Glyn Moody’s Techdirt Profile

glynmoody





Posted on Techdirt - 28 April 2016 @ 11:23pm

Chevron Lobbied For Corporate Sovereignty Rights In TAFTA/TTIP To Act As 'Environmental Deterrent'

from the they're-not-even-trying-to-hide-it-anymore dept

Back in 2014, Techdirt noted that arguably the most serious problem with corporate sovereignty was not the huge awards that could be imposed on countries, but the chilling effect the mere threat of those awards could have on national sovereignty. In that post, we quoted from a remarkable 2001 article in The Nation. A former Canadian government official in Ottawa revealed that numerous proposals for new environmental regulations had been dropped in the face of threats that NAFTA's investor-state dispute settlement (ISDS) framework would be used against Canada if it brought in new laws. The Techdirt post also mentioned a case in Indonesia, where a mining company dropped a corporate sovereignty case when it was offered "special exemptions" from a new mining law.

More recently, we've seen New Zealand put on hold its plans to require plain packaging for cigarettes, as a result of Philip Morris bringing an ISDS claim against the Australian government for doing the same. The New Zealand government was concerned it too might get hit, and so decided to wait. Now that the Australian case has been thrown out, New Zealand is pressing ahead with its plain packs legislation.

The chilling effects of corporate sovereignty are now so well established that companies are even beginning to cite them as a reason for including it in trade deals. The minutes of a meeting that took place between European Commission officials and Chevron executives, obtained by The Guardian, make that plain:

"ISDS has only been used once by Chevron, in its litigation against Ecuador," say the minutes of a meeting in April 2014 between unnamed Chevron executives and European commission officials, which the Guardian obtained under access to documents laws. "Yet, Chevron argues that the mere existence of ISDS is important as it acts as a deterrent."
Chevron is talking about the multi-billion dollar award made against Ecuador in one of the longest-running and most complex disputes involving corporate sovereignty. When contacted by The Guardian, Chevron repeated its claim that ISDS was a really great weapon to wield against countries, although naturally it expressed that view in somewhat different language:
ISDS serves a useful function of encouraging investors and host states to negotiate in good faith in order to avoid escalation of disagreements that occasionally arise.
Aside from confirming people's worst fears about the chilling effects of corporate sovereignty, Chevron's candid admission that it wants ISDS in TAFTA/TTIP as a "deterrent" reveals something else. It shows that corporations not only demand a unique privilege to circumvent national legal systems using secret tribunals composed of corporate lawyers, but are now trying to craft yet another "right": to deploy routinely the mere threat of ISDS as a "deterrent" to government action. Or, as you and I would put it, the right to engage in raw, brutal bullying on a global scale.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Posted on Techdirt - 26 April 2016 @ 11:23pm

Monster Corporate Sovereignty Ruling Against Russia Overturned By Dutch Court, But It's Hard To Tell Whether It's Over Yet

from the plus-or-minus-$50-billion dept

By now, the theoretical risks of including corporate sovereignty chapters in TPP and TAFTA/TTIP are becoming more widely known. But as Techdirt wrote back in 2014, there's already a good example of just how bad the reality can be, in the form of the monster-sized case involving Russia. An investor-state dispute settlement (ISDS) tribunal ruled that Vladimir Putin really ought to pay $50 billion to people who were majority shareholders in the Yukos Oil Company. The Russian government didn't agree, and so naturally took further legal action to get the ruling overturned. As The New York Times reports, it seems to have succeeded:

In a major victory for the Russian government, a Dutch court on Wednesday overturned an award of more than $50 billion to former shareholders of the defunct oil company Yukos that Moscow was ordered to pay in 2014.
The award was thrown out because of something mentioned in the earlier Techdirt article: the fact that the claim was brought under the Energy Charter Treaty, which Russia signed, but never ratified. Because the ISDS arbitration panel had met in The Hague, in the Netherlands, Russia took its case before Dutch judges, who agreed that Vlad need not pay in these circumstances.

But the ruling is unlikely to signal the end of this case -- after all, some pretty serious sums of money are involved. According to The New York Times, the international arbitration practice representing the Yukos shareholders intends to make an appeal to higher courts in the Netherlands against the decision. And even if it fails to get the latest court ruling overturned, it's still quite possible that GML, the company that controlled a majority of the Yukos shares, will be able to collect its $50 billion elsewhere. As the NYT says:

GML is pursuing legal efforts to collect the Russian money in a half-dozen other countries: Belgium, Britain, France, Germany, India and the United States. There have not yet been rulings in those cases, and it was not immediately clear on Wednesday how the decision in The Hague might affect them.
That lack of legal clarity underlines one of the worst aspects of ISDS: the fact that it does not sit neatly within traditional legal systems, but in many ways lies outside them. Far from helping to uphold the law, as supporters of corporate sovereignty like to claim, it makes it arbitrary and unpredictable. When you're talking plus or minus $50 billion, that's a pretty serious flaw.


Posted on Techdirt - 26 April 2016 @ 3:25am

Constitutional Court Throws Out Surveillance Law In Georgia (The Country)

from the setting-a-good-example dept

Techdirt has naturally been following closely the battles over government attempts to bring in ever-more intrusive surveillance laws, particularly in the US, UK, and China, which are some of the worst culprits in this regard. But it's important to remember that this is a struggle that is taking place all around the world, even in the smaller countries that often get overlooked by mainstream media. For example, Georgia -- the country, not the state -- is witnessing exactly the same tussle between the politicians and the courts that we find elsewhere, as reported here on the civil.ge site:

Georgia's Constitutional Court ruled on April 14 that legislation allowing security agency to have direct, unrestricted access to telecom operators' networks to monitor communications is unconstitutional.
As the article explains, the key issue is over the use of "black boxes" sitting on communication service providers' networks. In 2014, efforts were made to address concerns that the system would be abused, by adopting the following approach:
Legislation gave the office of personal data protection inspector the right to electronically authorize law enforcement agencies' lawful interception of communications once there was a relevant court warrant -- this system, involving security agency having direct access to telecom operators servers and personal data inspector having power to authorize monitoring is informally called "two-key" model.
The passage of the two-key legislation was fraught: it was adopted by the Georgian Parliament, vetoed by the Georgian President and then reinstated by the Parliament. As a result, complaints were lodged with the country's Constitutional Court, which has just handed down its judgment against the two-key system. One of the problems, the judges said, was the following:
The State Security Service possesses technical capabilities for eavesdropping and monitoring online communications, which allow mass (actually unrestricted) collection of personal information in real time.
The court was also unhappy with the metadata retention allowed by the legislation:
The court said that retention of metadata for 2 years represents "unreasonably lengthy period of time, which results into disproportionate interference into [constitutional] rights."
After making both of those reasonable comments, the judges went on to give the Georgian politicians a reasonable amount of time to sort things out:
The Constitutional Court said that it understands "fundamental legislative amendments, as well as institutional and technical application of the new system", stemming from this verdict, requires time and for that reason it set March 31, 2017 as the deadline for implementing this decision of the court.
All in all, Georgia emerges rather well from this episode, with democratic processes working as they should, and constitutional judges doing a good job. If only the same could be said for all the other countries going through the same painful experience.


Posted on Techdirt - 25 April 2016 @ 12:40pm

Internet Protections Enshrined In Brazil's Marco Civil Framework Under Threat From New Laws

from the this-is-why-we-can't-have-nice-things dept

A couple of years ago, Techdirt wrote about Brazil's Marco Civil -- variously called a "constitution for the Internet," and a "Magna Carta for the Web." Whatever you want to call it, the Marco Civil was a heartening example of the rights of Internet users being strengthened for a change. In June 2015, one year after it passed, an article on the Council on Foreign Relations site noted its wide-ranging impact:

The Marco Civil has been instrumental in curbing the power of the Brazilian government from having undue influence over the net and its content. The law prevents the government from taking down or regulating content, or exercising any pressure on online platforms (e.g. the Twitters and YouTubes of the world) or Internet service providers. Only the courts, by means of due process, and limited by clear legal thresholds, can actually take action regarding online content when it infringes on other rights.
Of course, this was too good to last. As Andrew McLaughlin explains on Medium, the Marco Civil is in danger:
Amid the tumult and chaos of Brazil's current (and colossal) political crisis, the moment of counter-attack has arrived. Under the guise of fighting "cybercrime", a group of Brazilian legislators, acting via a Parliamentary Commission of Inquiry, has introduced 8 bills that, to state it directly, would give the Brazilian government sweeping powers to censor and control the Internet.
The EFF has a summary of what those bills propose:
Allowing police warrantless access to IP addresses;

Requiring sites and apps to monitor content to prevent new sharing of materials already deemed offensive by court decision;

Criminalizing improper computer system access that presents a "risk of misuse or disclosure" of data, even if no actual misuse or disclosure occurs -- broad and vague terms that also apply to actions with no criminal intent, jeopardizing legitimate security research that might never be done if obtaining prior permission were a legal requirement;

Allowing judges, in direct violation of net neutrality rules, to block sites and applications that are used for criminal purposes or that don’t comply with demands for user information.
Clearly, if these bills pass in their present form, they will nullify many of the safeguards found in the Marco Civil. The key vote is expected to take place on April 27, and the EFF has a page where you can ask Brazilian lawmakers to reject the proposals. There is also a joint statement to the Brazilian congress, which companies active in the country are invited to sign.


Posted on Techdirt - 22 April 2016 @ 3:28am

New Zealand Government Trying To Steamroller TPP Through Ratification Without Proper Scrutiny Or Public Input

from the so-much-for-that-'don't-worry,-you-can-debate-it-when-it's-finished' dept

Back in February, we noted that the TPP has been officially signed, and that the focus now moves on to ratification by each of the 12 participating countries. On this score, there's been plenty of sound and fury in the US, including bizarre demands to re-negotiate TPP, but less coverage of what is happening elsewhere. As we noted, Canada's ratification has ground to a halt as the new government there launches "widespread consultations." Japan, too, won't be ratifying TPP for a while, for reasons explained by The Mainichi site:

The government and ruling Liberal Democratic Party (LDP)-Komeito coalition decided to put off attempting to ratify the treaty and enact related bills as they determined that a combination of opposition party resistance and the Kyushu earthquake disaster response leaves insufficient time to deliberate the legislation. The administration of Prime Minister Shinzo Abe is not planning to extend the current Diet session, which is scheduled to end on June 1. The government will instead carry the ratification and bills over to an extraordinary Diet session to be convened this autumn, to discuss them again in the House of Representatives for final approval and enactment.
The government in New Zealand, by contrast, seems to be doing everything in its power to ram through TPP as quickly as possible, with little time being given for that full public debate so frequently promised. Even the country's MPs are being stampeded, as Radio New Zealand News reports:
MPs have been given just five days to consider hundreds of submissions on the controversial TPP trade deal after the timeframe was drastically cut from four weeks.

The select committee was originally given a month to write its report and present it back to Parliament.
According to the news item, the committee was due to hear from hundreds of people who were keen finally to make their voices heard. But the government has apparently decided that it just doesn't care what the public thinks:
The tight deadline meant the [MPs'] draft report would be written before the committee had finished hearing all the submissions.
Apparently, the New Zealand government isn't interested in democracy, only timetables:
Opposition members on the committee say they were told yesterday the government wanted to cut down the time they had to analyse the submissions, so the legislation could get through by the end of the year.
Nor are MPs and the public the only ones being treated in a shabby way. So is the Waitangi Tribunal, which is an important commission charged with investigating and making recommendations on claims brought by the indigenous Māori people relating to actions by the New Zealand government. Because the select committee of MPs examining TPP will produce its report earlier than expected, the Waitangi Tribunal also finds itself with little time to consider the issue properly. An article on the Scoop site suggests that might be intentional:
"Why the government suddenly announced it is fast-tracking the report date for the select committee considering the Trans-Pacific Partnership Agreement (TPPA) from the end of May to 4 May is now clear.

It gives the Waitangi Tribunal three rather than seven weeks to produce its urgent report on the claim brought by prominent Maori that the Agreement violates the Crown's obligations under the Treaty of Waitangi", says Professor Jane Kelsey who has been advising the claimants.
What makes the situation even more worrying for New Zealanders is something Techdirt wrote about a couple of months ago: the fact that even if TPP fails, it seems that laws brought in to comply with the terms of the treaty would not be rolled back by the New Zealand government. That's an extremely good reason to take things slowly and carefully -- not to rush ahead recklessly as is currently happening.


Posted on Techdirt - 19 April 2016 @ 11:38pm

Australian Case Shows Why Corporate Sovereignty Isn't Needed In TPP -- Or In Any Trade Agreement

from the running-out-of-arguments dept

One of the central claims made by supporters of corporate sovereignty chapters in trade deals is that companies "need" this ability to sue the government in special tribunals. The argument is that if the extra-judicial investor-state dispute settlement (ISDS) framework is not available to a company, it will be defenseless when confronted with a bullying government. A new case in Australia shows why that's not true. A column in The Sydney Morning Herald provides the background, which concerns a US company called Nucoal:

In 2013, the NSW [New South Wales] Independent Commission against Corruption found that there had been corrupt conduct relating to the granting of mining licences to Nucoal and other mining companies and the NSW government cancelled the licences.
Naturally, Nucoal unleashed its lawyers:
[Nucoal] demanded compensation of more than $900 million in Australia's High Court, claiming the decision to cancel its licence without compensation was unconstitutional and had reduced the value of the company. The High Court found in April 2015 that under Australian law Nucoal was not entitled to compensation.
Now Nucoal had a problem. Normally, a company in this situation would invoke the corporate sovereignty chapter in a relevant trade deal, and move the case to secret ISDS tribunals, which were likely to be more favorable to its cause than the independent national courts. But with unusual foresight, Australia refused to accept ISDS in the 2004 AUSFTA trade agreement between the US and Australia -- which makes its decision to acquiesce to ISDS in TPP doubly foolish. Despite what fans of corporate sovereignty claim, Nucoal still has another option at this point:
Nucoal is pressuring the US government to put a case to the Australian government that the denial of compensation has violated the general investment terms of the [AUSFTA] agreement. This could result in a formal complaint from the US government demanding trade sanctions against the Australian government.

Last week The Australian reported that the CEO of the US Chamber of Commerce in Australia has announced that the US government will raise the issue in a closed-door review of the AUSFTA to be held in May.
That is, unable to avail itself of the investor-state dispute mechanism, Nucoal now wants to take advantage of the state-state dispute settlement process (pdf) whereby the US government formally complains to the other government concerned. Now, whether the US government should really be taking up a case involving corruption is another question. The key point is that it is not absolutely necessary to include corporate sovereignty provisions in a trade deal to protect companies, because there is always the state-to-state mechanism that can be invoked if necessary.


Posted on Techdirt - 19 April 2016 @ 6:31am

China Considers Cutting Itself Off From The Global Internet, As Three Home-Grown Browsers Are Found Leaking Personal Data

from the probably-just-a-coincidence dept

Techdirt readers know that the Chinese authorities have been steadily tightening their grip on most aspects of online life in the country, but there's one area that hasn't been mentioned much: the Web browser. Recently, a new report from the University of Toronto's Citizen Lab identified security and privacy issues in QQ Browser, a mobile browser produced by the China-based Internet giant Tencent. Here's a summary:

The Android version of the browser transmits personally identifiable data, including a user's search terms, the URLs of visited websites, nearby WiFi access points, and the user's IMSI [International Mobile Subscriber Identification] and IMEI [International Mobile Equipment Identifier] identifiers, without encryption or with easily decrypted encryption. Similarly, the Windows version sends personally identifiable data, including the URL of all pages visited in the browser, a user's hard drive serial number, MAC address, Windows hostname, and Windows user security identifier, also without encryption or with easily decrypted decryption.
Now, this could just be the result of some supremely sloppy coding combined with lax privacy practice -- in theory, at least. But that generous interpretation becomes rather harder to sustain when you bear in mind that this is not the first time Citizen Lab has found this behavior. To be precise, this is the third time. Last month, it discovered that Baidu Browser, a free Web browser for the Windows and Android platforms produced by Baidu, one of China’s biggest tech companies, has strikingly similar problems to QQ Browser:
The report identifies security concerns in both the Windows and Android versions of the browser that may expose personal user data, including a user’s geolocation, hardware identifiers, nearby wireless networks, web browsing data and search terms. Such user data is transmitted, in both the Windows and Android versions, unencrypted or with easily decryptable encryption, which means that any in-path actor could acquire this data by collecting the traffic and performing any necessary decryption. In addition, neither version of the application secures its software update process with a digital signature, which means that a malicious in-path actor could cause the browser to download and execute arbitrary code.
And before that, back in May last year, the same researchers found unauthorized transmission of personal data by another widely-used browser:
UC Browser is among the most popular mobile apps in the Chinese Internet space. UC Browser claims to have more than 500 million registered users, and is reported to be the most popular mobile browser in China and India. Overall, the application is the fourth most popular mobile browser globally, and is behind only pre-installed Chrome, Android, and Safari browsers.
Putting these three browsers together, you have a serious chunk of not just the Chinese online population, but across the whole of Asia. As the Citizen Lab researchers point out:
That the three China-based browser applications we have examined all evince strikingly similar data gathering and insecure data handling problems raises an obvious question of whether there is some underlying cause for the similarities.
The post runs through all the options, including the most likely explanation: that the companies were ordered by the Chinese authorities to build in these highly-useful vulnerabilities. Not surprisingly:
The questions we asked the companies about government directives or influence have not been directly answered.
But if anyone still doubts that the Chinese government wants to control every aspect of the Internet, they may like to consider the following recent report in The New York Times:
A draft law posted by one of China’s technology regulators said that websites in the country would have to register domain names with local service providers and with the authorities.
It's not entirely clear what that means, but there is one possibility that would be very problematic for Chinese Internet users -- and for every Western company operating in the country:
If the rule applies to all websites, it will have major implications and will effectively cut China out of the global Internet. By creating a domestic registry for websites, the rule would create a system of censorship in which only websites that have specifically registered with the Chinese government would be reachable from within the country.
China's technology regulator has rejected that interpretation, and said that there is a "misunderstanding." But if past experience teaches us anything, it is that there really are no limits to what the present Chinese leadership is willing to do in order to bring the online world under control. And that doubtless even includes cutting China off from the rest of the Internet, if need be.


Posted on Techdirt - 19 April 2016 @ 3:27am

EU-Canada Trade Deal Still Struggling, As Romania And Belgium Say They Won't/Can't Ratify Treaty

from the it-ain't-over-yet dept

Alongside the better-known trade deals that aren't really trade deals, TPP and TAFTA/TTIP, the smaller one between the European Union and Canada, CETA, is still trapped in a strange kind of political limbo. It was "celebrated" way back in October 2014, and has been officially in the "legal scrubbing" phase where the text is tidied up and translated into all the relevant languages (lots of them for the EU). Cleverly, the EU has used this period to sneak in the "lipstick on a pig" version of corporate sovereignty in an attempt to head off revolts among EU nations worried about growing public resistance to the idea. But just when the European Commission thought it had everything nicely sewn up, this happens:

Romania will not ratify the Comprehensive Economic and Trade Agreement (CETA) between the EU and Canada which was concluded in 2014, as an angry reaction to the refusal by Ottawa to lift the visa requirement of its nationals, but also for the lack of EU solidarity for solving the issue.
As EurActiv explains, Romania is upset because Canada is requiring Romanian (and Bulgarian) citizens to obtain a visa before visiting Canada, whereas everyone else in the EU can get in without one. As a result:
A Romanian government official who asked not to be named said that Romania would "veto" the CETA ratification.

Normally the ratification of CETA should conclude by the end of 2016 or 2017. Romania however will not ratify the agreement, EurActiv was told.
If that were the only problem with ratifying CETA, it might be possible to resolve with some judicious arm-twisting by the European Commission. But it's not, because SputnikNews is reporting the following:
The government of the French-speaking Belgian region of Wallonia has refused to ratify the EU-Canada free trade agreement approved by the Belgian cabinet, the region's minister-president said.
Belgium may be a fairly small country, and Wallonia an even smaller part of it, but if the regional government doesn't agree, it would seem that Belgium can't ratify CETA, and without Belgium's OK, the whole CETA agreement might unravel. In truth, nobody really knows -- and that's why these unexpected developments are so worrying for the European Commission. It is uncharted legal territory for EU countries like Romania and Belgium to be unwilling or unable to ratify international trade agreements the Commission has negotiated. One thing is certain: CETA ain't over until it's really, absolutely, definitively over. Until then, grab the popcorn.


Posted on Techdirt - 13 April 2016 @ 9:29am

Maybe The NSA Has Already Broken Every Security System, Not By Hacking Computers, But By Hacking The Entire Industry

from the this-is-just-a-thought-experiment,-right?-right??? dept

As part of our funding campaign for our coverage of encryption, we reached out to some companies that care about these issues to ask them to show their support. This post is sponsored by Golden Frog, a company dedicated to online privacy, security and freedom.


Recently, there have been plenty of Techdirt stories about the authorities in the US and elsewhere making increasingly strident attacks on encryption, with claims that things are "going dark," and that Silicon Valley is foolishly aiding terrorism thanks to its "obsession" with privacy etc. etc. Against that background, it's easy to get swept up by a narrative that pits us, the freedom fighters, against them, the dark forces of repression, and to celebrate the occasional wins that come our way.

But suppose all this is just for show -- not so much security theater as privacy theater, to divert our attention from what is really happening. That's one possible conclusion that cynics might draw after watching a brilliant presentation made back in 2014, and highlighted recently by a post on Boing Boing that includes a video of the talk and a link to the slides (pdf):

In 2014, Poul-Henning Kamp, a prolific and respected contributor to many core free/open projects gave the closing keynote at the Free and Open Source Developers' European Meeting (FOSDEM) in Belgium, and he did something incredibly clever: he presented a status report on a fictional NSA project (ORCHESTRA) whose mission was to make it cheaper to spy on the Internet without breaking any laws or getting any warrants.
NSA's fictional operation achieves that by exploiting the way the computing industry works, with different challenges dealt with using completely legal means. For example, the "ABBA" program handles the following situation:
Somebody comes up with an idea that would make [communications intelligence] collection harder and/or more expensive
The novel solution is for the NSA to exploit "raw capitalism," and to "throw money at the problem" by playing the role of a friendly local venture capitalist that wants to turn the idea into a company. At the same time, the NSA finds a relevant patent held by one of its "friends" in the industry, and then asks those friends to send around their patent lawyers to the new startup it is funding, to get it shut down in a perfectly non-suspicious way.

The "QUEEN" program to tame the potentially dangerous world of open source is even more subtle. The NSA takes advantage of the open development process to place its own people within the system, so that they can subvert it using the following:

FUD

Play GPL vs BSD card

"Bikeshed" discussions

Soak mental bandwidth with bogus crypto proposals
A key technique is to exploit the fact that free software is based on trust, and that once a coder is trusted as a result of building up a record of good work, nothing they do thereafter is subject to much scrutiny. That phenomenon potentially allows patches with strategic weaknesses to be included in key projects with massive knock-on effects. Kamp dubs the exploitation of this fact the "BOYS" program, whose "crown jewel" is OpenSSL. The impact of the "Heartbleed" vulnerability discovered in OpenSSL two years ago was so great and convenient that many wondered at the time whether it had been placed there by the NSA. That's just one indication that Kamp's witty re-imagining of recent computer history is not so far-fetched.

Even assuming -- hoping -- that Kamp's talk is largely a thought experiment, it has an importance that goes beyond its undoubted entertainment value. By turning everything on its head, and showing how easy it would be for the NSA -- or other well-funded agencies -- to subvert today's computing industry in perfectly legal ways, it provides an important warning about what's wrong and what we need to do to address it. Unfortunately, as Kamp himself admits in his keynote speech, the problems are so deep and fundamental that fixing them won't be easy. But at least, thanks to him, we have been reminded that they exist, which is a start.


Posted on Techdirt - 13 April 2016 @ 8:28am

Comedian Could Face 3 Years In German (Not Turkish!) Jail For Mocking Notoriously Thin-Skinned Turkish President

from the insulting-organs-or-representatives-of-foreign-states dept

Techdirt has been following with interest the ways in which the delicate sensibility of Turkey's President, Recep Tayyip Erdoğan, is being wounded. First there was Gollum; then the filing of 1,845 cases of allegedly insulting the Turkish President; and finally, a mild satirical video that Erdoğan didn't want you to see. The last of these not only caused the Streisand Effect to kick in with a vengeance, but has provoked a German comedian to take things up a notch, as reported here by the Guardian:

In a short clip from a late-night programme screened on the German state broadcaster ZDF at the end of last month, comedian Jan Böhmermann sits in front of a Turkish flag beneath a small, framed portrait of Erdoğan, reading out a poem that accuses the Turkish president of, among other things, "repressing minorities, kicking Kurds and slapping Christians while watching child porn".
Exactly as Böhmermann doubtless intended, this has caused a huge political stink. The broadcaster ZDF took down the video, and the German Chancellor, Angela Merkel, told Turkey's prime minister that the poem was a "deliberately offensive text" that she personally disapproved of. Most significantly, the Turkish government has filed a formal request for Böhmermann's prosecution. So what? you might ask. Germany isn't Turkey, and so surely there's no way that somebody would be prosecuted just for a few rude lyrics about a foreign leader. Well, it turns out that's not the case:
On 6 April it emerged that Germany's state prosecutor was investigating Böhmermann for violation of the little-used paragraph 103 of the criminal code, which concerns insulting organs or representatives of foreign states. At worst the comedian was facing a prison sentence of up to three years.
Although some people in Germany have condemned Böhmermann for being coarse, an attention-seeker and even racist, Merkel does not want to be seen as a world leader who harms freedom of speech:
In a government press conference on Monday, [Merkel's spokesperson] Seibert said Merkel wanted to make it unequivocally clear that freedom of speech was "naturally the highest good", irrespective of whether she considered a satirical piece "tasteful or tasteless".
On the other hand, Merkel desperately needs Turkey's help in dealing with the huge numbers of refugees from the Middle East flooding into southern Europe. A deal between the EU and Turkey has been agreed to help address this problem, although doubts remain about whether it is a realistic solution. In any case, Erdoğan is in a very strong position -- and knows it. This really puts Merkel and the German government on the spot, and it will be intriguing to see how -- or even if -- they manage to reconcile the conflicting pressures.

Posted on Techdirt - 8 April 2016 @ 6:18pm

New Reports On Terror Attacks Underline Why Crypto Isn't A Serious Problem: It's Hard To Use And Easy To Get Wrong

from the multiple-missed-opportunities dept

As Techdirt has reported, politicians (and some journalists) haven't waited for the facts to be established before assuming that encryption is to blame for recent terrorist attacks. But as detailed information starts to appear, it becomes clear once more that the bombings and shootings did not succeed because things had "gone dark," but largely because intelligence agencies in both Europe and the US missed numerous clues and hints about the bigger picture. This emerges most powerfully from a long article in The New York Times, which charts the rise of ISIS over many years, and how the authorities were slow to catch on:

For much of 2012 and 2013, the jihadist group that eventually became the Islamic State, also known as ISIS or ISIL, was putting down roots in Syria. Even as the group began aggressively recruiting foreigners, especially Europeans, policy makers in the United States and Europe continued to see it as a lower-profile branch of Al Qaeda that was mostly interested in gaining and governing territory.
Arrests were made in Italy, Spain, Belgium, France, Greece, Turkey and Lebanon of European citizens who had been trained in Syria and had returned to carry out terrorist attacks -- usually unsuccessfully. And yet:
in each instance, officials failed to catch -- or at least to flag to colleagues -- the men’s ties to the nascent Islamic State.
Sometimes the inability to grasp what was really happening borders on the incredible, for example in the case of the person alleged to have killed four people in the Jewish Museum of Belgium, in 2014:
Even when the police found a video in his possession, in which he claimed responsibility for the attack next to a flag bearing the words "Islamic State of Iraq and Syria," Belgium’s deputy prosecutor, Ine Van Wymersch, dismissed any connection.

"He probably acted alone," she told reporters at the time.
Another article, from CNN, makes it clear that missed opportunities to spot connections between possible terrorists have continued right up until the recent attacks in Paris and Brussels. It reports on current efforts to locate "at least 8 suspects" with links to those attacks:
All but one of the suspects are said to have connections to Abdelhamid Abaaoud, the leader of the Paris attacks, or Salah Abdeslam, the only survivor among the Paris attackers, who was arrested earlier this month in Brussels.

The security bulletin gives a sense of ISIS' geographical reach in Europe. Three of the suspects were residents or spent time in the Netherlands, Germany and Sweden respectively.
The picture that emerges from these two reports is of a large, well-established network of terrorists located across several European countries. Many of them were known in multiple ways to the authorities, which repeatedly failed to bring all this crucial information together, probably because there was too much, not too little, to sift through. What is conspicuous by its absence is any suggestion that the would-be attackers escaped arrest by using encrypted communications. Both stories do, however, reveal that ISIS-trained terrorists have used encryption tools, but in a non-standard way.

@thegrugq has written a good piece on Medium analyzing the system. It seems the discontinued encryption program TrueCrypt was provided by ISIS on a USB drive. The program was used to place one or more messages inside an encrypted volume, which was then uploaded to an inconspicuous online site. By employing a shared password to encrypt the volume, more than one person could read the messages in a relatively secure and anonymous way. The system creates a kind of digital dead letter drop that can't be addressed simply by mandating crypto backdoors.

That might seem to confirm the worst fears of all those politicians (and journalists), but as @thegrugq explains, there are some serious operational problems with this approach, notably the following:

This system makes non-standard use of the tools, which means the user has to take a number of additional manual steps to compensate. Requiring users to do a manual process generally means there will be mistakes. For example, I would expect that the user might forget to put the message into the volume before sending. Or the user might send an old version of the volume rather than the latest one. Or the user might fail to save the volume after copying the message in, and the contents get lost. Or the user might attempt to download the volume while the current volume is still open, and experience failures saving to disk. There are a number of places that this protocol can break down.
Using crypto is hard, and easy to get wrong -- which is probably why terrorists prefer to deploy old-fashioned means like burner phones. But don't take my word for it, just ask the person who was using the TrueCrypt system described above. Here's what the French police discovered when they arrested him last August:
Behind a couch, they found his USB stick from the Islamic State, and in his bag a piece of paper showing his login credentials for TrueCrypt.
Whoops.

Posted on Techdirt - 7 April 2016 @ 8:32am

Adding End-To-End Encryption To WhatsApp Is Great...But Not Quite As Secure As People May Think

from the human-error-is-the-intelligence-agency's-friend dept

Techdirt has just written about WhatsApp finishing the roll-out of end-to-end encryption to its billion users worldwide, including for group chats. That's obviously pretty big news. As the WhatsApp blog post announcing the move notes:

Encryption is one of the most important tools governments, companies, and individuals have to promote safety and security in the new digital age. Recently there has been a lot of discussion about encrypted services and the work of law enforcement. While we recognize the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people's information to abuse from cybercriminals, hackers, and rogue states.

While WhatsApp is among the few communication platforms to build full end-to-end encryption that is on by default for everything you do, we expect that it will ultimately represent the future of personal communication.
That's likely, even with governments around the world muttering vague threats to weaken or backdoor crypto. And equally, there are bound to be plenty who will decry this latest move as "helping the terrorists" or "creating a safe space", with all the hand-wringing and emotional blackmail that accompanies such pronouncements. But an article in the German news magazine Der Spiegel does a great job in explaining that even with strong, end-to-end crypto, WhatsApp conversations aren't as secure as they might seem (Google Translate of original German).

Der Spiegel notes that end-to-end encryption is only available if all the participants in a conversation are using the latest version of the software. If one of them isn't, group chats will be unencrypted. That lack of consistency will make it very easy to communicate in the mistaken belief that everything is hidden, when in fact it is taking place out in the open.

That problem is unlikely to affect many chats, but the second issue raised by the German article most certainly will. Der Spiegel points out that even with strong, end-to-end encryption in place, the accompanying metadata is still leaking important information about who you are communicating with, and when. Aggregating such metadata provides hugely valuable information about your network of acquaintances, and the patterns of your life.

Indeed, message metadata is arguably even more revealing than the content, because it already comes with computer-readable tags like sender, recipient, time, etc. It also scales: with a powerful enough computer you can work out the social interrelationships of thousands or even millions of people. That's simply not possible looking at the content of messages, which needs to be parsed first -- still a difficult task for machines -- before it is analyzed en masse, also hard.
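To make the point about machine-readable metadata concrete, here is an added Python illustration (not part of the original article or of Der Spiegel's piece) that derives a contact graph and daily activity pattern from sender, recipient and time fields alone. The records, user names and function names are constructed for the example, and the ciphertext field is never read.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample traffic: (sender, recipient, ISO-8601 time, ciphertext).
# The ciphertext stands in for an end-to-end encrypted body; nothing below reads it.
RECORDS = [
    ("alice", "bob",   "2016-04-04T08:05:00+00:00", b"\x9c\x01\x7f"),
    ("bob",   "alice", "2016-04-04T08:07:00+00:00", b"\x11\xa4\x3e"),
    ("alice", "carol", "2016-04-04T22:30:00+00:00", b"\x52\x0b\xc8"),
    ("alice", "bob",   "2016-04-05T08:01:00+00:00", b"\xe7\x90\x2d"),
    ("dave",  "alice", "2016-04-05T22:41:00+00:00", b"\x3a\x6f\x15"),
    ("carol", "alice", "2016-04-05T22:45:00+00:00", b"\x80\xd3\x44"),
    ("alice", "bob",   "2016-04-06T08:10:00+00:00", b"\x0e\x77\xb9"),
    ("erin",  "dave",  "2016-04-06T13:00:00+00:00", b"\xc1\x28\x5a"),
]


def tie_strength(records):
    """Count messages per unordered pair of users, ignoring direction."""
    ties = Counter()
    for sender, recipient, _when, _ciphertext in records:
        ties[tuple(sorted((sender, recipient)))] += 1
    return ties


def contacts(records):
    """Map each user to the set of distinct people they exchanged messages with."""
    peers = defaultdict(set)
    for sender, recipient, _when, _ciphertext in records:
        peers[sender].add(recipient)
        peers[recipient].add(sender)
    return dict(peers)


def active_hours(records, user):
    """Count, per hour of day, the messages a user sent or received."""
    hours = Counter()
    for sender, recipient, when, _ciphertext in records:
        if user in (sender, recipient):
            hours[datetime.fromisoformat(when).hour] += 1
    return hours


def summarize(records):
    """Report the best-connected user, the strongest tie and that user's peak hours."""
    peers = contacts(records)
    hub = max(sorted(peers), key=lambda u: len(peers[u]))
    (pair, count), = tie_strength(records).most_common(1)
    return {
        "hub": hub,
        "hub_contacts": sorted(peers[hub]),
        "strongest_tie": pair,
        "strongest_tie_messages": count,
        "hub_peak_hours": [h for h, _ in active_hours(records, hub).most_common(2)],
    }


if __name__ == "__main__":
    for key, value in summarize(RECORDS).items():
        print(f"{key}: {value}")
```

Replacing every ciphertext with an empty byte string leaves the summary unchanged, which is why encrypting message bodies does nothing to hide who talks to whom, or when.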

Der Spiegel reminds us that even though it is based on the open Signal Protocol, WhatsApp's new encryption features are not open source. There is no way to know whether WhatsApp's parent company, Facebook, has added backdoors -- or might be forced to add them at a later date. Strong crypto doesn't provide much protection if it has been subtly and invisibly compromised.

The article also notes that end-to-end encryption does not protect you from malware that is capturing your keystrokes and sending them over the Internet, or from slips like accidentally storing a screenshot of sensitive chats. Similarly, your super-secure chat may not actually be with the person you think it is: perhaps a smartphone was stolen, or was left unattended for a while. Group chats increase the risk that there are unwanted participants listening in to supposedly secret conversations.

Individually, those points may not be huge risks. But collectively, they mean that using strong, end-to-end encryption is not a magic formula that guarantees perfect online privacy for its users. As a result, they underline once more why the increasing deployment of encryption is a boon, not a bane -- something governments should welcome for the enhanced security it brings ordinary users. In particular, they should not worry that it will make things "go dark" for intelligence services. There are so many ways encryption can -- and will -- go wrong, that even in the unlikely event of terrorists using it for their communications, key information will always leak out.

Posted on Techdirt - 6 April 2016 @ 2:03pm

Destroying Reputations And Hacking Elections For Fun And Profit

from the coming-to-a-presidential-candidate-near-you dept

Although rather forgotten now, one of the most troubling Snowden revelations appeared in 2014, and concerned GCHQ's "dirty tricks" group known as JTRIG -- the Joint Threat Research Intelligence Group. Put simply, its job is to "manipulate, deceive and destroy" reputations. Of course, it would be naïve to think that GCHQ is alone in using these techniques. We can safely assume all the major spy agencies engage in similar activities, but what about other players? To what extent might ambitious politicians, for example, be using these dirty tricks to slime their opponents -- and to win elections unfairly?

If a long and fascinating feature in Bloomberg is to be believed, the outcomes of presidential elections in Nicaragua, Panama, Honduras, El Salvador, Colombia, Mexico, Costa Rica, Guatemala, and Venezuela were all influenced and possibly even determined by the work of one man, a certain Andrés Sepúlveda, using similar methods to those employed by JTRIG. It's a great story, and well worth reading in full. What follows are some of the details that are likely to be of particular interest to Techdirt readers.

Sepúlveda began on a modest scale:

For $12,000 a month, a customer hired a crew that could hack smartphones, spoof and clone Web pages, and send mass e-mails and texts. The premium package, at $20,000 a month, also included a full range of digital interception, attack, decryption, and defense.
Eventually, he hit the big time. For $600,000 Sepúlveda is alleged to have helped elect Peña Nieto as the Mexican President in 2012:
He led a team of hackers that stole campaign strategies, manipulated social media to create false waves of enthusiasm and derision, and installed spyware in opposition offices, all to help Peña Nieto, a right-of-center candidate, eke out a victory.
His team varied from seven to 15 people, and came from all over Latin America:
Brazilians, in his view, develop the best malware. Venezuelans and Ecuadoreans are superb at scanning systems and software for vulnerabilities. Argentines are mobile intercept artists. Mexicans are masterly hackers in general but talk too much. Sepúlveda used them only in emergencies.
Money was no problem:
At one point, Sepúlveda spent $50,000 on high-end Russian software that made quick work of tapping Apple, BlackBerry, and Android phones. He also splurged on the very best fake Twitter profiles; they’d been maintained for at least a year, giving them a patina of believability.
But in many ways, Sepúlveda's most powerful tool was not digital technology, but his understanding of how digital technology had re-shaped the political landscape:
His insight was to understand that voters trusted what they thought were spontaneous expressions of real people on social media more than they did experts on television and in newspapers. He knew that accounts could be faked and social media trends fabricated, all relatively cheaply. He wrote a software program, now called Social Media Predator, to manage and direct a virtual army of fake Twitter accounts. The software let him quickly change names, profile pictures, and biographies to fit any need. Eventually, he discovered, he could manipulate the public debate as easily as moving pieces on a chessboard -- or, as he puts it, "When I realized that people believe what the Internet says more than reality, I discovered that I had the power to make people believe almost anything."
Of course, that's true not just for Latin America, but pretty much everywhere else too. Which inevitably raises the following:
On the question of whether the U.S. presidential campaign is being tampered with, he is unequivocal. "I’m 100 percent sure it is," he says.
Sepúlveda has no reason to lie. After all, he's not looking for work anymore:
He's serving 10 years in prison for charges including use of malicious software, conspiracy to commit crime, violation of personal data, and espionage, related to hacking during Colombia's 2014 presidential election.
So the issue is probably not so much whether dirty tricks of the kind described above are being deployed against US presidential candidates, but rather: by whom, to what end, and with what effect?

Posted on Techdirt - 4 April 2016 @ 11:23pm

Canadian Hospital Strikes Deal In Gene Patents Battle, But Leaves Patentability Question Unanswered

from the so-can-you-or-can't-you? dept

As Techdirt has reported, over the last few years there has been a general swing away from allowing patents on genes. The highest courts in both the US and Australia threw them out in cases involving Myriad Genetics and its attempts to patent genes affecting breast cancer susceptibility. Another country where the status of gene patents has been called into question is Canada. In November 2014, the Children’s Hospital of Eastern Ontario (CHEO) brought a case over five gene patents held by Transgenomic connected with the Long QT syndrome, an inherited heart rhythm disorder that can be fatal. CHEO took legal action because it wanted to be able to carry out genetic tests for the syndrome without needing to pay for patent licenses. Last week, CHEO announced that it had come to an agreement with Transgenomic:

On March 9, 2016, CHEO announced a deal that ensures Canadian public sector hospitals and laboratories the right to test for Long QT syndrome for Canadian patients.

What's more, it sets a precedent that will help address the issue of gene patents more broadly in Canadian health care.

In the settlement, the patent holder Transgenomic has agreed to provide CHEO and all other Canadian public sector hospitals and laboratories the right to test Canadians for Long QT syndrome on a not-for-profit basis. The deal defines a pathway for all public Canadian hospitals and labs to conduct genetic testing without legal roadblocks from gene patents.
CHEO called this a "tremendous win for families":
We have created a model for recognizing the public interest in genetic testing within the Canadian health care system. As these tests can now be performed in Canada, families across the country will have better, quicker access to the answers and the care they need. This agreement will save lives.
Moreover, CHEO believes it has created a template for others in Canada to use more widely:
From now on, public hospitals and laboratories can ask patent holders to sign similar agreements allowing not-for-profit access. If the patent holder doesn’t agree, the province can step in and ask the patent office to give it, on behalf of those hospitals and laboratories, a compulsory license on the same terms.
That's certainly a good deal, and solves CHEO's immediate problem of being able to carry out genetic testing without paying for licenses. But viewed against the landmark rulings obtained in the US and Australia, it's something of a failure. An analysis on the legal site Lexology explains:
The patents in question remain valid and enforceable against commercial use of the isolated genes in Canada, because the case settled without a determination of the subject matter patent-eligibility of genes ("subject-matter patent eligibility" refers to whether genes are a patentable category of invention -- for example, abstract ideas, pure business methods and laws of nature are not patentable subject matter).
Moreover, there is no other case that could establish definitively whether isolated genes are patentable or not in Canada. Since CHEO's mission is saving lives, not killing abusive intellectual monopolies, it's quite understandable that it was happy to accept this kind of pragmatic solution. But it's also regrettable, since it means an opportunity to add to the momentum building against gene patents around the world has been lost.

Posted on Techdirt - 4 April 2016 @ 12:46pm

Not 'Going Dark': 15 Out Of 15 Most Recent EU Terrorists Were Known To The Authorities In Multiple Ways

from the sure,-mass-surveillance-doesn't-work,-but-think-of-the-money-we-are-saving dept

Important information about recent terrorist attacks in Europe continues to emerge. Here's the latest news from Brussels, as reported by the Guardian:

Plans and photographs of the home and office of Belgium's prime minister, Charles Michel, have been found on a computer abandoned near a terrorist hideout in Brussels, according to Belgian sources.

The laptop was found in a bin near a flat in the Schaerbeek district that had been a makeshift bomb factory for the terrorists who killed 32 people and injured at least 340 in last week's suicide bombings at Brussels airport and the city metro.
Not unnaturally, perhaps, most commentary has been about the fact that Belgium's prime minister was apparently being considered as a target. But there's something else in this story that's interesting, not least because it's not explicit. The Belgian sources for this story have revealed that "plans and a photograph" were found on a computer. Assuming the laptop did indeed belong to the terrorists, that means one of two things: either the system did not use encryption at all, or it was possible to bypass the protection. In either case, it looks like this is yet another demonstration that things are not "going dark" when it comes to terrorism, despite continued claims to the contrary.

Given how details about the attackers are coming through very sporadically, it can be hard to see the bigger picture. To address that issue, the German journalist Sascha Lobo has pulled together all the information he could find about lethal terrorist attacks carried out by Islamists over the last two years in Europe. Specifically, these were the attack on the Jewish Museum in Brussels in May 2014; the Paris attack on Charlie Hebdo and a Jewish supermarket in 2015; the attack on a cultural center and synagogue in Copenhagen in 2015; the second attack in Paris in November last year; and the recent attacks in Brussels.

The results of his research appear in the German news magazine Der Spiegel, but fortunately he has produced a tabulated form (with references) that doesn't require any knowledge of the German language to grasp. A glance is enough to see that every single one of the 15 attackers who have been identified was known to the authorities, often for multiple reasons. Indeed, as Lobo writes, it's even worse than it seems at first sight:

All 15 identified attackers were on terror warning lists or "Islamist instigator" lists in at least one European country. In addition, most were on other lists, such as no-fly lists. All 15 had been classified as violence-prone. 14 had known contacts with other radical Islamists (one of them was apparently radicalized only via the Internet). Twelve had taken trips to the "Islamic State" in Syria, or to al-Qaida in Iraq or Yemen. Ten had criminal records, most of them for violent crimes.
This is not a terrifying world where things are "going dark" for the authorities. This is not a situation where strong crypto made it impossible to know who was doing what. This is a world of persistent failure by the intelligence agencies and police to use the information they already had at their disposal. This is a world that wants to shift the blame to evil encryption, rather than admit that mass surveillance doesn't work, and is the wrong approach. Lobo offers a plausible explanation why this is still happening, despite the manifest inability of blanket snooping to spot obvious connections and use them to stop attacks:
Comprehensive surveillance appears as seemingly inexpensive because it is a solution that scales thanks to technology: troubleshooting at the press of a button. Directly linked with the aim of saving more and more, just as with the State in general. But classic investigative work, which is proven to work, is expensive and labor intensive. This leads to a failure by the authorities because of a faith in technology that is driven by economics.
In other words, it's much cheaper to call for even more automated mass spying than to address the problem properly by bringing in more trained personnel to carry out targeted surveillance of people who are known threats.

Posted on Techdirt - 4 April 2016 @ 11:39am

Terabyte-Sized 'Panama Papers' Leak Confirms The Continuing Rise Of The Super-Whistleblowers

from the who's-next? dept

As you may have noticed on Twitter and across social media, a big leak of documents from Mossack Fonseca, a global law firm based in Panama, took place over the weekend. Actually, to call the Panama Papers leak "big" is something of an understatement:

11.5 million records, dating back nearly 40 years -- making it the largest leak in offshore history. Contains details on more than 214,000 offshore entities connected to people in more than 200 countries and territories. Company owners in billionaires, sports stars, drug smugglers and fraudsters.
The main Panama Papers site run by The International Consortium of Investigative Journalists notes this bounty has provoked the "largest cross-border collaboration ever"; dozens of media sites are involved, although curiously few from the US. That means in-depth analysis of the implications of these documents for the rich, the powerful, the criminals and the companies they created will be appearing for many weeks, if not months. So there's little point trying to second-guess what will emerge, not least because there is no public access to the documents involved, making deeper analysis impossible.

Fortunately, here on Techdirt we're interested in a few specialized angles. For example, the tech side. The Guardian states that the Panama Papers total 2.6 terabytes of data, which dwarfs earlier leaks of financial documents: the HSBC files are 3.3 gigabytes, the Luxembourg tax files 4.4 gigabytes, and the so-called "offshore secrets" files total 260 gigabytes, while Wikileaks is a mere 1.7 gigabytes.

A few years ago, it would have been inconceivable to "exfiltrate" terabytes of data like this. That in itself was a powerful brake on massive leaks. But today you can buy a portable, pocket-sized USB hard disk drive with a capacity of several terabytes for tens of dollars, with prices continuing to fall -- thanks to Kryder's Law and other factors. As a result, we are seeing leak inflation: whistleblowers first grabbed megabytes and then gigabytes, but now they take terabytes, simply because they can. Why settle for a partial set, and risk leaving behind the juicy stuff, when you can simply "collect it all" (now, where have we heard that before?)

So leaks are likely to get bigger. They may also become more common. The more high-profile whistleblowers there are, the more others are likely to be inspired to do the same. That fact has not gone unnoticed in the corporate world. In an evident attempt to stem the flow of embarrassing leaks, companies have been pushing for more laws to protect their "trade secrets." For example, as Techdirt noted last year, TPP includes stronger protection, and TAFTA/TTIP will have it too. Even before TTIP is likely to require it, the EU is proposing to bring in new laws to beef up protection for corporate trade secrets:

A small group of lobbyists working for large multinational companies (Dupont, General Electric, Intel, Nestlé, Michelin, Safran, Alstom…) convinced the European Commission to draft such a legislation, and helped it all along the way. The problem is that they were too successful in their lobbying: they transformed a legislation which should have regulated fair competition between companies into something resembling a blanket right to corporate secrecy, which now threatens anyone in society who sometimes needs access to companies' internal information without their consent: consumers, employees, journalists, scientists...
As that post from Corporate Europe Observatory puts it, we are witnessing attempts to enshrine a new "right to corporate secrecy" around the world. That's the bad news; the good news is that it's getting easier for anyone to be a super-whistleblower on a massive scale. Recognizing the value of such leaks, the Greens in the European Parliament hope to present a proposal for laws protecting whistleblowers across Europe. There's not much hope it will be adopted at this stage, but it's a further sign of how important this whole area has become.

Posted on Techdirt - 31 March 2016 @ 3:29am

New Analysis Shows 'Frivolous' Corporate Sovereignty Suits Increasingly Used To Deter Regulation Rather Than Win Compensation

from the abusing-the-system dept

The rise in public awareness of the dangers of corporate sovereignty provisions in agreements like TPP and TAFTA/TTIP has brought with it a collateral benefit: academics are starting to explore its effects in greater depth. An example is a new paper from Krzysztof J. Pelc, who is an Associate Professor in the Department of Political Science, at McGill University in Canada. Called "Does the Investment Regime Induce Frivolous Litigation?" (pdf), it looks at how the investor-state dispute settlement (ISDS) mechanism has evolved in recent years, and in a very troubling direction.

Along the way, the paper explores one of the central arguments made by those supporting the inclusion of corporate sovereignty chapters in major agreements: investors lose most of the claims that they bring against governments, so ISDS is really nothing to worry about. But Pelc identifies a key question posed by this line of thinking:

Why would investors continue to file these highly costly cases, if the expected success rate is so low?
In fact, things turn out to be even more mysterious:
Current estimates actually overstate investors' success rates, especially when it comes to specific types of legal claims. What is more, this rate of success has been dropping precipitously over time -- the exact opposite trend to the one we observe in inter-state disputes in the trade regime over the same period.
By analyzing 1421 individual claims in 676 investment disputes from 1993 to the present day, Pelc discovered that most disputes are over what are claimed to be instances of indirect expropriation by governments. That's in contrast to the traditional direct kind, for example when dictators send their armed thugs to throw foreign investors out of a factory they own -- something that almost never happens these days. Indirect expropriation is claimed by companies to include things like enforcing higher standards for drug patents, or simply trying to protect key water supplies from pollution. Pelc explains why investors are doing this, even though the odds of winning are low:
The cost of investor-state litigation -- far higher than the cost of, e.g., trade litigation -- means that firms may benefit from spillover effects of the challenges they bring forth. When Philip Morris challenged Australia's labeling regulations, New Zealand put its own labeling legislation on hold, and Philip Morris loudly praised the decision. If litigation exerts a sufficient deterrent effect, firms may benefit even when they lose a case. The result is an increased likelihood of frivolous litigation, where the purpose of a challenge is not so much to win the dispute or obtain compensation, as it is to deter further regulation.

Pelc says his analysis shows this kind of "frivolous" corporate sovereignty litigation is becoming more common:

Firms are litigating more and more, and they are winning less and less. To wit, investors win less than 10% of the indirect expropriation claims they bring against democratic countries. The design of the regime, which allows private standing [whereby private firms or individuals can themselves decide to bring a lawsuit against governments], has contributed to such frivolity: compared with analogous regimes like international trade, it features little of the restraint that exists in dispute settlement between sovereign states.
The fact that corporations can sue nations under ISDS without needing to ask permission, or to satisfy any pre-conditions, makes it particularly easy to bring "frivolous" claims against democratic governments purely in the hope that doing so will chill further regulations, rather than with any serious hope of winning substantial damages. Of course, the fact that such awards are also available represents an additional incentive to file lots of corporate sovereignty challenges, however weak. Pelc points out another feature of ISDS that encourages companies to bring even the most frivolous cases: the absence of reciprocity -- the risk that they will be sued back. In fact:
The only cost they face from a legal challenge is the cost of counsel -- which in the case of the investment regime, in particular, remains quite high. Yet they need not worry about possible retaliatory challenges, or the reputational costs of belligerence. Quite the opposite, a reputation as an aggressive claimant may work to a multinational company’s net benefit.
That kind of behavior is evident in the ISDS cases brought by Philip Morris against both Australia and Uruguay. They are clearly designed to establish the multinational company as a determined litigator in order to discourage other countries from bringing in new regulations to reduce tobacco consumption.

Pelc's paper is an important contribution to the field because it reveals the oft-repeated claim that corporate sovereignty is really nothing to worry about because investors rarely win as deeply misleading: investors do not need to win formal victories in ISDS tribunals in order to triumph in the wider world outside. It also shows that the one-sided nature of corporate sovereignty -- where companies can sue nations, but not the other way around -- not only tilts the playing field unfairly towards investors, but encourages them to abuse the system even further. Both are compelling reasons to drop corporate sovereignty chapters in trade agreements completely.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Posted on Techdirt - 29 March 2016 @ 3:29am

In the Wake Of The Latest Terrorist Attacks, Here's A Rational Approach To Saving Lives

from the psychology-of-security dept

The knee-jerk response of politicians to terrorist attacks -- calling for more surveillance, more crackdowns, more displays of purposeless force -- is by now so routine that we don't even remark on it. We tend to go along with their plans because we are very poor at estimating risks, and thus often end up making bad decisions about trade-offs -- specifically, trading off liberty in the (misguided) hope that it will deliver security. That's not a new insight -- Bruce Schneier wrote two fascinating posts on what he called "The Psychology of Security" as far back as 2008. But maybe it's time to start challenging a strategy that hasn't worked, doesn't work and will never work. Maybe we should start pushing for an alternative response to terrorist attacks -- one based on logic and the facts, not rhetoric and fear. That's exactly what Björn Brembs, Professor of Neurogenetics at Regensburg University in Germany, has done in a short blog post about a more rational approach that avoids bad trade-offs. As he writes:

It is very difficult to prevent casualties such as those in the recent terror attacks in Madrid, London, Paris, Brussels or elsewhere, without violating basic human rights and abandoning hard-won liberties.

So what might we do instead? Brembs suggests a new kind of "death prevention program." Not one based on futile attempts to stop every terrorist attack, but a compensatory plan to save far more lives than terrorists ever take:

There are ~1.2 [million] preventable deaths in Europe alone every year. These deaths are due to causes such as lung cancer, accidental injuries, alcohol related diseases, suicides and self-inflicted injuries. With even in the 1970s and 1980s terrorist-related fatalities never exceeding 500 per year, we are confident that we will be able, from now on, to save at least 100 lives for every one that is being taken in a terrorist attack.

To reach this ambitious goal, we will start with increasing our efforts to prevent alcohol and tobacco-related deaths through effective public-health intervention programs as well as basic and applied biomedical research into the prevention, causes and treatment of these diseases and disorders. With about 30,000 annual fatalities in traffic-related accidents, we will also introduce European-wide speed limits, strong enforcement via speed-traps and an increased police force which collaborates across Europe. Drivers convicted of violating speed limits or DUI will have their driver's licenses withdrawn for extended periods of time. Should these activities fail to reach these goals, we will start targeting more areas.
Although it could be argued that some of those measures are themselves restrictions on freedom (and things like speed traps haven't been shown to make the roads any safer), against the background of today's harsh anti-terror laws, and plans for even more surveillance -- the UK's Snooper's Charter, for example -- those don't look as bad. In any case, implementation details are less important than shifting emphasis to this very different approach. The idea of focusing on stopping preventable deaths caused by known factors, rather than chasing after unpredictable events is a good one. Moreover, as Brembs writes, a "death prevention program" would not only preserve basic human rights and civil liberties better than today's response, it would also benefit the economy and boost employment:
Our investment in basic and applied research will yield discoveries that will benefit all of humanity long after the last terrorist has sacrificed his life in vain. With our new program, every single terrorist attack will save the lives of countless more citizens than it has cost, turning terrorism into a net life-saving activity.
That, surely, is the way to truly defeat the terrorists -- rather than handing them an easy victory by accepting disproportionate measures that destroy the very freedoms politicians claim to defend.


Posted on Techdirt - 25 March 2016 @ 3:28am

French Politicians Want To Create Ancillary Copyright In Thumbnail Images

from the make-your-views-known dept

Despite the fact that copyright has been repeatedly extended and strengthened over the years, the thought never seems to cross publishers' minds that they could ever have too much of it, or that the public might have some countervailing rights here. As a consequence of this insatiable appetite, there have been a number of recent moves to create an ancillary copyright, also known as a "snippet tax," "link tax" and "Google tax," since it aims to make it obligatory to pay for making even short excerpts or linking to copyright material -- for example, in search results. Rather amazingly, publishers are still pushing for this new monopoly "right" despite abundant evidence from their own research that it harms their businesses.

Undeterred by these facts, some politicians in France are pushing for the creation of yet another kind of ancillary copyright, covering thumbnail images. That idea was squashed a long time ago in the US, but as the public domain advocacy group Communia explains, in France, the following is still a real possibility:

A new right that would require search engines and indexing services to pay royalties for the use of thumbnail images of copyright protected works. According to French proposal, which has been approved by the French Senate, this new right would be managed by one or more collecting societies, regardless of the intention of the rightholders whether to be financially compensated for the use of their works by search engines.

In an open letter to the French Minister of Culture (pdf), Communia explains why this is a really stupid idea:

Its scope will impact many online services and mobile apps, from search engines to creative commons models and [the online cultural collection] Europeana. Money would be collected arbitrarily and without any realistic way of redistributing it accurately. Basic, every day activities of online users, such as posting, linking, embedding photos online, would be subject to a cloud of legal uncertainty.

It would isolate France in the European Union, at a time when courts across Europe have made clear these were lawful activities under national, European and international laws. It would isolate France globally, as a country where using images online would be subject to restrictive and unworkable practice.
Unfortunately, France isn't the only part of Europe that is considering the introduction of ancillary copyright. This week, the European Commission launched a public consultation on the idea of giving publishers what it calls "neighbouring rights" -- in other words, ancillary copyright:
[The European Commission] is seeking views on the role of publishers in the copyright value chain, including the possible extension to publishers of the neighbouring rights. Publishers do not currently benefit from neighbouring rights which are similar to copyright but do not reward an authors' original creation (a work). They reward either the performance of a work (e.g. by a musician, a singer, an actor) or an organisational or financial effort (for example by a producer) which may also include a participation in the creative process.
The European Commission paints European publishers as somehow missing out on the ancillary copyright currently enjoyed by those in the music or theatre worlds. The intention is clearly to suggest that this kind of extra right is perfectly normal, and that it should -- of course -- be granted to those poor, struggling publishers, who barely have any copyright at all, apparently. However, that framing rather skates over the fact that posting an article on a website is hardly a creative act on a par with performing a song, or appearing in a play. So it's not entirely clear why the European Commission thinks it deserves an extra layer of legal protection on top of standard copyright -- other than the fact that publishers want that new monopoly in the hope of extracting money from Google.

Fortunately, the consultation is open to everyone, including those outside the EU, which means Techdirt readers everywhere can make their views known using the online questionnaire. As a bonus, you can also give your views on the so-called "panorama exception" -- another area where lobbyists are working hard to make copyright even less fit for the digital age than it is now.


Posted on Techdirt - 24 March 2016 @ 3:25am

Russian Anti-Piracy Group Wants To Forbid Discussions Of Blocklist Circumvention Tools

from the copyright-leads-yet-again-to-censorship dept

Just recently, we were writing about the increasingly-desperate assault on Popcorn Time in Norway, where even linking to sites that offer the software is enough for the authorities to seize a domain name. Now the Russian anti-piracy group Association for the Protection of Copyright on the Internet (AZAPO) wants to take its own fight up a notch in an equally vain attempt to stop people finding out how to circumvent blocklists using proxies, VPNs and Tor. As TorrentFreak reports:

In a document penned by AZAPO, approved by [Russian] telecoms watchdog Rozkomnadzor, and seen by Gazeta.ru, the anti-piracy group says that banning discussion of workarounds will enhance the country's blocking regime.

"The introduction of [a system of fines] for those who promote methods for bypassing Internet blockades will enhance the effectiveness of blocking prohibited Internet resources," the group writes.

Fines will range from around $70 for individuals, up to $14,500 for companies. AZAPO's document is being sent to the Ministry of Communications for discussion in the lower house of Russia's parliament.

The TorrentFreak post points out that even if the authorities managed to enforce such a law within Russia, there's not much they could do about companies promoting VPNs outside the country. And the ultimate constraint on any attempt to forbid people from knowing something is the Streisand Effect: the more the Russian government tries to ban discussions of circumvention technologies, the more people will be keen to find out about them.
