Mike Masnick’s Techdirt Profile


About Mike Masnick

Techdirt Insider

Mike is the founder and CEO of Floor64 and editor of the Techdirt blog.

He can be found on Twitter at http://www.twitter.com/mmasnick

Posted on Techdirt - 1 September 2015 @ 7:06am

FTC CTO: Full Disk Encryption Is Important In Preventing Crime

from the taking-a-stand dept

While the FBI and NSA continue their campaign to fight against allowing encryption for devices, it's clear that not everyone in the government agrees. It does appear that there's a bit of a fight going on within the administration over where to come down (as President Obama himself admitted), and in a recent blog post, it seems pretty clear where the FTC comes down in this debate. The FTC's CTO, Ashkan Soltani, who has long been a strong user-privacy advocate (and before joining the FTC helped in some of the reporting on the Snowden documents), wrote the blog post celebrating the virtues of full disk encryption and other "end user device controls." It starts out by noting that when he recently lost his own laptop, he wasn't that worried, thanks to the fact that it was encrypted.

Strong end-user privacy and security controls, such as device encryption and firmware passwords, not only protect personal information from unwanted access – they can also make it easier to recover lost or stolen devices as well.

Last month, I had the misfortune of having a personal laptop stolen.

Fortunately for me, while I was a bit bummed about losing my two-year-old laptop, I backup regularly and always enable disk encryption which is an important step to protect the information stored on the hard-disk from unwanted access by criminals, employers, or other actors (with the exception of very sophisticated adversaries).
He notes that this actually allowed him to help track down the device, because whoever ended up with the "useless" laptop tried to bring it to an Apple Genius Bar, which resulted in Soltani receiving an email.
Fast forward to a few weeks later, when I received an email to my personal account notifying me of an upcoming Apple Genius Bar visit. I was initially confused by the email but soon realized that it's probably the thief (or the undiscerning buyer) of my laptop trying to take it into Apple for repair – likely because they’re unable to use it without knowing the firmware password I set.

I immediately began calling local law enforcement and the nearby Apple stores notifying them of the theft and this development. After a few phone calls and the help of a fantastic Sergeant in the Local Crimes Unit of the Sacramento Police department, I was able to coordinate an agreement whereby Apple would notify law enforcement if the new user brought the machine in for repair. After an initial disappointment on account of the suspect skipping his Genius Bar reservation, a representative from Apple Customer Relations notified me that the device was brought into another store and they were coordinating with Sacramento Police Department to return it to me. I’m unclear as to whether they were able to track down the original thief.
And thus, the FTC's CTO makes it clear that full disk encryption has benefits beyond even just keeping your own data safe:
In the end, strong end-user controls like device encryption and firmware passwords not only protect sensitive info stored on the device, they also prevent criminals from utilizing stolen property. The more devices feature strong end-user controls, the less likely thieves can profit from their theft on the open market.
Given that the FBI is supposed to be interested in preventing crime, you'd think James Comey would support that kind of thing...


Posted on Techdirt - 31 August 2015 @ 1:55pm

As India Goes After Google, A Simple Question: Do You Really Want Governments Deciding Search Results?

from the just-asking dept

Earlier this year, European antitrust authorities went after Google (hours after EU officials announced plans to harm American internet companies to "help" local internet companies). Google just last week responded to the initial claims, saying that "improving quality isn't anti-competitive." Of course, the more detailed response is still private, so we don't know the full extent of what's being discussed. And, now, it appears that India is going after Google based on similar charges, claiming that it somehow leverages its position either by rigging search results or by putting its own services ahead of competitors, above the search results.

Based on the responses from 30 businesses spanning search, social networks, ecommerce, travel and content sites, the CCI director-general last week filed a report that accuses Google of abusing its dominant position to rig search outcomes, both the actual search result as well as sponsored links. This marks the first case globally where an antitrust body is formally raising such charges against Google.
It's a bit surprising to see Facebook apparently take part in this effort, because it can't be long until it's receiving similar scrutiny around the globe for its position in the social networking space. The article is a bit confusing, but from it, there seems to be a mishmash of different accusations, some of which are more nutty than others. The key one -- which is at the heart of the claims in the US and in Europe -- is that for certain searches, Google puts its own services first, before the "organic" search results. So, for example, if you do a search on something local, it would show you Google's local information (built on top of Zagat's info) rather than a competing rating service. Or, it may highlight Google Maps over some competitor.

At least one company, Flipkart, appears to claim that its own "organic" search results depend on how much the company spends on buying ads on the site. Companies make this claim all the time and there has never been the slightest bit of evidence to support those claims. If any such evidence comes out, then that would be a serious issue, and Google should have to answer for it. However, given how frequently it's been shown to be baseless, it seems unlikely that Google is actually polluting its organic search results based on a company's advertising plans (in fact, Google has made it pretty clear that the folks who handle the search algorithm have absolutely no insight into the advertising side of the business).

The claims about Google promoting its own services (maps, local, flights, finance, etc.) over competitors still seem like weird ones. Promoting those so-called "one box" results is (as the company has claimed) providing more useful services. You can see why other companies may get upset about it, but is there any actual consumer harm? That seems a lot harder to find.

The only argument I've seen that makes any sense at all in all of these accusations is that Google could present better results in its onebox area if it made use of its own internal algorithm (which conceivably could determine that another company's services rank better than Google's). But as we've said in the past about that exact suggestion: even if Google should make that change, is it really the government's job to determine what is "the best" way to present search results?

I have a lot of difficulty believing that bureaucrats in either Brussels or Mumbai are somehow going to have a better idea how to provide the best possible search results for consumers, than the folks at Google who spend all their time working on these issues. Instead, this seems like companies who are upset that they don't rank well enough in Google complaining, because Google is big. If Google is actually shown to be doing something that actively harms consumers, that's one thing. But all of these complaints still seem to rest on companies (not consumers) bitching that they don't like how high they rank in Google. Well guess what? I don't like how Techdirt ranks in Google either, but I don't go running to the government to complain about it.


Posted on Techdirt - 31 August 2015 @ 12:45pm

Moral Panics And How 'The Kids These Days' Adapt: From Facebook 'Permanence' To Snapchat's 'Impermanence'

from the things-change,-people-adapt dept

It is funny to see how some people react to technology changes, almost always assuming that "new" is somehow bad, because it's different. Looking back through historical examples, they often look pretty funny. Last year, we wrote about an old moral panic in the NY Times from 1878 about two Thomas Edison inventions, the phonograph and the aerophone (basically a broadcasting system for the phonograph). It's somewhat hilarious to read these days:

Recently he invented the phonograph, a machine that catches the lightest whisper of conversation and stores it up, so that at any future time it can be brought out, to the confusion of the original speaker. This machine will eventually destroy all confidence between man and man, and render more dangerous than ever woman's want of confidence in woman. No man can feel sure that wherever he may be there is not a concealed phonograph remorseless gathering up his remarks and ready to reproduce them at some future date. Who will be willing, even in the bosom of his family, to express any but most innocuous and colorless views and what woman when calling on a female friend, and waiting for the latter to make her appearance in the drawing-room, will dare to express her opinion of the wretched taste displayed in the furniture, or the hideous appearance of the family photographs? In the days of persecution and it was said, though with poetical exaggeration, that the walls had ears.

Thanks to Mr. Edison's perverted ingenuity, this has not only become a literal truth, but every shelf, closet, or floor may now have its concealed phonographic ears. No young man will venture to carry on a private conversation with a young lady, lest he should be filling a secret phonograph with evidence that, in a breach of promise suit, would secure an immediate verdict against him, and our very small-boys will fear to express themselves with childish freedom, lest the phonograph should report them as having used the name of "gosh," or as having to "bust the snoot" of the long-suffering governess.
Beware! And, just a few days ago, someone on Twitter (I fear I can't find the tweet now) pointed me to this story from last year in the Atlantic, highlighting a similar moral panic in the NY Times, twenty years earlier, about this horrible device known as the telegraph. You see, it spreads information so quickly, we'll barely have time to think:
"Superficial, sudden, unsifted, too fast for the truth, must be all telegraphic intelligence. Does it not render the popular mind too fast for the truth? Ten days bring us the mails from Europe. What need is there for the scraps of news in ten minutes? How trivial and paltry is the telegraphic column?"
And, of course, things are little different today when it comes to new technologies. In fact, you could take the quotes above from the 19th Century NY Times and with very few changes, likely have them apply to modern internet services and social media -- and they would be little different from some of the stories that you do see in the press today.

And, just as was true of those two stories above, it turns out that the fearmongering is way off base, and the ability of people to adapt and change grows. Take the fears over Facebook, for example. Just five years ago, in 2010, the NY Times Magazine warned us all about the perils of the internet remembering everything we've ever done, and how you'll never be able to rid yourself of such a "permanent record." It discusses previous moral panics about the privacy impacts of certain technologies, but then pulls out the "but this time, it's different" card.
Technological advances, of course, have often presented new threats to privacy. In 1890, in perhaps the most famous article on privacy ever written, Samuel Warren and Louis Brandeis complained that because of new technology — like the Kodak camera and the tabloid press — “gossip is no longer the resource of the idle and of the vicious but has become a trade.” But the mild society gossip of the Gilded Age pales before the volume of revelations contained in the photos, video and chatter on social-media sites and elsewhere across the Internet. Facebook, which surpassed MySpace in 2008 as the largest social-networking site, now has nearly 500 million members, or 22 percent of all Internet users, who spend more than 500 billion minutes a month on the site. Facebook users share more than 25 billion pieces of content each month (including news stories, blog posts and photos), and the average user creates 70 pieces of content a month. There are more than 100 million registered Twitter users, and the Library of Congress recently announced that it will be acquiring — and permanently storing — the entire archive of public Twitter posts since 2006.
The author, Jeffrey Rosen, declares this a "collective identity crisis":
As social-networking sites expanded, it was no longer quite so easy to have segmented identities: now that so many people use a single platform to post constant status updates and photos about their private and public activities, the idea of a home self, a work self, a family self and a high-school-friends self has become increasingly untenable. In fact, the attempt to maintain different selves often arouses suspicion. Moreover, far from giving us a new sense of control over the face we present to the world, the Internet is shackling us to everything that we have ever said, or that anyone has said about us, making the possibility of digital self-reinvention seem like an ideal from a distant era.

Concern about these developments has intensified this year, as Facebook took steps to make the digital profiles of its users generally more public than private. Last December, the company announced that parts of user profiles that had previously been private — including every user’s friends, relationship status and family relations — would become public and accessible to other users. Then in April, Facebook introduced an interactive system called Open Graph that can share your profile information and friends with the Facebook partner sites you visit.
There are plenty more stories like this. Stories about how difficult it will be for the "Facebook generation" to run for office, given that all their childish antics will be online. Or stories about how people are living too much through their Facebook feeds, rather than just experiencing life.

And yet... people have a way of adapting. Venture capitalist Adam Besvinick recently noticed that, in talking to recent college grads, they actually were having the opposite experience of what everyone was fretting about just a few years ago. And that's because they all started using Snapchat rather than Facebook for such things:
He later notes that some of those grads are now regretting that they don't have much tangible to hold onto about those memories. And, yes, as I'm sure someone is rushing to point out in the comments, Snapchat's "disappearing" images and videos don't really disappear, and they can be (and often are) saved. But many are not. And they go away. And, yes, that's kind of like things were in the past, when people just experienced things, rather than share them all.

But it's important to note that everything adapts. Kids adapt. New services adapt. Societal norms and culture adapt. And things don't turn into some dystopian nightmare that some worry about.

So many people look at these new services and react with outrage because they're different, and because they're different and will create different kinds of experiences, they must be bad. But history has shown that people are pretty damn resilient, and are pretty good at figuring out how to do things in a way that best suits them. And some will fail. And some will make mistakes. But it's hardly a crisis deserving of a moral panic. These things seem to take care of themselves pretty well -- and then people start worrying about the opposite (e.g. not enough permanence) as compared to the original moral panic (e.g. too much permanence).


Posted on Techdirt - 31 August 2015 @ 9:32am

Sony Pictures, Which Hyped Up 'Harm' Of Hack, Now Tells Court No Harm Done To Employees

from the thread-that-needle,-sony... dept

In the wake of the Sony Pictures hack, the company went somewhat ballistic in trying to describe just how "harmful" the hack was. It brought on famed lawyer David Boies to threaten anyone who published any information from the hack, claiming that it was a violation of the First Amendment (yes, it told the media that publishing news was a violation of the First Amendment). The company also (ridiculously) threatened to sue Twitter, claiming that Twitter would be held "responsible for any damage or loss arising from such use or dissemination by Twitter." Throughout it all, Sony kept arguing that this hack was a complete disaster and incredibly harmful.

However, now, in court, Sony is suddenly forced to tap dance around those claims and argue that there has been no harm at all done to the employees of the company, who have filed a class action lawsuit against Sony Pictures for failing to protect their data. In a filing first highlighted by Eriq Gardner at The Hollywood Reporter, Sony Pictures insists that basically there has been no harm whatsoever and mocks the employees who say otherwise, noting that their "PII" (Personally Identifiable Information) disclosed was not particularly private in the first place.

Plaintiffs’ experiences in the wake of the cyberattack are entirely consistent with the empirical consensus just discussed. To start, the PII disclosed for each Plaintiff varies widely.... For example, Mathis asserts only that her name, SSN, and former (not current) home address were disclosed.... (Even on that score, she appears to be wrong. Plaintiffs cite no evidence that her SSN was disclosed. The sole document they cite... has the SSN of a different Mathis.) For his part, Forster believes an array of his PII was disclosed, including his SSN and birthday, as well as outdated bank information, an invalid driver’s license, and former medical insurance information (which he admits are “useless” or “worthless”)....

What is more, some Plaintiffs maintain active online presences, which means that much of the PII they claim was disclosed in the cyberattack already had voluntarily been made available online. For example, while Forster complains that his title, place of work, and dates on which he joined and left SPE were disclosed, he acknowledges that he had posted that information to LinkedIn and thus could not be harmed by its disclosure.... Levine likewise admits that he has “put a lot of [his] life online.” ... For him and others, a wide range of PII was available online prior to the attack.
The other line of defense? If there is any harm, who can really say that it actually came from the Sony hack, rather than any other recent hack?
Plaintiffs (and, undoubtedly, unnamed classmembers) have been exposed to multiple breaches and incidents of identity theft involving various permutations of their PII.... To prove that any injury—or even risk of future injury—is attributable to the cyberattack, each classmember would have to show that this cyberattack, and not another event, caused any incident of identity fraud.
The other problem is that the only actual loss that any of the plaintiffs show right now was an unauthorized purchase on a credit card, but, as the filing points out, this employee was fully reimbursed (i.e., no loss) and it's also not at all clear that it happened because of the Sony hack.
Similarly, while Corona claims that somebody made an unauthorized purchase using his credit card after the cyberattack on SPE (for which he was fully reimbursed), he acknowledges that he also had unauthorized purchases on his credit card before the cyberattack, and that he could only “guess” at the connection, if any, between the more recent unauthorized purchase and the cyberattack.
To be honest, Sony's argument here is pretty strong. Courts have pretty consistently rejected class action lawsuits over data breaches when there are no actual losses, or where the losses are purely theoretical. It seems very likely that the former Sony employees here are going to lose.

But... it does seem rather amusing to see Sony -- which went on and on and on about all the "damage" the leak was going to cause -- now have to argue that its own employees experienced no harm at all...


Posted on Techdirt - 31 August 2015 @ 8:13am

Official Portrait For Pope's US Visit... Being Investigated For Copyright Infringement

from the the-holy-copyright-infringement dept

The previous pope, Benedict XVI, made some waves a few years ago by suggesting that intellectual property had gone too far, saying:

On the part of rich countries there is excessive zeal for protecting knowledge through an unduly rigid assertion of the right to intellectual property...
The current Pope may now be at the center of a copyright dispute as well. Apparently, Pope Francis is heading to the US in a few weeks. And, as a part of this, apparently someone asked Philadelphia pop artist Perry Milou to create an "official" portrait of the Pope for his tour. And he did:
As a story at Buzzfeed notes, that portrait is on nearly everything related to the Pope's official visit to Philadelphia. It's on the website of the group organizing the visit:
And it's being sold on all sorts of merchandise:
You can even buy the original painting, if you have $1 million to spare:
There's... uh... just one problem. Getty Images claims that the portrait is based on a photo that it holds the rights to, taken by Italian photographer Franco Origlia. You can see that photo here:
And the two images side by side:
And, yup, it seems pretty clear that Milou found that image and made his painting based on that.

And most normal people would agree that this should be perfectly fine. Creating the painting is absolutely transformative. It doesn't take away from the rights of the original photograph and certainly is not a replacement for the original photograph and might even make the original photograph more recognizable and more in demand.

But, we live in the real world where copyright extremists freak out about just about anything. And Getty, for one, has a reputation as quite the copyright troll.

And, tragically, Getty is probably remembering what happened the last time a well-known "pop artist" created a big recognizable portrait of someone based on a photograph held by a news agency: the infamous Shepard Fairey/Obama Hope poster, that was based on a photo by photographer Manny Garcia, but where the Associated Press held the copyright:
In that case, even though many believe that Fairey had a really strong fair use claim, Fairey himself fucked it up by destroying evidence and lying, pretending that he had used a different photograph as the base. This was a really bad decision, because it poisoned the waters for a nice fair use defense, and got Fairey in deeper hot water. And, eventually that case was just settled.

One hopes that, should Getty go legal, Milou doesn't follow Fairey's lead, and actually mounts a strong fair use defense. One would think that, at the very least, he'd have the Pope on his side, and that can't hurt.

Of course, given the ridiculous freakouts about these people daring to paint portraits based on news photographs, we're still wondering why no one ever threatened to sue former President George W. Bush for his paintings of famous world leaders that were also based on Google Image search results. Remember this masterpiece by the former President painting Russian leader Vladimir Putin based on the first result in Google Images at the time?
Somehow, no one decided to sue President Bush...


Posted on Techdirt - 28 August 2015 @ 7:39pm

Popehat v. James Woods SLAPP-down Match; Coming Soon To A Court Near You

from the can-i-get-front-row-seats? dept

A month ago, we wrote about actor James Woods bizarrely suing a trollish Twitter user who had been mocking Woods on the site. The whole lawsuit seemed ridiculous. The specific tweet that sent Woods over the edge was this anonymous user (who went by the name "Abe List") saying "cocaine addict James Woods still sniffing and spouting." Soon after our post on the subject, Ken "Popehat" White posted an even better takedown entitled James Woods Punches the Muppet. That post has now been updated with a brief note that White has now been retained to defend the anonymous Twitter user. And, if that gets you excited for what to expect in the legal filings, well, you don't have to wait. As first reported by Eriq Gardner at the Hollywood Reporter, White has filed the John Doe's opposition to Woods' attempt to unmask the guy. And it's worth reading.

Problem number one with Woods' suit is laid out right at the beginning of the filing, which is that Woods himself has a habit of accusing others of using illegal drugs as well, just as Abe List did:

The filing shows other tweets from Woods that have similar words that Woods complained about Abe List using, such as "clown" and "scum." As the filing notes, it appears Woods thinks that he can use those insults towards others, but if anyone uses them towards him, it's somehow defamatory.
Plaintiff, an internationally known actor, is active on Twitter, a social media platform. There he is known for engaging in rough-and-tumble political debate. Plaintiff routinely employs insults like “clown” and “scum,” and even accuses others of drug use as a rhetorical trope....
But Plaintiff apparently believes that while he can say that sort of thing to others, others cannot say it to him. He has sued Mr. Doe for a derisive tweet referring to him as “cocaine addict James Woods still sniffing and spouting” in the course of political back-and-forth.... He also complains, at length, that Mr. Doe has called him things like a “clown” and “scum.” Naturally, Plaintiff has himself called others “clown” or “scum” on Twitter.
The filing, quite reasonably, notes that these kinds of hyperbolic claims cannot be seen as defamatory, and since there's no legitimate claim here, there is no reason to do expedited discovery or to unmask Abe List, who is entitled to have his identity protected under the First Amendment.

Oh, and, not surprisingly, White will be filing an anti-SLAPP motion shortly, which may mean that Woods is going to have to pay for this mess that he caused.

The filing also notes that while Woods sent a subpoena to Twitter to try to seek Abe List's identity, the company turned it down as deficient. The full two page letter is in the filing below as Exhibit B, but a quick snippet on the First Amendment concerns:
Meanwhile, Woods has already filed a response in which he is still seeking to uncover the name of Abe List, and which repeats more ridiculous claims about the whole thing, starting off with the simply false claim that the original "cocaine addict" tweet was likely seen by "hundreds of thousands" of Woods' followers. That's wrong. They would only see it if they followed both Woods and the Abe List account, which very few did.

The filing, somewhat hilariously, claims that calling someone "a joke," "ridiculous," "scum" and "clown-boy" are not protected by the First Amendment. Which makes me wonder what law school Woods' lawyers went to. Because that's just wrong:
AL's outrageous claim appears to be the culmination of a malicious on-line campaign by AL to discredit and damage Woods' reputation, a campaign which began as early as December 2014. In the past, AL has referred to Woods with such derogatory terms as a "joke," "ridiculous," "scum" and "clown-boy." ... Although AL's rantings against Woods began with childish name calling, it has escalated beyond the protections of free speech, i.e., the First Amendment does not permit anyone to falsely represent to the public that another person is addicted to an illegal narcotic.
Um... but Woods himself did exactly that (see above). It's standard hyperbolic speech, which is clearly not defamatory especially when mocking a public figure like Woods who has a history of using the same sort of hyperbolic insults on Twitter. Even more ridiculously, Woods' lawyers claim that by saying that the statement was a joke, that's Abe List admitting that he knew it was a false statement. I can't see that argument flying. I can see it backfiring big time once the anti-SLAPP motion is made.

So, what about those similar tweets made by Woods himself? His lawyers tell the court to ignore those piddly things.
... to the extent AL or TG attempt to argue that the Court should consider other statements on their Twitter accounts, or any previous tweets by Mr. Woods, the argument is a red herring. First, there is no reason any of Mr. Woods' followers, all of whom were exposed to the defamatory statements, would even bother to investigate the speakers and/or their Twitter sites to determine if they were reliable sources. As to Mr. Woods, we are not aware of any false statements of fact made by Mr. Woods and his sometimes sharp commentary on political matters is irrelevant to the allegations here.
Except, uh, again, Woods suggested someone smoked crack, just like Abe List joked that Woods was a cocaine addict. And, again, Woods and his lawyers are just wrong that all of Woods' followers would have seen Abe List's tweets. They're just factually wrong.

You never know how courts will rule in any particular case, no matter how ridiculous, but I have a hard time seeing how Woods gets out of this without having to pay two sets of lawyers -- his own and Ken White -- for filing a clearly bogus defamation case designed to shut up (and identify) an anonymous Twitter critic. No matter what, James Woods may not be a cocaine addict, but he has made it clear that he can dish it out but can't take it back when people make fun of him. What a clown.


Posted on Techdirt - 28 August 2015 @ 3:23pm

Universal Music Has No Sense Of Humor, Takes Down Hilarious Twitter Profile Pun Parody Of Nirvana Song

from the get-over-yourself-UMG dept

Earlier today Techdirt writer Tim Geigner pointed me to a YouTube video that used Twitter user names to create a punnish version of the 80s hit "Tainted Love" retitled Tweeted Love. It's pretty amusing:

In checking out the YouTube account of the guy who created it, Jim Mortleman, a more recent video posted just a few days ago popped up, entitled Nerdpunna - Smells Like Tweet Spirit. This was the same style video, using Twitter usernames to create an absolutely hilarious version of the famous Nirvana song. It was so well done (perhaps because Kurt Cobain's lyrics are so unintelligible) that I couldn't believe it had only around 2,000 views. So I tweeted it, joking that people should check it out before it got taken down.
A bunch of people started retweeting and linking to it, with many of them commenting on how great the video was or how funny it was. Even people who aren't Nirvana fans were talking about it. A few examples:
And there were many more like that. In short: the damn thing is really funny and super well done. After realizing that his video was suddenly getting an influx of traffic, the creator of it, Jim Mortleman (who says that the videos are actually a group project in finding the profiles, which he then puts together in the video) tweeted me that he was pretty sure he was safe because he'd been alerted that UMG was "monetizing" his video -- which is one of the options in YouTube for copyright holders if they want to make money on someone using their work, rather than taking it down.
From his YouTube screen, it actually showed that Universal Music had blocked the video in one country while monetizing it elsewhere:
However, just a few hours later, as the video started getting more and more attention, views and tweets... apparently Universal changed its mind -- and if you now visit the page, this is what you see:
Mortleman says that within YouTube it's now officially blocked in all countries. This is a ContentID match, rather than a direct takedown, though the company clearly made the decision to switch it from monetizing it to taking it down -- so someone made a decision.

And it's a hellishly stupid decision. The video was fantastic and didn't take anything away from the song. It certainly wasn't a replacement for the song and, if anything, was likely to draw a lot more interest to the song and remind people of its existence. I'm not a huge fan of the song, but have been humming it to myself all afternoon because of that video (which I ended up watching a few times).

Also, this seems like a pretty clear case of fair use -- though I imagine some will disagree. The hilarious use of Twitter user names to create alternative lyrics to the song is quite transformative. No one was watching this video as a replacement for the original song, but because the video itself sort of celebrated the song with alternative lyrics made up entirely of Twitter profile names where "Here we are now, entertain us" became "Huey Long Gnarl Emma Talus" (if you haven't seen the actual video... it's much funnier in the way it was presented). And now it's all gone and you can't see it.

All because of copyright law and UMG's total lack of a sense of humor.

Even if you think the fair use case is bunk and that the video is infringing and UMG is totally, 100% in the right to do what it did, I'm curious how this helps UMG in any way, shape or form. It doesn't help them get any more money, and it just makes people pissed off. How is that a smart business decision?

Update: Jim has now posted a silent version of the video so you can see what it looks like, though it's really not the same effect (though you can try to line up the audio with it to try to replicate the effect):


Posted on Techdirt - 28 August 2015 @ 2:32pm

American Teen Gets 11 Year Sentence For Pro-ISIS Tweets That Taught People How To Use Bitcoin

from the really,-now? dept

Earlier this summer, the DOJ proudly announced that a Virginia teenager, Ali Shukri Amin, had taken a plea deal for "providing material support to ISIL" (the terrorist organization that everyone outside of the US government calls ISIS). This is back in the news now that Amin has been sentenced to 11 years in prison. Let's get this out of the way: ISIS is clearly a horrific and dangerous organization. But does what Amin did really deserve 11 years in prison? The details of the case against him also seem to raise some serious First Amendment questions about what counts as "material support."

First: the one area where Amin's actions do seem fairly questionable is when he helped another Virginia teen travel to Syria, apparently to join ISIS. That part definitely seems like it stepped over the legal line. But, the rest of the charges against him seem... like a teenager using Twitter and other social media to discuss stuff he's interested in. Amin ran a Twitter account called @AmreekiWitness, which had about 4,000 followers. He tweeted pro-ISIS propaganda, but that still seems to be a form of protected speech, last I checked. And, his big "crime" appears to be linking to an article about why ISIS supporters should use Bitcoin.

The following are examples of the defendant's use of Twitter in furtherance of his conspiracy to provide material support to ISIL:
On or about July 7, 2014, using the @AmreekiWitness account, the defendant tweeted a link to an article he authored entitled "Bitcoin wa' Sadaqat al-Jihad" (Bitcoin and the Charity of Jihad). The link transferred the user to the defendant's blog, where the article was posted. The article discussed how to use bitcoins and how jihadists could utilize this currency to fund their efforts. The article explained what bitcoins were, how the bitcoin system worked and suggested using Dark Wallet, a new bitcoin wallet, which keeps the user of bitcoins anonymous. The article included statements on how to set up an anonymous donations system to send money, using bitcoin, to the mujahedeen.

On approximately August 1, 2014, the defendant showed support for ISIL and his desire to help garner financial support for those wanting to commit jihad. Through @AmreekiWitness the defendant discussed methods to provide financial support for those wanting to commit jihad and for those individuals trying to travel overseas.

On approximately August 19, 2014, the defendant showed support for ISIL and desire to support ISIL. The defendant tweeted that the khilafah needed an official website "ASAP," and that ISIL could not continue to release media "in the wild" or use "JustPaste." Through various tweets, the defendant provided information on how to prevent the website from being taken down, by adding security and defenses, and he solicited others via Twitter to assist on the development of the website.
The defendant also operated an Amreeki Witness page on the website ask.fm. The defendant used these accounts extensively as a platform to proselytize his radical Islamic ideology, justify and defend ISIL's violent practices, and to provide advice on topics such as jihadists travel to fight with ISIL, online security measures, and about how to use Bitcoin to finance themselves without creating evidence of crime, among other matters.

The defendant also created the pro-ISIL blog entitled, "Al-Khilafah Aridat." On this blog, the defendant authored a series of highly-technical articles targeted at aspiring jihadists and ISIL supporters detailing the use of security measures in online communications to include use of encryption and anonymity software, tools and techniques, as well as the use of the virtual currency Bitcoin as a means to anonymously fund ISIL.
Tweeting about Bitcoin and saying that ISIS needs a website is a crime? One that deserves over a decade in jail? Obviously, aiding ISIS in any way is incredibly stupid, but it seems like a pretty slippery slope to argue that teaching people how to use Bitcoin or saying that ISIS needs a website rises to the level of "material support for ISIS" by itself. It seems like such a definition could put many, many people at risk. If you disagree with US policy for dealing with ISIS and say so -- at what point does it cross over the line? It seems way too easy to twist this into criminalizing dissent, rather than actually supporting a designated terrorist organization.

I'm all for coming up with ways to stop the spread of ISIS, and to prevent further attacks by the group. But jailing an American teenager over his tweets seems... excessive.


Posted on Techdirt - 28 August 2015 @ 10:43am

Appeals Court Strikes Down Ruling Finding NSA Phone Records Collection Unconstitutional

from the well-that's-too-bad dept

Back in December of 2013, Judge Richard Leon of the DC district court ruled that the NSA's bulk metadata collection under Section 215 of the PATRIOT Act was unconstitutional and issued an injunction against it (though, recognizing the inevitable appeal, Judge Leon stayed the injunction). This was in the case brought by Larry Klayman and FreedomWorks.

Leon's ruling was detailed and thorough... but the DC circuit appeals court has overturned it and sent it back to the lower court, focusing mainly on the "standing" question that has been raised in basically every case against NSA surveillance. In short, the government says "if you can't prove that we spied on you directly, then you can't sue us over our spying on everyone generally." That seems sketchy for all sorts of reasons, and Judge Leon, in his original ruling pointed out how ridiculous it was, mocking the government's reliance on the Supreme Court ruling in "Clapper" (a case against James Clapper) where the Supreme Court basically agreed that you needed more evidence to show you had standing. Of course, that ruling only happened after the US Solicitor General lied to the Supreme Court about how defendants arrested using such data would be told how it was collected. Besides, here, Judge Leon noted, there was plenty of evidence that everyone's information was being collected.

Straining mightily to find a reason that plaintiffs nonetheless lack standing to challenge the metadata collection, the Government argues that Judge Vinson's order names only Verizon Business Network Services ("VBNS") as the recipient of the order, whereas plaintiffs claim to be Verizon Wireless subscribers. The Government obviously wants me to infer that the NSA may not have collected records from Verizon Wireless (or perhaps any other non-VBNS entity, such as AT&T and Sprint). Curiously, the Government makes this argument at the same time it is describing in its pleadings a bulk metadata collection program that can function only because it "creates an historical repository that permits retrospective analysis of terrorist-related communications across multiple telecommunications networks, and that can be immediately accessed as new terrorist-associated telephone identifiers come to light."

[....] Put simply, the Government wants it both ways. Virtually all of the Government's briefs and arguments to this Court explain how the Government has acted in good faith to create a comprehensive metadata database that serves as a potentially valuable tool in combating terrorism--in which case the NSA must have collected metadata from Verizon Wireless, the single largest wireless carrier in the United States, as well as AT&T and Sprint, the second and third-largest carriers.... Yet in one footnote, the Government asks me to find that plaintiffs lack standing based on the theoretical possibility that the NSA has collected a universe of metadata so incomplete that the program could not possibly serve its putative function. Candor of this type defies common sense and does not inspire confidence!
But, the appeals court just doesn't buy it. From the opinion by Judge Janice Brown:
The record, as it stands in the very early stages of this litigation, leaves some doubt about whether plaintiffs’ own metadata was ever collected. Plaintiffs’ central allegation is that defendants “violated the Fourth Amendment to the U.S. Constitution when they unreasonably searched and seized and continue to search Plaintiffs’ phone records . . . without reasonable suspicion or probable cause.” ... Plaintiffs have supported this claim with specific facts, notably: (1) The NSA operates a bulk telephony-metadata collection program; and (2) on April 25, 2013, the FISC issued an order requiring Verizon Business Network Services to produce its subscribers’ call detail records to the NSA on a daily basis from April 25, 2013 to July 19, 2013. However, plaintiffs are Verizon Wireless subscribers and not Verizon Business Network Services subscribers. Thus, the facts marshaled by plaintiffs do not fully establish that their own metadata was ever collected.
Judge Brown admits that Judge Leon explains why the government's own statements make it clear that its metadata collection goes beyond just Verizon Business Network Services, but doesn't think it's enough evidence. She also highlights how there is at least some more substantial evidence than in the Clapper/Amnesty International case that the Supreme Court ruled on, but still doesn't find it enough:
However, the burden on plaintiffs seeking a preliminary injunction is high. Plaintiffs must establish a “substantial likelihood of success on the merits.” ... Although one could reasonably infer from the evidence presented the government collected plaintiffs’ own metadata, one could also conclude the opposite. Having barely fulfilled the requirements for standing at this threshold stage, Plaintiffs fall short of meeting the higher burden of proof required for a preliminary injunction.
Instead, Judge Brown says that the lower court could try to determine if it's appropriate for Klayman/Freedomworks to be allowed to conduct discovery with the government to obtain more evidence that his phone record info was collected -- while admitting that's unlikely because "secret program" and all that.
On remand it is for the district court to determine whether limited discovery to explore jurisdictional facts is appropriate.... Of course, I recognize that, in order for additional discovery to be meaningful, one of the obstacles plaintiffs must surmount is the government’s unwillingness to make public a secret program.... It is entirely possible that, even if plaintiffs are granted discovery, the government may refuse to provide information (if any exists) that would further plaintiffs’ case. Plaintiffs’ claims may well founder in that event. But such is the nature of the government’s privileged control over certain classes of information. Plaintiffs must realize that secrecy is yet another form of regulation, prescribing not “what the citizen may do” but instead “what the citizen may know.”... Regulations of this sort may frustrate the inquisitive citizen but that does not make them illegal or illegitimate. Excessive secrecy limits needed criticism and debate. Effective secrecy ensures the perpetuation of our institutions. In any event, our opinions do not comment on the propriety of whatever privileges the government may have occasion to assert.
Got that? Excessive government secrecy sucks, but, hey, what can you do?

In a separate ruling, Judge Stephen Williams also says there's no standing, giving even more deference to the Supreme Court's ruling in the Clapper/Amnesty International case. While at least Judge Brown was willing to distinguish the two, Judge Williams sees no such distinction:
Here, the plaintiffs’ case for standing is similar to that rejected in Clapper. They offer nothing parallel to the Clapper plaintiffs’ evidence that the government had previously targeted them or someone they were communicating with (No. 3 above). And their assertion that NSA’s collection must be comprehensive in order for the program to be most effective is no stronger than the Clapper plaintiffs’ assertions regarding the government’s motive and capacity to target their communications
In fact, Judge Williams takes the odd position of adding in possible reasons why the NSA might not be collecting everyone's metadata to show why such an inference is unfounded:
The strength of plaintiffs’ inference from the government’s interest in having an effective program rests on an assumption that the NSA prioritizes effectiveness over all other values. In fact, there are various competing interests that may constrain the government’s pursuit of effective surveillance. Plaintiffs’ inference fails to account for the possibility that legal constraints, technical challenges, budget limitations, or other interests prevented NSA from collecting metadata from Verizon Wireless. Many government programs (even ones associated with national defense) seem to be calibrated or constrained by collateral concerns not directly related to the program’s stated objectives, such as funding deficiencies, bureaucratic inertia, poor leadership, and diversion to non-defense interests of resources nominally dedicated to defense. It is possible that such factors have operated to hamper the breadth of the NSA’s collection.
Basically, we can't assume that Verizon Wireless metadata was collected because, you know, maybe it wasn't. Maybe "bureaucratic inertia" meant the NSA really didn't care about Verizon Wireless. Who can really say?

The only "dissent" on the three judge panel comes from Judge David Sentelle, who says he basically agrees with absolutely everything Judge Williams says except for the idea that the case should be remanded to the district court for further discovery, saying the entire case should be dismissed outright.
Plaintiffs have not demonstrated that they suffer injury from the government’s collection of records. They have certainly not shown an “injury in fact” that is “actual or imminent, not conjectural or hypothetical.” ... I agree with the conclusion of my colleagues that plaintiffs have not shown themselves entitled to the preliminary injunction granted by the district court. However, we should not make that our judicial pronouncement, since we do not have jurisdiction to make any determination in the cause. I therefore would vacate the preliminary injunction as having been granted without jurisdiction by the district court, and I would remand the case, not for further proceedings, but for dismissal.


Without standing there is no jurisdiction. Without jurisdiction we cannot act.... Therefore, I agree with my colleagues that the issuance of the preliminary injunction was an ultra vires act by the district court and must be vacated. However, I believe we can do no more. I would remand the case for dismissal, not further proceedings.
So... that's not great. However, it also creates a pretty clear circuit split between the DC Circuit and the 2nd Circuit, which you may recall ruled that the ACLU and others had standing in a similar lawsuit. Given this clear circuit split, perhaps the Supreme Court can actually be persuaded to take up the case and fix the mistake it made in the Clapper case a couple years ago...


Posted on Techdirt - 28 August 2015 @ 9:33am

UK Music Collection Society PRS Sues SoundCloud

from the and-so-it-begins dept

There have been rumors for months that various elements of the legacy recording industry were gearing up to sue SoundCloud, the super popular and useful audio hosting site (we use it to host the Techdirt Podcast). In the last year or so, SoundCloud has been ramping up its efforts to appear super responsive to takedown requests, leading to ridiculous situations including the takedowns of public domain material, or of officially uploaded material. The company has also been completely ridiculous about fair use, telling users that it doesn't recognize it, since it's only a US concept.

As always, it appears that appeasing copyright extremists never gets you very far in the long run. The rumors for months are that, as with pretty much every other successful internet music-related service, the legacy players come asking for huge chunks of equity if you don't want to get sued. They basically demand companies bleed themselves dry, or be forced to be bled dry by a lawsuit. And now the lawsuits are starting. First up is not actually a record label, but PRS, the rather infamous UK music collection society that just recently told its members that it was keeping more of the money it collected, in order to funnel it into lawsuits. This is the same PRS that is so desperate to collect more money that it has gone after a woman who played music to her horses, a woman who sang to herself while stocking grocery store shelves and against a charity for daring to have children sing Christmas carols without paying up.

That lovely organization is now suing SoundCloud:

Our aim is always to license services when they use our members’ music. It has been a difficult decision to begin legal action against SoundCloud but one we firmly believe is in the best, long-term interests of our membership. This is because it is important we establish the principle that a licence is required when services make available music to users. We have asked SoundCloud numerous times to recognise their responsibilities to take a licence to stop the infringement of our members’ copyrights but so far our requests have not been met. Therefore we now have no choice but to pursue the issue through the courts.
PRS itself notes that SoundCloud is arguing that its service in the UK is protected by EU safe harbors as a host of content, rather than the publisher, but PRS isn't buying it. SoundCloud, in its response, notes that this follows a pattern of the recording industry to sue internet services as a negotiating tactic. As noted over at Music Ally:
“It is regrettable that PRS appears to be following this course of action in the midst of an active commercial negotiation with SoundCloud. We believe this approach does not serve the best interests of any of the parties involved, in particular the members of the PRS, many of whom are active users of our platform and who rely on it to share their work and communicate with their fanbase,” said a spokesperson.

“SoundCloud is a platform by creators, for creators. No one in the world is doing more to enable creators to build and connect with their audience while protecting the rights of creators, including PRS members. We are working hard to create a platform where all creators can be paid for their work, and already have deals in place with thousands of copyright owners, including record labels, publishers and independent artists.”
This is one of those fights where it's unlikely that there will be any winners, other than the lawyers. SoundCloud will eventually probably just pay up, and continue to make its platform less and less useful. And PRS may get a little bit more money in the short term at the expense of long term support of the platforms musicians need to embrace in this modern internet era.


Posted on Techdirt - 28 August 2015 @ 8:18am

Bill That Was Supposed To Limit Police Drone Activity Changed By Lobbyist To Enable Weaponized Drones

from the this-won't-go-wrong-at-all... dept

North Dakota state representative Rick Becker had a good idea with his House Bill 1328, which would forbid the use of drones by law enforcement in the state without a warrant. A few other states have been looking at similar proposals, after there have been growing concerns about police using drones for surveillance activities. Virginia, for example, recently passed a law that requires a warrant for police drone use. So, good idea, Rep. Becker.

Except... in stepped Bruce Burkett, a lobbyist from the North Dakota Peace Officer's Association, who "was allowed by the state house committee to amend HB 1328" to now make it about legalizing weaponized drones for police. Yes, a "peace officer" representative just made it possible to weaponize drones. The trick? He amended the bill to make it only about "lethal weapons," which now opens the door to what police like to refer to as "less than lethal" weapons like "rubber bullets, pepper spray, tear gas, sound cannons, and Tasers" -- some of which have a history of leading to deaths, despite their "less than lethal" claims.

Even “less than lethal” weapons can kill though. At least 39 people have been killed by police Tasers in 2015 so far, according to The Guardian. Bean bags, rubber bullets, and flying tear gas canisters have also maimed, if not killed, in the U.S. and abroad.
Meanwhile, local police are still freaking out about the need to require a warrant. Check out this bit of police state nonsense:
Grand Forks County Sheriff Bob Rost said his department’s drones are only equipped with cameras and he doesn’t think he should need a warrant to go snooping.

“It was a bad bill to start with,” Rost told The Daily Beast. “We just thought the whole thing was ridiculous.”

Rost said he needs to use drones for surveillance in order to obtain a warrant in the first place.
Yes, we need to spy on you first, to then see if we should get a warrant to spy on you some more. That's not how this works.

And, now, while there will be warrant requirements for some uses -- though with broad exceptions including within 25 miles of the US/Canada border and for "exigent circumstances" -- the bill will (thanks to a lobbyist) allow the police to also experiment with weaponizing drones. If you thought the militarization of police wasn't screwed up enough, now you might need to worry about stun guns and rubber bullets hailing down from the sky...


Posted on Techdirt - 28 August 2015 @ 6:17am

Border Patrol Agent Forwarded All Emails To Someone Else's Gmail; Only Discovered When 'Civilian' Responded

from the oops dept

Intercept reporter Jenna McLaughlin alerts us to a rather stunning security mistake by a Customs and Border Patrol (CBP) agent, as outlined in some DHS released "incident reports" concerning "cloud data breaches." The very first one involves the CBP agent forwarding all of his email to a personal account, but messing up the configuration, so that it actually forwarded to someone else's Gmail account (someone with a similar name) -- and this mistake was only noticed when this "civilian" responded to an email he had received via this forwarding, and the response was sent to a wider mailing list of Homeland Security employees:

If you can't see that, here's what it says:
CBP reports that one (1) CBP user had an auto-forwarding rule setup to have emails sent externally to a civilian's personal Gmail account. There is a possibility that sensitive information to include Personally Identifiable Information (PII) has been accidently sent out due to this rule. The incident was discovered when a civilian responded to a CBP user's email to a distribution list of other CBP/DHS users. The CBP user noticed the civilian's Gmail address and reported it to the FTO who then reported the incident to the CBP CSIRC. Upon investigation and confirmation from EaaS, one (1) CBP Border Patrol Agent who was on the email distribution list had an auto-forwarding rule setup within their Exchange account to a non-CBP/DHS user's personal Gmail account. The name of the Border Patrol Agent and the civilian are very similar, but it was determined that the Border Patrol Agent misconfigured the rule by using the civilian's personal Gmail address instead of his own. Technical remediation will include working with the EaaS team to implement a rule to disable the auto-forwarding rule and only allow it when requests are made to the Exchange team. The incident has been reported to the CBP Privacy Office and Joint Intake Center for action (assisting the user to have all government emails removed and confirmed).
It seems rather stunning that CBP/DHS didn't already have such a rule in place. Then again, this is Customs and Border Patrol, who has something of a history of not really giving a fuck because they can get away with doing whatever they want and no one ever does anything about it.

Later in the same report, it is revealed that this auto-forwarding from inside DHS to private accounts happened somewhat frequently. An investigation just a month after the incident above showed 771 such rules set in DHS staffers' Exchange systems:
If you can't read that, it says:
DHS SOC reports that a total of 771 rules are configured in Exchange to auto-forward emails external to DHS. DHS SOC requested and received a list of 771 automated email forwarding rules created by DHS Email as a Service (EaaS) users. Auto-forwarding or redirecting of DHS email to address outside of the .gov or .mil domain is prohibited and shall not be used per DHS 4300A policy, section 5.4.6.i and poses a high risk of accidental disclosure of PII, SBU, FOUO, LES, or classified data. The incident has been reported to the Joint Intake Center (JIC). Affected Components (CBP, FEMA, DHS HQ, and DC2) are asked to identify and remediate the rules.
Not sure about you, but this doesn't make me feel much safer about DHS at all. And, remember, DHS is one of the government bodies currently looking to manage the government's cybersecurity efforts -- and they're considered the better option given just how little people trust the NSA or the FBI (the two other main contenders).
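
The check the DHS report describes (find every forwarding rule whose target sits outside .gov or .mil) can be run over an export of mailbox rules. The Python below is an added example, not code from DHS or from the original post; the CSV column names, the components' rows and every address in it are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

# Policy quoted in the report above: forwarding outside .gov or .mil is prohibited.
ALLOWED_TLDS = {"gov", "mil"}

# Constructed export. Column names and every address are assumptions made for
# this example; they are not a real Exchange schema or real mailboxes.
SAMPLE_EXPORT = """\
component,mailbox,rule_name,enabled,forward_to
CBP,agent.one@cbp.example.gov,fwd home,True,j.smith@mail.example.com
CBP,agent.two@cbp.example.gov,to deputy,True,Deputy <deputy@cbp.example.gov>
FEMA,user.three@fema.example.gov,backup,True,SMTP:u3@army.example.mil;u3@example.net
FEMA,user.four@fema.example.gov,old rule,False,someone@example.org
HQ,user.five@hq.example.gov,lookalike,True,ops@dhs.gov.example.com
HQ,user.six@hq.example.gov,broken,True,not-an-address
"""

# local-part @ dotted domain, with an optional trailing root dot.
ADDR_RE = re.compile(r"^[^@\s<>]+@((?:[a-z0-9-]+\.)+[a-z0-9-]+)\.?$")


def target_domain(raw):
    """Return the lower-cased domain of one forwarding target, or None if unparseable."""
    text = raw.strip()
    bracketed = re.search(r"<([^<>]*)>", text)      # "Display Name <addr>" form
    if bracketed:
        text = bracketed.group(1).strip()
    text = re.sub(r"^smtp:", "", text, flags=re.IGNORECASE).lower()
    match = ADDR_RE.match(text)
    return match.group(1) if match else None


def is_internal(domain):
    """Only the final label decides, so 'dhs.gov.example.com' counts as external."""
    return domain.rsplit(".", 1)[-1] in ALLOWED_TLDS


def audit(export_text):
    """Return one finding per forwarding target that breaks or cannot be checked against policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        enabled = row["enabled"].strip().lower() == "true"
        # A rule can carry several targets; each one is judged on its own.
        for raw in (t.strip() for t in row["forward_to"].split(";")):
            if not raw:
                continue
            domain = target_domain(raw)
            if domain is None:
                verdict = "review"          # fail closed: a human looks at it
            elif is_internal(domain):
                continue
            else:
                verdict = "violation"
            findings.append({
                "component": row["component"],
                "mailbox": row["mailbox"],
                "rule": row["rule_name"],
                "target": raw,
                "enabled": enabled,         # disabled rules are still listed
                "verdict": verdict,
            })
    return findings


def active_violations(findings):
    """Count enabled, policy-violating targets per component for the remediation ticket."""
    counts = Counter(f["component"] for f in findings
                     if f["enabled"] and f["verdict"] == "violation")
    return dict(counts)


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        state = "on" if f["enabled"] else "off"
        print(f'{f["verdict"]:9} {f["component"]:5} {f["mailbox"]} -> {f["target"]} ({state})')
    print(active_violations(audit(SAMPLE_EXPORT)))
```

Disabled rules stay in the findings because re-enabling one takes a single click, and unparseable targets are sent to review rather than treated as compliant.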


Posted on Techdirt - 28 August 2015 @ 3:20am

United In Flight WiFi Blocks Popular News Sites

from the because-we-said-so dept

So, just last month, we wrote about United Airlines' idiotic inflight video system that forces you to install DRM on your own devices to watch a movie. And, now, it appears that the company is filtering out all sorts of news sites. The EFF's Nate Cardozo was on a flight yesterday when he started noticing that he couldn't get to certain tech websites, including Ars Technica and The Verge -- instead receiving messages that they were blocked due to United's "access policy." The same was true for political news site Daily Kos. Eventually he even realized that United also blocks the NY Times (via his phone after the laptop battery ran out).

Both the terms of use that United has, as well as the company's FAQ about the service warn that "inappropriate or unsuitable for inflight viewing" websites may be blocked:
Of course, it's difficult to see what kind of content on any of those news sites would be considered inappropriate or unsuitable for inflight viewing. And, you know, it's letting through plenty of much sketchier sites like, uh, us at Techdirt. Basically, this makes no sense at all, and I'm sure that if United's PR people ever get around to commenting on it, they'll say it was a "glitch" and that it won't happen again. But this is the kind of problem that you run into when you deem yourself able to control what people can and can't access online.


Posted on Techdirt - 27 August 2015 @ 11:18pm

New Malware Attack Tries To Trick People By Pretending To Be EFF

from the who-are-they-targeting? dept

The Electronic Frontier Foundation has put out an alert noting that, as part of a larger spear phishing campaign aimed at gaining control over computers, a group has created a fake EFF website, designed to trick people into thinking they're visiting EFF's actual website while really installing some pretty nasty malware.

Electronicfrontierfoundation.org was not the only domain involved in this attack. It seems to be part of a larger campaign, known as “Pawn Storm”. The current phase of the Pawn Storm attack campaign started a little over a month ago, and the overall campaign was first identified in an October 2014 report from Trend Micro (PDF). The group behind the attacks is possibly associated with the Russian government and has been active since at least 2007.

The attack is relatively sophisticated—it uses a recently discovered Java exploit, the first known Java 0-day in two years. The attacker sends the target a spear phishing email containing a link to a unique URL on the malicious domain (in this case electronicfrontierfoundation.org). When visited, the URL will redirect the user to another unique URL in the form of http://electronicfrontierfoundation.org/url/{6_random_digits}/Go.class containing a Java applet which exploits a vulnerable version of Java. Once the URL is used and the Java payload is received, the URL is disabled and will no longer deliver malware (presumably to make life harder for malware analysts). The attacker, now able to run any code on the users machine due to the Java exploit, downloads a second payload, which is a binary program to be executed on the target's computer.

Needless to say, don't visit the site unless you know what you're doing -- and also, a good reminder not to click on URLs in emails. Go directly to sites.
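
For anyone checking whether machines on their own network touched the fake site, the URL shape in EFF's alert is enough to triage web proxy logs. The Python below is an added example, not code from EFF or from the original post; the log format and all hosts other than the reported domain are constructed, and matching the applet path on other hosts is an assumption based on the alert's note that more than one domain was involved.

```python
import re
from urllib.parse import urlsplit

REPORTED_DOMAIN = "electronicfrontierfoundation.org"    # from the EFF alert quoted above
APPLET_PATH = re.compile(r"^/url/\d{6}/Go\.class$")     # URL shape given in the alert
SEVERITY = ["visited", "applet-requested", "applet-delivered"]   # low -> high

# Constructed proxy log: timestamp, client, method, URL, HTTP status.
# The format, client addresses and the example.* hosts are made up for this example.
SAMPLE_LOG = """\
2015-08-27T09:00:01Z 10.0.0.5 GET https://www.eff.org/deeplinks 200
2015-08-27T09:02:10Z 10.0.0.7 GET http://electronicfrontierfoundation.org/a1b2c3 302
2015-08-27T09:02:11Z 10.0.0.7 GET http://electronicfrontierfoundation.org/url/123456/Go.class 200
2015-08-27T09:05:40Z 10.0.0.9 GET http://ElectronicFrontierFoundation.org./x9 302
2015-08-27T09:07:00Z 10.0.0.8 GET http://news.example.net/url/1234567/Go.class 200
2015-08-27T09:08:00Z 10.0.0.6 GET http://files.example.com/url/654321/Go.class 404
garbage line
"""


def classify(url, status):
    """Return a severity label for one request, or None if it is unrelated."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    except ValueError:                              # malformed URL in the log
        return None
    on_domain = host == REPORTED_DOMAIN or host.endswith("." + REPORTED_DOMAIN)
    if APPLET_PATH.match(parts.path):
        # Assumption: the same path shape on another host is worth the same attention.
        return "applet-delivered" if status == 200 else "applet-requested"
    return "visited" if on_domain else None


def triage(log_text):
    """Map each client to the most severe thing it was seen doing."""
    worst = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue                                # skip lines that do not parse
        _ts, client, _method, url, status = fields
        label = classify(url, int(status))
        if label is None:
            continue
        if client not in worst or SEVERITY.index(label) > SEVERITY.index(worst[client]):
            worst[client] = label
    return worst


if __name__ == "__main__":
    for client, label in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client:10} {label}")
```

A client marked `applet-delivered` received the Java payload and should be handled as a possible compromise; `visited` means the link was clicked but no applet fetch was logged.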


Posted on Techdirt - 27 August 2015 @ 12:53pm

Techdirt Reading List: Data And Goliath

from the privacy-and-security dept

This is our second week of doing the Techdirt Reading List (don't miss last week's!). Once again, each week, we'll be discussing a book that we think our community might really enjoy. If you click on the Amazon link in this story and buy it that way, you'll also be supporting Techdirt in the process.

This week, the book of choice is famed computer security expert (and meerkat impersonator) Bruce Schneier's latest book, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.

Beyond having a damn good title, the book is a really fantastic discussion about the ways in which data is being collected and used these days -- sometimes for good reasons, but often with not nearly enough concern for security and privacy. It's not a "never give your data away" screed like some privacy extremists prefer, but rather a much more thoughtful look at the real tradeoffs involved, and suggestions on a way forward. The book notes that we shouldn't look at "surveillance" as being a tradeoff with "security." Instead, we should focus on security first, as that will always protect us more than surveillance. And with that, there should be much greater transparency in how data is used -- for both governments and corporations. With real transparency people can better understand the tradeoffs and have a better understanding of what data they're handing over in exchange for what benefits. For governments, there needs to be much greater oversight (real oversight) and accountability for what they're doing with our data.

There's obviously a lot more in the book, and some people may feel it doesn't go far enough, while others may feel it goes too far. But overall, it's a very thoughtful and thought-provoking discussion on how data is being collected all around us, and we haven't fully come to terms with what's happening and who's in control over that data. So, if you haven't read it yet, go check it out!


Posted on Techdirt - 27 August 2015 @ 11:52am

AP Sues FBI Over Impersonating An AP Reporter With A Fake AP Story

from the stop-impersonating-us dept

Last fall, we wrote about how the FBI had set up a fake AP news story in order to implant malware during an investigation. This came out deep in a document that had been released via a FOIA request by EFF, and first noticed by Chris Soghoian of the ACLU. The documents showed the FBI discussing how to install some malware, called a CIPAV (for Computer and Internet Protocol Address Verifier) by creating a fake news story:

It later came out that the FBI used this by having an undercover agent pretend to be an AP reporter and send the suspect -- a 15-year-old high school kid... -- a "draft" of the article to review. And when the kid opened it, the malware was deployed.

In response to this, FBI director James Comey defended the practice, saying that it was legal "under Justice Department and FBI guidelines at the time" and, furthermore, that this bit of deception worked. Comey also said that while guidelines had changed, and such impersonation would require "higher-level approvals," it was still something the FBI could do.

The AP has now sued the FBI, along with the Reporters Committee on Freedom of the Press (RCFP) over its failure to reveal any more details about this effort following a FOIA request. For reasons that are beyond me, even though it's the AP filing the lawsuit and the AP writing about the lawsuit, reporter Michael Biesecker apparently doesn't think its readers can handle the actual filing, so they don't include it (this is bad journalism, folks). However, you can read the actual lawsuit here.

In short, the AP made a FOIA request for documents related to this specific case above, as well as "an accounting of the number of times" that the FBI "has impersonated media organizations or generated media-style material" to deliver malware. The FBI said it was working on it, and then bizarrely told the AP that the request was being "closed administratively" because it was being combined with someone else's FOIA request, which left the AP reasonably confused, since they had not initiated that request and had no idea who had.
In a letter from Mr. Hardy dated December 10, 2014, the FBI stated that, even though the request had yet to be fulfilled, the AP Request was unilaterally “being closed administratively,” because the “material responsive to your request will be processed in FOIA 1313504-0 as they share the same information.”

The combining of Mr. Satter’s request with Request No. 1313504-0 occurred despite the fact that Mr. Satter had not filed Request No. 1313504-0 and was given no information about the identity of the requester underlying FOIA Request No. 1313504-0.
When the AP asked the FBI for more info, it was told that "the estimated completion time for large requests is 649 days." The FBI also still refused to reveal who had sent in the other FOIA request. The AP filed a formal appeal, and a week ago was told that there was nothing to appeal because the FBI had not completed Request No. 1313504-0 (which, again, the AP had not actually sent in). Hence the lawsuit.

The RCFP FOIA request received a somewhat more standard "no responsive records" response, to which the RCFP pointed out that the FBI was clearly lying, given that the earlier response (to the EFF FOIA, which kicked off this whole thing) showed that there were, in fact, such responsive results (I know this experience all too well).

And thus, both organizations are now suing to force the FBI to actually turn over the damn documents. Can't wait to find out all the national security reasons (or will they be redacted) for why the FBI won't respond, and why it combined the AP's FOIA request with some totally unknown party's.


Posted on Techdirt - 27 August 2015 @ 9:32am

SciFi Headline Turns Real: US Drone Kills ISIS Hacker

from the headlines-from-the-future dept

Welcome to your dystopian future. Reports from yesterday say that a US drone strike in Syria has killed a British-born computer hacker who had joined ISIS and was involved in that group's online activities:

A US air strike is believed to have killed a British citizen who rose to prominence within the Islamic State, officials have told the Guardian.

The Birmingham-born Junaid Hussain, who adopted the nom de guerre Abu Hussain al-Britani, had been a key figure within Isis’s so-called “Cyber Caliphate” before being killed in the strike in Syria, where he had travelled in 2013.
Remember when President Obama said (of Ed Snowden): "I'm not going to be scrambling jets to get a 29-year-old hacker." Apparently, that changes when the hacker is working for ISIS (and the hacker is only 21 years old).

There's no doubt that ISIS is a dangerous organization, but sending drones to go after hackers, even those targeting American interests, still feels like a pretty big overreaction.


Posted on Techdirt - 27 August 2015 @ 8:22am

Tobacco Industry's Interest In Trade Negotiations? Totally Redacted

from the public-interest? dept

The folks at Corporate Europe Observatory (CEO) sent a freedom of information request to the EU Commission, asking for details of meetings that trade officials held with the tobacco industry. This matters, because the tobacco industry is one of the major abusers of trade agreements, repeatedly making use of the "corporate sovereignty" ISDS provisions to effectively sue any country passing anti-smoking health laws -- as was covered a few months back by John Oliver:

So, as new trade agreements are being negotiated -- especially since the powers that be tell us these agreements are designed to protect the health and well being of the public -- it seems that Big Tobacco's efforts in these negotiations are pretty relevant. After numerous delays and confusing responses, CEO finally received a response. And it's [redacted]. Well, not entirely, but basically anything useful is blacked out. Such as this lovely document, which is oh so revealing:
Democracy in action!


Posted on Techdirt - 26 August 2015 @ 11:45am

Virginia Police Force BBC Reporters To Delete Camera Footage Of Police Pursuit Of Shooter

from the hello-first-amendment dept

The story of this morning's live "on air" shooting of a local TV news reporter in Virginia is horrifying on many, many levels. Like with many senseless killings, there are all sorts of "big questions" being raised, most of which aren't really appropriate Techdirt fodder, though I'm sure those of you interested in those things can find other outlets for them. However, one tangential story fits right into Techdirt's core areas of focus: apparently two BBC reporters who were covering the police pursuit of the apparent shooter (who then shot himself) were forced by police to delete their own camera footage. This is illegal. I don't know how many times it needs to be repeated. Even the DOJ has somewhat forcefully reminded police that they have no right to stop anyone from photographing or videotaping things, so long as they're not interfering with an investigation. And yet...

Two BBC reporters covering the police pursuit of Vester Lee Flanagan said that cops threatened to seize their car and camera if they didn't delete footage of the site where Flanagan shot himself. "Was too far away to get any good footage. One officer threatened to tow my car and take my camera," reporter Franz Strasser tweeted. "Watched me delete my one file, and let me go. Other officer apologized and said we have to understand." His colleague, Tara McKelvey, filmed the encounter.
It appears that the cops used the same bullshit excuse we've seen them use in the past: that it's "evidence."
But, as Strasser notes, if that's true, then why did the cops make them delete it?
As has been noted before, this is a clear violation of Constitutional rights, and the BBC and the reporters in question could file a civil suit against the police department, potentially winning a fair amount of taxpayer money because the police in Virginia are apparently unfamiliar with the First Amendment of the Constitution.


Posted on Techdirt - 26 August 2015 @ 10:45am

Complaint To FTC Says It’s 'Deceptive' For Google To Not Recognize 'Right To Be Forgotten' In US

from the what-the...? dept

If you want an understanding of my general philosophy on business and economics, it's that companies should focus on serving their customers better. That's it. It's a very customer-centric view of capitalism. I think companies that screw over their customers and users will have it come back to bite them, and thus it's a better strategy for everyone if companies focus on providing good products and services to consumers, without screwing them over. And, I'm super supportive of organizations that focus on holding companies' feet to the fire when they fail to live up to that promise. Consumerist (owned by Consumer Reports) is really fantastic at this kind of thing, for example. Consumer Watchdog, on the other hand, despite its name, appears to have very little to do with actually protecting consumers' interests. Instead, it seems like some crazy people who absolutely hate Google, and pretend that they're "protecting" consumers from Google by attacking the company at every opportunity. If Consumer Watchdog actually had relevant points, that might be useful, but nearly every attack on Google is so ridiculous that all it does is make Consumer Watchdog look like a complete joke and undermine whatever credibility the organization might have.

In the past, we've covered an anti-Google video that the group put out that contained so many factual errors that it was a complete joke (and was later revealed as nothing more than a stunt to sell some books). Then there was the attempt to argue that Gmail was an illegal wiretap. It's hard to take the organization seriously when it does that kind of thing.

Its latest, however, takes the crazy to new levels. John Simpson, Consumer Watchdog's resident "old man yells at cloud" impersonator, recently filed a complaint with the FTC against Google. In it, he not only argues that Google should offer the "Right to be Forgotten" in the US, but says that the failure to do that is an "unfair and deceptive practice." Really.

As you know by now, since an EU court ruling last year, Google has been forced to enable a right to be forgotten in the EU, in which it will "delink" certain results from the searches on certain names, if the people argue that the links are no longer "relevant." Some in the EU have been pressing Google to make that "right to be forgotten" global -- which Google refuses to do, noting that it would violate the First Amendment in the US and would allow the most restrictive, anti-free speech regime in the world to censor the global internet.

But, apparently John Simpson likes censorship and supporting free speech-destroying regimes. Because he argues Google must allow such censorship in the US. How could Google's refusal to implement "right to be forgotten" possibly be "deceptive"? Well, in Simpson's world, it's because Google presents itself as "being deeply committed to privacy" but then doesn't abide by a global right to be forgotten. Really.

“The Internet giant aggressively and repeatedly holds itself out to users as being deeply committed to privacy. Without a doubt requesting the removal of a search engine link from one’s name to irrelevant data under the Right To Be Forgotten (or Right to Relevancy) is an important privacy option,” Consumer Watchdog’s complaint said. “Though Google claims it is concerned about users’ privacy, it does not offer U.S. users the ability to make such a basic request. Describing yourself as championing users’ privacy and not offering a key privacy tool – indeed one offered all across Europe – is deceptive behavior.”
That's, uh, not how this all works. In his complaint to the FTC, Simpson's theory is laid out in all its kooky nuttiness. Basically, because in the past we didn't have technology, and things would get forgotten thanks to obscurity -- and because Google claims to support privacy, it must magically pretend that we still live in such an age, and agree to forget stuff people want it to forget. He'd also, apparently, like Google to get off his lawn.
Here is why the Right To Be Forgotten – or Right of Relevancy – is so important to protecting consumers’ privacy in the digital age: Before the Internet if someone did something foolish when they were young – and most of us probably did – there might well be a public record of what happened. Over time, as they aged, people tended to forget whatever embarrassing things someone did in their youth. They would be judged mostly based on their current circumstances, not on information no longer relevant. If someone else were highly motivated, they could go back into paper files and folders and dig up a person’s past. Usually this required effort and motivation. For a reporter, for instance, this sort of deep digging was routine with, say, candidates for public office, not for Joe Blow citizen. This reality that our youthful indiscretions and embarrassments and other matters no longer relevant slipped from the general public’s consciousness is Privacy By Obscurity. The Digital Age has ended that. Everything – all our digital footprints – are instantly available with a few clicks on a computer or taps on a mobile device.


Google’s anti-consumer behavior around privacy issues is deceptive. The Internet giant holds itself out to be committed to users’ privacy, but does not honor requests that provide a key privacy protection. Google explains: “We know security and privacy are important to you – and they are important to us, too. We make it a priority to provide strong security and give you confidence that your information is safe and accessible when you need it. We’re constantly working to ensure strong security, protect your privacy, and make Google even more effective and efficient for you.” Recently Google said, “Protecting the privacy and security of our customers’ information is a top priority, and we take compliance very seriously.” In its Privacy & Terms Technologies and Principles Google claims, “We comply with privacy laws, and additionally work internally and with regulators and industry partners to develop and implement strong privacy standards… People have different privacy concerns and needs. To best serve the full range of our users, Google strives to offer them meaningful and fine-grained choices over the use of their personal information.”

In other words the Internet giant aggressively and repeatedly holds itself out to users as being deeply committed to privacy. Without a doubt requesting the removal of a search engine link from one’s name to irrelevant data under the Right To Be Forgotten (or Right to Relevancy) is an important privacy option. Though Google claims it is concerned about users’ privacy, it does not offer U.S. users the ability to make this basic request. Describing yourself as championing users’ privacy while not offering a key privacy tool – indeed one offered all across Europe – is deceptive behavior.
This is an absolutely insane interpretation of "deceptive." A company that supports user privacy is not being deceptive just because its definition of privacy doesn't match your crazy definition. It's just a different policy. If Google had flat out said that it would support a "right to be forgotten" in the US and then refused to process any requests, that would be deceptive. But accurately stating what the company does is not deceptive, no matter what Simpson seems to think.

What about the "unfair" part of "unfair and deceptive"? I honestly can't summarize the logic because there is none. Apparently, some people might not like what searches on their name turn up, and that's bad and thus... unfair?
Not offering Americans a basic privacy tool, while providing it to millions of users across Europe, is also an unfair practice. Acts or practices by a business are unfair under Section 5 of the Federal Trade Commission Act if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition. Here are some examples of people who have been harmed by Google’s refusal to honor Right of Relevancy or Right To Be Forgotten removal requests in the United States. Clearly there is no countervailing benefit in continuing to link to the items from search results. Consider these examples:
  • A young California woman was decapitated in a tragic auto accident. Photos from the grisly accident scene were wrongfully leaked by California Highway Patrol officers and posted to the Internet. A search on her name still returns the horrible photographs.
  • A guidance counselor was fired in 2012 after modeling photos from 20 years prior surfaced. She was a lingerie model between the ages of 18-20, and she had disclosed her prior career when she first was hired. Despite this, when a photo was found online and shown to the principal of her school, she was fired.
I don't see how any of this is "protecting consumers." It seems quite the opposite, actually. It seems to be assuming that the public is made up of pure idiots who can't ever figure out context or understand that sometimes bad things happen. But that's not true. People learn and adapt and adjust to new technologies, even as people like John Simpson fear them. When cameras first started becoming popular they were banned from beaches because people might take photographs of other people there. But people grew up and realized that wasn't destroying anyone's privacy. Simpson has this weird infatuation not with protecting consumers, but with censoring the internet to keep the public from knowing factual information, because apparently he thinks the public can't handle it.

Last week, on On The Media, host Bob Garfield pointed out to Simpson how ridiculous all of this was, and Simpson doesn't have a single reasonable response. Garfield points out that public information, even embarrassing public information, is, by definition, not private information, and thus there's no privacy violation here. And all Simpson can do is pull his nostalgia gig about how things used to be different when people would forget your embarrassing things in the past. But that doesn't answer the question at all. It just makes Simpson seem totally out of touch with the modern world.
