Capitalist Lion Tamer’s Techdirt Profile

capitalisliontamer

About Capitalist Lion Tamer (Techdirt Insider)

List of blogs started with enthusiasm, which now mostly lie dormant:

[reserved for future use]
http://5k500k.wordpress.com

[recently retired]
http://capitalistliontamer.wordpress.com

[various side projects]
http://cliftonltanager.wordpress.com/
http://bl0wbybl0w.wordpress.com/
http://thepenismadeoutofspam.wordpress.com/



Posted on Techdirt - 26 May 2015 @ 3:58pm

Financial Info On 100,000 Taxpayers Now In The Hands Of Criminals, Thanks To The IRS's Weak Authentication Processes

from the time-for-everyone-to-start-lying-about-their-first-pet's-name dept

The government that wants so badly to be the world's leading cyberwarfare force still seems largely unable to fence in its own backyard. In Yet Another Breach™, the sensitive financial information of thousands of Americans is now in the hands of criminals.

The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.

These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.
So, not actually "hacking," per se, as much as the gaming of a system just begging to be gamed. The information criminals needed to obtain this data may have been "specific" to each registered taxpayer, but it was also information that rarely, if ever, changed.
This sort of authentication, called knowledge-based authentication, is highly vulnerable to fraud. It's based on information that never changes, and such data is widely available to anyone willing to pay for it from stolen financial information marketplaces. The transcripts that were fraudulently downloaded were likely made accessible due to leaked Social Security numbers and other personal data from any one of the many recent data breaches, including those at health insurers Anthem and CareFirst. In fact, security reporter Brian Krebs reported on the risks inherent in the IRS' transcript request system way back in March. He warned taxpayers to sign up for accounts on IRS.gov if only to prevent someone from creating a fraudulent account for their records first.
The IRS is reassuring Americans that its "core systems" remain secure, something of little comfort to the 100,000 taxpayers who will be receiving mea culpa letters (and free credit monitoring) from the agency over the next few weeks. What the IRS considers to be adequate protection is apparently not nearly adequate enough. Once the data is out there, verification information can be used to gain access to credit cards, bank accounts or anywhere else the same sort of canned questions are presented during the signup process. The 50% success rate suggests unique personally-identifiable information isn't necessarily all that unique.
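To make the failure mode concrete, here is a small model of the two kinds of gate, written for this page as an added illustration. It is not the IRS's code and says nothing about how "Get Transcript" was actually implemented; the taxpayer record and the breach dump are constructed sample data, and the hardened variant assumes a possession factor (an RFC 6238 TOTP code from an authenticator app) that the page itself does not prescribe. The point it demonstrates is the one above: a knowledge-based gate is fully satisfied by anyone holding the same static fields, while a factor that rotates every 30 seconds and lives on a device the attacker does not have is not.

```python
import hashlib
import hmac
import struct

# Constructed sample taxpayer record (hypothetical values, not a real person).
TAXPAYER = {
    "ssn": "078-05-1120",
    "dob": "1970-04-15",
    "street": "123 Main St",
    "kba": {"first_pet": "rex", "high_school": "central"},
    # Seed for the assumed possession factor; RFC 6238's sample secret so codes are checkable.
    "totp_secret": b"12345678901234567890",
}

# Constructed breach dump: the same static fields, as sold on a stolen-data market.
BREACH_DUMP = {
    "ssn": "078-05-1120",
    "dob": "1970-04-15",
    "street": "123 Main St",
    "first_pet": "rex",
    "high_school": "central",
}


def _eq(a: str, b: str) -> bool:
    """Constant-time, case-insensitive comparison of two short strings."""
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())


def kba_login(record: dict, ssn: str, dob: str, street: str, answers: dict) -> bool:
    """Knowledge-only gate: every check is a static fact that never rotates."""
    if not (_eq(record["ssn"], ssn) and _eq(record["dob"], dob) and _eq(record["street"], street)):
        return False
    return all(_eq(record["kba"][q], answers.get(q, "")) for q in record["kba"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, at_time // step, digits)


def mfa_login(record: dict, ssn: str, dob: str, street: str, answers: dict, otp: str, now: int) -> bool:
    """Same knowledge gate plus a possession factor; tolerates one step of clock skew either way."""
    if not kba_login(record, ssn, dob, street, answers):
        return False
    counter = now // 30
    return any(
        hmac.compare_digest(hotp(record["totp_secret"], c), otp)
        for c in range(max(counter - 1, 0), counter + 2)
    )


def attacker_with_breach_data(now: int) -> tuple:
    """What a buyer of BREACH_DUMP can do: pass KBA outright, but only guess at the OTP."""
    answers = {"first_pet": BREACH_DUMP["first_pet"], "high_school": BREACH_DUMP["high_school"]}
    args = (TAXPAYER, BREACH_DUMP["ssn"], BREACH_DUMP["dob"], BREACH_DUMP["street"], answers)
    return kba_login(*args), mfa_login(*args, otp="000000", now=now)


def legitimate_user(now: int) -> bool:
    """The taxpayer holds the authenticator, so the current code is available."""
    code = totp(TAXPAYER["totp_secret"], now)
    return mfa_login(TAXPAYER, TAXPAYER["ssn"], TAXPAYER["dob"], TAXPAYER["street"],
                     dict(TAXPAYER["kba"]), code, now)


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("attacker (KBA only, KBA+OTP):", attacker_with_breach_data(now))
    print("taxpayer (KBA+OTP):", legitimate_user(now))
```

Run as-is, the attacker's tuple comes back `(True, False)`: the breach record alone clears every knowledge check, and only the rotating code stops it. Note that the hardened gate still keeps the knowledge questions; they are not useless as a first hurdle, they just cannot be the last one when the answers are for sale.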
In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles.
The IRS is quick to add that 23 million records were "safely" downloaded during this same time period, which isn't nearly as comforting as the agency means it to be. All this means is that millions of downloads weren't linked to "questionable" email domains. That's not the same thing as 23 million downloads going to the actual owners of that information.

The IRS is vowing to "strengthen its protocols" going forward. This is the only response it can offer, unfortunately. Stronger processes are needed, but additional steps and more obscure verification questions will manifest themselves as hurdles a certain percentage of taxpayers won't be willing to leap for online IRS access. Going paperless won't seem nearly as advantageous, not when a mother lode of financial information can be pulled out of the ether by cybercrooks armed with the fruits of years of financial breaches, both public and private.


Posted on Techdirt - 26 May 2015 @ 11:47am

Cox Claims Rightscorp's 'Extortionate' Lawsuit Really A Backdoor Way To Get Subscribers' Info

from the cox-blocked dept

Rightscorp (via two music publishers) has dragged Cox into court to test its novel (read: legally unsound) theory that complying with the DMCA means cutting off service to "repeat infringers." The theory itself is largely untested, but far from promising. But that isn't stopping BMG and Round Hill Music (with Rightscorp as a not-so-silent partner) from taking a flyer on a bad legal bet. Certainly, the theory would be advantageous to the shakedown efforts Rightscorp generously refers to as a "business model," but, so far, the only thing being offered as "evidence" of repeat infringement is Rightscorp's own declarations.

Those declarations are highly suspect. Cox has filed an opposition to Rightscorp's Motion to Compel that highlights the anti-piracy company's extortion-esque tactics.

In a statement that leaves little to the imagination, Cox notes that Rightscorp is “threatening” subscribers with “extortionate” letters.

“Rightscorp is in the business of threatening Internet users on behalf of copyright owners. Rightscorp specifically threatens subscribers of ISPs with loss of their Internet service — a punishment that is not within Rightscorp’s control — unless the subscribers pay a settlement demand,” Cox writes (pdf).
Cox has refused to participate in Rightscorp's quasi-legal activities. While the company is not opposed to passing on infringement allegations, it did ask Rightscorp to remove the threatening language (cutting off service, $150,000 per infringement claim) first. Rightscorp refused to do so. This impasse is obviously unacceptable to Rightscorp, which depends on the (very) occasional settlement payment to keep its business barely afloat.

As Cox points out, Rightscorp has decided the best course of action is to maintain its unsteady perch on the edge of legality. In the filing, Cox alleges that Rightscorp tried to make the ISP a "business partner" in its shakedown attempts.
“Rightscorp had a history of interactions with Cox in which Rightscorp offered Cox a share of the settlement revenue stream in return for Cox’s cooperation in transmitting extortionate letters to Cox’s customers. Cox rebuffed Rightscorp’s approach,” Cox informs the court.
But that's not the only legally-dubious tactic the "cutting edge" anti-piracy firm has deployed. It's also attempting to use this lawsuit's discovery process to sidestep subpoena limitations.
The motion lays bare one of Plaintiffs’ primary reasons for bringing this lawsuit. Plaintiffs seek to circumvent the Cable Privacy Act process and instead use discovery in this case to force Cox to reveal, en masse, PII for possibly tens of thousands of Internet subscribers who Plaintiffs speculate might be violating their copyrights. The Cable Privacy Act expressly prohibits Cox from disclosing its subscribers’ PII, for good reason: Internet subscribers have a compelling privacy interest in the confidentiality of their personal information, which can of course be vulnerable to exploitation for myriad improper purposes. If a copyright holder earnestly believes that an unnamed Internet subscriber is infringing upon its copyrights, the proper course is to bring a “John Doe” lawsuit against the subscriber and then to use third-party subpoena power to obtain identifying information from the user’s Internet Service Provider. That legitimate procedure allows notice to the subscriber and an opportunity for the subscriber to act to protect his or her rights. It also relieves the ISP of the unfair responsibility of adjudicating which of the two competing interests (the subscriber’s or the accuser’s) should trump the other.

[...]

Plaintiffs nominally (Rightscorp in reality) claim to have identified “approximately 150,000” infringers, including several hundred “egregious infringers,” among Cox’s subscribers. But Plaintiffs apparently have only IP addresses to go on. (Doc. 72, Corrected Br. at 3.) Plaintiffs have not filed any “John Doe” lawsuits against Cox customers and have not sought information from Cox by subpoena. More importantly, Plaintiffs do not seek, and have not sought, leave to add “John Doe” defendants in this case.

[...]

The practical dynamics of this motion are suspect: If there are 150,000 infringers among Cox subscribers, as Plaintiffs claim, why would they limit themselves (at least for now) to just 500 “egregious infringers”? Will Plaintiffs seek to depose or serve Rule 45 subpoenas on those 500? Will Plaintiffs now seek to add those 500 as co-defendants? Why do Plaintiffs want a blank-check “open order” to continually demand that Cox reveal more identities at later stages in this action? When tested in practical terms, Plaintiffs’ motion makes no sense, and their arguments plainly are an obvious pretext for some other motive.
"Pretext for some other motive" basically describes the entirety of Rightscorp's business model. It subpoenas ISPs for subscriber info, under the unspoken pretext that further legal action is in the offing. But instead of suing file sharers, the company instead uses the information to harass subscribers into paying "settlements" for alleged infringement.

Despite the damning claims made by Cox, the court has partially granted the questionable Motion to Compel. The ISP has been ordered to turn over the "Top 250 IP Addresses recorded to have infringed in the six months prior to filing the Complaint." This distinction is important, because as Cox points out in its opposing motion, the plaintiffs' constantly-widening net had managed to drag in alleged infringers whose infringement didn't occur until after the lawsuit was filed.
Plaintiffs’ stated justifications for their extraordinary request do not help Plaintiffs’ cause. Plaintiffs acknowledge that they “must establish direct infringement of the copyrighted works asserted in this case,” and imply that their motion serves that end. (Doc. 72, Corrected Br. at 4.) But that implication is illogical because Plaintiffs seek PII for 500 subscribers of the 150,000 supposedly implicated here. Surely Plaintiffs are not prepared to concede that their claims fail for the works that the other 149,500 subscribers allegedly infringed. Notably, of the 500 allegedly “egregious infringers” the Plaintiffs hand-picked, 250 allegedly infringed after this lawsuit was filed. (Doc. 72, Corrected Br. at 4.) Those subscribers’ alleged infringements, therefore, cannot have formed a basis for Plaintiffs’ claims in this suit. And nowhere do Plaintiffs even assert that Rightscorp sent purported DMCA notices to Cox with respect to those particular subscribers.
Cox has come out swinging in the early going, and its assertions confirm much of what has been written about Rightscorp and its tactics. This aggressive stance should help uncover plenty of damning details, none of which should have a positive effect on Rightscorp's shriveling stock price.


Posted on Techdirt - 26 May 2015 @ 9:41am

There Aren't Many Ways To Do Online Reputation Management Right, And This Isn't One Of Them

from the just-bad,-not-evil dept

A couple of weeks ago, Eric Goldman posted an article at Forbes discussing an attempt by a company called Infringex to get him to remove a post from his personal blog. The notice sent to Goldman was riddled with mangled legal terminology ("infringement of defamation") and misconceptions (defamation is "the taking of someone's reputation") and was signed by Randi Glazer, the supposed "victim" of a post by "perma-guest" blogger, Venkat Balasubramani.

As Goldman points out, he was under no legal obligation to entertain this request -- if only for the reason that a request was all it was.

It further says that my actions are “unjust” and asks me to “please be kind” and remove the content. However, the notice is cagey about any alleged legal violations.
The services offered by Infringex carry no legal weight. This much was admitted to me by Alex Marshall, the owner of the company. He refers to his company's offerings as "self-help documents" that help enforce "common law rights." In order to avoid "unauthorized practice of law," he says his company does not assist in the selection of documents or otherwise advise customers of their legal rights.

Instead, he portrays his company's services as a slightly-more-official-looking way to send requests to remove content. Infringex's services start at $140 -- a price that seems a little high for "Would you kindly…" letters to site owners. As confirmed by Marshall, there are no refunds for the documents' failure to get content removed. Marshall points to the site's terms of use, which clearly state that users are on their own (and out $140+) if the requests are unsuccessful.
6. OUTCOMES. The parties agree the self-help forms provided by INFRINGEX do not constitute professional legal advice and may not be appropriate for every legal situation. INFRINGEX asserts and you hereby accept that there is no guarantee the use of the self-help forms provided by INFRINGEX will result in a successful outcome to your legal matter.
The terms of use also point out that takedown requests may result in negative backlash, as well as Infringex being unable to prevent anyone else (including the target of the original request) from reposting the disputed content.

Is asking site owners nicely (but sternly) to remove content worth $140 and up? I asked Marshall this question. He said Infringex "adds value" by being able to find the right person to contact for content removal, as well as being rather skilled at navigating circuitous systems meant to discourage those seeking content removal. (He cites Facebook, in particular, as being more than a little opaque in this area.)

But despite being upfront with me -- as well as in the site's terms of use -- that Infringex has no legal basis for most of its request letters and that most recipients are completely free to ignore these takedown attempts with no negative consequences, the site itself sends mixed messages. On its "Services" page, it states that Infringex offers "legal documents," something it clearly (and admittedly, by its own Chief Officer) does not do.

You can hire a lawyer and begin legal proceedings, or you can choose to send an affordable legal document to address the problem right now with infringex.com. Send them a legal document designed to give you a quick resolution.
But there's nothing "legal" about these documents. Anyone can send one for any reason, provided they pay the fee. The hodgepodge of legal lingo, along with the "professional" border, are designed to give recipients of these notices the impression that they are in possession of some sort of legal order.


Unfortunately, the services Infringex offers are basically useless. The company's success (what there is of it) relies heavily on ignorance -- both on the part of the sender and the receiver. The sender has to believe an Infringex document will be more effective than anything he or she could accomplish on their own. At the other end, those receiving these requests need to believe these documents carry far more legal weight than they actually do.

Marshall admits his services are greatly dependent on the wholly-voluntary cooperation of those receiving these requests. Despite this, he claims his documents are successful nearly 40% of the time. He sent me a selection of (redacted) letters from compliant entities as evidence of Infringex's successes. Unfortunately, before sending these, he asked me to abandon my ethics and professionalism in exchange for releasing this info.
BTW Tim,
When we have some time next week, I could forward to you proof of website owners and administrators complying with our requests. But if I do that, I would expect you to write a favorable article on us ;))
This may have been a joke that badly missed its mark (note the winking emoticon) or it may have been a genuine request. (His response to my response indicates it was more of the latter.) I informed Marshall that he was free to withhold the documents if this was the only way I'd get to see them. He seemed to quickly realize he'd made an egregious error and immediately agreed to send the documents (embedded below) no matter how flattering or unflattering the resulting post ended up being.

There's not much that can be gleaned from the documents provided, as Marshall obviously desires to protect the privacy of those involved. Fair enough. No business offering content takedown services should willingly part with sensitive client or recipient information. But in terms of establishing Infringex as a successful entity, it's more hearsay than actual evidence.

While Infringex's services may be of only marginal use, my emails and phone conversations with Marshall -- combined with my own research -- lead me to believe this is just a bad business model (aided and abetted by some questionable muddying of legal waters) rather than a low-level scam operation or a shady offshore entity selling unneeded services of dubious legal provenance while keeping itself out of harm's way by incorporating in Bermuda, etc.

Marshall cites some reputation problems with his family's business (not Infringex) -- ones he spent "years" cleaning up -- as the driving force behind his current endeavors. No further details are forthcoming, but Marshall portrays this reputational damage as intentional sabotage by competitors. Whatever the truth is, it helps explain why he would choose to pursue the career he does.

Marshall has since responded to Goldman's Forbes post, offering a rebuttal to his criticism. The rebuttal is in need of a rebuttal, but I'd rather just point out something Infringex has changed in response to Goldman's criticisms. The "press release" notes that it has "edited its site to better serve users," but fails to specify exactly what has been edited. Ken White (Popehat) tracked down the change.

The word "ordered" in the following sentence on its defamation removal page has been replaced with "asked."
They will be asked to DELETE and REMOVE the blog, post or review, immediately.
This is an improvement, but Infringex really should stop insinuating its services are on par with actual legal services provided by actual lawyers, or that its documents have any legal basis whatsoever.

What I can say in defense of Infringex (that goes past the faint praise damnation of "NOT A SCAM!") is that its owner seems sincere in his desire to help people, even if his site portrays his company's services as more valuable than they actually are.

The other thing I can say in his defense is that these quasi-legal documents, being hawked for $140 minimum, are no worse than some of the bogus cease-and-desist orders we've covered here at Techdirt. Infringex is misguided and badly in need of some legal coaching on defamation and other undesirable content. The lawyers signing these C&Ds -- and issuing them on law firm letterhead -- have no excuse for being as clueless as some random internet dude with a half-baked reputation management service. Bogus takedown demands issued by these lawyers are usually more expensive while being no more legally-sound than Infringex's documents. But they carry with them a legal heft that often prompts victims of this bullying behavior to capitulate immediately. These lawyers similarly rely on the ignorance of others for their success, but they do so with complete awareness of their disingenuous and harmful actions. They screw the people on both ends of these interactions. Their clients often find the criticism and content they want buried spreading uncontainably across the internet. Their targets often find themselves having to hire lawyers of their own or simply living unenjoyable lives marred by the omnipresent threat of always-impending legal action.

Infringex -- for what it's worth -- can't bully people into submission or sue anyone on behalf of its customers. But it can lead the uninformed to seek removal of content they have no legal right to "order" taken down. Because of this, the service is more likely to be abused by those who wish to bury criticism or past embarrassments. Because Infringex is clearly not a legal entity, it is under no obligation to advise against deploying abusive takedown requests. But as is pointed out above, the world is full of lawyers who apparently feel they're similarly under no obligation to refuse to aid and abet in legally-groundless bullying tactics.

Infringex's services are dubious. Its press releases and blog posts bear an unfortunate resemblance to outsourced content farming. Its grasp on the legal issues it's tangling with is tenuous at best. Its attempt to portray itself as both a legitimate alternative to legal action as well as a decidedly-not legal entity sends mixed messages -- perhaps willingly. But it is not evil.

Unfortunately, because of its shortcomings, it will tend to attract the sort of people who know they have no legal basis for their takedown requests, but hope that an official-looking document might scare a few people into compliance. That's a problem and -- as its services are constructed and sold -- one it will never be able to fix in its current state.


Posted on Techdirt - 26 May 2015 @ 5:57am

Obtained Emails Show FBI's General Counsel Briefly Concerned About Privacy Implications Of License Plate Readers

from the but-hey,-it's-a-great-program-with-loads-of-support! dept

According to documents obtained by the ACLU, the FBI briefly had a crisis of (4th Amendment) conscience while putting together its license plate reader program. How it talked itself out of its privacy concerns remains secret, as do any policies or guidelines addressing potential privacy issues. All we have so far is a heavily-redacted email in which the FBI's General Counsel is noted as struggling with the issue.

Effective and transparent regulation and oversight are critical if the FBI is to continue to develop and buy license plate readers for FBI programs around the country. The FBI’s own lawyers seemed to agree, at least in part. An email exchange from June 2012 shows that the FBI temporarily stopped its purchases of license plate readers based on advice from its Office of General Counsel, which indicated that it was “wrestling with LPR privacy issues.” The documents do not show what “privacy issues” were identified or what happened next.
From the obtained emails:

The Office of the General Councel [sic] (OGC) is still wrestling with LPR privacy issues. The reason the AD stopped our purchase [redacted] cameras was based on advice from the OGC. Once these issues have been resolved… hopefully this Summer… we expect to be back. The program is still growing and we enjoy tremendous field support.
While this one notes the OGC's concerns, the rest of the emails seem cheerily unconcerned. Even this "wrestling" is surrounded by uptempo statements about the program's growth and popularity.

What's also made clear in the obtained emails is that ELSAG North America was chosen as the FBI's ALPR vendor in a less-than-open bidding process.
An undated document explains the need for a less than full and open bidding process for the FBI’s acquisition of license plate readers, noting that ELSAG will provide an ALPR system “custom designed for a specific concealment to fulfill an unmet operational need.” The FBI’s Operational Technology Division “has invested an estimated $400k in labor to design, develop, and test of [sic] ELSAG deployment solutions.”
Other emails hint at the existence of a DOJ policy on FBI ALPR usage, but that document has yet to be released to the public. From what IS included in these email exchanges, it would appear the DOJ's policy is very sympathetic to the arguments made by the FBI's Video Surveillance Unit (VSU).

The [redacted] memo is close. It should be issued by the DOJ within a week or so, and per [redacted] should be favorable to VSU's position.
While it's nice to see the FBI slowed its ALPR acquisitions ever-so-briefly to consider privacy implications, it would be more enlightening to see the OGC's thought processes, as well as the resulting policies governing the usage of license plate readers. For that matter, it would be nice to see the DOJ's decision on the matter, which appears to be even more expansive than the FBI's internal conclusions. But both of those remain securely in the hands of the respective agencies, hidden from the public whose privacy was briefly considered before being rationalized away in two separate legal memoranda.


Posted on Techdirt - 22 May 2015 @ 7:39pm

Paper Says Public Doesn't Know How To Keep Score In Privacy Discussion While Glossing Over Government Surveillance

from the noting-the-obvious-while-ignoring-the-elephant-bugging-the-room dept

Lawfare -- a blog primarily devoted to defending the practices of spy agencies -- has released a paper authored by Benjamin Wittes and Jodie Liu that theorizes that the public's concern over privacy encroachments is -- if not overblown -- then failing to properly factor in the privacy "gains" they've obtained over the past several years.

The theory is solid, but the paper fails to differentiate between what sort of privacy losses people find acceptable and which ones they don't -- mainly by leaving privacy invasions by government entities almost completely undiscussed. It opens by quoting a scene from an old Woody Allen film in which the protagonist attempts to "hide" his purchase of porn at a magazine stand by purchasing several unrelated (and presumably uninteresting) magazines at the same time. This leads to the conclusion that people's ability to enjoy porn in private has risen with the advent of the internet, while simultaneously opening them up to data harvesters and internet companies less interested in personal privacy than selling users to advertisers.

True enough, but there's a big difference between exposing that information to the Googles of the world, rather than the surveillance agencies of the world. On one hand, Google and its competitors provide something in exchange for the privacy loss -- tailored ads, relevant search results, email, document creation platforms, etc. And there are still those -- a steadily-growing minority -- that realize Google's privacy invasions are often inseparable from the government's privacy invasions (via court orders, subpoenas and NSLs) and work hard to keep their personal information away from both. What the government offers in exchange for access to much of the same info is intangible: "security." While one might recognize the value of the first exchange, it's harder to sell the latter tradeoff, especially since intelligence agencies are much, much better at scooping up information than they are at disseminating it.

A huge amount of technological development follows this basic pattern. Google and Microsoft and Yahoo! enable you to search for information privately—with data collection by the companies and possible retrieval by other actors as a consequence. Amazon lets you buy all sorts of products with nobody the wiser—but with your purchase history stored and mined for patterns.

Your smartphone lets you put all this capability in your pocket and take it with you— and thus also lets you use it more and record your location along the way. That information too is then subject to retrieval. Facebook allows you to identify discrete groups of people with whom you want to share material—yet it stores your actions for processing and retrieval as you go. In our mental tabulation of gain and loss, we tend to count only one side of the ledger, pocketing what we have won as though it were of no privacy value while bemoaning what we have given up.

Even more mischievously, when we do acknowledge the gains, we tend to redefine them as gains in something other than privacy. We define them, most commonly, as mere convenience or efficiency gains—a dismissive description that implies we have won something inconsequential or time-saving while giving up something profound. But the construction leaves us with a distorted and altogether-too-bleak outlook on technology’s impact on our lives. Yes, technology involves gains in convenience and efficiency, but those are not the only gains.

To reiterate, we do not argue here that technology is necessarily privacy-enhancing in the aggregate, or that technology does not erode privacy. Rather, our general point is that the interaction between technology and privacy is less clear-cut than the debate commonly acknowledges, that we don’t keep score well, and that the actual privacy scorecard is a murky one.
The paper does make the solid argument that technology has resulted in greater individual privacy -- provided it's measured on the scale the paper's authors present. In one example, the authors point to a teen's desire to discuss a sexual or health issue as being more "private" because of access to medical websites and forums where information can be obtained with relative anonymity -- something a doctor's office can't completely provide.

But medical records are private information, governed by a specific set of laws. If anything, the online search is less private because these websites are not subject to patient privacy laws. Someone inquiring about a teen's visit to a health clinic would be frozen out, but any number of entities can access web-related information without facing similar statutory roadblocks.

While there are some good points made, the paper is undermined by the authors' insistence that Americans just don't know how to properly balance their privacy concerns. The implication -- given author Benjamin Wittes' frequent defense of government surveillance -- is that if the public can't weigh privacy gains and losses correctly in the context of private corporations, it certainly can't be expected to make informed decisions when it comes to government surveillance. And it's true that most citizens aren't likely to rigorously examine their fears of privacy erosion.

The paper does very little to compare privacy "violations" by internet entities to government surveillance programs, choosing instead to focus almost entirely on the tradeoffs made by people who hand over a certain amount of personal info for the privilege of watching porn or googling STD symptoms without having to involve another living, breathing person. It's presented as being in favor of a "more rigorous balance sheet" when it comes to personal privacy, but then fails to closely examine government surveillance concerns. There's another tradeoff being performed here -- without the input of those surveilled and who receive almost nothing tangible in exchange for the privacy erosion. Because of this, there's little comparison between the Googles and the NSAs of the world.

You don't hand a government the tools of totalitarianism and a long leash and simply assume it will end well. Google, et al may be similarly close-fisted when it comes to producing specifics on the use of personal data, but they also don't bear the same obligation to the American public that the US government does. Even if Google is more intrusive than the NSA, it still is only one of many platform providers and there are options (admittedly not many and not easily achieved) for avoiding its data-gathering efforts. The government provides no such options, other than forgoing the use of phones, the internet, etc.

I think the paper does add to the discussion of privacy gains and losses, but the authors' unwillingness to honestly approach government surveillance efforts in the same context blunts its impact. It quotes privacy advocates like the ACLU and EFF on the subject of data harvesting by private companies, but doesn't address the similar concerns they've raised about the erosion of privacy by government actions.

There's an attempt being made here to paint the government as no worse (and possibly even better) than private companies' data harvesting efforts, albeit by way of omission rather than by comparison. It's disingenuous to depict the public as ignorant of their privacy "gains" against the domestic surveillance backdrop, while omitting any mention of similar privacy erosions at the hands of government intelligence agencies. Wittes opens his post on the paper by claiming American and European privacy debates "keep score very badly" and then points to a paper that leaves key parties in the privacy debate almost wholly unmentioned. I'm all for an open discussion about privacy gains and losses, but a paper that focuses solely on interactions with private companies -- while claiming the public can't keep score -- isn't much of an addition to the debate.

Posted on Techdirt - 22 May 2015 @ 10:41am

Once Again, Just Because Someone Used Backpage.com For Trafficking, Doesn't Mean Backpage Is Liable

from the the-sort-of-'win'-no-one-feels-great-about dept

The criminal activity alleged may be horrific, but that's a non-factor when it comes to the consideration of protections afforded to website owners who host third-party content. The ongoing lawsuit against Backpage.com, filed by victims of sex trafficking (who were minors at the time), has reached an end. (Until appealed, of course.)

The arguments deployed by the plaintiffs were nothing new. In numerous cases, ranging from defamation claims to alleged prostitution of minors, plaintiffs have made similar arguments. The theory -- unsupported by law or common sense -- that website owners should be held legally responsible for the postings of others isn't novel. But it has yet to find a court willing to advance the theory. Why? Because doing so would result in the following sort of ridiculousness, which, while ridiculous, would chill free speech and cause many website owners to get out of the website-owning business.

In their lawsuit against Backpage.com, the plaintiffs—three women who were forced into selling sex as teenage runaways—argued similarly, saying that because their trafficker found clients on Backpage, the website was responsible for their exploitation. But by this logic, Facebook is guilty whenever anyone posts a threat there, Craigslist is culpable should a landlord want "females only," and Reason is guilty should any of you folks broker a drug deal in the comments. Thankfully, section 230 of the Communications Decency Act, passed in 1996, established that the Internet doesn't work this way.
A federal district court in Massachusetts addresses the multiple allegations by the plaintiffs in their argument seeking to find Backpage.com responsible for the postings of others, and finds that even in their totality, they fail to rise to the level needed to strip the site of its Section 230 protections.
Singly or in the aggregate, the allegedly sordid practices of Backpage identified by amici amount to neither affirmative participation in an illegal venture nor active web content creation. Nothing in the escorts section of Backpage requires users to offer or search for commercial sex with children. The existence of an escorts section in a classified ad service, whatever its social merits, is not illegal. The creation of sponsored ads with excerpts taken from the original posts reflects the illegality (or legality) of the original posts and nothing more. Similarly, the automatic generation of navigational path names that identify the ads as falling within the “escorts” category is not content creation. The stripping of metadata from photographs is a standard practice among Internet service providers. Hosting anonymous users and accepting payments from anonymous sources in Bitcoins, peppercorns, or whatever, might have been made illegal by Congress, but it was not. Backpage’s passivity and imperfect filtering system may be appropriate targets for criticism, but they do not transform Backpage into an information content provider.
Summing it up -- after dismissing all claims -- the court notes that the sexual trafficking of children is abhorrent, but that Section 230 protections aren't a sliding scale to be applied with varying amounts of force depending on the severity of the alleged actions.
To avoid any misunderstanding, let me make it clear that the court is not unsympathetic to the tragic plight described by Jane Doe No. 1, Jane Doe No. 2, and Jane Doe No. 3. Nor does it regard the sexual trafficking of children as anything other than an abhorrent evil. Finally, the court is not naïve – I am fully aware that sex traffickers and other purveyors of illegal wares ranging from drugs to pornography exploit the vulnerabilities of the Internet as a marketing tool. Whether one agrees with its stated policy or not (a policy driven not simply by economic concerns, but also by technological and constitutional considerations), Congress has made the determination that the balance between suppression of trafficking and freedom of expression should be struck in favor of the latter in so far as the Internet is concerned. Putting aside the moral judgment that one might pass on Backpage’s business practices, this court has no choice but to adhere to the law that Congress has seen fit to enact.
This is buttressed by a quote from another decision, quoted earlier in the discussion of the plaintiffs' claims -- one that deals specifically with another abhorrent criminal act.
Child pornography obviously is intolerable, but civil immunity for interactive service providers does not constitute “tolerance” of child pornography any more than civil immunity from the numerous other forms of harmful content that third parties may create constitutes approval of that content. Section 230 does not limit anyone’s ability to bring criminal or civil actions against the actual wrongdoers, the individuals who actually create and consume the child pornography. Here, both the neighbor [who created the child pornography] and the moderator of the Candyman web site have been prosecuted and are serving sentences in federal prison. Further, the section 230(e)(1) exemption permits law enforcement authorities to bring criminal charges against even interactive service providers in the event that they themselves actually violate federal criminal laws.
In essence, the fact that it's easier to pursue site owners than criminals, and that any recovery of damages may seem more likely, doesn't make it the correct path for retribution. Those who trafficked these plaintiffs are the wrongdoers, not the site that hosted these criminals' ads.

Posted on Techdirt - 21 May 2015 @ 3:49pm

Man Who Deactivated Facebook Account To Dodge Discovery Request Smacked Around By Disgruntled Court

from the I-fought-the-law,-but-swung-and-missed-badly,-and-it-was-over-before-it-began dept

Social media. So popular. And so very, very incriminating. The less-than-illustrious history of many a criminal who felt obliged to generate inculpatory evidence via social media postings has been well-detailed here. But what if you want to hide your indiscretions and malfeasance? If you've posted something on any major social network, chances are it will be found and used against you.

On May 19, 2014, Brannon Crowe sued his employer, Marquette Transportation. Crowe claimed that, in April 2014, he had an accident at work that “resulted in serious painful injuries to his knee and other parts of his body.” Crowe sued for pain and suffering, medical expenses, lost wages, past and future disability, and other special damages.

But Crowe may have unwittingly shot himself in the foot (or maybe the knee). The reason? Facebook.
Around the time Crowe suffered his injuries, he sent a Facebook message to a friend saying that he had actually hurt himself while on a fishing trip. How Marquette Transportation got its hands on the message is unclear.

Nonetheless, the message led Marquette Transportation to seek other Facebook information from Crowe in discovery. On October 17, 2014, Marquette Transportation specifically requested “the Facebook history of any account(s) that [Crowe] had or has for the period commencing two (2) weeks prior to the incident in question to the present date.”
Crowe presented a variety of novel defenses in hopes of escaping Marquette Transportation's examination of his Facebook account -- one of which was that he had no Facebook account.
Plaintiff objects to this Request as vague, over broad and unduly burdensome. Plaintiff further objects to the extent this Request seeks information that is irrelevant and not reasonably calculated to lead to the discovery of admissible evidence. Notwithstanding said objections and in the spirit of cooperation, plaintiff does not presently have a Facebook account.
Note the qualifier "presently."
Crowe later testified in his deposition that he stopped having a Facebook account “around October” of 2014.
Oddly coincidental.
Marquette served its written discovery upon Crowe’s counsel on October 17, 2014. (Rec. doc. 16-1 at p. 1). Crowe’s Facebook records from the “Brannon CroWe” account indicate that account was deactivated on October 21, 2014. Counsel for Marquette is entitled to explore the timing of this deactivation.
"Stopped having" actually meant "deactivated his account." Crowe didn't go so far as to delete the account, which might have made the damning post a bit more difficult to recover. But he wanted to keep his account alive for use at a later date. This didn't escape the court's notice.
The same Facebook records indicate that the account was accessed routinely by an iPhone with an IP address of 108.215.99.63 beginning well before the alleged accident up to and including on the date of deactivation. On January 7, 2015, the account was reactivated by the same iPhone with the same IP address. Counsel for Marquette is entitled to explore these matters, particularly given the current dispute over the status of Crowe’s iPhone service and whether he was able to and did send “text messages” to others at points in time when he claimed to be unable to do so.
Crowe's shovel-wielding skills far outpace his ability to hide incriminating information. But as is the case with shovel wielders, even the most efficient can do little more than dig holes of increasing depth. When this foolproof plan to thwart Marquette Transportation's discovery request failed, Crowe deployed Plans B, C and D, with similar results.
Similarly, counsel for Marquette is entitled to analyze the thousands of pages of Facebook messages Crowe exchanged with others, including his co-worker, Robert Falslev, particularly given his testimony that his account: (1) did not use a capital “W” in its name, (2) that it was hacked, and (3) that he did not send one particular Facebook message to Falslev stating he was injured fishing, rather than on the Marquette vessel.
Crowe's counsel, now presumably righteously pissed, produced the records sought by Marquette -- in bulk.
Pursuant to the Court’s Order quoted above, Crowe, through counsel, has now submitted to the Court for in camera review an astonishing 4,000-plus pages of Facebook history from the account “Brannon CroWe.” While the Court has made a preliminary review of certain of these materials, it is not about to waste its time reviewing 4,000 pages of documents in camera when it is patently clear from even a cursory review that this information should have been produced as part of Crowe’s original response. This production makes it plain that Crowe’s testimony, at least in part, was inaccurate. That alone makes this information discoverable.
The court may not be interested in looking through Crowe's obviously very active (before it suddenly, suspiciously wasn't) Facebook account, but I would imagine Marquette's lawyers will find the time to do so. But even in Crowe's self-inflicted dark cloud, there's a silver lining -- albeit one brought about by his desire to save his (supposedly hacked-with-a-capital-W) Facebook account, rather than see it (and the incriminating post) vanish into the ether.
Crowe may have inadvertently saved himself at least some trouble with the Court by deactivating his account rather than deleting it. This duty to preserve evidence in litigation extends to social media information and is triggered when a party reasonably foresees that evidence may be relevant to issues in litigation. As soon as he placed the source of his injuries at issue, Crowe triggered the duty to preserve. Deleting relevant social media data can result in sanctions against the deleting party because the information is not recoverable, which implicates spoliation of evidence issues. In contrast, Crowe’s Facebook data was still accessible upon a simple re-login.
The court won't offer Crowe much sympathy in the future, but it's not likely to pursue sanctions. That's about all there is in terms of good news. The effort made to hide the evidence doesn't make Crowe look any less guilty. Social media platforms are bad places to do bad things. Even swift deletions can be recovered with timely court orders, and an internet's worth of cached pages and third-party content aggregators often ensures that deleted postings will live on in one form or another.

Posted on Techdirt - 21 May 2015 @ 2:51pm

Court Reminds Police That Refusing A Search Isn't Inherently Suspicious Behavior

from the only-criminals-exercise-their-rights? dept

It really shouldn't take a judge's order to make this clear to law enforcement officers: a citizen invoking their rights isn't doing anything illegal, suspicious or otherwise signalling an involvement in criminal activity. These are simply their rights and they can choose to assert (or waive) them as they see fit.

But that's what it takes, because almost anything that isn't an immediate capitulation to a law enforcement officer's demands is often met with dubious actions, arrests and deployment of force.

Deborah Barker was arrested for methamphetamine possession after an Oregon police officer performed a warrantless search of the contents of her purse. Her motion to suppress was denied by a lower court, but the state appeals court found otherwise.

From the ruling:

Defendant was a passenger in a truck driven by her husband, which was stopped by Oregon State Police Trooper Ratliff on suspicion of driving while intoxicated. Ratliff noticed that defendant’s husband was “overly nervous” and that there was a bottle of alcohol on the seat, as well as many knives, lighters, and trash in the truck.
We'll stop right here and discuss a couple of things.

First, officers regularly declare people they stop to be "nervous" and use that as the "reasonable suspicion" they need to prolong the stop and start fishing for criminal charges. This is obviously a very handy "tool," because almost every citizen is more nervous than usual when speaking to people who are not only armed, but possess incredible amounts of power.

Judges, fortunately, are pushing back on this assertion more frequently. Just recently, the Tenth Circuit Court pointed out that "nervousness" does not equal reasonable suspicion, although the totality of other elements (rented car in another's name, inconsistent travel plans) certainly did. Another told the DEA that nervousness -- even when combined with three cellphones and a past criminal history -- did not automatically rise to the level of reasonable suspicion. But it still must work often enough, because "nervousness = reasonable suspicion" doesn't seem to be going away.

Second, the condition of the vehicle's interior is also cited as "reasonable suspicion" -- namely that it had trash and lighters in it. Paradoxically, law enforcement almost simultaneously claims that the absence of drug paraphernalia/trash is inherently suspicious. Here it is arguing that a clean car is a drug trafficker's car in a Seventh Circuit Court decision from earlier this month:
A ten-minute search turned up nothing, save for two cell phones. The interior of the car was “spotless” and had no other personal effects, which the officers believed was suggestive of the car being a “trap car” used for drug trafficking.
You can't win. But you can try to even the odds.
Defendant was wearing a dress, and Ratliff did not believe she had any weapons in her pockets. Ratliff asked defendant if she had any weapons in her purse, and defendant replied, “I don’t want you to search my purse.”
The officer asked her to place the purse on the hood of the vehicle for "safety" reasons. (Not completely unreasonable, considering Barker hadn't answered one way or the other on the question about whether the purse held a weapon.) It fell open a little, exposing a small, gray scale. This, combined with Barker's appearance ("leathery") and her "drug history," was taken as the probable cause needed to effect an arrest of Barker.

All well and good, but the officer then decided to search the purse without a warrant, ultimately discovering a small amount of meth hidden in a wallet. And that's where it ran into problems. First, Officer Ratliff made this assertion, which basically states that "innocent" people don't force cops to respect their rights.
Ratliff went on to note that the “innocent motoring public doesn’t generally have those indicators. They don’t get out of the vehicle and tuck their purse tightly with them and immediately refuse search.”
The lower court bought Ratliff's arguments and refused to suppress the fruits of the warrantless search. The appeals court, however, looked at each element the state claimed added up to permission to warrantlessly search Barker's purse and found them all wanting -- those being Barker's history of drug use, the vehicle's appearance, Barker's appearance ("leathery," clenched teeth), her dilated pupils, her possession of a small scale and her refusal to allow an officer to search her purse.
As we have previously held, the mere fact that a defendant has a history of drug use does not provide an officer with reasonable suspicion to stop a defendant, let alone probable cause to search or arrest.

[...]

For similar reasons, defendant’s inability to remain still and dilated pupils also contribute little to establishing probable cause.

[...]

[T]he record in this case lacks evidence to support an objectively reasonable inference that, even if the scale was used in connection with controlled substances, it was more likely than not that defendant was in current possession of controlled substances, as residue on the scale or otherwise.
Finally, it addresses the claim that Barker's control of her purse was yet another factor contributing to her apparent guilt.
The state argues that “[t]he strongest indicator that defendant was in possession of drugs was her conduct towards her purse.”
But that's completely wrong, according to the court. It's not a "strong indicator." It's an assertion of rights.
When an individual seeks to protect an item and openly asserts his or her privacy rights, that behavior and assertion is neither innately shifty nor sinister—rather, it is constitutionally protected. And, “[a]llowing the police to conduct a search on the basis of the assertion of a privacy right would render the so-called right nugatory.” State v. Brown, 110…
Although furtive behavior may contribute to probable cause, asserting a constitutionally protected privacy right cannot. Defendant’s protective behavior to safeguard the privacy of her purse and her statement that she did not want it searched are not properly considered as part of the totality of the circumstances and may not contribute to probable cause.
In short (and as summed up in a footnote), police cannot use someone's constitutionally-protected right to refuse a search as probable cause to justify a search. The ruling is reversed and remanded and the police are now in the same position they were before they performed the warrantless search: looking at someone they want to arrest but without the probable cause to do so. And now it's so much worse because the officer knows Barker was in possession of a controlled substance but can't do anything about it. With the evidence suppressed, the single possession charge resulting from this arrest no longer exists.

These rights weren't granted to citizens just so the government could use any exercise of them against those availing themselves of these protections. They were supposed to safeguard citizens against governmental overreach and abuse of its powers, but default mode seems to be that only the guilty assert their rights. This mindset is so perverse -- and so pervasive -- that it has to be beaten back one court decision at a time. Law enforcement officers treat assertions of rights as, at best, an annoyance and at worst, tacit admissions of guilt. To operate under such a twisted interpretation displays an almost incomprehensible level of privilege -- where government agents are owed whatever they request and any failure to cooperate is treated with suspicion.

Posted on Techdirt - 21 May 2015 @ 1:42pm

Report: FBI's PATRIOT Act Snooping Goes Beyond Business Records, Subject To Few Restrictions

from the 'just-metadata'-means-whatever-the-FBI-can-obtain dept

A report by the FBI's Office of the Inspector General (OIG) on the agency's use of Section 215 collections has just been released in what can only be termed as "fortuitous" (or "suspicious") timing. Section 215 is dying. It was up for reauthorization on June 1st, but the Obama administration suddenly pushed that deadline up to the end of this week. Sen. Mitch McConnell took a stab at a clean reauth, but had his attempt scuttled by a court ruling finding the program unauthorized by existing law and the forward momentum of the revamped USA Freedom Act. And, as Section 215's death clock ticked away, Rand Paul and Ron Wyden engaged in a filibuster to block any last-second attempts to ram a clean reauthorization through Congress.

The report focuses mainly on the FBI's 2007-2009 use of the program in response to previous OIG recommendations and alterations ordered by the FISA court. As is to be expected in anything tangentially-related to the NSA, it's full of redactions, especially in areas where a little transparency would go a long way towards justifying the FBI's belief that the program should continue in a mostly-unaltered state.

Redactions like this do absolutely nothing to assure the public that the program is useful and/or considerate of citizens' rights.

Areas dedicated to discussing controls of the obtained data are similarly obscured. Whatever policies the FBI adopted in terms of minimization, dissemination and oversight at the recommendation of the OIG are covered in black ink.
What information does actually make its way past the redactions shows that what's collected (and turned over to the FBI) goes far beyond the "just" telephone metadata often claimed to be the primary target of the program's collections.

Far from being just business records -- something the public supposedly has no 4th Amendment-related privacy interest in -- the Section 215 program also allows the FBI to obtain "non-public" records and data.
In the 2008 report, we recommended that the Department implement minimization procedures for the handling of nonpublicly available information concerning U.S. persons in response to Section 215 orders…
More sentences scattered throughout the report hint at expansive collections going far beyond the business records covered by the Third Party Doctrine. As noted in the report, reauthorizations of the Patriot Act expanded the program's reach far beyond what was allowed in its earliest iterations -- from business records from certain approved sources to "any tangible thing." This, combined with a continually-lowered threshold for "relevance," has resulted in the following:
We found that [redacted] of [redacted] applications submitted to the FISA Court on behalf of the FBI requested materials related to Internet activity. [p. 7]

Materials produced in response to Section 215 orders now range from hard copy reproductions of business ledgers and receipts to gigabytes of metadata and other electronic information. [p. 8]

We reviewed [redacted] related Section 215 applications that requested subscriber and transactional information for [redacted] e-mail accounts from U.S. providers. [p. 40]
The report also notes that minimization procedures do not apply to "publicly-available information," possibly indicating that the FBI's interpretation of the Third Party Doctrine allows it to retain and search non-relevant information on US persons, as well as disseminate it freely without fear of breaching its internal policies. The FBI's "Final Procedures" -- adopted in the wake of the FISA court's smackdown of the NSA, as well as on the recommendation of the OIG -- only applies to "nonpublicly available information."

The OIG also cautions that technological advances have blurred the line between communications and metadata and warns the FBI that vigilance will be needed to keep the two separate. This statement points to the eventual development of further minimization procedures, but if it's anything like the last set of OIG recommendations, it will be years before the FBI gets around to putting anything in motion.
We found the Supplemental Orders significant because the practice began almost 3 years after the Department was required by the Reauthorization Act to adopt specific minimization procedures for material produced in response to Section 215 orders, and over a year after we found that the Interim Procedures implemented by the Department in September 2006 failed to meet the requirements of the Reauthorization Act. The Department and FBI ultimately produced final minimization procedures specifically designed for Section 215 materials in 2013. The Attorney General adopted the FBI Standard Minimization Procedures for Tangible Things Obtained Pursuant to Title of the Foreign Intelligence Surveillance Act on March 7, 2013 (Final Procedures), and in August 2013 the Department began to file Section 215 applications with the FISA Court which stated that the FBI would apply the Final Procedures to the Section 215 productions.

Given the significance of minimization procedures in the Reauthorization Act, we do not believe it should have taken 7 years for the Department to develop minimization procedures or 5 years to address the OIG recommendation that the Department comply with the statutory requirement to develop specific minimization procedures designed for business records
The report also contained details on numerous instances of potential abuse of the Section 215 collections. Most of these discussions are redacted, but one reveals enough information to indicate the FISA Court was used to obtain information pertaining solely to a US person, as well as other intriguing (but mostly censored) incidents where FBI agents apparently felt FISA Court orders were more useful and expeditious than National Security Letters -- something of an anomaly for an agency that has so thoroughly abused its administrative privileges.

What is clear from these heavily-redacted recountings is that the FBI uses court orders designed for foreign intelligence gathering for domestic investigations, as well as to aid the agency in its cyberwar efforts.

The report also takes note of the severe restrictions imposed by the FISA court in 2008 after uncovering widespread abuse of the metadata collections by the NSA. It points out that several of these restrictions were lifted after an end-to-end review showed no instances of abuse by the agency during the period examined. In addition to confirming that the NSA collects from providers (plural) -- despite the government's arguments to the contrary when disputing plaintiffs' standing in Section 215-related lawsuits -- the report also points to the FBI and NSA obtaining records they shouldn't have had access to by an overly-helpful telco.
[N]SD reported to the FISA Court in March 2011 that in December 2010 and January 2011 NSA technical personnel discovered that the telephony metadata produced by a telecommunications provider included [redacted]. NSA contacted the carrier and was informed that a software change made in October 2010 resulted in this occurrence. According to the NSD's compliance notice filed with the Court, beginning on or about January 14, 2011, the telephony metadata did not include [redacted]. The NSA subsequently provided updates to the FISA Court describing the methods taken to purge the [redacted] from its databases.
And, as is the case with nearly every FBI document release, there's some over-redaction that serves no purpose other than to make the agency look foolish.
In June 2013, former NSA contract employee Edward Snowden caused to be publicly released documents relating to the bulk collection of telephony metadata and the Office of the Director of National Intelligence has since declassified aspects of this program. We have included a description of the NSA program, [redacted] in the body of this report.

The Department relied on [redacted] to obtain FISA Court orders [redacted].
So much for the transparency push. Despite leaks and declassification in response, the FBI withholds information already in the public domain.

Additionally, the document could have shed some light on the FBI's current Section 215 activities, but instead the agency has chosen to hide every last bit of discussion on its ongoing efforts. [pp. 68-72]
FBI head James Comey continues to insist there needs to be a discussion about the respective weighting of security and privacy, but heavily-redacted documents like these do not add to that discussion. How is the public supposed to weigh these two factors if it can't access the FBI's arguments in favor of Section 215's continued existence? The only purpose this document serves is to give legislative true believers something to wave around as they defend the Patriot Act's perpetual, unaltered renewal.

Posted on Techdirt - 21 May 2015 @ 10:42am

New Leak Shows NSA's Plans To Hijack App Store Traffic To Implant Malware And Spyware

from the a-spy-in-the-house-of-apps dept

Proving there's nowhere spy agencies won't go to achieve their aims, a new Snowden leak published jointly by The Intercept and Canada's CBC News shows the NSA, GCHQ and other Five Eyes allies looking for ways to insert themselves between Google's app store and end users' phones.

The National Security Agency and its closest allies planned to hijack data links to Google and Samsung app stores to infect smartphones with spyware, a top-secret document reveals…

The main purpose of the workshops was to find new ways to exploit smartphone technology for surveillance. The agencies used the Internet spying system XKEYSCORE to identify smartphone traffic flowing across Internet cables and then to track down smartphone connections to app marketplace servers operated by Samsung and Google.

Branded "IRRITANT HORN" by the NSA's all-caps random-name-generator, the pilot program looked to perform man-in-the-middle attacks on app store downloads in order to attach malware/spyware payloads -- the same malicious implants detailed in an earlier Snowden leak.
While the document doesn't go into too much detail about the pilot program's successes, it does highlight several vulnerabilities it uncovered in UC Browser, a popular Android internet browser used across much of Asia. Citizen Lab performed an extensive examination of the browser for CBC News, finding a wealth of exploitable data leaks. [PDF link for full Citizen Lab report]

In addition to discovering that phone ID info, along with geolocation data and search queries, was being sent without encryption, the researchers also found that clearing the app cache failed to remove DNS information -- which could allow others to reconstruct internet activity. Citizen Lab has informed the makers of UC Browser of its many vulnerabilities, something the Five Eyes intelligence agencies obviously had no interest in doing.

But IRRITANT HORN went beyond simply delivering malicious implants to unsuspecting users. The Five Eyes agencies also explored the idea of using compromised communication lines to deliver disinformation and counter-propaganda.
[The agencies] were also keen to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations that are used to spread propaganda or confuse adversaries. Moreover, the agencies wanted to gain access to companies’ app store servers so they could secretly use them for “harvesting” information about phone users.
As is the case with each new leak, the involved agencies have either declined to comment or have offered the standard defensive talking points about "legal framework" and "oversight," but it's hard to believe any legal mandate or oversight directly OK'ed plans to hijack private companies' servers for the purpose of spreading malware and disinformation. And, as is the case with many other spy programs, IRRITANT HORN involves a lot of data unrelated to these agencies' directives being captured and sifted through in order to find suitable targets for backdoors and implants.


Posted on Techdirt - 21 May 2015 @ 9:39am

Judge Tells FBI It Doesn't Have A 'Two-Minute Rule' That Allows It To Listen In On Personal Phone Calls

from the first-two-minutes-of-privacy-violations-free-w/purchase-of-full-investigation! dept

Something the FBI has long considered to be part of its wiretapping efforts has been rejected by the Second Circuit Court of Appeals. Much like many people believe a 30-second-or-less clip from a movie, TV show or song entitles them to claim fair use, the FBI believes that a two-minute or less phone conversation can be listened to in its entirety even if it has nothing to do with the investigation at hand.

The U.S. Court of Appeals for the Second Circuit declined to adopt a rule that agents get a "two-minute presumption" on the reasonableness of wiretapping calls that are personal in nature.

The circuit did so while dismissing a civil suit brought against FBI agents by a woman who claimed her privacy was violated when agents taped intimate phone calls between herself and her husband during a criminal investigation.

The circuit said the woman, Arlene Villamia Drimal, will be allowed to file a new complaint against the agents.

Drimal is the wife of convicted insider trader Craig Drimal. She sued 16 FBI agents for conversations they overheard in 2007 and 2008 while executing a wiretap secured under Title III of the Omnibus Crime Control and Safe Streets Act of 1968, §§2510-2522.
This doesn't necessarily "put to death" the two-minute window on personal calls FBI agents grant themselves, contrary to Drimal's lawyer's claims. The ruling is very specifically narrowed to cover only the FBI agents' actions in this case. The 16 agents listed in Drimal's lawsuit moved for dismissal, citing qualified immunity and pointing to a previous decision which allowed the FBI approximately two minutes to ascertain a call's purpose and relevance.
They cited the Second Circuit case of United States v. Bynum, 485 F.2d 490 (2d Cir. 1973), where the court held a wiretap that monitored 2,058 in a large narcotics case did not violate Title III minimization requirement.

The Bynum court excluded calls under two minutes from its evaluation of the wiretap because "in a case of such wide-ranging criminal activity as this, it would be too brief a period for an eavesdropper even with experience to identify the caller and characterize the conversations as merely social or possibly tainted."
The FBI has an indeterminate amount of time to discern the intent and content of wiretapped calls, with an obligation to disconnect as soon as it's surmised the phone call has no investigatory relevance. This still remains in force, even with this rejection of its "two minute" argument. Without a doubt, this allowance has been abused to listen in on phone calls of a personal nature, but its intent is to minimize privacy violations while still allowing agents to collect evidence. What distinguishes this case from others is that the FBI agents were caught not "minimizing" wiretapped calls in violation of the court order authorizing the wiretap. This abusive behavior was called out by the presiding judge.
This case does not present the same circumstances as Bynum. Many of the violations here took place in the early stages of the wiretap when defendants were less familiar with the case and with Mrs. Drimal’s lack of involvement in it, but the agents should have realized reasonably early in the wiretap that these husband and wife conversations were not relevant to the investigation. As Judge Sullivan noted in Goffer, Mr. and Mrs. Drimal occasionally discussed “deeply personal and intimate” issues, 756 F. Supp. 2d at 594, and “in each of these calls it should have been apparent within seconds that the conversation was privileged and non-pertinent,” id. at 595.

As a result, the reasoning from Bynum that it would be too difficult to minimize calls under two minutes is not applicable here where agents could determine in seconds that the calls between husband and wife were entirely personal in nature. The two-minute presumption we applied in Bynum thus does not automatically shield defendants against the failures to minimize calls under two minutes that the putative amended complaint is likely to allege.
On one hand, the ruling undercuts the FBI's assumption that all calls under two minutes in length can be listened to in their entirety, no matter their relevance to ongoing investigations. On the other hand, the ruling cannot be applied broadly to other FBI wiretapping efforts. Civil suits brought over alleged privacy violations aren't going to be any easier to pursue as the "window" for FBI eavesdropping is still wide open, what with the Bynum ruling only applying to the specific facts of that case, rather than FBI wiretapping in general.

Drimal's case was aided by a couple of unlikely incidents, one of which was two agents' open admissions that they had listened to privileged phone calls. The other factor weighing into this decision was the very specific instructions the agents received, not only from the court issuing the wiretap order, but also from the US State's Attorney. Without these two elements, the FBI would likely have been found to be acting lawfully within the confines of its wiretap policies and applicable court orders.


Posted on Techdirt - 21 May 2015 @ 4:02am

Court Follows Shutdown Of Jason Leopold's Torture Report FOIA Request By Denying Same To ACLU

from the (b)5:-for-when-you-absolutely,-positively-have-to-hide-every-motherfuckin'-d dept

The ACLU is suing the CIA over its withholding of CIA Torture Report-related documents, including the so-called Panetta Review. The CIA, so far, has managed to withhold the requested documents in their entirety, citing multiple FOIA exemptions. The ACLU isn't taking no for an answer and has challenged the CIA's refusal to turn over any of the documents the ACLU has requested. But this effort has now been shut down by the DC District Court.

The decision starts by noting that if the SSCI report (Torture Report) had remained solely in the hands of the Senate, it would have been unobtainable via FOIA requests. The ACLU had argued that its transfer to the CIA has released it from this clearly delineated restriction. ("For purposes of FOIA, the definition of an “agency” specifically excludes Congress, legislative agencies, and other entities within the legislative branch.")

The court finds otherwise:

The Court’s inquiry, therefore, is a streamlined one: do there exist “sufficient indicia of congressional intent to control,” id., the Full SSCI Report? [...] Although this case is no slam dunk for the Government, the Court answers that question in the affirmative.
The decision quotes from a SSCI letter from 2009 referring to the still in-the-works Torture Report.
In its June 2009 letter to the CIA, SSCI expressly stated its intent that the documents it generated during its investigation “remain congressional records in their entirety and disposition,” such that “control over these records, even after the completion of the Committee’s review,” would “lie[] exclusively with the Committee.” June 2, 2009, SSCI Letter, ¶ 6. Making its wishes even more explicit, it continued, “As such, these records are not CIA records under the Freedom of Information Act, or any other law.”
The ACLU pointed out that this letter from 2009 was both outdated and irrelevant to the issue at hand, as it only pertained to the use of documents shared with the Senate by the CIA, rather than the resulting report. The court disagrees, stating that the language in the 2009 letter is broad enough to cover the finished product, rather than just the documents contributing to it. But it also points out that the CIA's arguments in defense of its secrecy are inconsistent.
One final point bears mention. Defendants’ own characterizations of the scope of the letter vary somewhat in their submissions. Compare, e.g., Higgins Decl., ¶ 12 (“One key principle necessary to this inter-branch accommodation . . . was that the materials created by SSCI personnel on [the] segregated shared drive would not become ‘agency records’ even if those documents were stored on a CIA computer system or at a CIA facility.”) (emphasis added), with Def. Reply at 5 (explaining that the language of the June 2009 letter “covers the Full Report” as a “final . . . report[] or other material[] generated by Committee staff or members,” even though it did not reside on the network drive).
The ACLU also argued that Dianne Feinstein's letter from 2010 is a better indicator of whether or not the report and its supporting documents are FOIA-able.

As its pièce de résistance, the ACLU seizes on the December 10, 2014, transmittal letter from Senator Feinstein, claiming it represents “direct evidence of the SSCI’s intentions for the Final Full Report.” Id. That letter, to recap, states:

"[T]he full report should be made available within the CIA and other components of the Executive Branch for use as broadly as appropriate to help make sure that this experience is never repeated. To help achieve this result, I hope you will encourage use of the full report in the future development of CIA training programs, as well as future guidelines and procedures for all Executive Branch employees, as you see fit." December 10, 2014, Feinstein Letter.

“By encouraging the use and dissemination of the Final Full Report among the executive branch, and by leaving to the executive branch the decision as to how ‘broadly’ the report should be used within the agencies,” claims Plaintiff, “SSCI relinquished its control over the document.”
The court rebuts this argument as well. Rejecting the ACLU's "refinement" of the entirety of SSCI-related communication between the Senate and the CIA to a single letter, the court declares that Feinstein's instructions must be considered in context.
The Court, therefore, need not confine its consideration to the moment of transmission. On the contrary, SSCI’s 2009 letter sets the appropriate backdrop against which Senator Feinstein’s 2014 letter can be properly understood.

So teed up, her letter does not evince congressional intent to surrender substantial control over the Full SSCI Report. While it does bestow a certain amount of discretion upon the agencies to determine how broadly to circulate the Report, such discretion is not boundless. Most significantly, the dissemination authorized by the letter is limited to the Executive Branch alone. It plainly does not purport to authorize the agencies to dispose of the Report as they wish – e.g., to the public at large.
The court also adds that Feinstein's statement accompanying the public release of the report summary further declares the documents off-limits -- at least until further notice.
SSCI’s deliberate decision not to publicly release the Full Report, combined with its assertion that it would consider that course of action in the future, serve to further undermine Plaintiff’s theory that Congress intended to relinquish control over the document only days later.
It finds similarly for the "Panetta Report" documents, citing its rejection of Jason Leopold's FOIA request. The CIA continues to assert that these documents are "deliberative" in nature and out of the reach of FOIA requests, despite the fact that what's being deliberated has already been made public (in the summary report) and handed over to the executive and legislative branches (via the full report). The court upheld the CIA's exemption (b)5 declaration, stating that it doesn't matter whether or not portions of the sought documents are in the public domain, but rather that the documents are part of an agency's "deliberative process." (This is why exemption (b)5 is the most-abused FOIA exemption.)

As it had already shot down Leopold's request, the court finds no reason to alter its course, despite some "novel" arguments advanced by the ACLU -- including quoting Sen. Udall's assertion that the Panetta Review is a complete work of critical importance (a "smoking gun") that far exceeds the CIA's portrayal of it as an unfinished pile of somewhat related deliberative works-in-progress. The CIA's motion to dismiss is granted.

With this decision (and many preceding it), government agencies are being given even more reason to declare anything they don't want released "deliberative" and trust the courts to uphold their declarations.


Posted on Techdirt - 20 May 2015 @ 3:44pm

EFF Asks Court To Reconsider Ruling That Would Make Violating Work Computer Policies A Criminal Act

from the surfing-on-the-clock?-that's-a-jailing dept

The EFF is asking the Oregon Supreme Court to take a look at a disturbing opinion issued by the state's appeals court -- one that could see employees face fines and prison time simply for violating company policies.

The case prompting the filing of an amicus brief on behalf of the defendant does contain an element of criminality, but the court's decision should have been limited to the end result of the defendant's actions, rather than the actions taken to reach that point.

Caryn Nascimento worked as a cashier at the deli counter of a convenience store. As part of her job, she was authorized to access a lottery terminal in the store to sell and validate lottery tickets for paying customers. Store policy prohibited employees from purchasing lottery tickets for themselves or validating their own lottery tickets while on duty. After a store manager noticed a discrepancy in the receipts from the lottery terminal, it was discovered that Nascimento had printed lottery tickets for herself without paying for them. She was ultimately convicted not only of first-degree theft, but also of computer crime on the ground that she accessed the lottery terminal “without authorization.”

Nascimento appealed the computer crime conviction. She argued that because she had permission to access the lottery terminal as part of her work duties, she did not access the terminal without authorization—as required under Oregon's computer crime statute. Unfortunately, the Oregon Court of Appeals affirmed Nascimento’s conviction, finding she had only “limited authorization” to access the lottery terminal for purposes of printing and validating lottery tickets for paying customers, and acted without authorization when she printed them for herself.
At first glance, it almost seems like a reasonable application of the law simply because the end result was theft. But it's the specifics that make it troublesome. "Without authorization" is far too broad a term to be used in this context. With this reading of Oregon's law, the appeals court has basically criminalized a wide variety of corporate computer-related policy violations. Actions that would normally be met (in a corporate setting) with warnings and reprimands could now be viewed as criminal acts.
[T]he Court of Appeals’ decision transforms millions of unsuspecting individuals into criminals on the basis of innocuous, everyday behavior—such as checking personal email or playing solitaire on a work computer. Such restrictions, frequently included in employers’ computer policies, are no different than the restriction imposed on Nascimento. They're ultimately all computer use, not access, restrictions. Upholding Nascimento’s conviction on the basis of a violation of a computer use restriction expands Oregon’s computer crime statute to criminalize violations of any computer use restriction.
The broad reading of Oregon's criminal statute also poses potential problems outside of the work environment.
The court’s holding that a person acts “without authorization” if she violates a policy regarding the use of a computer that she is otherwise authorized to access could be extended to an Internet user who accesses a website in violation of a written terms of service. For example, Facebook’s terms of use provide that “[y]ou will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.” But as the Ninth Circuit noted en banc, “[l]ying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight.” Under the Court of Appeals’ expansive reading of ORS 164.377, if a user shaves a few years off her age in her profile information, asserts that she is single when she is in fact married, or seeks to obfuscate her current physical location, hometown or educational history for any number of legitimate reasons, she violates the computer crime law. The court’s decision thus opens the door to turning millions of individual Internet users—not just millions of individual employees—into criminals for typical and routine Internet activity.
The EFF points out that rolling back this "unconstitutionally vague" reading of Oregon's computer crime law doesn't leave the state without options to punish Nascimento for her actions. She still faces one count of aggravated first-degree theft -- a charge the EFF is not disputing. Pointing to previous decisions by the Fourth and Ninth Circuit courts, the EFF states that similarly broad readings of the rightfully-maligned CFAA (Computer Fraud and Abuse Act) have been rejected for potentially criminalizing violations of workplace computer use policies.

The Supreme Court should have no problem rolling back this broad reading and the attendant charge brought against Nascimento. The theft may have been facilitated by improper access that violated company policy, but this access doesn't rise to the level of a criminal act -- even if it ultimately resulted in a criminal action.


Posted on Techdirt - 20 May 2015 @ 2:50pm

Prenda Lawyer's ADA Shakedown Efforts Running Into Resistance From Public, Judges

from the hoping-this-ends-up-in-tears-and-sanctions-as-well dept

Paul Hansmeier, having learned all he needs to know about practicing law from his years in the trolling trenches as part of Prenda Law, is now shaking down businesses using ADA (Americans with Disabilities Act) lawsuits. This new (but not really) approach is slightly more palatable to the general public than attempting to fish a few bucks from randy torrenters via infringement lawsuits, but not by much. Those on the receiving end of these shakedown efforts don't see much difference between Hansmeier's new approach and the actions that netted him and Prenda Law sanctions from multiple courts.

Hansmeier still seems enthralled with the possibility of easy money, even if his experience with Prenda Law didn't exactly pan out the way its principals hoped. Most are still in the process of extracting themselves from the flaming wreckage of Prenda, but they're limping away, rather than strutting. Some may even face jail time for contempt.

Hansmeier and his non-profit (Disability Support Alliance) -- which exists nowhere but the Minnesota business registry and as a nominal plaintiff in his 50+ ADA lawsuits -- are running into roadblocks on Easy Buck Ave. One of the businesses he recently sued addressed his allegations by filing a $50,000 counterclaim for abuse of process and civil conspiracy.

Now, there's more trouble on the way.

Cal Brink was tired of the lawsuits that just kept coming. Since the first suit claiming lack of disability access was filed more than a year ago, businesses in this southwest Minnesota town of nearly 14,000 people have been worried that they, too, would be hit.

Nine lawsuits have been filed here so far by the Disability Support Alliance, a nonprofit group formed last summer, including one against the only bowling alley in town. The owner said he will soon close rather than pay the DSA’s $5,500 settlement offer or make the $20,000 of changes needed to comply with the Americans with Disabilities Act.

“Nobody fights them, because it’s going to cost you more to fight,” said Brink, executive director of the local Chamber of Commerce.

Now Marshall is fighting back. Working in concert with the Minnesota State Council on Disability, Brink developed an access audit for local businesses, allowing them to develop a plan to fix ADA issues and potentially to ward off litigation.

The plan has won the attention of the state Department of Human Rights, which hopes it could be used in other communities hit by serial litigation.
Since the putative goal is to improve access for the disabled, you'd think something called the "Disability Support Alliance" would be behind it. But the DSA isn't about improving access. It's about making money. Eric Wong, a member of the four-person-strong DSA, says companies just need to pay it first and worry about complying with the law later.
His group “is currently in the process of producing a voluntary mass settlement agreement for those businesses in Marshall that are ready to confess to their crime, fully comply … and pay the damages/restitution that they are liable for under the law,” Wong said in an e-mail.

“The lawsuits will stop when there is no more access crime to prosecute,” he said. Many businesses “fail to understand that … we are now a zero tolerance state.”
Roughly translated: the trolling will continue until it's run off the rails by the public or the courts. The lawsuits have already caught the eye of Hennepin County's chief judge, who noted that the flurry of filings "raised the specter of serial litigation" and has ordered that all DSA/Hansmeier lawsuits filed in the county be handled by one judge. This will probably prompt Hansmeier to take his "business" elsewhere, rather than deal with extra scrutiny from a judge who won't have to connect the dots between multiple filings in multiple venues. With any luck, Hansmeier's efforts elsewhere will be greeted with the same local resistance and judicial distrust.


Posted on Techdirt - 20 May 2015 @ 4:10am

Dept. Of Public Works Finds Watching 20 Hours A Week Of Full-Screen Porn On Work Computers To Be A Bit Too Much

from the 'I-find-working-in-public-service-to-be-[self]-gratifying' dept

I'll never understand the mentality of an employee -- government or otherwise -- who watches porn while on the clock and on company computers. I get that the mind wanders when not otherwise occupied, but rather than surf the web for innocuous time-killers, certain people decide to just head off the deep end and view something that's forbidden in every work environment not actively engaged in the production or distribution of porn.

While I may have skirted policies meant to keep time-wasting to a minimum (some days were filled with only wasted time), I have never opted to go the porn route. I have nothing against porn or those who watch it. I would just rather not give my employers (a) the equivalent of the middle finger re: computer use policies and (b) any insight into my personal sexual preferences. (LET YOUR IMAGINATIONS RUN WILD.) Both of these seem like BAD THINGS to do.

(Also, there's that whole thing about it that insinuates some sort of self-pleasure is involved, and in a work environment, that's just… amazingly gross. Even the employees at the porn shop don't relish cleaning up the spank rooms. Imagine being told after a few weeks at work that your predecessor [and previous cubicle occupant] was fired for watching tons of porn during work hours. You'd want to shower in decontaminant and return in a hazmat suit.)

And yet, we have written multiple stories about employees (most of them in the public sector) who not only watch porn at work, but do so with unimaginable gusto for hours at a time. Here's yet another, involving a Baltimore Department of Public Works employee:

Inspector General Rob Pearre Jr. released a report last week revealing the employee, a maintenance supervisor at the facilities division of the Back River Wastewater Treatment Plant, was suspended in September 2014 and fired Jan. 20 at the conclusion of an investigation.

The report said officials received an anonymous complaint about the worker in August of last year and monitoring software installed on the man's work computer found he spent 39 of the 82 hours he spent working in a two-week period watching a pornographic DVD on the computer.
Nothing handles the ridiculousness of a porn-related firing more aptly than an official report so dry it could apply for disaster relief funds.

"HOW MUCH PORN DID HE WATCH?" the studio audience in my mind demands. Here's a per-shift breakdown, listed in this report as "Table 1."


It appears the employee's workload tended to diminish over the course of the week, with Mondays and Tuesdays (with one exception -- a seven-of-eight work hours marathon) being relatively light and the ratio of porn-to-work increasing as the week wore on. Fridays were half-days and, accordingly, roughly half of that time was given over to porn-watching.

Now, the employee obviously felt accessing porn via the internet might result in a swift dismissal. His workaround -- bringing a DVD from home -- allowed him to bypass web filters. However, the length of time it was watched, combined with how it was watched, gives the impression that no one really checked on this employee's productivity, much less ever stopped by his desk.
The City-owned computer operated by the MSI was connected to a single monitor. OIG personnel noted that when pornographic material was visible, the video was maximized to cover the entire screen.
Full-screen porn during work hours is a strong indicator that the employee was neither valued nor popular. Viewing porn in full screen can only be done by those confident their porn sessions will not be interrupted.

The Inspector's report then goes on to state the (inadvertently hilarious) obvious.
OIG personnel noted that minimal computer activity was performed while pornographic material was visible. Based on these findings, the OIG believes that little to no work was being performed during the time that pornographic material was visible on the screen of the MSI’s City-owned computer.
Doh! If only this employee had reduced it to the upper corner of the monitor and run a few work-related applications in the background. He might have been able to hold onto this job until retirement -- at which point his porn-watching could have resumed uninterrupted, barring the occasional trip to the bank to deposit his pension check. (Or not, what with direct deposit…) But he didn't. Instead, he did this.
OIG personnel noted that the MSI would occasionally maximize his email inbox in the Microsoft Outlook program and then minimize it moments later leaving only the pornographic material visible on the screen.
Fortunately for Baltimore taxpayers, there's no pension in the future, nor the continued annual funding of Dept. of Public Works porn-watching. $30,000/year for twiddling your thumbs is damn good money, but there aren't many entities willing to fork that out. (Barring, of course, those involved in the production/distribution of porn…)
At an hourly rate of $29.90, the MSI was paid $1,166 for 39 hours for which no work was performed. By annualizing the data gathered during the two-week monitoring based on a 2000 hour work-year, pornographic material would be visible on the screen of the MSI’s City-owned computer for 951 hours which would cost the City approximately $28,400.
Also noted in the report: the employee appealed his pending termination briefly before being persuaded to take a 10-day payout in exchange for dropping the appeal he had very little chance of winning.

The report wraps up with the DPW and OIG giving each other big, warm hugs for being so competent/cooperative (respectively). And for the moment, all is slightly more right in Baltimore's Dept. of Public Works.


Posted on Techdirt - 20 May 2015 @ 1:09am

Transparency Watch Releases Searchable Database Of 27,000 US Intelligence Workers

from the publicly-posted-information,-searchable-by-the-public dept

Intelligence gathering on intelligence gatherers. Watching the watchers. Whatever you want to call it, Transparency Toolkit is doing it. It has gathered 27,000 publicly-posted resumes from members of the "intelligence community" and turned them into a searchable database.

The database -- ICWatch -- was put together using software specifically constructed by Transparency Watch (and posted at Github). Not only can the database be searched through TW's front end, but the data is also available in raw form for data-mining purposes.

Some may find this searchable database to be a form of doxxing, but TW says that isn't the intent. Instead, it's meant to give the public additional insight into the inner workings of the intelligence community, as well as allowing researchers and journalists to sniff out information on still-unrevealed surveillance programs.

"These resumes include many details about the names and functions of secret surveillance programs, including previously unknown secret codewords," Transparency Toolkit said.

"We are releasing these resumes in searchable form with the hopes that people can use them to better understand mass surveillance programs and research trends in the intelligence community."
What Transparency Watch has done is simplify a task anyone could have performed prior to the compilation of the ICWatch database. In fact, nearly two years ago, the ACLU's Chris Soghoian pointed out that public LinkedIn profiles were coughing up classified program names posted by intelligence community members in their listed skills and work history.

This is all Transparency Watch has done -- only in aggregate and accessible to those without a LinkedIn account.
The data was collected from LinkedIn public profiles using search terms like known codewords, intelligence agencies and departments, intelligence contractors, and industry terms, the group said.
What Soghoian noted back in 2013 remains true. Searches for known NSA programs frequently bring up other program names, all posted publicly by employees and contractors with an apparent disregard for the agency's "everything is a secret" policies.

A search for "PINWALE" brings up a profile listing the following:
Cultweave, UIS, Nucleon, CREST, Pinwale, Anchory, Association, Dishfire, SharkFinn, GistQueue, GoldPoint, Mainway
And another listing these terms:
Snort, TRAFFICTHIEF, PINWALE, BOUNDLESS INFORMANT, BLARNEY, BULLRUN, CARNIVORE
You can also find out who's involved in Predator drone flights. Or who's participated in the NSA's Tailored Access Operations.

Some may argue that this algorithmic collection of resumes and LinkedIn profiles may be dragging some people under the "intelligence community" umbrella who shouldn't really be there. That's likely true, but this is one of those inescapable outcomes of dragnet operations. They may also argue that turning over this information to the public may cause some of those listed to be subjected to harassment or put them in danger. Unfortunately, this may be true as well.

But there's a simple solution, albeit one that can't be applied retroactively.

As the government so frequently points out to us, publicly-posted information carries no expectation of privacy. The same goes for government employees and government contractors in sensitive positions who choose to disclose information about their skills and employment publicly. If any danger to these people exists, it has always existed. ICWatch may make the job simpler, but it's done nothing any person can't do on their own, using simple search tools.


Posted on Techdirt - 19 May 2015 @ 9:04pm

Congress Continues To Withhold Congressional Research Service Documents From The Public

from the no-un-spun-insight-for-you,-citizens dept

The Congressional Research Service conducts research for Congress on a multitude of topics. This information is (theoretically) used to guide policy decisions. The research itself is (again, theoretically) valuable, considering it's free of partisan rhetoric and biased conclusions. This lack of bias and rhetoric helps explain the following actions:

First, Congress has again -- for the third year straight -- refused to increase the office's budget. Congress chalks this up to its seldom-seen sense of budgetary restraint.

In the new spending bill, the House Committee ominously rejected a CRS request for a $5 million budget increase in 2016, and allocated $107 million, the same as the 2015 level.

"The Legislative Branch must set itself as an example for fiscal restraint while continuing to serve the Nation. This bill will require strict fiscal discipline on the part of all congressional offices and all agency heads in the Legislative Branch," the report said.
Fiscal restraint is great, but it's always a good idea to take a closer look at the areas Congress decides to apply it. (There aren't many, so it shouldn't take long…) Steven Aftergood of the Federation of American Scientists' (FAS) Secrecy News blog notes that Congress doesn't have much use for unbiased research.
[CRS reports are] the kind of in-depth policy analysis that can only be helpful to those whose policy preferences are not predetermined by ideology or affiliation.
Who wants to pay (via taxpayers) for research that doesn't agree with the requester's point of view? Not Congress. So, the CRS will have to make do with the same budget it's had for three years straight. And while it struggles to meet the demands of representatives' requests for research, the CRS will also have to pitch in with the arduous task of answering requests from constituents on behalf of Congress members.
What is often deemed most useful is having CRS analysts assist congressional staff in responding to constituent mail, including eccentric or demented requests for information.
Like this request, which resulted in the CRS losing an analyst.
Why is the US Postal Service "stockpiling ammunition"? That sort of question helped lead CRS analyst Kevin Kosar to leave his job, he explained in an article in the Washington Monthly earlier this year ("Why I Quit the Congressional Research Service," Jan/Feb 2015).
This is where Congress feels CRS's limited resources (that it limited) are best deployed -- not providing clear, factual insight into policy issues.

Now, on to the second point. This research is crafted to guide policymaking -- policies that affect the public. This research, like everything else on Capitol Hill, is paid for with tax dollars. It's essentially public domain material. And yet, Congress continues to instruct the CRS to withhold this research from the public that paid for it.
The Congressional Research Service (CRS) will continue to be barred from releasing its reports to the public, the House Appropriations Committee said yesterday in its report on legislative branch appropriations for the coming year.

"The bill contains language which provides that no funds in the Congressional Research Service can be used to publish or prepare material to be issued by the Library of Congress unless approved by the appropriate committees," the House report said.
And so, the research remains locked up. Constituents can request this information from their representatives, but they are under no obligation to produce the documents. The same public that paid for the research once now spends its own money maintaining archives of any CRS reports they manage to acquire. FAS hosts hundreds of liberated reports. Wikileaks has posted nearly 7,000 CRS reports to its archives as well.

The CRS itself is no transparency angel. It, too, has opposed legislation aimed at making the reports directly available to the general public. It's been more than a decade since any effort to free these made it to a vote (a resolution was introduced in 2012 but went nowhere), but in an internal memo obtained by FAS, the CRS claimed (among other things) that this would unduly influence the researchers, if not the research itself.
Over time, CRS products might come to be written with a large public audience in mind and could no longer be focused solely on congressional needs.
However, another listed concern seems to indicate the service is OK with allowing Congress members to "translate" its reporting for American citizens.
The danger of placing CRS, a support agency, in an intermediate position responding directly to constituents instead of preserving the direct relationship between constituents and their elected representatives. This threatens the dialog on policy issues between Members and their constituents that was envisioned by the Constitution.
This seems like a legitimate complaint until you realize exactly what's happening here. CRS provides mostly-unbiased research -- something citizens could use to better inform themselves about legislative/world issues. If it allowed these reports out into the wild, Congress members would be unable to twist the findings to fit their own personal agendas or conform with the party line. This "direct relationship" with constituents means molding the data to match the message -- something that's crucial to winning the support of influential figures and cash-heavy contributors. A CRS report out in the open undercuts spin attempts. By not pushing for the release of unbiased research to the general public, the CRS is complicit in allowing politics -- rather than data -- to guide decision-making, while keeping the electorate from being fully informed.


Posted on Techdirt - 19 May 2015 @ 3:58am

Border Patrol Agents Tase Woman For Refusing To Cooperate With Their Bogus Search

from the the-question-that-has-no-real-answer dept

Jessica Cooke, a New York native who had recently applied for a position with Customs and Border Protection, asked the only question that needed to be asked after being tased by CBP agents for asserting her rights: "What the fuck is wrong with you?!?"

Cooke was driving from Norfolk to her boyfriend's house in Ogdensburg, the northern border of which is the St. Lawrence River. If you cross the river, you are in Canada, but Cooke was not crossing the river. She nevertheless became subject to the arbitrary orders of CBP agents by driving through one of the country's many internal immigration checkpoints, which can be located anywhere within 100 miles of the border (a zone that includes two-thirds of the U.S. population). For some mysterious reason, she was instructed to pull into a secondary inspection area, where she used her cellphone to record a five-minute video of the stop (below). [Language possibly NSFW]

These CBP agents -- like too many other law enforcement officers -- had no idea how to react when their authority was challenged. They only saw one route to take: escalation.

Cooke knew the CBP agents needed something in the way of reasonable suspicion to continue to detain her. But they had nothing. The only thing offered in the way of explanation as they ordered her to return to her detained vehicle was that she appeared "nervous" during her prior interaction with the female CBP agent. This threadbare assertion of "reasonable suspicion" is law enforcement's blank check -- one it writes itself and cashes with impunity.

The CBP supervisor then stated he'd be bringing in a drug dog to search her vehicle -- another violation of Cooke's rights. The Supreme Court very recently ruled that law enforcement cannot unnecessarily prolong routine stops in order to perform additional searches unrelated to the stop's objective.

If the purpose of CBP is to secure borders and regulate immigration, then this stop had very little to do with the agency's objectives. Cooke is an American citizen and had not crossed a border. If the CBP's objective is to do whatever it wants within x number of miles of the border, then it's apparently free to perform suspicionless searches. In this case, the CBP was operating in drug enforcement mode, but even so, it still hadn't offered anything more than Cooke's alleged "nervousness" to justify the search and detainment. Additionally, the CBP's decision to bring in a drug dog raised the bar for justification.
While nervousness alone might be deemed enough for reasonable suspicion, SUNY Buffalo immigration law professor Rick Su told the local NPR station, "it is not sufficient" to justify a vehicle search, which requires probable cause to believe the vehicle contains evidence of a crime.
Things escalated when Cooke refused to return to her vehicle and wait passively for the CBP to perform its questionable search. Cooke told the officers she would leave if the search wasn't performed within 20 minutes. The supervisor told her she could leave, but her car couldn't, and if she tried, spike strips would be deployed.

Shortly thereafter, this exchange occurred:
CBP agent: I'm going to tell you one more time, and then I'm going to move you.
Cooke: If you touch me, I will sue your ass. Do you understand me?
CBP agent: Go for it.
Cooke: Touch me then.
CBP agent: Move over there.
Cooke: Go ahead. Touch me.
CBP agent: I'm telling you to move over there.
Cue said "touching," followed almost immediately by screams of pain and swearing as Cooke is tased. Before the recording ends, you can hear the CBP agent claiming Cooke "assaulted a federal officer." (As one does…)

And for all the hassle, the CBP came up with nothing.
During an exterior inspection of her vehicle by the unit, nothing was found, Ms. Cooke said. She said agents then opened the car doors, got her keys and opened the trunk.

Again, nothing was found, Ms. Cooke said, adding that agents did a second search of the vehicle with the K-9 unit, but found nothing.
There will always be those who feel citizens who refuse to meet law enforcement instructions with anything but meek obedience deserve whatever happens to them. "It's tough being in law enforcement," they claim. And it is. But considering the job contains the constant threat of injury or death, a little mouthiness or stubbornness shouldn't be met with this level of force.

Things are slowly changing, though. Law enforcement officers can no longer rely on the belief that citizens know less about their rights than they do. They will need to do more to justify searches and seizures in the future, instead of just making vague claims about perceived nervousness. Otherwise, their unconstitutional search attempts are either going to rely heavily on ensuring compliance through inappropriate use of force, or head to the other end of the spectrum, where they won't even get a chance to take a look. [Language possibly NSFW]


Posted on Techdirt - 18 May 2015 @ 12:40pm

FBI Says It Has No Idea Why Law Enforcement Agencies Are Following The Terms Of Its Stingray Non-Disclosure Agreements

from the geez,-all-these-law-enforcers-take-our-agreement-so-LITERALLY dept

The FBI doesn't want to talk about its Stingray devices. It definitely doesn't want local law enforcement agencies talking about them. It forces any agency seeking to acquire one to sign a very restrictive non-disclosure agreement that stipulates -- among other things -- that as little information as possible on IMSI catchers makes its way into the public domain, which includes opposing counsel, prosecutors' offices and judges. The NDAs also instruct agencies to drop prosecutions if disclosure appears unavoidable. We know this because two NDAs have actually been obtained through Freedom of Information requests.

Now that Stingray usage and its attendant secrecy have been questioned by high-ranking DC legislators, the FBI is apparently feeling it should be a bit more proactive on the Stingray info front, presumably in hopes of heading off a more intrusive official inquiry. So, it has offered some "clarification" on its Stingray policies -- including the NDAs it makes local agencies sign.

The "clarification" seems to contradict a great deal of what the FBI's own NDAs require.

In a handful of criminal cases around the country, local police officers have testified in recent months that non-disclosure agreements with the FBI forbid them from acknowledging the use of secret cellphone-tracking devices. In some, prosecutors have settled cases rather than risk revealing, during court proceedings, sensitive details about the use of the devices.

The FBI, however, says such agreements do not prevent police from disclosing that they used such equipment, often called a StingRay. And only as a “last resort” would the FBI require state and local law enforcement agencies to drop criminal cases rather than sharing details of the devices’ use and “compromising the future use of the technique.”

To date, the bureau hasn’t invoked that provision, FBI spokesman Christopher Allen said in a statement to The Washington Post.
Let's compare the official statement with statements found in the agreement signed with a New York sheriff's department. The FBI says it's OK for law enforcement agencies to disclose Stingray usage in this "clarification." Here's the NDA:
The Erie County Sheriff's Office shall not, in any civil or criminal proceeding, use or provide any information concerning the Harris Corporation wireless collection equipment/technology… beyond the evidentiary results obtained through the use of the equipment/technology including, but not limited to, during pre-trial matters, in search warrants and related affidavits, in discovery, in response to court ordered disclosure, in other affidavits, in grand jury hearings, in the State's case-in-chief, rebuttal, or on appeal, or in testimony in any phase of civil or criminal trial, without the prior written approval of the FBI.
Hmm.

The FBI also denies it instructs agencies to toss cases rather than face possible exposure of Stingray usage. The NDA:
In addition, the Erie County Sheriff's Office will, at the request of the FBI, seek dismissal of the case in lieu of using, or providing, or allowing others to use or provide, any information concerning the Harris Corporation wireless collection equipment/technology [...] if using or providing such information would potentially or actually compromise the equipment/technology.
This "clarification" is mostly bullshit, but it's all in the wordcraft. Everything the FBI stated here could be technically factual. It may have never explicitly directed agencies to dump cases or hide Stingray usage. Instead, it has relied on law enforcement agencies to follow the restrictions laid out in the NDAs -- something they've apparently done without ever bothering to approach the FBI for permission to turn over Stingray information during court cases.

To say these NDAs do not prevent law enforcement agencies from acknowledging the use of Stingray devices is only true insofar as the NDAs themselves are apparently just a pile of unenforceable words. The implication, however, is that these agencies will see their Stingray privileges yanked if they cough up information. Or, in the best case scenario, law enforcement officials will be sternly talked to by FBI officials for breaching the agreement.

As for the claim that the FBI has never directly instructed a law enforcement agency to toss a case rather than disclose information? That may be true, as well as being completely unverifiable. Agencies appear to be taking these agreements literally -- which is, of course, the point of ANY WRITTEN AGREEMENT -- and proactively dropping cases rather than risk breaching the terms of the NDA.

The FBI is washing its hands of the Stingray secrecy mess it created. This "clarification" is astoundingly disingenuous. The FBI forces agencies into these agreements and then steps back and says, "Hey, we didn't make them do this. They just interpreted the agreement to mean exactly what it says it means." It passes the buck to local cop shops, blaming them for not seeking the second opinions these agreements clearly discourage.

If this "clarification" is actually going to approach something akin to honesty, the FBI needs to immediately begin rescinding its non-disclosure agreements. It can't force agencies into restrictive agreements and then throw up its hands and claim it has no idea why these agencies might be interpreting these highly-restrictive NDAs so literally. This is a nasty, self-serving cheap shot wrapped in the guise of transparency.


Posted on Techdirt - 18 May 2015 @ 5:43am

South Korea's New Law Mandates Installation Of Government-Approved Spyware On Teens' Smartphones

from the please-spy-on-our-behalf,-thx! dept

Considering the extent of its (mostly web-related) censorship efforts, South Korea must consider itself fortunate to be next-door neighbors with North Korea. Any time another censorship effort arrives, all the government has to say is, "Hey, at least we're not as bad as…" while pointing its index fingers in an upward/roughly northerly direction.

It blocks sites and web pages with gusto, subverting its own technological superiority by acting as a Puritanical parental figure. Not that it helps. Every time the government ropes off one area, citizens carve out another. Four years ago, it attempted to pass a law making government-approved computer security software installation mandatory, supposedly in hopes of heading off the enlistment of citizens' computers into botnet armies.

Now, it's telling parents they must install government-approved and crafted spyware on the smartphones of any children under the age of 19.

The app, "Smart Sheriff," was funded by the South Korean government primarily to block access to pornography and other offensive content online. But its features go well beyond that.

Smart Sheriff and at least 14 other apps allow parents to monitor how long their kids use their smartphones, how many times they use apps and which websites they visit. Some send a child's location data to parents and issue an alert when a child searches keywords such as "suicide," "pregnancy" and "bully" or receives messages with those words.

Last month, South Korea's Korea Communications Commission, which has sweeping powers covering the telecommunications industry, required telecoms companies and parents to ensure Smart Sheriff or one of the other monitoring apps is installed when anyone aged 18 years or under gets a new smartphone. The measure doesn't apply to old smartphones but most schools sent out letters to parents encouraging them to install the software anyway.
No one appears to have taken a close look at the inner workings of "Smart Sheriff" at this point, but a similar app known as "Smart Relief" also allows parents to monitor their children's smartphone activities and sends alerts triggered by any of the 1,100+ words on its watchlist.

Some terms it monitors (both in text messages and searches) would obviously raise concerns in parents.
Threat, kill, shut up, violence, destroy, handicap, crazy, prostitute, garbage, thief, porn, suicide, pregnancy, inn, obscene, sex, sexual crime, sexual relationship, prostitution, motel, beer, rape, adultery, run away from home, outcast, invisible person, don't have friends, jealousy, lonely, stress, don't want to live, loser, complaint, help, worry, menstruation, adoption, divorce, rape, homosexual love, single parent, IS, terrorism, poison...
Other trigger terms seem to do nothing more than give parents a reason to lock their kids up until they're old enough to move out:
Girl I like, boy I like, dating, boyfriend, girlfriend, breakup…
This new mandate is obviously creating a chilling effect. Some have noted the Smart Sheriff app may give government agencies access to minors' communications, all under the pretense of helping parents out. Nearly 80% of South Korean schoolchildren (teens and elementary students) own smartphones. That's a whole lot of communications potentially being delivered to law enforcement and intelligence agencies (if not also to schools and service providers).

As a result, smartphones are no longer viewed as essential equipment by teenagers.
To get around the regulations, some students say they will wait until they turn 19 to get a new phone.

"I'd rather not buy a phone," said Paik Hyunsuk, 17. "It's violation of students' privacy and oppressing freedom."
Open Net Korea, which has tracked South Korean censorship efforts for years, has a translation of the law's stipulations, which not only require installation of government-approved spyware apps, but also require cell phone providers to actively hassle parents who don't seem to be taking the mandated monitoring seriously.
Article 37-8 (Methods and Procedures for Providing Means to Block Media Products Harmful to Juveniles, etc.)

(1) According to Article 32-7(1) of the Act, a telecommunication business operator entering into a contract on telecommunications service with a juvenile under the Juvenile Protection Act must provide means to block the juvenile’s access to the media products harmful to juveniles under the Juvenile Protection Act and the illegal obscene information under Article 44-7(1)1 of the ICNA (“Information harmful to juveniles”) through the telecommunication service on the juvenile’s mobile communications device such as a software blocking information harmful to juveniles.

(2) Procedures prescribed below must be followed when providing the blocking means under (1):

At the point of signing the contract:
a. Notification to the juvenile and his/her legal representative regarding types and features of the blocking means; and
b. Check on the installation of the blocking means.
After closing the contract:

Monthly notification to the legal representative if the blocking means was deleted or had not been operated for more than 15 days.
So, not only is it censorware and spyware, but it's also apparently nagware -- with telecom reps calling or emailing every month to remind parents to perform their duties as proxy surveillance operatives for the South Korean government.
