Mike Masnick’s Techdirt Profile


About Mike Masnick

Techdirt Insider

Mike is the founder and CEO of Floor64 and editor of the Techdirt blog.

He can be found on Twitter at http://www.twitter.com/mmasnick

Posted on Techdirt - 3 March 2015 @ 10:24am

There Is No Way That Hillary Clinton Didn't Know She Was Supposed To Use A Government Email Account

from the this-makes-no-sense dept

As you may have heard, the latest political "scandal" involving a major Presidential contender comes via the NY Times reporting that when Hillary Clinton was Secretary of State, she refused to have a government email address, and conducted all her work via a personal email account.

Hillary Rodham Clinton exclusively used a personal email account to conduct government business as secretary of state, State Department officials said, and may have violated federal requirements that officials’ correspondence be retained as part of the agency’s record.

Mrs. Clinton did not have a government email address during her four-year tenure at the State Department. Her aides took no actions to have her personal emails preserved on department servers at the time, as required by the Federal Records Act.

This is dumb on many, many levels and there appears to be no excuse for it happening. First off, using a personal email as Secretary of State seems like a massive privacy and security risk. While one hopes that there was at least some attempt to better secure her personal account by government security experts, it's still almost certainly less secure. Given how much sensitive information the Secretary of State has to deal with, it seems inexcusable that she was allowed to conduct official business via her personal account. That to me seems like an even bigger deal than the part that everyone else is focused on: the failure to preserve her emails as required by law.

Of course, the failure to preserve the emails is a big deal as well. But here's the really stunning thing: there is simply no way that Clinton and others in the administration didn't know that she was supposed to be using a government email address and preserving those emails. That's because both the previous administration and others in her own administration got in trouble for using personal email addresses. As Vox notes, towards the end of the Bush administration there was a similar scandal involving a variety of high level administration members using personal email to conduct government business and to avoid transparency requirements.

That scandal unfolded well into the final year of Bush's presidency, then overlapped with another email secrecy scandal, over official emails that got improperly logged and then deleted, which itself dragged well into Obama's first year in office. There is simply no way that, when Clinton decided to use her personal email address as Secretary of State, she was unaware of the national scandal that Bush officials had created by doing the same.

That she decided to use her personal address anyway showed a stunning disregard for governmental transparency requirements. Indeed, Clinton did not even bother with the empty gesture of using her official address for more formal business, as Bush officials did.

But that's not all. What the Vox report doesn't note is that the scandal actually carried over to the Obama administration also, as the White House's first Deputy CTO was reprimanded for using his personal email address as well, early in 2010. So there was both a scandal about the similar use of private email accounts in the previous administration and in the Obama administration. It's impossible to believe that Clinton or the other key people who worked for her in the State Department were unaware of one or both of these issues while she was using her personal email address.

While the White House's email system may be clunky and annoying to use (as I've heard repeatedly), there's simply no excuse for Clinton not to have used it at all -- and for the emails she did send not to be preserved as required under the law. A few years ago, we mocked Homeland Security boss Janet Napolitano for refusing to use email entirely -- though at least she was upfront about the reason. She didn't want to be held accountable for what she said -- though, the reality was she would still have staff members send emails for her. Clinton appears to have wanted to be free of that accountability as well, but to still have the benefits of direct electronic communication herself. In short, she purposely ignored the law for her own benefit.

Posted on Techdirt - 3 March 2015 @ 8:07am

Australian Secretary Of Defense Not Concerned About Phone Hack; Doesn't Think People Want To Spy On His Phone

from the oh-really-now? dept

If you were the Secretary of Defense of a large country, you might think you'd be slightly concerned that foreign agents would want to spy on you. Not so down in Australia apparently, where the current Secretary of Defense insists that he'd be "surprised" if anyone wanted to find out what was on his phone. Seriously.

We've written about the recent story, revealed in documents leaked by Ed Snowden, that the NSA and GCHQ were able to hack into the systems of Gemalto, the world's largest maker of SIM cards for mobile phones, and obtain the encryption keys used in those cards. While Gemalto insists that the hack didn't actually get those encryption keys, not everyone feels so comfortable with Gemalto's own analysis of what happened.

Senator Scott Ludlam (who we've written about a few times before) reasonably found the story of the Gemalto hack to be concerning, and went about asking some questions of the government to find out what they knew about it. The results are rather astounding. First he had asked ASIO, the Australian Security Intelligence Organization, and they said it wasn't their area, but it might be ASD (the Australian Signals Directorate). The video below shows Ludlam asking the ASD folks for more information about the hack and being flabbergasted that they basically say they haven't even heard about the hack at all:

Right at the beginning, the first person says he's not aware of the situation, and Ludlam asks "are you aware of the broad outlines?" and gets a "no I am not" response, leading to a rather dry "Really?!? Okay, this is going to be interesting" reply from Ludlam. It goes on in this nature for a while, with the various people on the panel playing dumb, and Ludlam repeatedly (and rightly) appearing shocked that they appear to have no idea about the story.

But the really incredible part comes in the last minute of the video, in which Ludlam asks the Australian Secretary of Defense, Dennis Richardson, about his own concerns about his phone being spied on:

Ludlam: Do you use an encrypted phone, Mr. Richardson?

Richardson: No, I don't.

Ludlam: Right. Okay. Do you use a commercial -- I'm not asking you to name names -- but do you use a commercial telecommunications provider?

Richardson: Yeah, yeah, yes.

Ludlam: So there might be a SIM card in your phone or mine. Does this alarm you at all?

Richardson: No.

Ludlam: No?

Richardson: No.

Ludlam: Why is that?

Richardson: Well, because I don't particularly deal with people who... if anyone wants to listen to my telephone calls they can. I'd be surprised if they do, but I don't particularly have conversations which I'm particularly worried about.

[Laughter all around the room]

Ludlam: So it's okay if foreign spooks have hacked every mobile handset in the country because you don't have anything in particular...

Richardson: It's possible some might try to.

Ludlam: It's possible some just have.

Richardson: [shrugs] Well, it's possible.

So there you have it, folks. The Australian Secretary of Defense says that anyone is allowed to listen in to his calls, because there's nothing secret about any of them. I'm not quite familiar with public records/freedom of information laws in Australia, but is it possible for someone to put in a request for recording all of the Secretary of Defense's phone calls?

Posted on Techdirt - 2 March 2015 @ 1:24pm

Should The Punishment For Falsely Accusing People Of A Crime Match The Punishment For The Crime Itself?

from the false-accusations-everywhere dept

Two very different stories, but both with some startling parallels.

First, Radley Balko's story about how police and attorneys in Louisiana apparently flat out lied to claim that a process server "assaulted" a police officer he was serving (in a police brutality case, no less). There are lots of details there, but suffice it to say, the process server, Douglas Dendinger, did not assault Chad Cassard at all -- even though he was soon arrested for it, and Cassard managed to present seven witnesses (including police officers and two prosecutors who witnessed Dendinger serving the papers on Cassard). Dendinger went through two years of hell because of this, before the case was dropped when cell phone videos made by Dendinger's wife and nephew showed that there was no assault at all. Police and prosecutors lying to protect one of their own? Sure, it happens. But now that it's been exposed, Balko has an important question:

Why aren’t the seven witnesses to Dendinger’s nonexistent assault on Cassard already facing felony charges? Why are all but one of the cops who filed false reports still wearing badges and collecting paychecks? Why aren’t the attorneys who filed false reports facing disbarment? Dendinger’s prosecutors both filed false reports, then prosecuted Dendinger based on the reports they knew were false. They should be looking for new careers — after they get out of jail.

If a group of regular citizens had pulled this on someone, they’d all likely be facing criminal conspiracy charges on top of the perjury and other charges. So why aren’t these cops and prosecutors?

I could be wrong, but my guess is that they’ll all be let off due to “professional courtesy” or some sort of exercise of prosecutorial discretion. And so the people who ought to be held to a higher standard than the rest of us will once again be held to a lower one.

Second, we have last week's story about Total Wipes sending an automated takedown notice to Google demanding tons of perfectly legitimate, non-infringing web pages be taken out of Google's index for infringement. Total Wipes blamed it on a "bug" in its program, which would be more convincing if it hadn't happened before.

This second story has Rick Falkvinge, quite reasonably, wondering why the penalties for false takedowns aren't equivalent to the penalties for infringement, saying that this is the way it works in other parts of the law:

The thing is, this should not even be contentious. This is how we deal with this kind of criminal act in every – every – other aspect of society. If you lie as part of commercial operations and hurt somebody else’s rights or business, you are a criminal. If you do so repeatedly or for commercial gain, direct or indirect, you’re having your ill-gotten gains seized. This isn’t rocket science. This is standard bloody operating procedure.

The copyright industry goes ballistic at this proposal, of course, and try to portray themselves as rightsless victims – when the reality is that they have been victimizing everybody else after making the entire planet rightsless before their intellectual deforestation.

The irony is that at the same time as the copyright industry opposes such penalties vehemently, arguing that they can make “innocent mistakes” in sending out nastygrams, threats, and lawsuits to single mothers, they are also arguing that the situation with distribution monopolies is always crystal clear and unmistakable to everybody else who deserve nothing but the worst. They can’t have it both ways here.

Of course, his claim that this is true in "every" other area is proven somewhat false by the first story above. But the underlying factors in both cases are nearly identical, and it actually goes back to a previous concept that Falkvinge has written about: the "high court" and the "low court." The "nobility" gets a special court when they break the law, with limited consequences. The lowly commoners have to go to the "low court" where the consequences are quite severe. Falkvinge's original point is that we still seem to have the same thing today, and that's clearly shown in both stories above.

If you're in power, you can lie about things to accuse others of serious things that can have serious consequences for them, and there's no real punishment. Instead, it's brushed off as not being important -- sometimes with expressions of understanding about how "these things can happen." I'm reminded of the phrase that we "judge ourselves according to our intentions, but others based on their actions," and that seems to be partly at work here as well (though I question the "intentions" of the prosecutors who lied above). The lies are written off as minor "mistakes," whereas those accused are given no such benefit of the doubt. It's a big problem in the copyright space, certainly, but it's true in many other areas of society as well.

Posted on Techdirt - 2 March 2015 @ 12:26pm

Court Doesn't Buy Mississippi Attorney General Jim Hood's Argument: Puts His Google Demands On Hold

from the nice-try,-jim dept

Back in December, we noted that Google had gone to court to try to stop a ridiculously broad subpoena issued by Mississippi Attorney General Jim Hood. For quite some time now, Hood has been publicly attacking Google, based on what appears to be near total ignorance of both the law and technology. Oh, and maybe it also has something to do with the MPAA directly funding his investigation and authoring the letters that Hood sent.

Either way, Google pointed out that the broad subpoena that Hood issued to Google clearly violated Section 230 of the CDA in looking to hold Google accountable for others' actions and speech. It pointed out other problems with the order as well -- and while Hood insisted that his subpoena was perfectly reasonable, it appears that a federal court isn't so sure. Today the court told Hood that it's granting a temporary injunction on the subpoena, noting that Google's argument is "stronger."

This certainly is nowhere close to over, but it does highlight that Hood's repeated arguments that he has every right to hold Google accountable for the fact that sometimes people use the search engine to find illegal stuff aren't particularly convincing to at least one federal judge.

Posted on Techdirt - 2 March 2015 @ 5:54am

Late Friday, White House Announces That FISA Court Has Rubberstamped NSA Phone Record Collection, While Insisting It Wants Reform

from the uh-huh dept

As per its usual method of releasing news it would rather not talk about, on Friday evening the White House released the news that it had, once again, gotten a rubberstamp approval from the FISA Court for the NSA to collect in bulk basically all your phone records. As you probably know, this is just the latest in a long series of reapprovals by the FISA Court, which needs to reauthorize the program for limited periods of time each time the previous rubber stamp "expires." What hasn't made much sense in all of this is that President Obama announced a year ago that he wanted to end the bulk collection program, and as many people pointed out, there was an easy way to do so: just don't ask the FISA Court to renew the authority. But, rather than do that, the administration just keeps on asking (and getting) approval.

The excuse given in the released statement is that the White House wants Congress to force its hand to stop asking:

As the White House said [link to WH statement], the Administration welcomes the opportunity to work with the new Congress to implement the changes the President has called for. Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the telephony metadata program, the government has sought a reauthorization of the existing program, as modified by the changes the President directed in January.

And, yes, the official announcement says "[link to WH statement]" -- because, hey, they're posting on Friday evening and might as well start the drinking early or something. It's not like this stuff matters. The rest of that claim is similarly misleading. The metadata program has not been shown to be important in any way. In fact, basically everyone who has looked at it from outside the intelligence community, including two separate government review bodies, has admitted that there aren't any examples of the program actually being useful. So, it's hard to see what's so "important" about it.

But, really, this is all ridiculous. This is the same White House that is getting criticized all over the place for a variety of moves to take "executive action" where Congress is deadlocked. And, yet, here's a situation where literally the White House has all the power in the world to stop the program it claims it wants stopped -- and it says it needs Congress to act? That's not even close to believable.

The one "noteworthy" aspect to this latest rubberstamping is the end date. The newly approved authority runs until June 1, 2015, which is the date at which Section 215 of the PATRIOT Act sunsets and would no longer be law. This program exists under Section 215, so the government can't continue to collect those phone records after June 1, unless something happens. That "something" is the renewal of Section 215, and you better believe that the next few months are going to be a full on fight by the intelligence community and its supporters to spread as much fear as possible about why this program absolutely must be renewed. As you hear the scare stories, just remember that despite using this program for almost a decade there still isn't a single example of it being useful.

Posted on Techdirt - 28 February 2015 @ 9:00am

Not So Awesome Stuff: Your Worst Crowdfunding Project?

from the looking-at-the-other-side dept

Let me start this post off by noting that I'm a huge fan of crowdfunding and think that it's an amazing force for all sorts of good things in art, culture and innovation. That's part of the reason why we do a weekly awesome stuff post highlighting interesting (and sometimes awesome) crowdfunding projects. But, it should be noted that crowdfunding projects don't always turn out great. There are plenty of horror stories to go around -- some involving what appear to be outright fraud, certainly -- mostly just because project creators are way overly optimistic on their ability to achieve their goals. I've backed a few dozen projects, and I can only think of a handful that were delivered on time. To be honest, this doesn't bother me so much. What's much worse is that as projects go bad, the project creators tend to disappear, not updating people with the bad news, leading people to get angrier and angrier.

Kickstarter, for one, has long tried to make it clear that it is "not a store," but rather that you're backing a project, and there's risk associated with that -- including the risk that a project may fail. However, it's still disappointing to back a project and have it be totally disappointing. So, this week, I thought I'd ask people about the most disappointing crowdfunded projects they've seen or backed. And I'll reveal mine. Back in the summer of 2013, on one of our awesome stuffs I wrote about the HOT Watch, a new smart watch that had some interesting features, including the ability to hold your hand up to your ear and use your hand like a phone. The video for the project was super cheesy/infomercially, which scared me off, but I'd become somewhat fascinated with the possibilities for smartwatches, and at the last minute bought into it. The backers of the project swore up and down, left, right and center, that the project would ship in time for Christmas in 2013. Right up until basically the end of the year the company insisted it would be shipping. It's now February of 2015 and I still don't have mine. Because I just don't care any more, I've asked them for a refund and they haven't replied, which is pretty much what I expected. Some people appear to have received theirs -- but I haven't and it's now 15 months late, and the market for smartwatches has moved way past the HOT Watch.

Lesson learned: crowdfunder beware.

Another, similar project, which (thankfully) I did not back is the Lima, which was a little device that was supposed to enable you to very easily set up your own personal cloud with USB devices at home. That presentation was super slick, and I was tempted to back it, but the pricing seemed a little steep, and I'm glad I didn't because while it also promised delivery by December 2013, at last check, it also has not delivered at all, and there are tons of people demanding refunds. I had mentioned the Lima in another awesome stuff post, and the company reached out to me saying the team wanted to send me a postcard (?!?!) as a thank you. I told the person not to bother, but the company still found our office address and sent it anyway. It seems like, rather than sending out post cards to people who don't want them, they could have put time into working on the product.

Anyway, this isn't to knock crowdfunding, or even these two projects in particular. It's just to note that there are risks associated with crowdfunding, and certain projects turn out to be flops, so you need to be aware. In the meantime, would love to hear about crowdfunding flops that you have backed (or luckily avoided...).

Posted on Techdirt - 27 February 2015 @ 7:39pm

US Court Rules That Kim Dotcom Is A 'Fugitive' And Thus DOJ Can Take His Money

from the um. dept

In the long, convoluted and complex legal battles facing Megaupload founder Kim Dotcom, there was some bizarre stuff that happened late last year. As you may recall, early on, the US government seized basically all of his stuff and money. Dotcom has made efforts to get some of it returned, as it's tough to fight the most powerful government in the world when it's holding onto all of your money. Keep in mind from our previous discussions on asset seizure and forfeiture, the government can basically seize whatever it wants, just by claiming it was somehow related to a crime, but the seizure is only a temporary process. If the government wants to keep it, it then needs to go through a separate process known as civil asset forfeiture, which is effectively the government suing the assets. Back in July, the US government moved to forfeit everything it had seized from Dotcom in a new lawsuit with the catchy name USA v. All Assets Listed In Attachment A, And All Interest, Benefits, And Assets Traceable Thereto. As you may have guessed, Attachment A [pdf] is basically all of Kim Dotcom's money and possessions.

Back in November, the DOJ argued that it should get to keep all of Kim Dotcom's money and stuff because he's a "fugitive", which is a bizarre and ridiculous way to portray Kim Dotcom, who has been going through a long and protracted legal process over his potential extradition from New Zealand (though he's offered to come to the US willingly if the government lets him mount a real defense by releasing his money). Dotcom's lawyers told the court that it's ridiculous to call him a fugitive, but it appears that Judge Liam O'Grady didn't buy it.

In a ruling [pdf] that was just posted a little while ago, O'Grady sided with the government, and gave the DOJ all of Dotcom's things. You can read the full reasoning here and it seems to take on some troubling logic. Dotcom's lawyers pointed out, as many of us have, that there is no secondary copyright infringement under criminal law, but the judge insists that there's enough to show "conspiracy to commit copyright infringement." But the reasoning here is bizarre. Part of it is the fact that Megaupload did remove links to infringing content from its top 100 downloads list. To me, that seems like evidence of the company being a good actor in the space, and not trying to serve up more infringing downloads. To Judge O'Grady and the DOJ, it's somehow evidence of a conspiracy. No joke.

The government has alleged that the conspirators knew that these files were infringing copyrights, as evidenced by their exclusion of infringing files from the "Top 100" list. The "Top 100" list purported to list the most frequently downloaded files on Megaupload.... According to the government, an accurate list would have consisted almost entirely of infringing content, so the claimants "carefully curated" the list to make the site look more legitimate.... Additionally, the claimants regularly told copyright holders, including many U.S.-based organizations, that they would remove infringing content, when in actuality they only removed particular links to the files.... The actual infringing files remained on the Mega-controlled servers and could be accessed from other links.

As for that latter part, there are tons of perfectly legitimate reasons to only remove the links and not the underlying files. If Megaupload was doing deduping, then some version of the same file could be perfectly legitimate. Let's take an example: say that you and I have an MP3 of a Katy Perry song. I upload it to Megaupload to keep as a backup. You upload it to distribute to the world. Megaupload dedupes it, and just has the file stored one time. Your link could be potentially infringing if you distribute unauthorized copies, whereas my copy may be a legitimate personal backup. Given that, Megaupload should only delete the links that are called out as infringing, rather than the underlying files, which -- depending on their use -- may or may not be infringing. But the court just takes the DOJ's version and says "good enough for me."

The court also has no problem with the fact that most of the assets aren't in the US, noting that since some of the "conspiracy" took place in the US, that's good enough. It more or less brushes off the concerns raised by Dotcom and the other defendants that this appears to violate existing treaties between New Zealand and the US -- basically saying that because Dotcom refuses to come to the US, it's not "punitive." Huh? On top of that, the judge says that taking all of Dotcom's assets shouldn't interfere with the legal process in New Zealand, because the New Zealand courts could (yeah right) reject the DOJ's request after this ruling to hand over Dotcom's assets.

Then we get to the whole "fugitive" bit. Judge O'Grady notes that the statute does allow him to call anyone who "declines to enter" the United States a fugitive, and argues that Dotcom fits that description. Furthermore, he actually argues that Dotcom's offer to the DOJ to come willingly to the US if the money is freed for his defense actually works against Dotcom, and gives weight to the fugitive claim:

As demonstrated, Dotcom need not have previously visited the United States in order to meet the prerequisites of § 2466. The statute is satisfied where the government shows that the claimant is on notice of the criminal charges against him and refuses to "enter or reenter" the country with the intent to avoid criminal prosecution. Because the court assesses intent under the totality of the circumstances, it is certainly relevant that Dotcom has never been to the United States and that he has lived in New Zealand since 2011, where he resides with his family. This tends to show that he has other reasons for remaining in New Zealand besides avoiding criminal prosecution. However, the existence of other motivations does not preclude a finding that he also has a specific intent to avoid criminal prosecution. Dotcom's statements, made publicly and conveyed by his attorneys to the government, indicate that he is only willing to face prosecution in this country on his own terms. See Technodyne, 753 F.3d at 386 (2d Cir. 2014) ("The district court was easily entitled to view those [requests for bail], evincing the [claimants'] desire to face prosecution only on their own terms, as a hallmark indicator that at least one reason the [claimants] declined to return in the absence of an opportunity for bail was to avoid prosecution"). Dotcom has indicated through his statements that he wishes to defend against the government's criminal charges and litigate his rights in the forfeiture action. If it is truly his intent to do so, then he may submit to the jurisdiction of the United States.

In short, damned if you do, damned if you don't. This is the justice system, ladies and gentlemen. The DOJ gets to seize and keep all your money, and merely asking for access to it to fight to show your innocence is used as a reason to allow the DOJ to keep it. So he comes to the US and has to fight criminal charges without his own money, or he stays in New Zealand and the government uses it as an excuse to keep all the money. How is any of this even remotely fair? Where is the "due process" in totally handicapping Dotcom from presenting a defense?

Again, it is entirely possible that Dotcom and the others broke the law -- though the case certainly does look pretty weak to me. But what's really astounding is how far the DOJ appears to want to go to make it absolutely impossible for Dotcom to present a full defense of his case.

Posted on Techdirt - 27 February 2015 @ 6:23pm

White House Releases Draft 'Privacy' Bill That's Not Very Good

from the let's-try-again,-shall-we dept

It's been talked about for a while, but on Friday, the White House released a draft of what it's calling a "Consumer Privacy Bill of Rights." Conceptually, that sounds like a decent idea, but in practice? Not so much. Yes, it's just a draft, but it's got a lot of vague hand-waving, and basically no one seems all that thrilled about it, either from the privacy advocate side or the tech company side. Also, it doesn't even address the biggest privacy concern of all: government surveillance and snooping.

Privacy is, of course, one of those things that can be rather tricky to regulate, for a variety of reasons. Many attempts turn out badly, and don't really do much to actually protect privacy -- while sometimes blocking legitimate and useful innovations. While we're big supporters of protecting one's privacy we're at least somewhat concerned about legislation that appears to be pretty sloppy, and not all that well defined or thought out. This feels like a "we needed to do something, so here's something" kind of draft bill, rather than a "here's a legitimate problem, and here's how to fix it." It feels like a lost opportunity.

Posted on Techdirt - 27 February 2015 @ 1:37pm

Paypal Cuts Off Mega Because It Actually Keeps Your Files Secret

from the doesn't-paypal-like-encryption? dept

There are way too many stories of Paypal unfairly and ridiculously cutting off services that rely on it as a payment mechanism, but here's yet another one. Mega, the cloud storage provider that is perhaps well-known for being Kim Dotcom's "comeback" act after the US government shut down Megaupload, has had its Paypal account cut off. The company claims that Paypal was pressured by Visa and Mastercard to cut it off:

Visa and MasterCard then pressured PayPal to cease providing payment services to MEGA.

MEGA provided extensive statistics and other evidence showing that MEGA's business is legitimate and legally compliant. After discussions that appeared to satisfy PayPal’s queries, MEGA authorised PayPal to share that material with Visa and MasterCard. Eventually PayPal made a non-negotiable decision to immediately terminate services to MEGA. PayPal has apologised for this situation and confirmed that MEGA management are upstanding and acting in good faith. PayPal acknowledged that the business is legitimate, but advised that a key concern was that MEGA has a unique model with its end-to-end encryption which leads to “unknowability of what is on the platform”.

MEGA has demonstrated that it is as compliant with its legal obligations as USA cloud storage services operated by Google, Microsoft, Apple, Dropbox, Box, Spideroak etc, but PayPal has advised that MEGA's "unique encryption model" presents an insurmountable difficulty.

That last line is particularly bizarre, given that if anyone recognizes the value of encryption it should be a freaking payments company. And, of course, Paypal can't know what's stored on any of those other platforms, so why is it being pressured to cut off Mega?

Mega's theory -- which is mostly reasonable -- is that because Mega was mistakenly listed in a report released by the "Digital Citizens Alliance" that insisted Mega was a rogue cyberlocker storing infringing content, payment companies were told to cut it off. If true, this is problematic on multiple levels. The methodology of the report was absolutely ridiculous. Because most Mega files are stored privately (like any Dropbox or Box or Google Drive account), the researchers at NetNames have no idea what's actually being stored there or if it's being done perfectly legitimately. Instead, they found a few links to infringing works, and then extrapolated. That's just bad research practice.

Furthermore, the Digital Citizens Alliance is hardly an unbiased third party. It's an MPAA front group that was the key force in the MPAA's (now revealed) secret plan to have state attorneys general attack Google. Think the MPAA has reasons to try to go after any potential revenue source for Kim Dotcom? Remember, taking down Megaupload and winning in court against Dotcom was a key focus of the company since 2010 or so, and Dotcom recently noted that he's out of money and pleading with the court to release some of the funds seized by the government to continue to fight his case. The lawyers who represented him all along quit late last year when he ran out of money. It seems like the MPAA might have ulterior motives in naming Mega to that list, don't you think?

And, this all goes back to this dangerous effort by the White House a few years ago to set up these "voluntary agreements" in which payment companies would agree to cut off service to sites that the entertainment industry declared "bad." There's no due process. There's no adjudication. There's just one industry getting to declare websites it doesn't like as "bad" and all payment companies refusing to serve it. This seems like a pretty big problem.


Posted on Techdirt - 27 February 2015 @ 12:39pm

Have You Been Debating What Color Some Random Dress Is All Day? Thank Fair Use

from the and-we-look-forward-to-the-eventual-copyright-fight dept

Yesterday evening I saw a tweet zip by in which some very smart people I know and respect appeared to be arguing about the color of a dress. It seemed like a weird thing, so I went and looked and saw what appeared to be a white and gold dress. No big deal. But, other people insisted that it was blue and black. Vehemently. At first I thought it was a joke. Or an optical illusion. Or maybe it depended on your monitor. But I called over a colleague here in the office, and she swore that it was blue and black. And I was 100% sure that it was white and gold. If you somehow live under a rock, here's the image:

We now know the "truth" (sort of) -- which is that the dress itself really is blue and black, but thanks to the lighting and some odd visual tricks it appears white and gold to a large part of the population. For what it's worth, many people report that after a period of time it switches, and that's true for me too. Late last night I took one last look (after everyone else in my family swore that it was blue and black) and I saw it blue and black. Amusingly, at almost exactly the same time, my wife suddenly saw it as white and gold. My mother-in-law suggested we both need to seek mental help. There are fights like this going on all over the internet, with lots of people trying to decipher why this image seems to work this way. So why are we writing about it here? Because it's Fair Use Week, and what a great fair use story.

This image isn't just being shown everywhere, it's being modified, flipped, adjusted, poked and prodded as people discuss it in all sorts of ways (comment and criticism). And it's all fair use. Take, for example, our own Leigh Beadon, who put forth on Twitter a theory about why different people see it in different ways:

In our internal chat, he was also submitting additional images as he played with the image. Take, for example, this one, where he played with the brightness levels:

And tons of others have weighed in as well. Even software maker Adobe got into the discussion:

And someone else posted a helpful video modifying it:

Vice has an amazing story in which they present the image to a color vision expert who is so stumped he admits he may give up trying to cure blindness to devote the rest of his life to understanding the dress. The folks over at Vox both insist that the color changing can't be explained and that it can be (journalism!). The folks at Deadspin say you're all wrong and the dress is actually blue and brown. Almost all of these are using not just versions of the image, but modified ones as well, to try to demonstrate what they're talking about.

And there's been no talk about copyright. Because we don't need to be discussing copyright, because this is all fair use. Last night, some were pointing out that this was such an "internet" story that it's great that it came out on the same day the FCC voted for net neutrality, but I say it's an even better way to close out fair use week, with a great demonstration of why fair use matters.


Posted on Techdirt - 27 February 2015 @ 11:41am

Google Suddenly Realizes That Maybe It Doesn't Need To Ban Adult Content On Blogger

from the oh-look,-we-have-policies dept

Earlier this week, we wrote about a really dumb move by Google to effectively kick out all of the bloggers who use its blogger platform to post "adult" content -- either text or images. Google gave such bloggers just 30 days to find a new home before it would make all their blogs private. It insisted that, going forward, the content police at Google would determine what photographs were "artistic" and allowed, and which were "dirty" and not allowed. As we noted, this move seemed particularly tone deaf and problematic, and could lead to other problems for Google. And a lot of other people agreed.

And... just like that, Google appears to have reversed course. Over in its product forums, someone from the Blogger Team announced that they had realized they already had policies they could enforce and didn't need to implement these new rules:

This week, we announced a change to Blogger’s porn policy. We’ve had a ton of feedback, in particular about the introduction of a retroactive change (some people have had accounts for 10+ years), but also about the negative impact on individuals who post sexually explicit content to express their identities. So rather than implement this change, we’ve decided to step up enforcement around our existing policy prohibiting commercial porn.

Blog owners should continue to mark any blogs containing sexually explicit content as “adult” so that they can be placed behind an “adult content” warning page.

Bloggers whose content is consistent with this and other policies do not need to make any changes to their blogs.

Thank you for your continued feedback.

So, kudos to Google for at least hearing the feedback and rolling back the change -- though it's still unfortunate that it even had to come to that in the first place. It seems likely that many of those bloggers may go looking for alternate hosting anyway.


Posted on Net Neutrality Special Edition - 27 February 2015 @ 10:34am

Wall Street Journal Upset That Wall Street Isn't Upset About Net Neutrality

from the isn't-the-market-always-right? dept

A few weeks ago, after it was more or less confirmed that the FCC was going forward with full Title II reclassification of broadband, we noted that the stocks of the big broadband companies actually went up, suggesting that Wall Street actually knows that reclassification won't really impact broadband companies, despite what they've been saying publicly. Perhaps this is partly because those same companies have been telling Wall Street that the rule change won't have an impact.

However, for the Wall Street Journal -- which has become weirdly, obsessively, anti-net neutrality -- this is an abomination. The newspaper has spent months trying to whip everyone into a frenzy about how evil net neutrality is, using some of the most blatantly wrong arguments around. Just a few days ago, the WSJ turned to its former publisher, now columnist, L. Gordon Crovitz to spread as much misinformation as possible. This is the same L. Gordon Crovitz who a few years ago wrote such a ridiculously wrong article on the history of the internet that basically everyone shoved each other aside to detail how he mangled the history. He, bizarrely, insisted that the government had no role in the creation of the internet. Crovitz also has a history of being wrong (and woefully uninformed) about surveillance and encryption. It's difficult to understand why the WSJ allows him to continue writing pieces that are so frequently factually challenged.

In this latest piece, Crovitz suggests that Ted Cruz didn't go far enough in comparing Obamacare to net neutrality, arguing that net neutrality is even "worse."

The permissionless Internet, which allows anyone to introduce a website, app or device without government review, ends this week.

Um, no, actually, the reverse. The rules say that no website or app needs to get permission. The government isn't going to be reviewing anything, other than anti-consumer practices by the large ISPs.

Bureaucrats can review the fairness of Google's search results, Facebook's news feeds and news sites' links to one another and to advertisers. BlackBerry is already lobbying the FCC to force Apple and Netflix to offer apps for BlackBerry’s unpopular phones. Bureaucrats will oversee peering, content-delivery networks and other parts of the interconnected network that enables everything from Netflix and YouTube to security drones and online surgery.

None of this is true. The BlackBerry thing isn't real. It's a stupid political stunt cooked up by the telcos to try to make the new rules look bad. But the rules do not, in any way, apply to Google's search results or Facebook's news feed or any other content online. It covers internet access services, and all it does is put in place some straightforward rules against discrimination.

Still, all this fear mongering isn't working. Following yesterday's decision by the FCC, the folks over at Quartz noticed that the big broadband stocks have actually had a pretty damn good month:

Which brings us back around to the Wall Street Journal. The paper of record for Wall Street, which normally likes to suggest that markets are "right" about everything, is absolutely positive that the markets are wrong about this. And it's furious. It has an article demanding that broadband investors need to "wake up" to what's happening with net neutrality:

Investors actually seemed to breathe a sigh of relief when FCC Chairman Tom Wheeler unveiled his proposal on Feb. 4, sending cable stocks higher. Investors were cheering the chairman’s assurance that the commission wouldn’t invoke the Title II power to regulate prices.

But investors, beware: Broadband’s new status opens the door to the possibility of a future that is far less lucrative and more uncertain for the companies that provide it.

Bullshit. Frankly, things can always change in the future, in either direction, so claiming that things might change is meaningless FUD. At the end of the article, the WSJ pretends that maybe the reason why stocks are up is because investors expect that the broadband players will win an eventual court battle, but that seems like wishful thinking on multiple levels. Let's go with Occam's Razor on this one. The market is up because everyone knows that Title II won't make a huge difference at all for the prospects of broadband companies. Multiple Wall St. analysts have been saying this for months, as have the big broadband companies to the analysts themselves.

The Wall Street Journal should take a page from its own playbook: maybe the markets do know best.


Posted on Techdirt - 27 February 2015 @ 8:09am

Did Lenovo/Superfish Break The Law?

from the certainly-can-make-an-argument-that-way dept

For many years, it's been something of an open question if creating a major security or privacy vulnerability was illegal. For the most part, courts have ruled that without actual proven harm, it's difficult to show real standing for the sake of a civil lawsuit. In practical terms, this has meant that if you just introduce a massive security risk, without it directly being abused (in a way that people know about), a company's liability is fairly limited. Obviously, that could change quickly if there was an actual abuse. Not surprisingly, class action law firms still love to file these kinds of lawsuits after a major privacy/security breach just in case. So it was totally expected to see a class action firm jump in and sue Lenovo over the Superfish malware that we've been discussing for the past few days.

The folks over at CDT, however, have a very good discussion over whether or not enabling such HTTPS hijacking really is illegal. The article compares the Superfish story to the other recent story about in-flight Wi-Fi provider Gogo doing something similar, and explores whether or not these man-in-the-middle attacks run afoul of Section 5 of the FTC Act, which sets out the broad rules under which the FTC "protects consumers." The rules basically say companies cannot do things that are "deceptive" or "unfair," but the definitions of both of those words matter quite a bit.

Here's the exploration of whether this kind of man-in-the-middle attack is "deceptive":

At a technical level, these SSL-breaking technologies trick your browser by forging SSL certificates, implying that their service operates encrypted websites like YouTube.com and BankofAmerica.com. In fact, instead of passing encrypted traffic on to the appropriate destination, these technologies enact the previously described “man-in-the-middle attack,” gaining access to potentially sensitive information that should rightly be kept between you and, for example, your bank or health care provider. Though these practices do not directly deceive the end user, they do effectively deceive the user’s software that acts as a “user agent.”  It’s not settled that this is prohibited by deceptive practices authority; in the past, the FTC has been reluctant to pursue deceptive practices cases merely on the grounds of tricking a browser: the FTC declined to pursue companies that issued bogus machine-readable P3P policies to get around Internet Explorer privacy restrictions or against companies that evaded Apple Safari’s default cookie settings in order to place third party cookies.[3] On the other hand, six state Attorneys General did bring a deceptive practices claim under their own version of Section 5 against companies that tricked Safari browsers into accepting third-party cookies.

Alternatively, the FTC could argue that failure to disclose that encrypted transmissions were being intercepted constituted a material omission — that is, failure to explain the practice would be a deceptive means to prevent a consumer from meaningfully evaluating the product. The FTC has brought a number of cases arguing that failure to disclose highly invasive or controversial practices either in a privacy policy or in clear, upfront language could constitute a deceptive practice.  For instance, the FTC has found that failure to disclose access to your phone’s contact information or precise geolocation could constitute a material omission.

From what I can tell, neither Gogo nor Lenovo went out of their way to tell users about these practices. If anything, Gogo’s privacy policy would lead users to think that their SSL-protected communications were safe from eavesdropping.

For Lenovo, a post to one of its user forums says that users had to agree to the Superfish privacy policy and terms of service. I don’t know what these documents said exactly, though the Superfish documents available on their website say nothing about these practices.  Even if Lenovo had disclosed in fine print what it does, regulators could make the case that SSL interception was so controversial that permission needed to be obtained outside of a boilerplate legal agreement. A service could certainly try to make a value proposition to consumers that some feature was worth the cost of breaking web encryption – but that’s not what happened here.

What about the question of "unfair"? Apparently, the FTC prefers to use "unfair" in the cases it brings, rather than deceptive, so that is the more likely option.

In order to be “unfair” under Section 5, a business practice has to meet three criteria – it must:

  1. Cause significant consumer harm,
  2. Not be reasonably avoidable by consumers, and
  3. Not be offset by countervailing benefits to consumers.

If breaking encryption exposes consumers to significant security vulnerabilities, regulators will likely have a very strong case for an unfairness violation.

On causing significant harm, this seems fairly straightforward in Lenovo’s case: its partner Superfish configured its software to intercept all SSL requests — using the same decryption key across all devices. This key was easily reverse engineered soon after the story broke, meaning that any malicious attacker could use this key to intercept any encrypted communication. That’s a huge security vulnerability, and at least as concerning as several other vulnerabilities that the FTC has previously alleged to have harmed consumers. Gogo’s SSL interception also raised security concerns — it arguably inures users to security warnings and exposes them to attackers posing as Gogo’s network — but the risk is probably not as great as in the Lenovo case. The FTC has brought actions against device manufacturers in the past for weakening security; in its case against phone manufacturer HTC, the FTC alleged that badly designed software that let app developers piggyback on HTC’s access to certain phone functionality without user permission was an unfair business practice.

On the second part of the unfairness test, it’s hard to argue how these practices are avoidable by ordinary consumers. They may have clicked through legalistic agreements, but as far as we can tell, none of these documents made any disclosure about these sorts of tactics — or the vulnerabilities to which they exposed consumers. Certainly, neither Gogo nor Lenovo presented information outside of a legal document where consumers were likely to notice. As a result, consumers weren’t provided with actionable information that they could have used to avoid these problems.

Finally, it’s hard to see that the security vulnerabilities introduced by SSL-interception were outweighed by any benefits to the practice. Gogo used this tactic to block bandwidth-heavy video applications on planes with limited internet access — a worthy goal, but one better accomplished through less destructive means. Lenovo allowed its partner to break encryption in order to view private communications for targeted advertising.  It is doubtful that many consumers would find this trade-off beneficial, even if it lowered prices significantly; in any event, Lenovo claims that they didn’t make much money from its deal with Superfish, and the pre-installed adware was simply designed to improve the user experience. Since exposure of these practices, both companies have backtracked and ended use of the encryption-breaking technologies.

But there's a much bigger question: will the FTC actually bother? The fact that Lenovo reacted pretty quickly to this mess probably suggests that the FTC may not bother. Yes, Lenovo's initial reaction wasn't great, but it did change its tune within less than 48 hours, and has been pretty vocal and active in apologizing and fixing things since then. That may be enough reason for the FTC to think it's not necessary to go after the company. Of course, it may feel differently about Superfish itself -- since that company still denies there's any problem and basically refuses to admit its role in this whole mess. It's still standing by its bogus statement that it did nothing wrong and claiming that Lenovo will clear things up -- even as Lenovo has clearly said otherwise.


Posted on Techdirt - 26 February 2015 @ 12:33pm

532,900,000 Reasons Why We Need Patent Reform Now

from the what-a-joke dept

Over the last year, there's been plenty of good news in the fight against the abuse of patents to stifle innovation. A bunch of court rulings have gone the right way, with the biggest being the Supreme Court's ruling in the Alice v. CLS Bank case, that has resulted in many courts invalidating patents, the US Patent Office suddenly rejecting more patents and a rapid decline in patent lawsuits.

Based on that, you might think that we no longer need patent reform. But you'd be wrong. Patent trolls are regrouping and fighting back. Despite the big drop in patent lawsuits following the Alice ruling, patent trolls have come up with some new ideas, and have recently ramped up the filing of new trolling lawsuits at a rapid pace. And there have even been a few victories. While the dollar amounts were relatively low (especially compared to what was asked for), a troll who claimed to have a patent over Bluetooth 2.0 (despite "inventing" it years after Bluetooth 2.0 was on the market) was awarded $15.7 million, and the world's biggest patent troll, Intellectual Ventures, actually won a case against Symantec (but got "only" $17 million).

But, earlier this week, there was the big one. A pure patent troll, Smartflash, with a collection of vague and broad patents (US 7,334,720, US 8,118,221 and 8,336,772 -- all for "data storage and access systems") has been awarded $532,900,000 from Apple, despite everyone happily admitting that Apple came up with the idea on its own. Here's the East Texas (of course) court jury form:

And, yes, Apple could probably pay that off with the spare change falling off the edge of Tim Cook's desk, but that's not really the point. Rulings like this don't seem to create any value towards actual innovation. Smartflash once had a product, but it failed in the marketplace over a decade ago. Apple built a product that people actually wanted. Shouldn't we be rewarding the people who actually make the things people want, rather than subsidizing failure by the successful?

Smartflash's lawyer told Ars Technica's Joe Mullin that this ruling is actually a "great example of why the patent system exists." Actually, it's a great example of how screwed up the patent system is. The lawyer also spewed this load of bullshit:

The thing about a patent is—let's say you have a university professor who spent two years researching something. It's irrelevant the effort that [an infringing company] spent to build it. It's the person who came up with it first. That's the way the Constitution, and the patent laws, are written. It's designed to cause people to spend money and time innovating. The patent office publishes it, so that advances the state of the art. In exchange for that, you get a property right.

That's also not how the Constitution is written, though it is (unfortunately) how patent laws are written. But that's not a way to get people to spend "money and time innovating" because the actual innovators here -- Apple -- had to pay out to the guy who failed in innovating. Being "first" isn't innovating. Building the product someone wants is.

Either way, Apple will appeal this ruling (and those other rulings are likely to be appealed as well). And in the last few months, CAFC has actually been shown to have gotten the message about problems with its previous interpretation of patent law. But, in the meantime, we still need serious patent reform.


Posted on Techdirt - 25 February 2015 @ 1:34pm

Gemalto: Ok, Yes, We Were Hacked, And Yes Some SIM Cards May Be Compromised, But Not Because Of Us

from the damage-control dept

Last week, The Intercept revealed how the NSA and GCHQ had hacked into the major supplier of SIM cards to swipe encryption keys for tons of mobile phones. Earlier this week, we noted that Gemalto appeared to be taking the Lenovo approach to insisting that no one was put at risk. Today the company presented the "findings" of its internal analysis of what happened, admitting that there were sophisticated hack attacks, but insisting that those attacks could not have reached the goldmine source of encryption keys. First, the admission of the hack:

In June 2010, we noticed suspicious activity in one of our French sites where a third party was trying to spy on the office network. By office network we mean the one used by employees to communicate with each other and the outside world. Action was immediately taken to counter the threat.

In July 2010, a second incident was identified by our Security Team. This involved fake emails sent to one of our mobile operator customers spoofing legitimate Gemalto email addresses. The fake emails contained an attachment that could download malicious code. We immediately informed the customer and also notified the relevant authorities both of the incident itself and the type of malware used.

During the same period, we also detected several attempts to access the PCs of Gemalto employees who had regular contact with customers.

At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation.

And then the "but don't worry about it" part:

These intrusions only affected the outer parts of our networks – our office networks - which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.

While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.

The report also notes that it appears that someone (again, probably NSA/GCHQ) also targeted communications between Gemalto and its carrier partners using highly targeted spearphishing attacks -- but that the company sought to block those and has long used a "highly secure exchange process" to protect such transmissions.

The company also says that some of the operators listed in the leaked documents are ones that Gemalto has never worked with anyway, so if NSA/GCHQ got access to their keys, it wasn't via Gemalto. It further notes that even where the NSA/GCHQ may have gotten access to keys (via other means) it may have only been of limited use, while also noting that the encryption that was targeted was already pretty weak:

In 2010-2011 most operators in the targeted countries were still using 2G networks. The security level of this second generation technology was initially developed in the 1980s and was already considered weak and outdated by 2010. If the 2G SIM card encryption keys were to be intercepted by the intelligence services, it would be technically possible for them to spy on communications when the SIM card was in use in a mobile phone. This is a known weakness of the old 2G technology and for many years we have recommended that operators deploy extra security mechanisms. However, even if the encryption keys were intercepted by the Intelligence services they would have been of limited use. This is because most 2G SIMs in service at that time in these countries were prepaid cards which have a very short life cycle, typically between 3 and 6 months.

This known weakness in the original 2G standards was removed with the introduction of proprietary algorithms, which are still used as an extra level of security by major network operators. The security level was further increased with the arrival of 3G and 4G technologies which have additional encryption. If someone intercepted the encryption keys used in 3G or 4G SIMs they would not be able to connect to the networks and consequently would be unable to spy on communications. Therefore, 3G and 4G cards could not be affected by the described attack. However, though backward compatible with 2G, these newer products are not used everywhere around the world as they are a bit more expensive and sometimes operators base their purchasing decision on price alone.

While I will admit to being pretty skeptical based on Gemalto's initial comments, its explanation here is somewhat more reasonable. While some may question if Gemalto really was able to figure out what the NSA/GCHQ got access to, it does not appear that the company is merely brushing this off as a non-story. However, if the company was really hacked back in 2010/2011 -- one can reasonably question how much the company can actually determine what really happened.

Update: Many of Gemalto's claims are now coming under scrutiny, with some suggesting that the company's "research" into things misses the point, and the details...


Posted on Techdirt - 25 February 2015 @ 12:31pm

As Blurred Lines Trial Starts, Take A Listen To The Special 'Copyright Only' Remix That Jurors Will Hear

from the everybody-get-midi dept

A few weeks ago, we noted how the copyright case over whether or not Pharrell Williams and Robin Thicke violated the copyright of Marvin Gaye with their song "Blurred Lines" was getting interesting, as it started to explore the somewhat blurry lines between what's actually covered by a copyright and what's not. Under the 1909 Act, under which Marvin Gaye's "Got to Give it Up" was recorded, only the specific sheet music is covered by the copyright, not the sound recording itself. And that represented a problem, since the Gaye Estate's attorneys wanted to play the original song, which has a number of similarities to Blurred Lines. But many of those similarities -- including the bass line and the party atmosphere in the background -- are not actually a part of the copyright covered composition. Thus, the judge told the Gaye family to figure out some way to create a recording that only included the copyright covered parts.

The EFF's Parker Higgins predicted that such a recording "likely sounds like the MIDI version that auto-played on a Geocities home page, or a rendition by the animatronic band at Chuck E. Cheese." Well, the enterprising folks over at Ratter got their hands on the recording so that you can take a listen too:

It would seem that Parker's prediction was not that far off. The Gaye Estate is also presenting a remixed version of that MIDI-ized version with Pharrell and Thicke's lyrics put on top:

From there, they certainly sound quite different. And, it's important to note (again) that sounding like something doesn't mean that it's infringing on that thing. If that were the case, we wouldn't have much in the way of culture, since so much of it is built off of the works of others. It will be interesting to see how a jury sees this, as I could see a confused jury thinking that merely because the lyrics fit over Gaye's song that somehow makes it infringing. Hopefully they can see through that, however.

The trial is currently going on and jury selection is certainly interesting, as they're asking people what kind of music they listen to and what they think of the famous video for "Blurred Lines" that included a bunch of naked models....


Posted on Net Neutrality Special Edition - 25 February 2015 @ 10:23am

Calm Down Reddit: No, Mignon Clyburn Is NOT Trying To Undermine Net Neutrality Rules

from the don't-always-believe-what-you-read dept

A reminder: you can't always believe what you read on these here interwebs. Yesterday, an article appeared on The Hill which was originally titled "Democratic FCC commissioner balks at net neutrality rules" and claimed that one of the other FCC commissioners was looking to "water down" Tom Wheeler's net neutrality plans. Cue a total freakout -- especially on Reddit, where people started weaving complex conspiracy theories about how Clyburn was bought and paid for by Time Warner (which is, um, somewhat laughable if you know much about Clyburn). The piece on the Hill, by reporter Julian Hattem, appears to have totally misread what is actually happening, leading to totally unnecessary freakouts. In fact, after many people pointed this out, it appears that The Hill has changed its original headline so that it now reads "Eleventh-hour drama for net neutrality." And it's not even that dramatic. So, hey, Reddit, calm down!

What's actually happening is a bit complex, but Clyburn's concern is not just a reasonable one, it's one that's actually being raised by just about everyone on all sides of the debate. Believe it or not, Clyburn's suggestion is actually supported by everyone from Free Press to Google to AT&T. So calm down.

Remember that old "hybrid plan" that Tom Wheeler had experimentally floated a few months ago? The one that created an entirely new class of services, in which he tried to divide broadband providers into a new classification known as "sender side" so that he could issue rules for that new class of services, rather than having to "reclassify" broadband under Title II? Those rules that everyone hated? Well, it appears that after being convinced to actually go to full reclassification, Wheeler left in a bit of those rules as a sort of "in the alternative" justification for his new rules. However, just as pretty much everyone argued when the hybrid plan was floated, this attempt to create a new classification for "sender side" providers is fraught with serious legal problems, and would create a huge headache.

A few weeks ago, Free Press raised these concerns with the FCC. And last week, Google also raised similar concerns, pointing out that trying to split the baby in this way would also lead some ISPs to believing they could switch to a "sender pays" model of service, which would actually undermine net neutrality in very serious ways. And, just in case you thought this was only a concern from net neutrality supporters, AT&T raised the same concern just last week as well, listing out four separate reasons why the FCC couldn't magically create this newly defined service.

From what nearly everyone has been saying, Clyburn's request to Wheeler is to fix this, and get rid of the remnants of his bad hybrid rules, and keep the rules much more cleanly focused on reclassification. I've spoken with numerous folks in and around the FCC about all of this and they all note that this should actually make the net neutrality rules better and less susceptible to a legal challenge. In fact, many are claiming this makes the rules stronger when it comes to preventing interconnection disputes, which is where many of the big net neutrality fights have migrated.

So, to everyone freaking out that Clyburn is trying to weaken the rules: calm down. It doesn't appear to be happening. In fact, it's the opposite. You can't always believe what you read on the internet, especially when it comes to telco policy.


Posted on Techdirt - 25 February 2015 @ 9:20am

Is Retweeting ISIS 'Material Support Of Terrorism'?

from the depends-on-your-point-of-view-apparently dept

Last week there was a bizarre and ill-informed post by music industry lawyer Chris Castle -- who has a weird infatuation with the idea that Google must be pure evil -- in which he tried to argue that because YouTube wasn't able to take down propaganda videos showing ISIS atrocities fast enough, Google was providing "material support" for terrorism. As Castle notes:

Google's distribution of jihadi videos on Google’s monopoly video search platform certainly looks like material support of terrorists which is itself a violation of the federal law Google claims to hold so dear. (See 18 U.S. Code §2339A and §2339B aka the U.S. Patriot Act.)

Of course, there are all sorts of problems with the Patriot Act, including its definitions of "material support of terrorism," but to stretch the law to argue that providing an open platform and simply not removing videos fast enough (the videos in question all got removed pretty rapidly anyway, but not fast enough for Castle) is somehow "material support for terrorism" is flat out crazy. It stems from the same sort of confused logic that Castle has used in the past, arguing that Google and others must magically "just know" what is infringing and what is not -- suggesting a true lack of understanding about the scale of offerings like YouTube and the resources needed to sort through all the content.

We were inclined to simply dismiss Castle's nuttiness to the category of "WTF" where it belongs... until at a conference earlier this week, a DOJ official, John Carlin, who holds the role of assistant attorney general for national security, appeared to suggest that anyone helping ISIS's social media campaign could be guilty of "material support" for terrorism:

John Carlin, the assistant attorney general for national security, told a cybersecurity conference in Washington on Monday that officials could try to blunt ISIS’s violent PR operation by essentially trying propagandists as terrorists. He suggested the Justice Department could bring prosecutions under the law against providing material support to a terrorist organization. His remarks were believed to be the first time a U.S. official has ever said that people who assist ISIS with online media could face criminal prosecution.

Carlin was asked at the conference whether he would “consider criminal charges” against people who are “proliferating ISIS social media.”  

His answer: “Yes. You need to look at the particular facts and evidence.” But Carlin noted that the United States could use the material support law to prosecute “technical expertise” to a designated terrorist organization. And spreading the word for ISIS online could count as such expertise.

Carlin seems more focused on someone tweeting a link to ISIS propaganda or something along those lines, which would raise significant First Amendment issues, but his comment about "technical expertise" could certainly be turned around and put upon YouTube, Twitter, Facebook and other providers of social media tools. That would create a huge mess, and open a Pandora's box that would undermine one of the key premises of the internet that has made it so successful.

Is the DOJ really looking to undermine the entire internet, just because some terrorists have figured out that it's a good way to get out their message?

Meanwhile, if you want to see just how far this sort of ridiculous thinking takes you -- at the same time that people like Castle and Carlin are arguing about how YouTube may be supplying material support for terrorists, YouTube was deleting videos that were being used to document ISIS war crimes. YouTube has been rushing around trying to take down all kinds of ISIS and other terrorist content for a while now -- ever since then Senator Joe Lieberman demanded that YouTube block terrorist videos. And, the end result is that important channels that catalog and archive evidence and documentation of war crimes are being taken down. And, this is not the first time this sort of thing has happened.

When you start accusing these platforms of having some sort of liability (potentially criminal liability in the form of "materially supporting terrorists") for merely providing an open platform that anyone can use, you are more or less guaranteeing that important content, such as that which documents war crimes and atrocities, gets banned as well. Is that really what Castle and Carlin are looking to do?


Posted on Techdirt - 24 February 2015 @ 3:43pm

Sanctioned Revenge Porner Craig Brittain Says That Google Is Nothing But Copyright Infringement

from the good-luck-with-that-theory,-craiggers dept

We already discussed how the disgraced revenge porn guy, Craig Brittain (aka Pustule Nickelback McHitler III), is now trying to get Google to disappear most articles about his FTC settlement. As we noted, in making sure that the public is well aware of what kind of person Brittain is, the FTC wrote up not one, not two, but three separate notices about Brittain's actions (revenge porn and then setting up a fake lawyer you could pay to "take down" the images you never wanted on his site in the first place).

Back in 2012 Brittain tried to abuse the DMCA to take down earlier criticism (from Popehat). He apparently didn't learn his lesson when that failed, which explains his recent attempt to do the same -- including arguing that the FTC's own writeups about its settlement with Brittain were infringing.

Over on Twitter, Adam Steinbaugh, one of the people who Brittain sought to censor with the DMCA, told Brittain that he could just send a DMCA notice straight to Steinbaugh or his host, rather than going after Google, leading to a fascinating and totally clueless discussion about how Brittain is really doing this because he thinks it's unfair that Google gets to build a search index, which he considers infringing. Uh huh, Craig, sure thing.

If you can't see those images, Brittain says that he's "not interested" in everyone who wrote about his settlement using "his" "material," (still not clearly identified, by the way), but rather "Google's use of the material." Then he notes: "Google is piggybacking off of content creators, which really means that by default they should be paying for it."

Even ignoring the sheer... wrongness... of this "legal analysis," it's doubly hilarious in that it comes from a guy whose entire claim to "fame" is posting photos of people that are submitted to his website, without paying anyone for those works -- and who, rather, tried to get people to pay him to take them down. Irony is a word that apparently Brittain is not acquainted with.

Oh, and I'm especially curious as to how Brittain believes that Google indexing and linking to the FTC's website is infringing and should be paid for, given that, as a work of the federal government, the FTC's statements on Craig Brittain are in the public domain.

At that point, I pointed out that he appeared to be ignoring multiple court rulings that have made it clear that Google's indexing is clearly fair use, at which point it became clear that Brittain had no idea that this issue has been well litigated in the past, and he's just wrong. First he insists that the courts were "acting improperly" and then asks if any of us "jokers" have written about this Perfect 10 v. Google case that apparently was a totally brand new concept to Brittain:

Perfect 10 certainly has quite a reputation for legal buffoonery when it comes to copyright law. Is Craig Brittain getting ready to take things a step further?


Posted on Techdirt - 24 February 2015 @ 11:48am

NSA Director: If I Say 'Legal Framework' Enough, Will It Convince You Security People To Shut Up About Our Plan To Backdoor Encryption?

from the wanna-try-that-again dept

Admiral Mike Rogers, the NSA Director, has barely been on the job for a year, and so far he'd mostly avoided making the same kinds of absolutely ridiculous statements that his predecessor General Keith Alexander was known for. Rogers had, at the very least, appeared slightly more thoughtful in his discussions about the surveillance state and his own role in it. However, Rogers ran into a bit of trouble at New America's big cybersecurity event on Monday -- in that there were actual cybersecurity folks in the audience and they weren't accepting any of Rogers' bullshit answers. The most notable exchange was clearly between Rogers and Alex Stamos, Yahoo's chief security officer, and a well known privacy/cybersecurity advocate.

Alex Stamos (AS): Thank you, Admiral. My name is Alex Stamos, I’m the CISO for Yahoo!. … So it sounds like you agree with Director Comey that we should be building defects into the encryption in our products so that the US government can decrypt…

Mike Rogers (MR): That would be your characterization. [laughing]

AS: No, I think Bruce Schneier and Ed Felten and all of the best public cryptographers in the world would agree that you can’t really build backdoors in crypto. That it’s like drilling a hole in the windshield.

MR: I’ve got a lot of world-class cryptographers at the National Security Agency.

AS: I’ve talked to some of those folks and some of them agree too, but…

MR: Oh, we agree that we don’t accept each others’ premise. [laughing]

AS: We’ll agree to disagree on that. So, if we’re going to build defects/backdoors or golden master keys for the US government, do you believe we should do so — we have about 1.3 billion users around the world — should we do for the Chinese government, the Russian government, the Saudi Arabian government, the Israeli government, the French government? Which of those countries should we give backdoors to?

MR: So, I’m not gonna… I mean, the way you framed the question isn’t designed to elicit a response.

AS: Well, do you believe we should build backdoors for other countries?

MR: My position is — hey look, I think that we’re lying that this isn’t technically feasible. Now, it needs to be done within a framework. I’m the first to acknowledge that. You don’t want the FBI and you don’t want the NSA unilaterally deciding, so, what are we going to access and what are we not going to access? That shouldn’t be for us. I just believe that this is achievable. We’ll have to work our way through it. And I’m the first to acknowledge there are international implications. I think we can work our way through this.

AS: So you do believe then, that we should build those for other countries if they pass laws?

MR: I think we can work our way through this.

AS: I’m sure the Chinese and Russians are going to have the same opinion.

MR: I said I think we can work through this.

AS: Okay, nice to meet you. Thanks.


MR: Thank you for asking the question. I mean, there are going to be some areas where we’re going to have different perspectives. That doesn’t bother me at all. One of the reasons why, quite frankly, I believe in doing things like this is that when I do that, I say, “Look, there are no restrictions on questions. You can ask me anything.” Because we have got to be willing as a nation to have a dialogue. This simplistic characterization of one-side-is-good and one-side-is-bad is a terrible place for us to be as a nation. We have got to come to grips with some really hard, fundamental questions. I’m watching risk and threat do this, while trust has done that. No matter what your view on the issue is, or issues, my only counter would be that that’s a terrible place for us to be as a country. We’ve got to figure out how we’re going to change that.

[Moderator Jim Sciutto]: For the less technologically knowledgeable, which would describe only me in this room today, just so we’re clear: You’re saying it’s your position that in encryption programs, there should be a backdoor to allow, within a legal framework approved by the Congress or some civilian body, the ability to go in a backdoor?

MR: So “backdoor” is not the context I would use. When I hear the phrase “backdoor,” I think, “well, this is kind of shady. Why would you want to go in the backdoor? It would be very public.” Again, my view is: We can create a legal framework for how we do this. It isn’t something we have to hide, per se. You don’t want us unilaterally making that decision, but I think we can do this.

As you read it, you realize that Rogers keeps thinking that if he says "legal framework" enough times, he can pretend he's not really talking about undermining encryption entirely. Well known cybersecurity guy Bruce Schneier pushed back, pointing out that:

It’s not the legal framework that’s hard, it’s the technical framework. That’s why it’s all or nothing.

No matter what anyone said, however, Rogers appears to keep going back to the "legal framework" well, over and over again, as if that magic phrase would change magical thinking into reality:

“If these are the paths that criminals, foreign actors, terrorist are going to use to communicate, how do we access that?” he asked, citing the need for a “formalized process” to break through encrypted technology.

Rogers pointed toward cooperation between tech companies and law enforcement to combat child pornography. “We have shown in other areas that through both technology, a legal framework, and social compact that we have been able to take on tough issues. I think we can do the same thing here.”

Yes, but that's very different. Even as anyone looking to rip apart important privacy and free speech tools loves to shout "child porn," the examples are not even remotely comparable. And no one's looking to backdoor everything just to get at people passing around child porn. But the larger point stands. Rogers seems to think that there is a magic bullet/golden key that will magically only let the good guys through if only the tech industry is willing to work with him on this.

“You don’t want the FBI and you don’t want the NSA unilaterally deciding what” is permissible, Mr. Rogers said.

Except that presumes that if only the surveillance community and the tech industry got together they could come up with such a safe system, and as everyone else is telling him, that's impossible. And for a guy who is supposed to be running an agency that understands cryptography better than anyone else, that's really troubling:
