in the previous harassment action, Hall named as a defendant derHoaxster@gmail.com (derHoaxster), and alleged that derHoaxster had “published multiple statements disparaging Plaintiff as dishonest in his law practice and in his personal life.” Hall also named Yahoo as a defendant, based on allegations that Yahoo had published or republished threatening and defamatory statements made by Lund, Jessop, Dunk, and derHoaxster.

Yahoo, naturally, claimed it had done no such thing. It also pointed out postings by third parties were the third parties' problem, not Yahoo's. Hall, however, argued Yahoo could be proven to be responsible for the supposed republished content. The court humored him. Hall did not fail to disappoint.

On July 17, 2015, Hall filed a first amended complaint (FAC) that included the same causes of action alleged in his initial complaint as well as a new fifth cause of action against Yahoo for intentional interference with contract. In the new cause of action, Hall alleged that Yahoo had flooded his America Online (AOL) email account with more than 2000 emails denigrating AOL’s services. Hall’s FAC also alleged that Yahoo was not shielded by the CDA because Yahoo had failed to identify the users of the screen names who had posted defamatory statements about him, and that Yahoo itself was the “content provider” of those statements.

This was Hall's attempt to peel back Yahoo's Section 230 immunity. It's an interesting theory -- Yahoo's failure to identify the posters strips it of immunity. It's also one without any legal basis. This amended complaint didn't do much for Hall. Yahoo responded with a demurrer and a motion under California's anti-SLAPP law. In support of its motion, Yahoo submitted an affidavit stating it did not create any of the content in its forums, bulletin boards, chatrooms, etc.

Hall simply doubled down.

Hall opposed the demurrer and anti-SLAPP motion, arguing that Yahoo was not shielded from liability under the CDA because it had not provided, in response to Hall’s discovery requests, telephone numbers for the users of the screen names “pddunk@yahoo.com” and “derHoaxster@yahoo.com.”

The anti-SLAPP motion was granted and Hall appealed. The appeals court takes particular interest in Hall's bizarre Section 230 theories.

Hall’s argument that Yahoo was required to identify the persons who posted the objectionable content by providing the names, addresses, telephone numbers, or other identifying information for such persons is legally unsupported. The CDA contains no such requirement, and Hall cites no authority that construes the statute to impose such a requirement. Delfino v. Agilent Technologies, Inc. (2006) 145 Cal.App.4th 790 (Delfino), a case on which Hall relies, undermines rather than supports his position. The court in Delfino concluded that because “there was no evidence that Agilent [the interactive computer service provider] played any role whatsoever in ‘the creation or development’ of” the objectionable content that was the subject of the action, it clearly satisfied the third element required for a finding of CDA immunity. (Id. at p. 807.) Here, there was undisputed evidence that Yahoo was not responsible, in whole or in part, for the content of the emails and posts that are the subject of Hall’s claims. The trial court accordingly did not err by granting the anti-SLAPP motion.

As the court points out earlier in the decision, Yahoo's declaration that it did not post or publish the allegedly defamatory content went uncontested by Hall. Instead, Hall picked his misunderstanding of Section 230 as the hill to die on. On top of having his lawsuit dismissed (both for failure to state a claim and under California's anti-SLAPP law), Hall will now be paying Yahoo's legal costs.

The decision here is another reminder of two things:

1. There is still no federal anti-SLAPP law, something that would greatly discourage baseless lawsuits like these from being brought in federal court. It would also discourage the same behavior in state courts, which is where this one was filed.

2. Section 230 provides important protections for service providers who are almost always the easiest party to find and serve, even if they've done nothing else but provide a platform for people to speak their minds.


Posted on Techdirt - 14 August 2017 @ 11:55am

Former NSA Official Argues The Real Problem With Undisclosed Exploits Is Careless End Users

from the sorry-about-all-the-ransomware dept

As leaked NSA software exploits have been redeployed to cause computer-based misery all over the world, the discussion about vulnerability disclosures has become louder. The argument for secrecy is based on the assumption that fighting an existential threat (terrorism, but likely also a variety of normal criminal behavior) outweighs concerns the general public might have about the security of their software/data/personal information. Plenty of recent real-world examples (hospital systems ransomed! etc.) do the arguing for those seeking expanded disclosure of vulnerabilities and exploits.

Former Deputy Director of the NSA Rick Ledgett appears on the pages of Lawfare to argue against disclosure, just as one would have gathered by reading his brief author bio. Ledgett's arguments, however, feel more like dodges. First off, Ledgett says the NSA shouldn't have to disclose every vulnerability/exploit it has in its arsenal, an argument very few on the other side of the issue are actually making. Then he says arguments against exploit hoarding "oversimplify" the issue.

The WannaCry and Petya malware, both of which are partially based on hacking tools allegedly developed by the National Security Agency, have revived calls for the U.S. government to release all vulnerabilities that it holds. Proponents argue that this would allow patches to be developed, which in turn would help ensure that networks are secure. On its face, this argument might seem to make sense—but it is a gross oversimplification of the problem, one that not only would not have the desired effect but that also would be dangerous.

At this point, you'd expect Ledgett to perform some de-simplification. Instead, the post detours for a bit to do some victim-blaming. It's not the NSA's fault if undisclosed exploits wreak worldwide havoc. It's the end users who are the problem -- the ones who (for various reasons) use outdated system software or don't keep current with patches. This isn't a good argument to make for the very reasons outlined in Ledgett's opening paragraph: software vendors can't patch flaws they're unaware of. This is where disclosure would help protect more users, even if it meant the loss of some surveillance intercepts.

Then Ledgett argues the NSA's leaked exploits weren't really the problem. If they hadn't been available, the malware purveyors just would have used something else.

The actors behind WannaCry and Petya, believed by some to be from North Korea and Russia, respectively, had specific goals when they unleashed their attacks. WannaCry seemed to be straightforward but poorly executed ransomware, while Petya appeared to have a more sinister, destructive purpose, especially in the early Ukraine-based infection vector. Those actors probably would have used whatever tools were available to achieve their goals; had those specific vulnerabilities not been known, they would have used others. The primary damage caused by Petya resulted from credential theft, not an exploit.

This is undoubtedly true. Bad actors use whatever tools help them achieve their ends. It's just that these specific cases -- the cases used by Ledgett to argue against increased disclosure -- were based on NSA exploits vendors hadn't been informed of yet. The patches that addressed more current vulnerabilities weren't issued until after the NSA told Microsoft about them, and it only did that because its toolset was no longer under its control.

Ledgett also points out that the NSA does better than most state entities in terms of disclosure:

Most of the vulnerabilities discovered by the U.S. government are disclosed, and at the National Security Agency the percentage of vulnerabilities disclosed to relevant companies has historically been over 90 percent. This is atypical, as most world governments do not disclose the vulnerabilities they find.

Maybe so, but there's not much honor in just being better than the worst governments. Ledgett only says the NSA is better than "most." This doesn't turn the NSA into a beacon of surveillance state forthrightness. All it does is place it above governments less concerned about the security and wellbeing of their citizens.

Ledgett then goes back to the well, claiming a) the two recent attacks had nothing to do with the NSA, and b) disclosing vulnerabilities would make the NSA less effective.

WannaCry and Petya exploited flaws in software that had either been corrected or superseded, on networks that had not been patched or updated, by actors operating illegally. The idea that these problems would be solved by the U.S. government disclosing any vulnerabilities in its possession is at best naive and at worst dangerous. Such disclosure would be tantamount to unilateral disarmament in an area where the U.S. cannot afford to be unarmed… Neither our allies nor our adversaries would give away the vulnerabilities in their possession, and our doing so would probably cause those allies to seriously question our ability to be trusted with sensitive sources and methods.

The problem here is that Ledgett ignores the obvious: leaked NSA tools helped create the problem. The NSA never disclosed these vulnerabilities to affected software vendors -- at least not until it became obvious it could no longer keep these tools secret.

I'm guessing the NSA is already living through the last part of Ledgett's paragraph. A set of effective, still-undisclosed vulnerabilities being digitally spirited away and dumped into the public's lap probably makes it less likely foreign surveillance partners will be sharing their malware toolkits with the NSA.

This leads right into another argument against vulnerability hoarding: it has been shown with complete clarity that the NSA can't guarantee its exploits will never be used by criminals and malicious governments. The leak of its toolkit shows any suggestion that only the "good guys" will have access to undisclosed vulnerabilities is both ignorant and arrogant. The NSA isn't untouchable. Neither are all the surveillance partners the NSA has shared its tools with.

In the end, it's the private sector's fault, according to Ledgett. The solution is for vendors to write better software and end users to patch more frequently. This is good advice, but not an absolution of the NSA's vulnerability secrecy.

The NSA needs to do better balancing its needs and the security of the general public. Very few people are arguing the NSA should have zero undisclosed exploits. But the exploits dumped by the Shadow Brokers affected older versions of Microsoft system software dating back to Windows XP and they still weren't patched until the exploits had already been made public. These were exploits some in the NSA thought were too powerful, and yet, the NSA did nothing until the malware offspring of its secret exploit stash were taking down systems all over the world.

29 Comments | Leave a Comment..

Posted on Techdirt - 14 August 2017 @ 3:25am

DEA Looking To Buy More Malware From Shady Exploit Dealers

from the ends-and-something-about-means dept

The DEA -- like other federal agencies involved in surveillance -- buys and deploys malware and exploits. However, it seems to do better than most at picking out the sketchiest malware purveyors to work with.

When Italian exploit retailer Hacking Team found itself hacked, obtained emails showed the company liked to route around export bans through middlemen to bring the latest in surveillance malware to UN-blacklisted countries with horrendous human rights records. It also, apparently, sold its wares to the DEA -- an agency in a country with only periodic episodes of horrendous human rights violations.

Maybe there's a shortage of exploit sellers, but it would be nice to see a US agency be a bit more selective about who it buys from, rather than jumping into the customer pool with Saudi Arabia, Sudan, and Egypt. But the DEA has done it again. Emails obtained via FOIA by Motherboard show the DEA attempting to get in bed with another questionable malware purveyor.

The Drug Enforcement Administration held a meeting with the US sales arm of NSO Group, a controversial malware company whose products can remotely siphon data from iPhones and other devices, according to internal DEA emails obtained by Motherboard.

The news highlights law enforcement agencies' increased interest in using hacking tools and malware, as well as NSO's efforts to enter the lucrative US market.

The problems with NSO are multitudinous. Not only have its iPhone zero-days been used to target a dissident in the United Arab Emirates, but the Mexican government apparently deployed NSO malware on several occasions, each time with highly-questionable targets.

Citizen Lab has uncovered NSO malware in operation in Mexico, targeting journalists, lawyers, soda tax supporters [?!]... even children. Some of the targets were investigating government corruption. Others were investigating the mass disappearance of 43 students from Iguala, Mexico. The deployment methods were at least as troubling as the demographics of those targeted.

The targets received SMS messages that included links to NSO exploits paired with troubling personal and sexual taunts, messages impersonating official communications by the Embassy of the United States in Mexico, fake AMBER Alerts, warnings of kidnappings, and other threats. The operation also included more mundane tactics, such as messages sending fake bills for phone services and sex-lines. Some targets only received a handful of texts, while others were barraged with dozens of messages over more than one and a half years.

This is what governments are doing with NSO's malware. Certainly NSO can't be expected to prevent end users from using its malware for evil, but it could be more selective about who it sells to. Perhaps the pitch to the DEA was viewed as a step towards legitimacy. But the DEA entertaining offers from NSO should be viewed as a step backwards for an agency that already has a few issues with its malware deployment.

Joseph Cox of Motherboard makes it clear the obtained emails don't show any purchases from NSO. But they do show the agency is interested in its wares. The lack of concern about the source is par for the course. The DEA can't seem to find the time to deliver required Privacy Impact Assessments for its malware/exploit deployment and routinely thwarts its oversight. Buying from shady dealers is just another component of the DEA way.

15 Comments | Leave a Comment..

Posted on Techdirt - 11 August 2017 @ 7:39pm

Court Tells Government Sticking FOIA Waivers In Plea Agreements Is Probably A Bad Idea

from the stripping-vehicles-of-accountability-one-perp-at-a-time dept

Criminal defendants entering into plea agreements can waive all sorts of rights, including appeals of sentences and evidence challenges. The government trades rights for years, in the interest of securing convictions. But can someone be asked to sign away their FOIA rights? The government clearly thinks so. This is from a recent D.C. Appeals Court decision [PDF]:

In March 2007, William Price pled guilty in the Western District of Missouri to two offenses involving production and receipt of child pornography. In exchange for a favorable sentencing recommendation from the government, Price entered into a plea agreement that included a waiver of his rights under FOIA to records connected to his case. He was sentenced to fifty years’ imprisonment and is currently incarcerated.

[...]

Specifically, Price agreed to

waive[] all of his rights, whether asserted directly or by a representative, to request or receive from any department or agency of the United States any records pertaining to the investigation or prosecution of this case including, without limitation, any records that may be sought under the Freedom of Information Act, 5 U.S.C. § 552, or the Privacy Act of 1974, 5 U.S.C. § 552a.

The court notes FOIA waivers are neither "common nor unheard of."

A recent study of the various kinds of waivers included in plea agreements found that, in 2009, 25% of robbery plea agreements and 23% of arson plea agreements contained a FOIA waiver.

Price did end up submitting a FOIA request in 2011. But it wasn't directly related to the case. He was seeking documents related to his ex-wife, from whom he'd obtained a privacy waiver. The FBI denied the request, claiming Price was attempting to indirectly circumvent his waiver agreement.

The government also claimed the FOIA lawsuit Price filed pro se wasn't actually an FOIA lawsuit. The court disagrees.

The government argues that this suit is an attempt by Price to challenge his conviction or sentence that turns on whether his waiver was knowing, voluntary, and intelligent. We see it differently. This is a FOIA suit in which we are asked to determine de novo whether the FBI lawfully withheld records that Price requested.

The court doesn't have much sympathy for the plaintiff's argument that the FBI's denial creates another FOIA exemption, one that isn't statutorily-supported. The court points out it does nothing of the sort. The FBI is only denying records to Price, but those records can still be accessed by another person. As such, they are not covered by a phantom exemption, but rather Price himself is forbidden from accessing these records via a contract he signed with the government.

As the court points out, allowing Price to access these documents despite his plea agreement with the government would result in FOIA chaos. When FOIA lawsuit settlements are obtained, requesters often agree to the receipt of certain documents, rather than everything they've sought. The agreement states they cannot pursue the denied documents or engage in further litigation over these denied documents. If contracts like these aren't honored, the government would never offer to settle FOIA litigation because plaintiffs could just file new requests for denied documents and engage in further litigation despite having agreed explicitly to refrain from further requests and lawsuits. It's a good point, albeit one that ignores the fact most plaintiffs don't have unlimited funds for FOIA litigation, whereas the government's litigation funding will never dry up, no matter how many litigants it does battle with.

But the court does have a problem with FOIA waivers in general. As the court sees it, the waiver serves no purpose in terms of adjudicating criminal defendants.

More fundamentally, in responding to Price’s public policy-based challenge, the government has not pointed us to any legitimate criminal-justice interest served by including a waiver of FOIA rights in Price’s plea agreement. Amicus argues, and all parties agree, that a “prosecutor is permitted to consider only legitimate criminal justice concerns in striking [a plea] bargain—concerns such as rehabilitation, allocation of criminal justice resources, the strength of the evidence against the defendant, and the extent of [a defendant’s] cooperation with the authorities...”

[...]

Indeed, all the government says is that “the public interest in the efficient and effective prosecution and conviction of sex offenders . . . is considerable and outweighs whatever public interest may exist in the [contents of the] investigation and prosecution files of [a] single defendant.” Appellee Br. 36. But how? Certainly litigating FOIA disputes in court can be burdensome for the parties involved, as the government notes, see id. at 46, but in what way do FOIA waivers actually support “efficient and effective prosecution”? The government leaves us to guess.

The government's first reason for securing FOIA waivers? The people we lock up get bored and make us do extra work.

When pressed at oral argument about what legitimate criminal-justice purpose FOIA waivers might serve, the government simply responded: “Prisoners frankly have a lot of time on their hands and they write a lot of FOIA requests, and it is a burden to agencies especially like the FBI . . . .”

The government also claimed a lack of FOIA waivers would undercut the "finality" of agreed-to plea deals. The court finds this argument ridiculous.

[I]n another point gone missing from the government’s brief and raised by its counsel only at oral argument, FOIA waivers may occasionally promote the government’s legitimate interest in finality. But as best we can tell, FOIA waivers promote finality only by making it more difficult for criminal defendants to uncover exculpatory information or material showing that their counsel provided ineffective assistance. That argument takes the finality interest too far. After all, a defendant can never waive his right to bring a colorable claim of ineffective assistance of counsel, even though such claims undermine finality.

The court also points out the government didn't raise either of these arguments in its brief. In general, appeals courts are extremely uninterested in new legal arguments raised at the last minute, especially when years of litigation have come and gone before they even view the cases.

But it goes further than that. The court says FOIA is a vehicle of government accountability that must remain open to criminal defendants. In some cases, it's the only way for defendants to gain access to documents relevant to their prosecution.

FOIA thus provides an important vehicle for vindicating significant rights—and for keeping prosecutors honest. Indeed, in some cases it provides the only vehicle. And the government, at least in this case, has not told or shown us how taking that tool away from criminal defendants serves the interests of justice compared to the harms those waivers cause.

The court sums up its decision by calling out the government for attempting to further tilt an already-slanted legal playing field.

[T]his uneven power dynamic lurks in the background in cases like these and calls for a careful consideration of Price’s claim. Here Price has shown, through real-world examples, that enforcing a FOIA waiver would make it harder for litigants in his position to discover potentially exculpatory information or material supporting an ineffective-assistance-of-counsel claim. This is especially true given that, “with rare exceptions, only the waivor” in such cases “has the requisite knowledge and interest to lodge a FOIA request in the first place.” Amicus Br. 27. On the other side of the scale, the government has offered us nothing more than the unsupported blanket assertion that FOIA waivers assist in effective and efficient prosecution, without any support or explanation how. Under these particular circumstances, and based on the briefing in this case, we have little trouble in concluding that the public interest in enforcing Price’s waiver is outweighed by the harm to public policy that enforcement would cause.

But even as it strips away the government's blanket assertions, the court reminds readers (and potential litigants) that it's not offering a blanket of its own.

To be clear, we do not hold that FOIA waivers in plea agreements are always unenforceable. We simply hold that the government may not invoke Price’s FOIA waiver as a basis for denying him access to the records he requests because, in this case, the government has given us no adequate rationale for enforcing this waiver in light of the public-policy harms Price has identified. That’s it.

So, FOIA waivers will remain part of plea agreements. But this instructive ruling should give defendants some guidance on how to better challenge these waivers.

Read More | 34 Comments | Leave a Comment..

Posted on Techdirt - 11 August 2017 @ 3:22am

ACLU Tells Court Long-Term Cell Site Location Tracking Should Require A Warrant

from the people-like-cellphones-much-more-than-they-like-their-government dept

The Supreme Court is going to take a look at the Fourth Amendment implications of warrantless access to historic cell site location information. The outlook for a Fourth Amendment win isn't particularly hopeful, given that there's no circuit split to be resolved. The lone holdout was the Fourth Circuit -- which originally had problems with the long-term collection of location information -- but that court reversed its earlier decision to align with other circuits which have addressed the issue.

That doesn't mean no one should try! Who knows what the court might decide, especially given the shifting telecommunications landscape. After all, it has managed to budge the 4th a wee bit now and then, even in decisions that were mostly punts or calls for the aggrieved to take it up with their Congressional reps.

The ACLU has filed a brief [PDF] on behalf of the appellants, pointing out what should be obvious: cell site location info isn't Just Another Third Party Record. It's a proxy tracking system for law enforcement, which can access this data without warrants. And it's only getting more precise every day.

Service providers have long retained location information for the start and end of incoming and outgoing calls. Today, those companies increasingly also retain location information related to the transmission of text messages and routine internet connections—which smartphones make virtually constantly to check for new emails, social media messages, weather updates, and other functions. The information recorded can include not only cell site and sector, but also estimated distance of the phone from the nearest cell site. Id. Location precision is also increasing as service providers deploy millions of “small cells,” “which cover a very specific area, such as one floor of a building, the waiting room of an office, or a single home.” United States v. Graham, 824 F.3d 421, 448 (4th Cir. 2016) (en banc) (Wynn, J., dissenting in part and concurring in the judgment) (citation omitted); see also Hoy, supra, at 69-70. All told, a typical smartphone connects to cell towers hundreds of times a day, generating a densely pixelated matrix of data points documenting the user’s movements. The volume and precision of that data will grow steadily in coming years, generating ever more granular locational information.

The ACLU notes Congress itself has granted consumer protections for CSLI, giving customers control over who has access to this data. Unfortunately, multiple courts have ruled that, since cell providers have access to the info and customers are at least somewhat aware their phones must connect to towers to provide service, this information can be obtained by the government with only a subpoena. (And, obviously, without the customer's consent.) In some rulings, this has been extended to real-time location tracking, with law enforcement officers basically shoulder-surfing telco computers for pings.

The brief draws a connection between virtual location tracking with CSLI and the Supreme Court's Jones decision, which dealt with long-term tracking of individuals with concealed GPS tracking devices. That decision didn't quite establish a warrant requirement, but did suggest warrantless long-term location tracking raised a number of Fourth Amendment issues.

Allowing law enforcement agencies to use service providers as tracking devices is a problem. It shouldn't really make a difference whether it's long-term or short-term, but the tremendous amount of location data automatically gathered can provide an extremely in-depth examination of someone's life, all through the magic of third-party records.

Worse, long-term tracking through CSLI exposes even more of a person's movements to the government. Phones go places cars don't. A suspect could "opt out" of GPS data collection by walking, using public transportation, or riding in vehicles without tracking devices. But people's phones go everywhere they go. Having this wealth of information on tap is a boon for law enforcement. Obtaining a warrant isn't some sort of insurmountable obstacle. The world has changed incredibly since 1979, which is when the Supreme Court created the Third Party Doctrine out of thin air. If nothing else, this case should give it the opportunity to take another look at a decision headed into its fourth decade and see if it still remains relevant in a world where almost every citizen carries around a proxy government tracking device wherever they go.

Read More | 12 Comments | Leave a Comment..

Posted on Techdirt - 10 August 2017 @ 1:32pm

Report Shows CBP Officers Rarely Punished For Abusive Actions

from the zero-accountability-in-the-Constitution-free-zones dept

Here's how the CBP is defending our borders -- even before the Trump Administration's "surge:"

Everyone they detained was an American citizen, coming back to the US after attending a wedding of a cousin. They were treated terribly, put in a cold room with no food or drinks, and no information on what was going on. CBP demanded they hand over their electronics, and made it clear they might not get them back. The thing is, this isn't a unique situation. As the report notes, there's almost no oversight over CBP actions, allowing them to act with impunity. In the report, the story is told of a 4-year-old girl, an American citizen, who was detained for 14 hours, in a cold room, without being allowed to speak to her parents and given no food beyond a cookie. And then she was deported. Even though she was a US citizen. She was allowed to come back weeks later, but now has symptoms of post-traumatic stress disorder.

And that was at the Canadian border. Down south, treatment of citizens and (especially) non-citizens is even worse. The CBP has a vast amount of power but very minimal oversight. The fact that they deal with non-citizens frequently tends to result in a "They're not Americans, so who cares?" attitude.

In 2013, the American Immigration Council studied data on complaints against the CBP. What it found was depressing, if unsurprising.

The data, which the Immigration Council acquired through a Freedom of Information Act (FOIA) request, covers 809 complaints of alleged abuse lodged against Border Patrol agents between January 2009 and January 2012. These cases run the gamut of physical, sexual, and verbal abuse. Although it is not possible to determine which cases had merit and which did not, it is astonishing that, among those cases in which a formal decision was issued, 97 percent resulted in “No Action Taken.” On average, CBP took 122 days to arrive at a decision when one was made. Moreover, among all complaints, 40 percent were still “pending investigation” when the complaint data were provided to the Immigration Council.

The most common complaint was physical abuse, occurring in nearly 40% of the studied cases with excessive force following close behind with 38% of reports. This should be expected, as the CBP is a law enforcement agency. Many US law enforcement agencies believe the most effective response to almost any situation is violence, and they deploy it frequently in various forms.

Complaints about CBP officers are notoriously difficult to substantiate. It's not that the complainants are less reliable than those complaining about other agencies. It's that there's usually a language barrier to be dealt with and the odds of the complainant having been whisked into Mexican/Canadian cornfields are much higher. No other agency has the power to deport its unhappy customers.

Three years later, the Immigration Council has compiled another report [PDF] based on FOIAed documents covering complaints from 2012 to 2015. There has been no improvement.

This data, obtained through a Freedom of Information Act (FOIA) request, includes 2,178 cases of alleged misconduct by Border Patrol agents and supervisors that were filed between January 2012 and October 2015. These cases range from instances of verbal abuse, to theft of property, to physical assault.

Even though assessing which cases did or did not merit disciplinary action was not feasible with the information CBP provided, the overall findings of this report are still remarkable. For example:

95.9 percent of the 1,255 cases in which an outcome was reported resulted in “no action” against the officer or agent accused of misconduct.

The complaints contain allegations of many forms of abuse, with “physical abuse” cited as the reason for the complaint in 59.4 percent of all cases.

“No action” was the outcome of many complaints against Border Patrol agents that alleged serious misconduct, such as running a person over with a vehicle, making physical threats, sexually assaulting a woman in a hospital, and denying medical attention to children.

A 1.1% "improvement" in sustained complaints is nothing more than expected variance. However, physical abuse appears to be on the upswing, jumping nearly 20% in the last three years. Again, the sheer amount of alleged abuse -- and the allegations themselves -- make for harrowing reading. Here's a small sampling of complaints against CBP officers.

Border Patrol agent allegedly placed Taser in the mouth of a U.S. citizen, resulting in injury (Tombstone, AZ)

Border Patrol agent allegedly beat, kicked, and made a UDA [“Undocumented Alien”] (a citizen of Ecuador) eat dirt while he was apprehended (Imperial Beach, CA)

Border Patrol agent allegedly verbally abused and threatened a UAC [“Unaccompanied Alien Child”] with rape and either a weapon or [self-defense] spray (Laredo, TX)

Border Patrol agent allegedly put a gun to a UAC’s [“Unaccompanied Alien Child’s”] neck and threatened to kick and kill him (Weslaco, TX)

A UDA [“Undocumented Alien”] alleges she was raped by two male Border Patrol agents prior to her apprehension by a female Border Patrol agent (Casa Grande, AZ)

Taken altogether you have an agency that has little fear of reprisal for its actions. Bolstering this is an opaque complaint process exacerbated by language barriers. On top of it, there's the general dehumanization of everyone the CBP interacts with, which only encourages staff to treat people like meat, rather than with any sort of restraint or dignity. Sitting all the way above it on the federal organizational chart is a president who's decided to make anyone without US citizenship a scapegoat for overstated leaps in criminal activity. It's only going to get worse. And considering how long the CBP has been able to escape punishment for its behavior, there's really no reason to append "before it gets better" to the previous sentence.

Read More | 27 Comments | Leave a Comment..

Posted on Techdirt - 10 August 2017 @ 12:00pm

Warner/Chappell Issues Copyright Claim Over YouTube Video Deliberately Containing None Of Its Music

from the phantom-menace dept

Warner/Chappell's DMCA takedown arm is so damn proactive it can kill YouTube videos containing as little as 0% of its IP. A clip of Star Wars posted to YouTube sans overbearing John Williams soundtrack was targeted by Warner/Chappell, the owner of the rights to John Williams' Star Wars compositions.


Here's Jeremy Hsu of Wired with more details.

Fans of the YouTube channel Auralnauts, which posted the doctored Star Wars scene in 2014 as a tongue-in-cheek tribute to the emotional power of Williams’ score, loved it for that weirdness. But another set of viewers—those with the rights to the movie’s soundtrack—tuned in to these sounds of silence and heard something else: the ka-ching of a cash register.

That’s what the Auralnauts discovered earlier this summer when they received word that Warner/Chappell—the global music publishing arm of Warner Music Group—had filed a monetization claim on their “Star Wars Minus Williams” video through YouTube's Content ID System. That’s right: The copyright holder was claiming ownership of something that wasn’t there.

There are several theories as to what went wrong here, although Warner engaging in kneejerk copyright claims with zero pre-claim vetting doesn't appear to be the frontrunner. First, a clip of music sounding a lot like a John Williams piece opens the video. But the piece is written and composed by Gustav Holst -- and is "copyright-free" according to Wired. The studio behind Star Wars had no objection to the clip, so it's not related to the visual content. That leaves Warner, possibly motivated by a faulty trigger in its Content ID auto-scanning. There's also a four-second loop of Williams' score appended to the end of the video, which may have pulled the Content ID trigger as well. But even if so, there are still problems with Warner and YouTube's Content ID system because the wrong piece of music was named in Warner's copyright claim.

[T]he Warner/Chappell claim incorrectly identified the “Star Wars Main Title” track as being present in the Auralnauts video. The single brief Williams excerpt used by the Auralnauts actually comes from a track titled “The Throne Room and End Title.”

Whatever the case is, the claim was obviously bogus. But it shows how fragile an ecosystem YouTube can be for those using it as a revenue stream. Even when wrong about pretty much everything, Warner was still able to siphon this video's profits from the Auralnauts. The Auralnauts challenged Warner -- which the article points out is something that happens in less than 1% of content claims -- but it didn't matter. In fact, it's unlikely anyone at Warner even bothered to read the challenge before issuing a rejection.

That leaves the Auralnauts in the difficult position of risking their entire channel to continue disputing Warner's obviously erroneous copyright claim.

[I]f a copyright claimant such as Warner/Chappell does not back down from its claim, the video is likely to get taken down from YouTube entirely—and in that event, the Auralnauts would also be penalized by the platform as a copyright scofflaw and barred from some privileges, such as linking to their own store. Three such takedowns and YouTube will delete your channel.

Despite the constant complaints about YouTube being some sort of infringement wonderland, the odds are stacked almost completely in favor of legacy industry copyright holders. Nothing happens to Warner if it continues to file bogus claims. But those targeted by claims are expected to just let the bogus claims happen because challenging claims is a great way to damage your own YouTube account.

23 Comments | Leave a Comment..

Posted on Techdirt - 9 August 2017 @ 3:03am

Company Storing Families' Personal Data Blocks Users/Researchers Informing It Of A Security Flaw

from the blockchain,-but-for-ignoring-your-problems dept

It must be repeated over and over: people who discover security flaws and report them are not the enemy. And yet, company after company after company treat security researchers and concerned users like criminals, threatening them with lawsuits and arrests rather than thanking them for bringing the issue to their attention.

Kids Pass -- a UK company providing discounts for families attending restaurants, theaters, and amusement parks -- had a problem. Any user could access any other user's personal information just by altering numbers linked to user IDs in the URL. A concerned user told security researcher Troy Hunt about the flaw. (via Boing Boing)

[J]ust this weekend I had a Twitter follower reach out via DM looking for advice on how to proceed with a risk he'd discovered when signing up to Kids Pass in the UK, a service designed to give families discounts in various locations across the country. What he'd found was the simplest of issues and one which is very well known - insecure direct object references. In fact, that link shows it's number 4 in the top 10 web application security risks and it's so high because it's easy to detect and easy to exploit. How easy? Well, can you count? Good, you can hack! Because that's all it amounted to, simply changing a short number in the URL.

Here's the example the user passed on to Hunt:

Hunt told the user to stop doing anything -- including accessing other users' information -- and immediately inform the company. The user did as instructed, contacting the company via Twitter direct message. Shortly thereafter, the user informed Hunt Kids Pass had blocked him on Twitter.

Hunt then made an attempt to speak to someone at Kids Pass… only to find out he had been blocked as well, most likely for having the gall to retweet the concerned user's message about the security flaw.

The responsible, ethical approach -- notifying a company of a security flaw as soon as possible -- was being treated like some sort of trollish attack on Kids Pass' Twitter account. From all appearances, the company simply wanted everyone to shut up about the flaw, rather than address the concerns raised by users.

It was only after Hunt asked his followers to contact the company on his behalf that Kids Pass finally unblocked him and told everyone the "IT department was looking at it."

The belated reaction doesn't make up for the initial reaction. And Kids Pass has shown it has little interest in addressing security flaws until the problem becomes too public to ignore. Hunt points to a blog post by another security researcher who informed Kids Pass last December about its insecure system -- including the fact it sent forgotten passwords in plaintext via email to users. He heard nothing back, finally publishing his discoveries in July.

If you want people to be good web citizens and report breaches and flaws, you can't treat them like irritants or criminals when they do. Securing users' personal info is extremely important, but some companies seem to feel they should be able to handle it however they want and mute/sue/arrest those who point out how badly-flawed their systems are.
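The flaw Hunt describes above is worth seeing in code, because the fix is as short as the bug. The block below is an added example, not Kids Pass code or anything from Hunt's write-up: a toy member-profile lookup over a constructed in-memory data set (hypothetical members and a made-up access-log excerpt). `vulnerable_profile` trusts whatever number appears in the URL, which is the bug; `hardened_profile` resolves an opaque, non-enumerable reference and checks that the logged-in session actually owns the record before returning it; `flag_enumeration` shows the server-side tell a counter walk leaves in the logs.

```python
"""Insecure direct object reference (IDOR), in miniature.
Added example with constructed data; not the Kids Pass application."""
import re
from collections import defaultdict
from dataclasses import dataclass
from secrets import token_urlsafe


@dataclass(frozen=True)
class Member:
    member_id: int
    email: str
    address: str
    children: tuple


# Constructed sample data: hypothetical members, not real records.
MEMBERS = {
    1001: Member(1001, "a.smith@example.com", "1 High St, Leeds", ("Ava", "Ben")),
    1002: Member(1002, "j.doe@example.com", "22 Mill Rd, York", ("Cara",)),
    1003: Member(1003, "p.khan@example.com", "9 Bay Rd, Hull", ()),
}

# Opaque references are the only handle a client sees in the hardened API.
# token_urlsafe(16) gives 128 random bits, so a neighbour cannot be guessed.
REF_TO_ID = {}
ID_TO_REF = {}
for _mid in MEMBERS:
    _ref = token_urlsafe(16)
    REF_TO_ID[_ref] = _mid
    ID_TO_REF[_mid] = _ref


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def vulnerable_profile(session_member_id: int, url_id: int) -> Member:
    """/profile/<url_id> as the post describes it: the caller is logged in,
    but the record returned is whichever one the URL names. The session id
    is never consulted, so authentication happens without authorization."""
    try:
        return MEMBERS[url_id]
    except KeyError:
        raise NotFound(url_id)


def hardened_profile(session_member_id: int, url_ref: str, is_admin: bool = False) -> Member:
    """Same endpoint with the two changes that close an IDOR:
    1. resolve an opaque reference rather than a counter, so ids can't be walked;
    2. compare the record's owner against the session before returning it."""
    member_id = REF_TO_ID.get(url_ref)
    if member_id is None:
        raise NotFound(url_ref)
    if member_id != session_member_id and not is_admin:
        # A 404 here instead of a 403 would also avoid confirming the ref exists.
        raise Forbidden(url_ref)
    return MEMBERS[member_id]


def enumerate_ids(session_member_id: int, start: int, count: int) -> list:
    """The 'can you count?' attack against the vulnerable endpoint: walk
    sequential ids and collect every other member's e-mail that comes back."""
    leaked = []
    for mid in range(start, start + count):
        try:
            leaked.append(vulnerable_profile(session_member_id, mid).email)
        except NotFound:
            pass
    return leaked


def access_outcome(session_member_id: int, url_ref: str) -> str:
    """Outcome of the same walk against the hardened endpoint, as a label."""
    try:
        hardened_profile(session_member_id, url_ref)
        return "allowed"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


# Constructed access-log excerpt: s1 walks ids, s2 only touches its own record.
ACCESS_LOG = """\
sess=s1 GET /profile/1001 200
sess=s1 GET /profile/1002 200
sess=s1 GET /profile/1003 200
sess=s1 GET /profile/1004 404
sess=s2 GET /profile/1002 200
sess=s2 GET /profile/1002 200
"""
LOG_RE = re.compile(r"sess=(\S+) GET /profile/(\d+) (\d{3})")


def flag_enumeration(log_text: str, threshold: int = 3) -> set:
    """Flag sessions that requested at least `threshold` distinct profile ids.
    A legitimate member touches one id; a counter walk touches many, and
    the 404s on the gaps between valid ids are a further tell."""
    seen = defaultdict(set)
    for m in LOG_RE.finditer(log_text):
        sess, pid, _status = m.groups()
        seen[sess].add(int(pid))
    return {s for s, ids in seen.items() if len(ids) >= threshold}
```

Note that the ownership check alone would have stopped the leak; the opaque reference is defence in depth, so that even a future endpoint that forgets the check is not trivially walkable. The log heuristic is the kind of thing a company that had been listening could have run the day the first report came in.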


Posted on Techdirt - 8 August 2017 @ 11:54am

Months Later, VP Mike Pence Ready To Turn Over Private Emails, Explain What An AOL Account Is

from the as-transparent-as-he's-forced-to-be dept

Months after he left office to become Trump's running mate, former Indiana governor Mike Pence is finally releasing emails from his personal AOL accounts. This sort of thing would normally be reserved for only the wonkiest of public records wonks, but the Trump campaign spent a great deal of time deriding Hillary Clinton for using a personal email account to handle official State Department email.

It's slightly more of a big deal, thanks to Pence's efforts to keep these emails from becoming public. He went to court late last year to protect the content of certain emails from being released. Pence's lawyer actually argued the court had no business telling the governor's office what can and can't be redacted. So much for the idea of checks and balances.

As the result of multiple requests and multiple lawsuits, Pence is now releasing most of what [his lawyer says] is contained in his AOL accounts.

Pence attorney Karoline Jackson said in a recent email to the state's legal counsel that “a complete electronic production of state records" from Pence's time as governor had been delivered to the state as of June 23.

The office of Pence's successor, Gov. Eric Holcomb, said the records consist of state-related emails from two AOL accounts Pence used as governor.

"Our office is now in the process of reviewing the records, and we anticipate being in a position to provide copies of records that are responsive to pending (public record) requests soon," Holcomb spokeswoman Stephanie Wilson said.

So, according to his own spokespeople, Pence will finally be complying with the state's public records law. Not that he didn't try to be a dick about it.

Previously, Pence had only provided some of his AOL emails to the state, and those he did provide were in paper form, making them difficult to search.

Fortunately for those requesting the emails, the new, full batch will come in electronic form, which will greatly assist them in finding the contents they're interested in. According to the WHAS11 report, there are more than 50 open records requests targeting Pence's AOL emails.

While this doc dump will result in far more transparency than Pence is used to, there are still some concerns about what's being withheld. Rather than have his former office review the emails before turning them over to requesters, Pence had his private lawyer take a look at them instead. That's not really the way things are supposed to work for public officials. This will make redactions and withheld documents more difficult to challenge, as there's another layer -- a non-government layer -- of vetting separating requesters from their requested documents.

There's also a good chance whatever's being looked at is incomplete. Public officials who use private email for official business are supposed to forward all work-related emails to government servers for storage. At this point, there appears to be no indication Pence has done that. Instead, a privately-employed lawyer has been picking through what's left in two private AOL accounts and everyone involved is claiming, without supporting evidence, they're living up to the letter and spirit of Indiana's open records laws.


Posted on Techdirt - 8 August 2017 @ 3:25am

Federal Court Strips Immunity From Sheriff Who Tried To Silence A Critic By Having Him Arrested

from the his-own-worst-enemy dept

Late last summer, a Louisiana sheriff decided to use a long-dormant, unconstitutional criminal libel law to track down an online critic and search his home. Not that anyone had really been using the law to criminally charge people for libel, but if you don't take a bad law off the books, sooner or later someone's going to abuse it.

Sheriff Jerry Larpenter was the abuser. A blogger who had problems with the parish's incestuous relationship with its insurance provider -- a firm that employed Sheriff Larpenter's wife -- was the target. Larpenter apparently tired of the blog's well-investigated criticism and found a judge compliant enough to sign a warrant for him. (The sheriff bypassed the on-duty judge and had it signed by the off-duty judge, suggesting he's engaged in more than one inappropriately-cozy relationship with a government entity.) He went to the blogger's house and seized five phones and two computers, one of which belonged to the blogger's children.

The judge who signed the warrant unsurprisingly found the warrant to be valid when challenged by the blogger. A Louisiana appeals court, however, saw things differently. In a unanimous ruling, the three judges declared the warrant to be unconstitutional. The ruling said the criminal defamation law could not possibly apply in this situation, as the target of the alleged libel (Tony Alford -- parish insurance provider and board commissioner) was a public figure.

This opened the door for a civil rights lawsuit against the sheriff. In a decision [PDF] handed down late last month, federal judge Lance M. Africk strips Sheriff Larpenter of his qualified immunity. The first sentence makes it clear just how far out of the bounds of constitutionality Sheriff Larpenter has wandered. (via the Volokh Conspiracy)

Some qualified immunity cases are hard. This case is not one of them.

Sheriff Larpenter tried to make the case about town insurance agent Tony Alford, who he maintained filed the original defamation claim. The court doesn't care for this argument much, for two reasons. First, Alford is indeed privately employed by the insurance company, but he is also the president of the local board of commissioners, and the company he works for provides insurance coverage for Terrebonne Parish. Second, the court points to the Louisiana Appeals Court decision finding the warrant unconstitutional, which directly addresses the issue and finds Tony Alford to be a public figure for the purposes of defamation proceedings.

But that's merely the procedural part of finding out whether Louisiana's outdated criminal libel law could possibly apply. The better stuff comes later in the decision.

The Court concludes that the facts and circumstances known to Sheriff Larpenter at the time that he directed Detective Prestenbach to get the search warrant for the Andersons' home would not have led a prudent person to believe that the items sought by the warrant constituted evidence of a crime, because no prudent person would believe that Jennifer Anderson's statements about President Alford could constitutionally form the basis of a crime. President Alford is a public official, and Jennifer Anderson's statements on Exposedat and the John Turner Facebook profile addressed core concerns about his fitness for public office. The complaint shows that Sheriff Larpenter was aware of the specific content of Jennifer Anderson's statements about President Alford from the very beginnings of the investigation.

[...]

Moreover, the complaint shows that the criminal investigation into Jennifer Anderson's statements did not uncover a scintilla of evidence to suggest that Jennifer Anderson's speech—regardless of its veracity—was made with actual malice. As such, it is not surprising that Detective Prestenbach's affidavit in support of the search warrant lacked any factual allegations to support an assertion of actual malice. In fact, Detective Prestenbach's acknowledgment in the affidavit that Exposedat featured public documents to support the claims made on it suggested just the opposite: even if false, the statements were not made with actual malice.

[...]

As the Louisiana Court of Appeal concluded, Jennifer Anderson's speech "is not a criminally actionable offense"—and any prudent person would have known so. Accepting the factual allegations in the complaint as true and construing them in the light most favorable to the Andersons, Sheriff Larpenter's directive to Detective Prestenbach to obtain a search warrant for the Andersons' home resulted in a violation of the Andersons' Fourth Amendment rights, as the warrant lacked the requisite probable cause.

The sheriff tried to argue he "reasonably relied" on the magistrate's judgment in approving the warrant. This attempt to pluck a "good faith" defense out of a bad faith effort goes nowhere.

The Court notes that Detective Prestenbach's affidavit for the search warrant for the Andersons' home—a warrant he obtained at the direction of Sheriff Larpenter—failed to mention the material fact that President Alford serves as the head of the Terrebonne Parish Levee and Conservation District Board of Commissioners—and hence is a public official. Notwithstanding, a reasonably well-trained officer in Sheriff Larpenter's position would have known that Detective Prestenbach's affidavit would inevitably fail to establish probable cause, because longstanding U.S. Supreme Court and Louisiana Supreme Court case law precluded the application of § 14:47 to Jennifer Anderson's statements. "[A]s an officer charged with enforcing Louisiana law," Sheriff Larpenter "can be presumed to know the law" of Louisiana, including the law's well-established constitutional reach. Rykers v. Alford, 832 F.2d 895, 898 (5th Cir. 1987). More to the point, "[p]olice officers can be expected to have a modicum of knowledge regarding the fundamental rights of citizens." See also Saldana v. Garza, 684 F.2d 1159, 1165 (5th Cir. 1982). In this instance, a judge's issuance and affirmance of the search warrant for the Andersons' home will not shield Sheriff Larpenter from potential civil liability for his conduct.

The sheriff will also have to answer to First Amendment retaliation claims. Larpenter argued the injury suffered by the blogger was minimal, perhaps even nonexistent. Again, the court finds little it likes about the sheriff's spin.

Sheriff Larpenter attempts to minimize Jennifer Anderson's injury as a result of his actions. In his view, because the Andersons got their property back and because the property was never searched by law enforcement—the Andersons' computers and cellphones were impounded and sealed after their seizure while the Andersons challenged the legality of the search warrant—Jennifer Anderson did not suffer an injury sufficient to chill a person of ordinary firmness. However, Sheriff Larpenter is missing the bigger picture: the injury was inflicted at the time of the execution of the search warrant. By searching the Andersons' home and seizing the Andersons' property in the first place, Sheriff Larpenter sent a message to Jennifer Anderson—a message that he also allegedly told a news outlet and broadcast to his community: "If you're gonna lie about me and make it under a fictitious name, I'm gonna come after you." To the Court, that message—if you speak ill of the sheriff of your parish, then the sheriff will direct his law enforcement resources toward forcibly entering your home and taking your belongings under the guise of a criminal investigation—is inseparable from the injury and would certainly chill anyone of ordinary firmness from engaging in similar constitutionally protected speech in the future.

Larpenter now must face this legal action on his own, with no shield between him and the allegations. The facts of the case are pretty damning and Larpenter's best bet now is to find some way to settle before the monetary pain gets worse.

