Mike Masnick’s Techdirt Profile

mmasnick

About Mike MasnickTechdirt Insider

Mike is the founder and CEO of Floor64 and editor of the Techdirt blog.

He can be found on Twitter at http://www.twitter.com/mmasnick



Posted on Net Neutrality Special Edition - 4 March 2015 @ 1:10pm

Last Week Was A Victory, But The Fight For The Open Internet Is Nowhere Close To Being Done

from the lots-of-pitfalls-ahead dept

As you know, last week the FCC made a somewhat historic move, to vote to reclassify broadband internet access as a "Title II" telecommunications service, which allows the FCC to implement specific open internet rules that disallow things such as paid prioritization and blocking. This move has been rightly celebrated by many people. However, it is also being attacked by many others. Some of that is nothing more than spewing big broadband companies' talking points. Some of it is merely partisan bickering, as the "net neutrality" fight became ridiculously partisan, even though a vast majority of voters in both parties support net neutrality.

That said, there are some legitimate concerns. They're not the ones that you're likely to hear about (other than on the margin), but rather fall under the fact that this is just one battle in a war that is far from over. So, let's take a look at some of the reasons to still remain quite vigilant in protecting a free and open internet:

  1. The details: Yes, as you may have heard, the fully detailed rules are not yet public. This is ridiculous and stupid, but it's the way the FCC operates. If it had released the detailed rules prior to the vote, it would have delayed the entire process. And, while dissenting commissioners Ajit Pai and Michael O'Rielly have been screaming about the travesty that the rules haven't yet been released publicly, what they conveniently leave out is that currently they are the sole reason for the delay. The FCC can't publish the final rules until the FCC has incorporated their dissents, and neither Pai nor O'Rielly have handed in their dissents.

    And, yes, there may be some devils in the details. One particular concern is the "general conduct rule." As the folks at EFF have warned, a vague "general conduct" rule allows the FCC to more or less reserve the right to examine practices of ISPs to see if they're "harmful to consumers." While that may sound good in practice, the vagueness of the rule could subject all sorts of perfectly reasonable practices to long and drawn out legal fights with the FCC. It's good that the FCC wants to be able to stop practices that are harmful to consumers, but if it's going to do that it should lay out directly what it believes to be harmful, rather than leaving things open to interpretation.

    There are some other unclear details as well: exactly how will the fight play out over "interconnection" which isn't directly a "net neutrality" issue (which is just focused on the last mile from the broadband provider to your home), but rather a way that the big ISPs accept traffic from service providers. The big broadband providers deliberately allowed those interconnection points to clog up in order to pressure service providers like Netflix to pay up. The new rules are likely to try to address that issue somewhat, but it's not entirely clear how. Another area of concern is how it deals with "zero rating" plans, whereby broadband providers let some traffic not count against a data cap. While the broadband providers argue that this is a consumer benefit, that ignores that they put the data cap on in the first place. Exempting users from your own anti-consumer practices isn't really consumer friendly. It sounds like the new rules will deal with these situations on a "case by case" basis as well, and that can be problematic.

    How worried should you be? Moderately worried, though the details still very much matter. While anti-net neutrality types are blathering on about tariffs and rate regulations that aren't happening, this is a legitimate concern that could tie up perfectly reasonable practices in uncertainty.

    Should you blame the new rules? Yup. This one is on the FCC. It sounds like the rules got a lot of stuff right, but this may be a push too far. It could have been much worse, but we should still be concerned about some possible problems with the rules and be vigilant about how they are interpreted and applied.

  2. The lawsuits: As you may have heard, pretty much everyone knows that someone is going to sue about the new rules. Last time around, Verizon sued (which was silly because it helped create the incredibly weak rules it sued over, and its "victory" in that case has resulted in these new stronger rules), and either it will sue again or AT&T or Comcast or some combination will sue this time. This will at least create some uncertainty over whether or not the rules will stick, and if the courts toss out these rules too, then we're back to square one -- and in a situation where it may be even tougher to protect net neutrality.

    How worried should you be? Moderately worried. While some anti-net neutrality folks insist that because the FCC lost lawsuits concerning its last two attempts to craft net neutrality rules, this time is pretty different. The court ruling in the last one more or less laid out this path. The reason it rejected the last rules was because it said the FCC was trying to introduce "common carrier" rules without classifying broadband as a common carrier. The new rules classify it as a common carrier, so it appears to be following the court's instructions. And, if it goes up to the Supreme Court, you can't tell for sure, but the court's earlier rulings have suggested that on this particular question it gives the FCC wide leverage in classifying broadband. And, in what may not make many Republican anti-net neutrality folks happy, Antonin Scalia was the most vehement in an earlier case arguing (in dissent) that broadband was obviously a Title II common carrier service. But... nothing is ever certain in the judicial process, and cases can come out with strange and surprising rulings. So it's entirely possible that we'll be back for another sort of battle three or four years from now.

    Should you blame the new rules? No. Verizon had indicated early on that it was likely to sue over any rules. While it backed down from that position after other broadband providers started stage whispering "shut up, Verizon..." it's still likely that some broadband provider somewhere would have sued over the new rules no matter what. So the legal uncertainty would have lingered. And, again, last year's ruling in the Verizon case more or less said that if you're going to issue these kinds of rules, you need to reclassify. It's likely that some of the legal challenges will argue that the FCC didn't follow the proper procedures in reclassifying, but that's a long shot given earlier rulings.

  3. Congress: Again, it's not at all clear why this has become a partisan issue when the public is all for net neutrality, but it is, in fact, now a partisan issue. And the party that is against net neutrality, the Republicans, has a majority in both houses of Congress. There is already an effort underway by Congress to modify the Telecommunications Act to put in place different "net neutrality" rules that are really just a smokescreen to simply strip the FCC of pretty much all authority to protect consumers against questionable broadband provider practices. Separately, Republicans in Congress have already started to make moves to delay the implementation of the new rules, including demanding that FCC boss Tom Wheeler show up for a hearing to explain himself (seriously).

    In theory, it would be better to have a clearer law drafted by Congress, rather than having the FCC make the final decision on this thing, but that theory relies on a competent Congress that obeys the will of the people, rather than special interests. Stop laughing. And, of course, you never know how everything will get twisted around later. As Tim Lee at Vox recently noted, it was the Republicans who rewrote the Telecommunications Act in 1996 that pretty clearly intended for broadband to be classified as a Title II service, which they're now freaking out about.

    How worried should you be? Moderately worried. The new rules have certainly shifted the baseline in one direction such that it would be difficult for Congress to completely undermine an open internet in new rules without setting off massive public backlash. But it can still do some damage. That's perhaps more difficult with an open internet supporter in the White House, but it could flip.

    Should you blame the new rules? No. The new rules have actually been helpful here. Even if the current proposed change to the Telecommunications Act is a joke, it's much, much, much more friendly towards an open internet than what was being talked about just a few months ago. Furthermore, Congress can change as well and can pass new laws at another time also. There's always the risk that Congress will propose a rewrite to the Telecommunications Act, with or without these rules. But with these new rules in place, it actually may be more difficult to get Congress to completely shift things away from a more open internet.

  4. The next FCC: One of the key talking points among anti-net neutrality types is that if this FCC can just make this decision to reclassify, the next one (especially under a Republican president, in which the balance of the FCC would shift to 3 to 2 Republicans to Democrats as commissioners) could just flip it back. Current Republican commissioner Ajit Pai's big filibuster of a speech at the open meeting last week appeared to be his pitch to become the next head of the FCC. And, of course, there's the argument in the other direction, which is that a new FCC with a Democratic majority might go even further with the new rules, and bring back all the "bad stuff" in Title II like rate regulations and tariffs.

    How worried should you be? Not that worried. Despite what some say, it's not that easy to just flip this switch. Note that this process alone has taken basically a year. The FCC has to propose the rules and allow for the slew of comments and then go through this entire process again before it can switch the rules again. It could happen, but by the time it does we'd already be under the existing rules for some time, and when the predicted "harms" of the new rules don't come to pass, the scare stories from anti-net neutrality types won't be even remotely believable. As for the idea that a new FCC might bring back rate regulations and tariffs, that seems ridiculously unlikely. At this point you have basically no one who supports such an idea -- either on the FCC or in the public. The FCC would have to go through a whole new proposal/comment period on such an idea, and it would be so astoundingly unpopular that it's difficult to see it getting anywhere at all.

    Should you blame the new rules? Nope. The FCC is going to flip flop back and forth based on the party in the White House anyway, and all the talk claiming the FCC has become "more partisan" is a lot of bunk. There have long been fights along party grounds on certain issues, and that won't change.

  5. The lack of competition: This probably remains the largest ongoing issue in the fight for an open internet. For years we've been arguing that the attack on net neutrality is really just a symptom of the lack of competition in the market, and that's still true today. Beyond the new rules, if we want to really protect an open internet, we need much more competition. It's notable that the new rules do not (as some wanted) include unbundling requirements, which would have made infrastructure providers let other service providers buy access wholesale to resell, creating competition at the service level (rather than at the network level). Many other countries have this type of unbundling, and it's resulted in a much more competitive broadband market in those places.

    This is also why the FCC's other vote last week may turn out to be the bigger deal. This was the FCC's decision to preempt state laws (generally written by the broadband providers themselves) that blocked municipalities from offering up municipal broadband. Municipal broadband is not a panacea, and there have been some notable failures. However, there are plenty of success stories as well, including some impressive ones in which communities join together to create a strong broadband offering where the giant legacy players have failed to keep up.

    Separately, we're finally starting to see third parties jump into the market. Lots of people point to Google Fiber, but that's just one of a few new and growing entrants. And many of those smaller providers have both embraced the FCC's new rules and pointed out that with those new rules, they may be able to deploy their services more widely, since it will help them get access to things like telephone poles that were blocked in the past. On top of that, while in the past, alternative means of broadband were more hype than reality, the technology for air-based broadband (from wireless systems, satellites, drones, balloons and blimps) is getting rapidly better and may offer a legitimate third-party option. Those technologies are all getting a lot cheaper as well, so it's entirely possible that we could get more significant competition in the future -- especially if there's more open spectrum available.

    How worried should you be? Absolutely worried. The lack of competition is the real travesty in all of this, and while you can be hopeful about some of the things coming down the road that should add to the competitive market, for many of us, there are almost no competitive choices for broadband.

    Should you blame the new rules? Nope. Some anti-net neutrality types are trying to argue that the new rules will reduce competition, but it's hard to find any evidence to support that. Enough small, independent and third-party broadband providers have come out in support of the new rules that it's difficult to take seriously the complaint that it will discourage those competitors from entering the market. They seem to be arguing exactly the opposite.

  6. The games Comcast/Verizon/AT&T will play: When it became clear that there were going to be open internet rules of some sort on the last mile, all of the big broadband providers played the interconnection trick, letting their interconnection points with Netflix clog up in order to get the same result it wanted in the first place: get the internet companies to pay extra to reach its users, even as everyone is already paying for their own bandwidth. And, lately, there have been various games around "zero rating" in which the broadband players (mainly on the wireless side) pretend that they're offering a "consumer benefit" by exempting certain traffic from the unnecessary data caps that the broadband providers themselves set up.

    It seems quite likely that even with the new rules, the big broadband providers will look for loopholes and other tricks to try to chip away at an open internet, allowing it to put toll booths into the internet stream. That's been their focus for a decade now, and it's unlikely that they're going to give up now. The big broadband providers simply hate the idea of just being "dumb pipes" and feel like they need to extract extra money for all of the activity happening on those pipes. It's not clear how they'll plant to get around the rules, but it seems inevitable.

    How worried should you be? Somewhat worried. The big broadband players are incredibly crafty at trying to figure out loopholes and ways through the rules. The interconnection and zero rating cases are just two examples, and both were pretty clever. The zero rating one was particularly clever in that they could pretend to be "consumer friendly" by protecting you from the anti-consumer rules that they themselves set up. It's kind of brilliant in how evil it is. The problem here is that we just don't know what form this attack is likely to take, but it's definitely going to happen.

    Should you blame the new rules?: No. The big broadband players have been playing these games for ages, and the new rules actually do make it much more difficult for them to play at least some of these games. That's why last week was a victory for the open internet.
It should be noted that some net neutrality critics are running around and claiming that these new rules mean the death of the internet, and will lead to the government deciding what content and services are allowed on the internet. If true, that would be an attack on the open internet, but it's simply not true. Don't worry too much about it. That's just FUD.

The reality is that last week was a victory, but it's hardly the end of the fight to protect the open internet. There are some legitimate concerns about both the rules that were passed, as well as the actions that others (including Congress, the FCC and broadband players) may take in the future. And we need to be vigilant about all of this in order to make sure that the internet remains open and free.

26 Comments | Leave a Comment..

Posted on Techdirt - 4 March 2015 @ 12:03pm

How Hillary Clinton Exposed Her Emails To Foreign Spies... In Order To Hide Them From The American Public

from the how-hard-is-it-to-just-use-the-government's-email dept

So the whole Hillary Clinton email story is getting worse and worse for Clinton. We already noted that there was no way she couldn't have known that she had to use government email systems for government work, as there was a big scandal from the previous administration using private emails and within the early Obama administration as well. This morning we discovered that Clinton also gave clintonemail.com email addresses to staffers, which undermines the argument made by Hillary's spokesperson that it was okay for her to use her own email address because any emails with staffers would still be archived by the State Department thanks to their use of state.gov emails. But that's clearly not the case when she's just emailing others with the private email addresses.

As we noted yesterday, there are two separate key issues here, neither of which look good for Clinton. First, is the security question. There's no question at all that as Secretary of State she dealt with all sorts of important, confidential and classified information. Doing that on your own email server seems like a pretty big target for foreign intelligence. In fact, Gawker points out, correctly, that Hillary's private email address was actually revealed a few years ago when the hacker "Guccifer" revealed the inbox of former Clinton aide Sidney Blumenthal. So it was known years ago that Clinton used a private email account, and you have to think it was targeted.

Anonymous State Department "cybersecurity" officials are apparently shoving each other aside to leak to the press that they warned Clinton that what she was doing was dangerous, but couldn't convince her staff to do otherwise:

“We tried,” an unnamed current employee told Al Jazeera. “We told people in her office that it wasn't a good idea. They were so uninterested that I doubt the secretary was ever informed.”
The AP has a somewhat weird and slightly confused article detailing the setup of the email system, but seems to imply things that aren't clearly true.
It was unclear whom Clinton hired to set up or maintain her private email server, which the AP traced to a mysterious identity, Eric Hoteham. That name does not appear in public records databases, campaign contribution records or Internet background searches. Hoteham was listed as the customer at Clinton's $1.7 million home on Old House Lane in Chappaqua in records registering the Internet address for her email server since August 2010.

The Hoteham personality also is associated with a separate email server, presidentclinton.com, and a non-functioning website, wjcoffice.com, all linked to the same residential Internet account as Mrs. Clinton's email server. The former president's full name is William Jefferson Clinton.
While Eric Hoteham may be a mysterious non-entity, as Julian Sanchez points out, an early Clinton staffer was named Eric Hothem. Of course, Stanford cybersecurity guru Jonthan Mayer also notes that Hillary's old home server is still online and running Windows Server 2008 R2.
However, the AP reports that the email has moved around a bit over the past few years:
In November 2012, without explanation, Clinton's private email account was reconfigured to use Google's servers as a backup in case her own personal email server failed, according to Internet records. That is significant because Clinton publicly supported Google's accusations in June 2011 that China's government had tried to break into the Google mail accounts of senior U.S. government officials. It was one of the first instances of a major American corporation openly accusing a foreign government of hacking.

Then, in July 2013, five months after she resigned as secretary of state, Clinton's private email server was reconfigured again to use a Denver-based commercial email provider, MX Logic, which is now owned by McAfee Inc., a top Internet security company.
That likely means the email was much more secure after July of 2013, but it certainly raises questions about how secure it was for years before that.

Though, we do know that it was secure from one thing: FOIA requests. That is the second of the two big issues raised by this whole thing. By using her own email setup, she was clearly able to hide important documents from FOIA requests. In fact, as Gawker notes, her staff's defense of the use of her private email, actually now confirms emails as legit that the State Department denied existed back when Gawker made a FOIA request years ago.

That's because following that Guccifer hack, Gawker filed a FOIA for those emails and was told they don't exist. Yet, now Clinton staffers point to that old Gawker article to suggest that the private email address is "old news," thus confirming that the emails were legit, even though the State Department denied them.
The Clinton camp’s claims about the email account being above-board is also contradicted by the State Department’s response to Gawker’s inquires two years ago. After we published the story about Blumenthal’s correspondence with Clinton, we filed a FOIA request with the agency for all correspondence to date between Hillary Clinton and Sidney Blumenthal, specifically including any messages to or from the hdr22@clintonemail.com account. The screenshots and other documents released by Guccifer—which have now been validated by Clinton’s spokesman—confirmed that such messages existed.

But the State Department replied to our request by saying that, after an extensive search, it could find no records responsive to our request. That is not to say that they found the emails and refused to release them—it is conceivable, after all, that the State Department might have attempted to deny the release of the Clinton-Blumenthal correspondence on grounds of national security or Blumenthal’s own privacy. Instead, the State Department confirmed that it didn’t have the emails at all.

Which is exactly why Clinton used a non-State Department email server to conduct her official business.
According to the NY Times, the State Department says that it won't go back to correct the FOIA requests that it responded to in the past, saying that such records didn't exist. Instead, it will only now search the emails that have been turned over by Clinton's staff. That is another 50,000 emails, but no one knows what emails the staff removed or refused to turn over.

Either way, there are two huge problems here. Clinton likely exposed her emails to foreign spies, while keeping them away from the American public.

49 Comments | Leave a Comment..

Posted on Techdirt - 4 March 2015 @ 10:50am

Encryption Backdoors Will Always Turn Around And Bite You In The Ass

from the golden-keys dept

As you may have heard, the law enforcement and intelligence communities have been pushing strongly for backdoors in encryption. They talk about ridiculous things like "golden keys," pretending that it's somehow possible to create something that only the good guys can use. Many in the security community have been pointing out that this is flat-out impossible. The second you introduce a backdoor, there is no way to say that only "the good guys" can use it.

As if to prove that, an old "golden key" from the 90s came back to bite a whole bunch of the internet this week... including the NSA. Some researchers discovered a problem which is being called FREAK for "Factoring RSA Export Keys." The background story is fairly involved and complex, but here's a short version (that leaves out a lot of details): back during the first "cryptowars" when Netscape was creating SSL (mainly to protect the early e-commerce market), the US still considered exporting strong crypto to be a crime. To deal with this, RSA offered "export grade encryption" that was deliberately weak (very, very weak) that could be used abroad. As security researcher Matthew Green explains, in order to deal with the fact that SSL-enabled websites had to deal with both strong crypto and weak "export grade" crypto, -- the "golden key" -- there was a system that would try to determine which type of encryption to use on each connection. If you were in the US, it should go to strong encryption. Outside the US? Downgrade to "export grade."

In theory, this became obsolete at the end of the first cryptowars when the US government backed down for the most part, and stronger crypto spread around the world. But, as Green notes, the system that did that old "negotiation" as to which crypto to use, known as "EXPORT ciphersuites" stuck around. Like zombies. We'll skip over a bunch of details to get to the point: the newly discovered hack involves abusing this fact to force many, many clients to accept "export grade" encryption, even if they didn't ask for it. And it appears that more than a third of websites out there (many coming from Akamai's content delivery network -- which many large organizations use) are vulnerable.

And that includes the NSA's own website. Seriously. Now, hacking the NSA's website isn't the same as hacking the NSA itself, but it still seems notable just for the irony of it all (obligatory xkcd):

But the lesson of the story: backdoors, golden keys, magic surveillance leprechauns, whatever you want to call it create vulnerabilities that will be exploited and not just by the good guys. As Green summarizes:
There’s a much more important moral to this story.

The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today.

This might be academic if it was just a history lesson — but for the past several months, U.S. and European politicians have been publicly mooting the notion of a new set of cryptographic backdoors in systems we use today. This would involve deliberately weakening technology so that governments can intercept and read our conversations. While officials are carefully avoiding the term “back door” — or any suggestion of weakening our encryption systems — this is wishful thinking. Our systems are already so complex that even normal issues stress them to the breaking point. There's no room for new backdoors.

To be blunt about it, the moral of this story is pretty simple:
Encryption backdoors will always turn around and bite you in the ass. They are never worth it.
Let's repeat that last line, because it still seems that the powers that be don't get it:

Encryption backdoors will always turn around and bite you in the ass. They are never worth it.


Whether it's creating vulnerabilities that come back to undermine security on the internet decades later, or merely giving cover to foreign nations to undermine strong encryption, backdoors are a terrible idea which should be relegated to the dustbin of history.

25 Comments | Leave a Comment..

Posted on Techdirt - 3 March 2015 @ 3:38pm

Disappointing: Google Not Yet Requiring Phone Makers To Encrypt By Default

from the get-things-up-to-speed dept

Well, this is disappointing. Back in September, we were happy to see both Apple and Google announced that their mobile platforms would be encrypted by default (for local storage, not for data transmissions), which has kicked off something of a new round of Crypto Wars, as law enforcement types have shoved each other aside to spread as much possible FUD about the "dangers" of mobile encryption (ignoring that they also recommend mobile encryption to keep your data safe).

However, as Ars Technica reported earlier this week, it appears that while Google is encrypting by default on its own Nexus phones that have the latest Android (Lollipop), it slightly eased back the requirements for its OEM partners such as Motorola and Samsung who make their own devices. Default encryption is now "very strongly RECOMMENDED" rather than required. And even with that "very strong RECOMMENDATION," it appears that neither Samsung or Motorola are enabling default encryption on its latest devices.

While some will likely jump to the conclusion that law enforcement pressure is at work here, a much more likely explanation is just the performance drag created by encryption. Last fall, Anandtech did some benchmarking of the Nexus 6 both with encryption on and off, and as the site itself says, the results are "not pretty." Given the competitive market, there's a decent chance that the big phone manufacturers didn't want to get bad benchmark ratings when phones are compared, and those made the decision to go against the "very strong recommendation."

Hopefully this gets sorted out quickly, as phonemakers can optimize new phones for encryption. And, honestly, as the Anandtech report itself notes, these benchmarks are basically meaningless for real world performance:

The real question we have to ask is whether or not any of these storage benchmarks really matter on a mobile device. After all, the number of intensive storage I/O operations being done on smartphones and tablets is still relatively low, and some of the situations where NAND slowdowns are really going to have an effect can be offset by holding things in memory.
But, it appears, while mobile phone makers don't want to take the chance of bad benchmarks hurting their reputation, they're less concerned about leaving consumers' data exposed.

It's disappointing that this is where things are today, after so much focus on default encryption just a few months ago, but hopefully it's just a temporary situation and we'll get to default encryption very, very soon.

17 Comments | Leave a Comment..

Posted on Techdirt - 3 March 2015 @ 1:30pm

President Obama Complains To China About Demanding Backdoors To Encryption... As His Administration Demands The Same Thing

from the irony dept

Back in January, we pointed out that just after US and EU law enforcement officials started freaking out about mobile encryption and demanding backdoors, that China was also saying that it wanted to require backdoors for itself in encrypted products. Now, President Obama claims he's upset about this, saying that he's spoken directly with China's President Xi Jinping about it:

In an interview with Reuters, Obama said he was concerned about Beijing's plans for a far-reaching counterterrorism law that would require technology firms to hand over encryption keys, the passcodes that help protect data, and install security "backdoors" in their systems to give Chinese authorities surveillance access.

"This is something that I’ve raised directly with President Xi," Obama said. "We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States."
This comes right after the US Trade Rep Michael Froman issued a statement criticizing China for doing the same damn thing that the US DOJ is arguing the US should be doing:
U.S. Trade Representative Michael Froman issued a statement on Thursday criticizing the banking rules, saying they "are not about security – they are about protectionism and favoring Chinese companies".

"The Administration is aggressively working to have China walk back from these troubling regulations," Froman said.
Those claims would sound a hell of a lot stronger if they weren't coming immediately after DOJ officials from Attorney General Eric Holder to FBI Director James Comey had more or less argued for the exact same thing.

Just last week, Yahoo's chief security officer Alex Stamos raised this exact issue with NSA director Admiral Mike Rogers, asking if Rogers thinks it's appropriate for tech companies to build backdoors for other countries if they build them for the US. Rogers ignored the question, just saying "I think we can work our way through this," which is not an answer. And now we're "working our way through this" by having to deal with other countries, such as China, leaping at this opportunity.

And the week before, President Obama himself claimed that he was all for strong encryption, but argued that there were tradeoffs worth discussing, and that some in his administration believed that demanding backdoors made sense to try to stop terrorist attacks. But it's tough to see how he can claim that it's okay to entertain those ideas on the one hand, while using the other hand to try to slap China for doing the exact same thing.

As security researcher Matthew Green rightly points out, "someday, US officials will look back and realize how much global damage they've enabled with their silly requests for key escrow." But that day is apparently not today.
The administration keeps bleating on and on about how China is a massive cybersecurity "threat" out there, and then hands the country this massive gift by having a kneejerk reaction to better encryption that protects American citizens.

44 Comments | Leave a Comment..

Posted on Techdirt - 3 March 2015 @ 10:24am

There Is No Way That Hillary Clinton Didn't Know She Was Supposed To Use A Government Email Account

from the this-makes-no-sense dept

As you may have heard, the latest political "scandal" involving a major Presidential contender comes via the NY Times reporting that when Hillary Clinton was Secretary of State, she refused to have a government email address, and conducted all her work via a personal email account.

Hillary Rodham Clinton exclusively used a personal email account to conduct government business as secretary of state, State Department officials said, and may have violated federal requirements that officials’ correspondence be retained as part of the agency’s record.

Mrs. Clinton did not have a government email address during her four-year tenure at the State Department. Her aides took no actions to have her personal emails preserved on department servers at the time, as required by the Federal Records Act.
This is dumb on many, many levels and there appears to be no excuse for it happening. First off, using a personal email as Secretary of State seems like a massive privacy and security risk. While one hopes that there was at least some attempt to better secure her personal account by government security experts, it's still almost certainly less secure. Given how much sensitive information the Secretary of State has to deal with, it seems inexcusable that she was allowed to conduct official business via her personal account. That to me seems like an even bigger deal than the part that everyone else is focused on: the failure to preserve her emails as required by law.

Of course, the failure to preserve the emails is a big deal as well. But here's the really stunning thing: there is simply no way that Clinton and others in the administration didn't know that she was supposed to be using a government email address and preserving those emails. That's because both the previous administration and others in her own administration got in trouble for using personal email addresses. As Vox notes, towards the end of the Bush administration there was a similar scandal involving a variety of high level administration members using personal email to conduct government business and to avoid transparency requirements.

That scandal unfolded well into the final year of Bush's presidency, then overlapped with another email secrecy scandal, over official emails that got improperly logged and then deleted, which itself dragged well into Obama's first year in office. There is simply no way that, when Clinton decided to use her personal email address as Secretary of State, she was unaware of the national scandal that Bush officials had created by doing the same.

That she decided to use her personal address anyway showed a stunning disregard for governmental transparency requirements. Indeed, Clinton did not even bother with the empty gesture of using her official address for more formal business, as Bush officials did.

But that's not all. What the Vox report doesn't note is that the scandal actually carried over to the Obama administration also, as the White House's first Deputy CTO was reprimanded for using his personal email address as well, early in 2010. So there was both a scandal about the similar use of private email accounts in the previous administration and in the Obama administration. It's impossible to believe that Clinton or the other key people who worked for her in the State Department were unaware of one or both of these issues while she was using her personal email address.

While the White House's email system may be clunky and annoying to use (as I've heard repeatedly), there's simply no excuse for Clinton not to have used it at all -- and for the emails she did send not to be preserved as required under the law. A few years ago, we mocked Homeland Security boss Janet Napolitano for refusing to use email entirely -- though at least she was upfront about the reason. She didn't want to be held accountable for what she said -- though, the reality was she would still have staff members send emails for her. Clinton appears to have wanted to be free of that accountability as well, but to still have the benefits of direct electronic communication herself. In short, she purposely ignored the law for her own benefit.

66 Comments | Leave a Comment..

Posted on Techdirt - 3 March 2015 @ 8:07am

Australian Secretary Of Defense Not Concerned About Phone Hack; Doesn't Think People Want To Spy On His Phone

from the oh-really-now? dept

If you were the Secretary of Defense of a large country, you might think you'd be slightly concerned that foreign agents would want to spy on you. Not so down in Australia apparently, where the current Secretary of Defense, insists that he'd be "surprised" if anyone wanted to find out what was on his phone. Seriously.

We've written about the recent story, revealed in documents leaked by Ed Snowden, that the NSA and GCHQ were able to hack into the systems of Gemalto, the world's largest maker of SIM cards for mobile phones, and obtain the encryption keys used in those cards. While Gemalto insists that the hack didn't actually get those encryption keys, not everyone feels so comfortable with Gemalto's own analysis of what happened.

Senator Scott Ludlam (who we've written about a few times before) reasonably found the story of the Gemalto hack to be concerning, and went about asking some questions of the government to find out what they knew about it. The results are rather astounding. First he had asked ASIO, the Australian Security Intelligence Organization, and they said it wasn't their area, but it might be ASD (the Australian Signals Directorate). The video below shows Ludlam asking the ASD folks for more information about the hack and being flabbergasted that they basically say they haven't even heard about the hack at all:

Right at the beginning, the first person says he's not aware of the situation, and Ludlam asks "are you aware of the broad outlines?" and gets a "no I am not" response, leading to a rather dry "Really?!? Okay, this is going to be interesting" reply from Ludlam. It goes on in this nature for a while, with the various people on the panel playing dumb, and Ludlam repeatedly (and rightly) appearing shocked that they appear to have no idea about the story.

But the really incredible part comes in the last minute of the video, in which Ludlam asks the Australian Secretary of Defense, Dennis Richardson, about his own concerns about his phone being spied on:
Ludlam: Do you use an encrypted phone, Mr. Richardson?

Richardson: No, I don't.

Ludlam: Right. Okay. Do you use a commercial -- I'm not asking you to name names -- but do you use a commercial telecommunications provider?

Richardson: Yeah, yeah, yes.

Ludlam: So there might be a SIM card in your phone or mind. Does this alarm you at all?

Richardson: No.

Ludlam: No?

Richardson: No.

Ludlam: Why is that?

Richardson: Well, because I don't particularly deal with people who... if anyone wants to listen to my telephone calls they can. I'd be surprised if they do, but I don't particularly have conversations which I'm particularly worried about.

[Laughter all around the room]

Ludlam: So it's okay if foreign spooks have hacked every mobile handset in the country because you don't have anything in particular...

Richardson: It's possible some might try to.

Ludlam: It's possible some just have.

Richardson: [shrugs] Well, it's possible.
So there you have it, folks. The Australian Secretary of Defense says that anyone is allowed to listen in to his calls, because there's nothing secret about any of them. I'm not quite familiar with public records/freedom of information laws in Australia, but is it possible for someone to put in a request for recording all of the Secretary of Defense's phone calls?

41 Comments | Leave a Comment..

Posted on Techdirt - 2 March 2015 @ 1:24pm

Should The Punishment For Falsely Accusing People Of A Crime Match The Punishment For The Crime Itself?

from the false-accusations-everywhere dept

Two very different stories, but both with some startling parallels.

First, Radley Balko's story about how police and attorneys in Louisiana apparently flat out lied to claim that a process server "assaulted" a police officer he was serving (in a police brutality case, no less). There are lots of details there, but suffice it to say, the process server, Douglas Dendinger, did not assault Chad Cassard at all -- even though he was soon arrested for it, and Cassard managed to present seven witnesses (including police officers and two prosecutors who witnessed Dendinger serving the papers on Cassard). Dendinger went through two years of hell because of this, before the case was dropped when cell phone videos made by Dendinger's wife and nephew showed that there was no assault at all. Police and prosecutors lying to protect one of their own? Sure, it happens. But now that it's been exposed, Balko has an important question:

Why aren’t the seven witnesses to Dendinger’s nonexistent assault on Cassard already facing felony charges? Why are all but one of the cops who filed false reports still wearing badges and collecting paychecks? Why aren’t the attorneys who filed false reports facing disbarment? Dendinger’s prosecutors both filed false reports, then prosecuted Dendinger based on the reports they knew were false. They should be looking for new careers — after they get out of jail.

If a group of regular citizens had pulled this on someone, they’d all likely be facing criminal conspiracy charges on top of the perjury and other charges. So why aren’t these cops and prosecutors?

I could be wrong, but my guess is that they’ll all be let off due to “professional courtesy” or some sort of exercise of prosecutorial discretion. And so the people who ought to be held to a higher standard than the rest of us will once again be held to a lower one.
Second, we have last week's story about Total Wipes sending an automated takedown notice to Google demanding tons of perfectly legitimate, non-infringing web pages be taken out of Google's index for infringement. Total Wipes blamed it on a "bug" in its program, which would be more convincing if it hadn't happened before.

This second story has Rick Falkvinge, quite reasonably, wondering why the penalties for false takedowns aren't equivalent to the penalties for infringement, saying that this is the way it works in other parts of the law:

The thing is, this should not even be contentious. This is how we deal with this kind of criminal act in every – every – other aspect of society. If you lie as part of commercial operations and hurt somebody else’s rights or business, you are a criminal. If you do so repeatedly or for commercial gain, direct or indirect, you’re having your ill-gotten gains seized. This isn’t rocket science. This is standard bloody operating procedure.

The copyright industry goes ballistic at this proposal, of course, and try to portray themselves as rightsless victims – when the reality is that they have been victimizing everybody else after making the entire planet rightsless before their intellectual deforestation.

The irony is that at the same time as the copyright industry opposes such penalties vehemently, arguing that they can make “innocent mistakes” in sending out nastygrams, threats, and lawsuits to single mothers, they are also arguing that the situation with distribution monopolies is always crystal clear and unmistakable to everybody else who deserve nothing but the worst. They can’t have it both ways here.

Of course, his claim that this is true in "every" other area is proven somewhat false by the first story above. But the underlying factors in both cases are nearly identical, and it actually goes back to a previous concept that Falkvinge has written about: the "high court" and the "low court." The "nobility" gets a special court when they break the law, with limited consequences. The lowly commoners have to go to the "low court" where the consequences are quite severe. Falkvinge's original point is that we still seem to have the same thing today, and that's clearly shown in both stories above.

If you're in power, you can lie about things to accuse others of serious things that can have serious consequences for them, and there's no real punishment. Instead, it's brushed off as not being important -- sometimes with expressions of understanding about how "these things can happen." I'm reminded of the phrase that we "judge ourselves according to our intentions, but others based on their actions," and that seems to be partly at work here as well (though I question the "intentions" of the prosecutors who lied above). The lies are written off as minor "mistakes," whereas those accused are given no such benefit of the doubt. It's a big problem in the copyright space, certainly, but it's true in many other areas of society as well.

49 Comments | Leave a Comment..

Posted on Techdirt - 2 March 2015 @ 12:26pm

Court Doesn't Buy Mississippi Attorney General Jim Hood's Argument: Puts His Google Demands On Hold

from the nice-try,-jim dept

Back in December, we noted that Google had gone to court to try to stop a ridiculously broad subpoena issued by Mississippi Attorney General Jim Hood. For quite some time now, Hood has been publicly attacking Google, based on what appears to be near total ignorance of both the law and technology. Oh, and maybe it also has something to do with the MPAA directly funding his investigation and authoring the letters that Hood sent.

Either way, Google pointed out that the broad subpoena that Hood issued to Google clearly violated Section 230 of the CDA in looking to hold Google accountable for other's actions and speech. It pointed out other problems with the order as well -- and while Hood insisted that his subpoena was perfectly reasonable, it appears that a federal court isn't so sure. Today the court told Hood that he's granting a temporary injunction on the subpoena, noting that Google's argument is "stronger."

This certainly is nowhere close to over, but it does highlight that Hood's repeated arguments that he has every right to hold Google accountable for the fact that sometimes people use the search engine to find illegal stuff, isn't particularly convincing to at least one federal judge.

52 Comments | Leave a Comment..

Posted on Techdirt - 2 March 2015 @ 5:54am

Late Friday, White House Announces That FISA Court Has Rubberstamped NSA Phone Record Collection, While Insisting It Wants Reform

from the uh-huh dept

As per its usual method of releasing news it would rather not talk about, on Friday evening the White House released the news that it had, once again, gotten a rubberstamp approval from the FISA Court for the NSA to collect in bulk basically all your phone records. As you probably know, this is just the latest in a long series of reapprovals by the FISA Court, which needs to reauthorize the program for limited periods of time each time the previous rubber stamp "expires." What hasn't made much sense in all of this is that President Obama announced a year ago that he wanted to end the bulk collection program, and as many people pointed out, there was an easy way to do so: just don't ask the FISA Court to renew the authority. But, rather than do that, the administration just keeps on asking (and getting) approval.

The excuse given in the released statement is that the White House wants Congress to force its hand to stop asking:

As the White House said [link to WH statement], the Administration welcomes the opportunity to work with the new Congress to implement the changes the President has called for. Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the telephony metadata program, the government has sought a reauthorization of the existing program, as modified by the changes the President directed in January.
And, yes, the official announcement says "[link to WH statement]" -- because, hey, they're posting on Friday evening and might as well start the drinking early or something. It's not like this stuff matters. The rest of that claim is similarly misleading. The metadata program has not been shown to be important in any way. In fact, basically everyone who has looked at it from outside the intelligence community, including two separate government review bodies has admitted that there aren't any examples of the program actually being useful. So, it's hard to see what's so "important" about it.

But, really, this is all ridiculous. This is the same White House that is getting criticized all over the place for a variety of moves to take "executive action" where Congress is deadlocked. And, yet, here's a situation where literally the White House has all the power in the world to stop the program it claims it wants stopped -- and it says it needs Congress to act? That's not even close to believable.

The one "noteworthy" aspect to this latest rubberstamping is the end date. The newly approved authority runs until June 1, 2015, which is the date at which Section 215 of the PATRIOT Act sunsets and would no longer be law. This program exists under Section 215, so the government can't continue to collect those phone records after June 1, unless something happens. That "something" is the renewal of Section 215, and you better believe that the next few months are going to be a full on fight by the intelligence community and its supporters to spread as much fear as possible about why this program absolutely must be renewed. As you hear the scare stories, just remember that despite using this program for almost a decade there still isn't a single example of it being useful.

34 Comments | Leave a Comment..

Posted on Techdirt - 28 February 2015 @ 9:00am

Not So Awesome Stuff: Your Worst Crowdfunding Project?

from the looking-at-the-other-side dept

Let me start this post off by noting that I'm a huge fan of crowdfunding and think that it's an amazing force for all sorts of good things in art, culture and innovation. That's part of the reason why we do a weekly awesome stuff post highlighting interesting (and sometimes awesome) crowdfunding projects. But, it should be noted that crowdfunding projects don't always turn out great. There are plenty of horror stories to go around -- some involving what appear to be outright fraud, certainly -- mostly just because project creators are way overly optimistic on their ability to achieve their goals. I've backed a few dozen projects, and I can only think of a handful that were delivered on time. To be honest, this doesn't bother me so much. What's much worse is that as projects go bad, the project creators tend to disappear, not updating people with the bad news, leading people to get angrier and angrier.

Kickstarter, for one, has long tried to make it clear that it is "not a store," but rather that you're backing a project, and there's risk associated with that -- including the risk that a project may fail. However, it's still disappointing to back a project and have it be totally disappointing. So, this week, I thought I'd ask people about the most disappointing crowdfunded projects they've seen or backed. And I'll reveal mine. Back in the summer of 2013, on one of our awesome stuffs I wrote about the HOT Watch, a new smart watch that had some interesting features, including the ability to hold your hand up to your ear and use your hand like a phone. The video for the project was super cheesy/infomercially, which scared me off, but I'd become somewhat fascinated with the possibilities for smartwatches, and at the last minute bought into it. The backers of the project swore up and down, left, right and center, that the project would ship in time for Christmas in 2013. Right up until basically the end of the year the company insisted it would be shipping. It's now February of 2015 and I still don't have mine. Because I just don't care any more, I've asked them for a refund and they haven't replied, which is pretty much what I expected. Some people appear to have received theirs -- but I haven't and it's now 15 months late, and the market for smartwatches has moved way past the HOT Watch.

Lesson learned: crowdfunder beware.

Another, similar project, which (thankfully) I did not back is the Lima, which was a little device that was supposed to enable you to very easily set up your own personal cloud with USB devices at home. That presentation was super slick, and I was tempted to back it, but the pricing seemed a little steep, and I'm glad I didn't because while it also promised delivery by December 2013, at last check, it also has not delivered at all, and there are tons of people demanding refunds. I had mentioned the Lima in another awesome stuff post, and the company reached out to me saying the team wanted to send me a postcard (?!?!) as a thank you. I told the person not to bother, but the company still found our office address and sent it anyway. It seems like, rather than sending out post cards to people who don't want them, they could have put time into working on the product.

Anyway, this isn't to knock crowdfunding, or even these two projects in particular. It's just to note that there are risks associated with crowdfunding, and certain projects turn out to be flops, so you need to be aware. In the meantime, would love to hear about crowdfunding flops that you have backed (or luckily avoided...).

56 Comments | Leave a Comment..

Posted on Techdirt - 27 February 2015 @ 7:39pm

US Court Rules That Kim Dotcom Is A 'Fugitive' And Thus DOJ Can Take His Money

from the um. dept

In the long, convoluted and complex legal battles facing Megaupload founder Kim Dotcom, there was some bizarre stuff that happened late last year. As you may recall, early on, the US government seized basically all of his stuff and money. Dotcom has made efforts to get some of it returned, as it's tough to fight the most powerful government in the world when it's holding onto all of your money. Keep in mind from our previous discussions on asset seizure and forfeiture, the government can basically seize whatever it wants, just by claiming it was somehow related to a crime, but the seizure is only a temporary process. If the government wants to keep it, it then needs to go through a separate process known as civil asset forfeiture, which is effectively the government suing the assets. Back in July, the US government moved to forfeit everything it had seized from Dotcom in a new lawsuit with the catchy name USA v. All Assets Listed In Attachment A, And All Interest, Benefits, And Assets Traceable Thereto. As you may have guessed, Attachment A [pdf] is basically all of Kim Dotcom's money and posessions.

Back in November, the DOJ argued that it should get to keep all of Kim Dotcom's money and stuff because he's a "fugitive", which is a bizarre and ridiculous way to portray Kim Dotcom, who has been going through a long and protracted legal process over his potential extradition from New Zealand (though he's offered to come to the US willingly if the government lets him mount a real defense by releasing his money). Dotcom's lawyers told the court that it's ridiculous to call him a fugitive, but it appears that Judge Liam O'Grady didn't buy it.

In a ruling [pdf] that was just posted a little while ago, O'Grady sided with the government, and gave the DOJ all of Dotcom's things. You can read the full reasoning here and it seems to take on some troubling logic. Dotcom's lawyers pointed out, as many of us have, that there is no secondary copyright infringement under criminal law, but the judge insists that there's enough to show "conspiracy to commit copyright infringement." But the reasoning here is bizarre. Part of it is the fact that Megaupload did remove links to infringing content from its top 100 downloads list. To me, that seems like evidence of the company being a good actor in the space, and not trying to serve up more infringing downloads. To Judge O'Grady and the DOJ, it's somehow evidence of a conspiracy. No joke.

The government has alleged that the conspirators knew that these files were infringing copyrights, as evidenced by their exclusion of infringing files from the "Top 100" list. The "Top 100" list purported to list the most frequently downloaded files on Megaupload.... According to the government, an accurate list would have consisted almost entirely of infringing content, so the claimants "carefully curated" the list to make the site look more legitimate.... Additionally, the claimants regularly told copyright holders, including many U.S.-based organizations, that they would remove infringing content, when in actuality they only removed particular links to the files.... The actual infringing files remained on the Mega-controlled servers and could be accessed from other links.
As for that latter part, there are tons of perfectly legitimate reasons to only remove the links and not the underlying files. If Megaupload was doing deduping, then some version of the same file could be perfectly legitimate. Let's take an example: say that you and I have an MP3 of a Katy Perry song. I upload it to Megaupload to keep as a backup. You upload it to distribute to the world. Megaupload dedupes it, and just has the file stored one time. Your link could be potentially infringing if you distribute unauthorized copies, whereas my copy may be a legitimate personal backup. Given that, Megaupload should only delete the links that are called out as infringing, rather than the underlying files, which -- depending on their use -- may or may not be infringing. But the court just takes the DOJ's version and says "good enough for me."

The court also has no problem with the fact that most of the assets aren't in the US, noting that since some of the "conspiracy" took place in the US, that's good enough. It more or less brushes off the concerns raised by Dotcom and the other defendants that this appears to violate existing treaties between New Zealand and the US -- basically saying that because Dotcom refuses to come to the US, it's not "punitive." Huh? On top of that, the judge says that taking all of Dotcom's assets shouldn't interfere with the legal process in New Zealand, because the New Zealand courts could (yeah right) reject the DOJ's request after this ruling to hand over Dotcom's assets.

Then we get to the whole "fugitive" bit. Judge O'Grady notes that the statute does allow him to call anyone who "declines to enter" the United States a fugitive, and argues that Dotcom fits that description. Furthermore, he actually argues that Dotcom's offer to the DOJ to come willingly to the US if the money is freed for his defense actually works against Dotcom, and gives weight to the fugitive claim:
As demonstrated, Dotcom need not have previously visited the United States in order to meet the prerequisites of § 2466. The statute is satisfied where the government shows that the claimant is on notice of the criminal charges against him and refuses to "enter or reenter" the country with the intent to avoid criminal prosecution. Because the court assesses intent under the totality of the circumstances, it is certainly relevant that Dotcom has never been to the United States and that he has lived in New Zealand since 2011, where he resides with his family. This tends to show that he has other reasons for remaining in New Zealand besides avoiding criminal prosecution. However, the existence of other motivations does not preclude a finding that he also has a specific intent to avoid criminal prosecution. Dotcom's statements, made publicly and conveyed by his attorneys to the government, indicate that he is only willing to face prosecution in this country on his own terms. See Technodyne, 753 F.3d at 386 (2d Cir. 2014) ("The district court was easily entitled to view those [requests for bail], evincing the [claimants'] desire to face prosecution only on their own terms, as a hallmark indicator that at least one reason the [claimants] declined to return in the absence of an opportunity for bail was to avoid prosecution"). Dotcom has indicated through his statements that he wishes to defend against the government's criminal charges and litigate his rights in the forfeiture action. If it is truly his intent to do so, then he may submit to the jurisdiction of the United States.
In short, damned if you do, damned if you don't. This is the justice system, ladies and gentlemen. The DOJ gets to seize and keep all your money, and merely asking for access to it to fight to show your innocence is used as a reason to allow the DOJ to keep it. So he comes to the US and has to fight criminal charges without his own money, or he stays in New Zealand and the government uses it as an excuse to keep all the money. How is any of this even remotely fair? Where is the "due process" in totally handicapping Dotcom from presenting a defense?

Again, it is entirely possible that Dotcom and the others broke the law -- though the case certainly does look pretty weak to me. But what's really astounding is how far the DOJ appears to want to go to make it absolutely impossible for Dotcom to present a full defense of his case.

Read More | 141 Comments | Leave a Comment..

Posted on Techdirt - 27 February 2015 @ 6:23pm

White House Releases Draft 'Privacy' Bill That's Not Very Good

from the let's-try-again,-shall-we dept

It's been talked about for a while, but on Friday, the White House released a draft of what it's calling a "Consumer Privacy Bill of Rights." Conceptually, that sounds like a decent idea, but in practice? Not so much. Yes, it's just a draft, but it's got a lot of vague hand-waving, and basically no one seems all that thrilled about it, either from the privacy advocate side or the tech company side. Also, it doesn't even address the biggest privacy concern of all: government surveillance and snooping.

Privacy is, of course, one of those things that can be rather tricky to regulate, for a variety of reasons. Many attempts turn out badly, and don't really do much to actually protect privacy -- while sometimes blocking legitimate and useful innovations. While we're big supporters of protecting one's privacy we're at least somewhat concerned about legislation that appears to be pretty sloppy, and not all that well defined or thought out. This feels like a "we needed to do something, so here's something" kind of draft bill, rather than a "here's a legitimate problem, and here's how to fix it." It feels like a lost opportunity.

Read More | 14 Comments | Leave a Comment..

Posted on Techdirt - 27 February 2015 @ 1:37pm

Paypal Cuts Off Mega Because It Actually Keeps Your Files Secret

from the doesn't-paypal-like-encryption? dept

There are way too many stories of Paypal unfairly and ridiculously cutting off services that rely on it as a payment mechanism, but here's yet another one. Mega, the cloud storage provider that is perhaps well-known for being Kim Dotcom's "comeback" act after the US government shut down Megaupload, has had its Paypal account cut off. The company claims that Paypal was pressured by Visa and Mastercard to cut it off:

Visa and MasterCard then pressured PayPal to cease providing payment services to MEGA.

MEGA provided extensive statistics and other evidence showing that MEGA's business is legitimate and legally compliant. After discussions that appeared to satisfy PayPal’s queries, MEGA authorised PayPal to share that material with Visa and MasterCard. Eventually PayPal made a non-negotiable decision to immediately terminate services to MEGA. PayPal has apologised for this situation and confirmed that MEGA management are upstanding and acting in good faith. PayPal acknowledged that the business is legitimate, but advised that a key concern was that MEGA has a unique model with its end-to-end encryption which leads to “unknowability of what is on the platform”.

MEGA has demonstrated that it is as compliant with its legal obligations as USA cloud storage services operated by Google, Microsoft, Apple, Dropbox, Box, Spideroak etc, but PayPal has advised that MEGA's "unique encryption model" presents an insurmountable difficulty.
That last line is particularly bizarre, given that if anyone recognizes the value of encryption it should be a freaking payments company. And, of course, Paypal can't know what's stored on any of those other platforms, so why is it being pressured to cut off Mega?

Mega's theory -- which is mostly reasonable -- is that because Mega was mistakenly listed in a report released by the "Digital Citizens Alliance" that insisted Mega was a rogue cyberlocker storing infringing content, that payment companies were told to cut it off. If true, this is problematic on multiple levels. The methodology of the report was absolutely ridiculous. Because most Mega files are stored privately (like any Dropbox or Box or Google Drive account), the researchers at NetNames have no idea what's actually being stored there or if it's being done perfectly legitimately. Instead, they found a few links to infringing works, and then extrapolated. That's just bad research practices.

Furthermore, the Digital Citizens Alliance is hardly an unbiased third party. It's an MPAA front group that was the key force in the MPAA's (now revealed) secret plan to have states attorneys general attack Google. Think the MPAA has reasons to try to go after any potential revenue source for Kim Dotcom? Remember, taking down Megaupload and winning in court against Dotcom was a key focus of the company since 2010 or so, and Dotcom recently noted that he's out of money and pleading with the court to release some of the funds seized by the government to continue to fight his case. The lawyers who represented him all along quit late last year when he ran out of money. It seems like the MPAA might have ulterior motives in naming Mega to that list, don't you think?

And, this all goes back to this dangerous effort by the White House a few years ago to set up these "voluntary agreements" in which payment companies would agree to cut off service to sites that the entertainment industry declared "bad." There's no due process. There's no adjudication. There's just one industry getting to declare websites it doesn't like as "bad" and all payment companies refusing to serve it. This seems like a pretty big problem.

92 Comments | Leave a Comment..

Posted on Techdirt - 27 February 2015 @ 12:39pm

Have You Been Debating What Color Some Random Dress Is All Day? Thank Fair Use

from the and-we-look-forward-to-the-eventual-copyright-fight dept

Yesterday evening I saw a tweet zip by in which some very smart people I know and respect appeared to be arguing about the color of a dress. It seemed like a weird thing, so I went and looked and saw what appeared to be a white and gold dress. No big deal. But, other people insisted that it was blue and black. Vehemently. At first I thought it was a joke. Or an optical illusion. Or maybe it depended on your monitor. But I called over a colleague here in the office, and she swore that it was blue and black. And I was 100% sure that it was white and gold. If you somehow live under a rock, here's the image:

We now know the "truth" (sort of) -- which is that the dress itself really is blue and black, but thanks to the lighting and some odd visual tricks it appears white and gold to a large part of the population. For what it's worth, many people report that after a period of time it switches, and that's true for me too. Late last night I took one last look (after everyone else in my family swore that it was blue and black) and I saw it blue and black. Amusingly, at almost exactly the same time, my wife suddenly saw it as white and gold. My mother-in-law suggested we both need to seek mental help. There are fights like this going on all over the internet, with lots of people trying to decipher why this image seems to work this way. So why are we writing about it here? Because it's Fair Use Week, and what a great fair use story.

This image isn't just being showed everywhere, it's being modified, flipped, adjusted, poked and prodded as people discuss it in all sorts of ways (comment and criticism). And it's all fair use. Take, for example, our own Leigh Beadon, who put forth on Twitter a theory about why different people see it in different ways:
In our internal chat, he was also submitting additional images as he played with the image. Take, for example, this one, where he played with the brightness levels:
And tons of others have weighed in as well. Even software maker Adobe got into the discussion:
"
And someone else posted a helpful video modifying it:
Vice has an amazing story in which they present the image to a color vision expert who is so stumped he admits he may give up trying to cure blindness to devote the rest of his life to understanding the dress. The folks over at Vox both insist that the color changing can't be explained and that it can be (journalism!). The folks at Deadspin say you're all wrong and the dress is actually blue and brown. Almost all of these are using not just versions of the image, but modified ones as well, to try to demonstrate what they're talking about.

And there's been no talk about copyright. Because we don't need to be discussing copyright, because this is all fair use. Last night, some were pointing out that this was such an "internet" story that it's great that it came out on the same day the FCC voted for net neutrality, but I say it's an even better way to close out fair use week, with a great demonstration of why fair use matters.

82 Comments | Leave a Comment..

Posted on Techdirt - 27 February 2015 @ 11:41am

Google Suddenly Realizes That Maybe It Doesn't Need To Ban Adult Content On Blogger

from the oh-look,-we-have-policies dept

Earlier this week, we wrote about a really dumb move by Google to effectively kick out all of the bloggers who use its blogger platform to post "adult" content -- either text or images. Google gave such bloggers just 30 days to find a new home before it would make all their blogs private. It insisted that, going forward, the content police at Google would determine what photographs were "artistic" and allowed, and which were "dirty" and not allowed. As we noted, this move seemed particularly tone deaf and problematic, and could lead to other problems for Google. And a lot of other people agreed.

And... just like that, Google appears to have reversed course. Over in its product forums, someone from the Blogger Team announced that they had realized they already had policies they could enforce and didn't need to implement these new rules:

This week, we announced a change to Blogger’s porn policy. We’ve had a ton of feedback, in particular about the introduction of a retroactive change (some people have had accounts for 10+ years), but also about the negative impact on individuals who post sexually explicit content to express their identities. So rather than implement this change, we’ve decided to step up enforcement around our existing policy prohibiting commercial porn.

Blog owners should continue to mark any blogs containing sexually explicit content as “adult” so that they can be placed behind an “adult content” warning page.

Bloggers whose content is consistent with this and other policies do not need to make any changes to their blogs.

Thank you for your continued feedback.
So, kudos to Google for at least hearing the feedback and rolling back the change -- though it's still unfortunate that it even had to come to that in the first place. It seems likely that many of those bloggers may go looking for alternate hosting anyway.

17 Comments | Leave a Comment..

Posted on Net Neutrality Special Edition - 27 February 2015 @ 10:34am

Wall Street Journal Upset That Wall Street Isn't Upset About Net Neutrality

from the isn't-the-market-always-right? dept

A few weeks ago, after it was more or less confirmed that the FCC was going forward with full Title II reclassification of broadband, we noted that the stocks of the big broadband companies actually went up suggesting that Wall Street actually knows that reclassification won't really impact broadband companies, despite what they've been saying publicly. Perhaps this is partly because those same companies have been telling Wall Street that the rule change won't have an impact.

However, for the Wall Street Journal -- which has become weirdly, obsessively, anti-net neutrality -- this is an abomination. The newspaper has spent months trying to whip everyone into a frenzy about how evil net neutrality is, using some of the most blatantly wrong arguments around. Just a few days ago, the WSJ turned to its former publisher, now columnist, L. Gordon Crovitz to spread as much misinformation as possible. This is the same L. Gordon Crovitz who a few years ago wrote such a ridiculously wrong article on the history of the internet that basically everyone shoved each other aside to detail how he mangled the history. He, bizarrely, insisted that the government had no role in the creation of the internet. Crovitz also has a history of being wrong (and woefully uninformed) about surveillance and encryption. It's difficult to understand why the WSJ allows him to continue writing pieces that are so frequently factually challenged.

In this latest piece, Crovitz suggests that Ted Cruz didn't go far enough in comparing Obamacare to net neutrality, arguing that net neutrality is even "worse."

The permissionless Internet, which allows anyone to introduce a website, app or device without government review, ends this week.
Um, no, actually, the reverse. The rules say that no website or app needs to get permission. The government isn't going to be reviewing anything, other than anti-consumer practices by the large ISPs.
Bureaucrats can review the fairness of Google's search results, Facebook's news feeds and news sites' links to one another and to advertisers. BlackBerry is already lobbying the FCC to force Apple and Netflix to offer apps for BlackBerry’s unpopular phones. Bureaucrats will oversee peering, content-delivery networks and other parts of the interconnected network that enables everything from Netflix and YouTube to security drones and online surgery.
None of this is true. The BlackBerry thing isn't real. It's a stupid political stunt cooked up by the telcos to try to make the new rules look bad. But the rules do not, in any way, apply to Google's search results or Facebook's news feed or any other content online. It covers internet access services, and all it does is put in place some straightforward rules against discrimination.

Still, all this fear mongering isn't working. Following yesterday's decision by the FCC, the folks over at Quartz noticed that the big broadband stocks have actually had a pretty damn good month:
Which brings us back around to the Wall Street Journal. The paper of record for Wall Street, which normally likes to suggest that markets are "right" about everything, is absolutely positive that the markets are wrong about this. And it's furious. It has an article demanding that broadband investors need to "wake up" to what's happening with net neutrality:
Investors actually seemed to breathe a sigh of relief when FCC Chairman Tom Wheeler unveiled his proposal on Feb. 4, sending cable stocks higher. Investors were cheering the chairman’s assurance that the commission wouldn’t invoke the Title II power to regulate prices.

But investors, beware: Broadband’s new status opens the door to the possibility of a future that is far less lucrative and more uncertain for the companies that provide it.
Bullshit. Frankly, things can always change in the future, in either direction, so claiming that things might change is meaningless FUD. At the end of the article, the WSJ pretends that maybe the reason why stocks are up is because investors expect that the broadband players will win an eventual court battle, but that seems like wishful thinking on multiple levels. Let's go with Occam's Razor on this one. The market is up because everyone knows that Title II won't make a huge difference at all for the prospects of broadband companies. Multiple Wall St. analysts have been saying this for months, as have the big broadband companies to the analysts themselves.

The Wall Street Journal should take a page from its own playbook: maybe the markets do know best.

34 Comments | Leave a Comment..

Posted on Techdirt - 27 February 2015 @ 8:09am

Did Lenovo/Superfish Break The Law?

from the certainly-can-make-an-argument-that-way dept

For many years, it's been something of an open question if creating a major security or privacy vulnerability was illegal. For the most part, courts have ruled that without actual proven harm, it's difficult to show real standing for the sake of a civil lawsuit. In practical terms, this has meant that if you just introduce a massive security risk, without it directly being abused (in a way that people know about), a company's liability is fairly limited. Obviously, that could change quickly if there was an actual abuse. Not surprisingly, class action law firms still love to file these kinds of lawsuits after a major privacy/security breach just in case. So it was totally expected to see a class action firm jump in and sue Lenovo over the Superfish malware that we've been discussing for the past few days.

The folks over at CDT, however, have a very good discussion over whether or not enabling such HTTPS hijacking really is illegal. The article compares the Superfish story to the other recent story about in-flight Wi-Fi provider GoGo doing something similar, and explores whether or not these man-in-the-middle attacks run afoul of Section 5 of the FTC Act, which is the broad rules under which the FTC "protects consumers." The rules basically say companies cannot do things that are "deceptive" or "unfair," but the definitions of both of those words matters quite a bit.

Here's the exploration of whether this kind of man-in-the-middle attack is "deceptive":

At a technical level, these SSL-breaking technologies trick your browser by forging SSL certificates, implying that their service operates encrypted websites like YouTube.com and BankofAmerica.com. In fact, instead of passing encrypted traffic on to the appropriate destination, these technologies enact the previously described “man-in-the-middle attack,” gaining access to potentially sensitive information that should rightly be kept between you and, for example, your bank or health care provider. Though these practices do not directly deceive the end user, they do effectively deceive the user’s software that acts as a “user agent.”  It’s not settled that this is prohibited by deceptive practices authority; in the past, the FTC has been reluctant to pursue deceptive practices cases merely on the grounds of tricking a browser: the FTC declined to pursue companies that issued bogus machine-readable P3P policies to get around Internet Explorer privacy restrictions or against companies that evaded Apple Safari’s default cookie settings in order to place third party cookies.[3] On the other hand, six state Attorneys General did bring a deceptive practices claim under their own version of Section 5 against companies that tricked Safari browsers into accepting third-party cookies.

Alternatively, the FTC could argue that failure to disclose that encrypted transmissions were being intercepted constituted a material omission — that is, failure to explain the practice would be a deceptive means to prevent a consumer from meaningfully evaluating the product. The FTC has brought a number of cases arguing that failure to disclose highly invasive or controversial practices either in a privacy policy or in clear, upfront language could constitute a deceptive practice.  For instance, the FTC has found that failure to disclose access to your phone’s contact information or precise geolocation could constitute a material omission.

From what I can tell, neither Gogo nor Lenovo went out of their way to tell users about these practices. If anything, Gogo’s privacy policy would lead users to think that their SSL-protected communications were safe from eavesdropping.

For Lenovo, a post to one of its user forums says that users had to agree to the Superfish privacy policy and terms of service. I don’t know what these documents said exactly, though the Superfish documents available on their website say nothing about these practices.  Even if Lenovo had disclosed in fine print what it does, regulators could make the case that SSL interception was so controversial that permission needed to be obtained outside of a boilerplate legal agreement. A service could certainly try to make a value proposition to consumers that some feature was worth the cost of breaking web encryption – but that’s not what happened here.

What about the question of "unfair"? Apparently, the FTC prefers to use "unfair" in the cases it brings, rather than deceptive, so that is the more likely option.

In order to be “unfair” under Section 5, a business practice has to meet three criteria – it must:

  1. Cause significant consumer harm,
  2. Not be reasonably avoidable by consumers, and
  3. Not be offset by countervailing benefits to consumers.

If breaking encryption exposes consumers to significant security vulnerabilities, regulators will likely have a very strong case for an unfairness violation.

On causing significant harm, this seems fairly straightforward in Lenovo’s case: its partner Superfish configured its software to intercept all SSL requests — using the same decryption key across all devices. This key was easily reverse engineered soon after the story broke, meaning that any malicious attacker could use this key to intercept any encrypted communication. That’s a huge security vulnerability, and at least as concerning as several other vulnerabilities that the FTC has previously alleged to have harmed consumers. Gogo’s SSL interception also raised security concerns — it arguably inures users to security warnings and exposes them to attackers posing as Gogo’s network — but the risk is probably not as great as in the Lenovo case. The FTC has brought actions against device manufacturers in the past for weakening security; in its case against phone manufacturer HTC, the FTC alleged that badly designed software that let app developers piggyback on HTC’s access to certain phone functionality without user permission was an unfair business practice.

On the second part of the unfairness test, it’s hard to argue how these practices are avoidable by ordinary consumers. They may have clicked though legalistic agreements, but as far as we can tell, none of these documents made any disclosure about these sorts of tactics — or the vulnerabilities to which they exposed consumers. Certainly, neither Gogo nor Lenovo presented information outside of a legal document where consumers were likely to notice. As a result, consumers weren’t provided with actionable information that they could have used to avoid these problems.

Finally, it’s hard to see that the security vulnerabilities introduced by SSL-interception were outweighed by any benefits to the practice. Gogo used this tactic to block bandwidth-heavy video applications on planes with limited internet access — a worthy goal, but one better accomplished through less destructive means. Lenovo allowed its partner to break encryption in order to view private communications for targeted advertising.  It is doubtful that many consumers would find this trade-off beneficial, even if it lowered prices significantly; in any event, Lenovo claims that they didn’t make much money from its deal with Superfish, and the pre-installed adware was simply designed to improve the user experience. Since exposure of these practices, both companies have backtracked and ended use of the encryption-breaking technologies.

But there's a much bigger question: will the FTC actually bother? The fact that Lenovo reacted pretty quickly to this mess probably suggests that the FTC may not bother. Yes, Lenovo's initial reaction wasn't great, but it did change its tune within less than 48 hours, and has been pretty vocal and active in apologizing and fixing things since then. That may be enough reason for the FTC to think it's not necessary to go after the company. Of course, it may feel differently about Superfish itself -- since that company still denies there's any problem and basically refuses to admit its role in this whole mess. It's still standing by its bogus statement that it did nothing wrong and claiming that Lenovo will clear things up -- even as Lenovo has clearly said otherwise.

26 Comments | Leave a Comment..

Posted on Techdirt - 26 February 2015 @ 12:33pm

532,900,000 Reasons Why We Need Patent Reform Now

from the what-a-joke dept

Over the last year, there's been plenty of good news in the fight against the abuse of patents to stifle innovation. A bunch of court rulings have gone the right way, with the biggest being the Supreme Court's ruling in the Alice v. CLS Bank case, that has resulted in many courts invalidating patents, the US Patent Office suddenly rejecting more patents and a rapid decline in patent lawsuits.

Based on that, you might think that we no longer need patent reform. But you'd be wrong. Patent trolls are regrouping and fighting back. Despite the big drop in patent lawsuits following the Alice ruling, patent trolls have come up with some new ideas, and have recently ramped up the filing of new trolling lawsuits at a rapid pace. And there have even been a few victories. While the dollar amounts were relatively low (especially compared to what was asked for), a troll who claimed to have a patent over Bluetooth 2.0 (despite "inventing" it years after Bluetooth 2.0 was on the market) was awarded $15.7 million, and the world's biggest patent troll, Intellectual Ventures actually won a case against Symantec (but got "only" $17 million).

But, earlier this week, there was the big one. A pure patent troll, Smartflash, with a collection of vague and broad patents (US 7,334,720, US 8,118,221 and 8,336,772 -- all for "data storage and access systems") has been awarded $532,900,000 from Apple, despite everyone happily admitting that Apple came up with the idea on its own. Here's the East Texas (of course) court jury form:

And, yes, Apple could probably pay that off with the spare change falling off the edge of Tim Cook's desk, but that's not really the point. Rulings like this don't seem to create any value towards actual innovation. Smartflash once had a product, but it failed in the marketplace over a decade ago. Apple built a product that people actually wanted. Shouldn't we be rewarding the people who actually make the things people want, rather than subsidizing failure by the successful?

Smartflash's lawyer told Ars Technica's Joe Mullin that this ruling is actually a "great example of why the patent system exists." Actually, it's a great example of how screwed up the patent system is. The lawyer also spewed this load of bullshit:
The thing about a patent is—let's say you have a university professor who spent two years researching something. It's irrelevant the effort that [an infringing company] spent to build it. It's the person who came up with it first. That's the way the Constitution, and the patent laws, are written. It's designed to cause people to spend money and time innovating. The patent office publishes it, so that advances the state of the art. In exchange for that, you get a property right.
That's also not how the Constitution is written, though it is (unfortunately) how patent laws are written. But that's not a way to get people to spend "money and time innovating" because the actual innovators here -- Apple -- had to pay out to the guy who failed in innovating. Being "first" isn't innovating. Building the product someone wants is.

Either way, Apple will appeal this ruling (and those other rulings are likely to be appealed as well). And in the last few months, CAFC has actually been shown to have gotten the message about problems with its previous interpretation of patent law. But, in the meantime, we still need serious patent reform.

22 Comments | Leave a Comment..

Posted on Techdirt - 25 February 2015 @ 1:34pm

Gemalto: Ok, Yes, We Were Hacked, And Yes Some SIM Cards May Be Compromised, But Not Because Of Us

from the damage-control dept

Last week, The Intercept revealed how the NSA and GCHQ had hacked into the major supplier of SIM cards to swipe encryption keys for tons of mobile phones. Earlier this week, we noted that Gemalto appeared to be taking the Lenovo approach to insisting that no one was put at risk. Today the company presented the "findings" of its internal analysis of what happened, admitting that there were sophisticated hack attacks, but insisting that those attacks could not have reached the goldmine source of encryption keys. First, the admission of the hack:

In June 2010, we noticed suspicious activity in one of our French sites where a third party was trying to spy on the office network. By office network we mean the one used by employees to communicate with each other and the outside world. Action was immediately taken to counter the threat.

In July 2010, a second incident was identified by our Security Team. This involved fake emails sent to one of our mobile operator customers spoofing legitimate Gemalto email addresses. The fake emails contained an attachment that could download malicious code. We immediately informed the customer and also notified the relevant authorities both of the incident itself and the type of malware used.

During the same period, we also detected several attempts to access the PCs of Gemalto employees who had regular contact with customers.

At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation.
And then the "but don't worry about it" part:
These intrusions only affected the outer parts of our networks – our office networks - which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.

While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.
The report also notes that it appears that someone (again, probably NSA/GCHQ) also targeted communications between Gemalto and its carrier partners using highly targeted spearphishing attacks -- but that the company sought to block those and has long used a "highly secure exchange process" to protect such transmissions.

The company also says that some of the operators listed in the leaked documents are ones that Gemalto has never worked with anyway, so if NSA/GCHQ got access to their keys, it wasn't via Gemalto. It further notes that even where the NSA/GCHQ may have gotten access to keys (via other means) it may have only been of limited use, while also noting that the encryption that was targeted was already pretty weak:
In 2010-2011 most operators in the targeted countries were still using 2G networks. The security level of this second generation technology was initially developed in the 1980s and was already considered weak and outdated by 2010. If the 2G SIM card encryption keys were to be intercepted by the intelligence services, it would be technically possible for them to spy on communications when the SIM card was in use in a mobile phone. This is a known weakness of the old 2G technology and for many years we have recommended that operators deploy extra security mechanisms. However, even if the encryption keys were intercepted by the Intelligence services they would have been of limited use. This is because most 2G SIMs in service at that time in these countries were prepaid cards which have a very short life cycle, typically between 3 and 6 months.

This known weakness in the original 2G standards was removed with the introduction of proprietary algorithms, which are still used as an extra level of security by major network operators. The security level was further increased with the arrival of 3G and 4G technologies which have additional encryption. If someone intercepted the encryption keys used in 3G or 4G SIMs they would not be able to connect to the networks and consequently would be unable to spy on communications. Therefore, 3G and 4G cards could not be affected by the described attack. However, though backward compatible with 2G, these newer products are not used everywhere around the world as they are a bit more expensive and sometimes operators base their purchasing decision on price alone.
While I will admit to being pretty skeptical based on Gemalto's initial comments, its explanation here is somewhat more reasonable. While some may question if Gemalto really was able to figure out what the NSA/GCHQ got access to, it does not appear that the company is merely brushing this off as a non-story. However, if the company was really hacked back in 2010/2011 -- one can reasonably question how much the company can actually determine what really happened.

Update: Many of Gemalto's claims are now coming under scrutiny, with some suggesting that the company's "research" into things misses the point, and the details...

19 Comments | Leave a Comment..

More posts from Mike Masnick >>