posted about 2 hours ago on techdirt
Everyone in government is talking cyber-this and cyber-that, even though a majority of those talking don't have the technical background to back up their assertions. This leads to dangerous lawmaking. The CFAA, easily one of the most abused computer-related laws, came into being thanks to some skittish legislators who'd seen one too many '80s hacker films. ("WarGames," to be specific.) Faulty analogies have led to other erroneous legislative conclusions -- like the comparison of email to snail mail -- which has led to the government treating any unopened email as "abandoned" and accessible without a warrant.

But the problem goes further than the legislative branch. The executive branch hasn't been much better in its grasp of technical issues, and the current slate of presidential candidates guarantees this won't change for at least another four years. The judicial branch has its own issues. On both sides of the bench, there's very little technical knowledge. As more and more prosecutions become reliant on secretive, little-understood technical tools like cell tower spoofers, government-deployed malware, and electronic device searches, unaddressed problems will only multiply as tech deployment ramps up and infusions of fresh blood into the judicial system fail to keep pace.

Garrett M. Graff of Politico -- in a piece written for the Washington Post -- discusses how government prosecutors' lack of tech expertise is resulting in bogus investigations and Constitutional violations.

"Last year, the FBI nearly destroyed the life of an innocent physicist. In May 2015, agents arrested Xi Xiaoxing, the chairman of Temple University’s physics department, and charged that he was sneaking Chinese scientists details about a piece of restricted research equipment known as a “pocket heater.” An illustrious career seemed suddenly to implode.

A few months later, though, the Justice Department dropped all the charges and made an embarrassing admission: It hadn’t actually understood Xi’s work. After defense experts examined his supposed “leaks,” they pointed out that what he’d shared with Chinese colleagues wasn’t a restricted engineering design but in fact a schematic for an altogether different type of device."

It's not just prosecutors. Graff notes that there's no "pipeline" of lawyers who can read and understand code heading to either side of prosecutions, which means defendants will be at the mercy of judges' interpretations of evidence and arguments. That's bad news as well. As documents have surfaced thanks to the Snowden leaks and the government being more forthcoming with FISA court decisions, it's become apparent that judges issuing orders haven't been fully apprised of the technical details of the NSA's domestic surveillance programs.

"The fallout from Edward Snowden’s revelations exposed numerous instances in which agency lawyers miscommunicated to courts about what the government was doing. There are two possible explanations: Either they willfully exploited judges’ lack of technical knowledge, or the lawyers themselves couldn’t fathom the programs they were trying to explain."

Irritated FISC judges have come down hard on the agency periodically, pointing out serious misrepresentations by the NSA's lawyers. Unfortunately, these discoveries have always come well after the fact. In the periods between judicial benchslaps, the agency has acted with autonomy. Forgiveness is better than permission, especially when the person approving surveillance requests either doesn't have all the information they need or is unable to interpret the information they've been provided.

The lack of expertise -- and the lack of new talent flowing in -- means this sort of thing will continue to happen far too often. Judges will be duped. Defendants will end up jailed because of the ignorance surrounding them. Bad analogies will shore up inadequate explanations. And, if you're the sort who believes "accused" means "guilty," the shortage of knowledgeable prosecutors will result in jaw-dropping "technicalities" returning suspected criminals to the streets.

"In one recent prosecution of a security researcher accused of illegal hacking, an assistant U.S. attorney summarized the case to the court by saying, “He had to download the entire iOS system on his computer, he had to decrypt it, he had to do all of these things I don’t even understand.” The government ultimately lost the case."

So, what can be done to fix it? Not much. Only a few law schools offer classes in cybersecurity, coding, or other tech fields. Those that do have long waiting lists. The upside is that a technically proficient law school grad should find plenty of opportunities awaiting them. The downside is that there's not nearly as much money in the public sector as there is in the private. This may mean criminal defense will see a boost in knowledge, but that will only help those who can afford to hire top-tier lawyers. The government, meanwhile, will likely continue to stumble over its own ignorance. Fortunately for government prosecutors, most judges are willing to cut them a lot of slack, something only exacerbated by lawmakers pushing legislation targeting things they don't even understand.
posted about 4 hours ago on techdirt
I've often joked that the FTC and state AGs choose to live in a fantasy world where Section 230 doesn't exist. A new ruling from the Second Circuit has turned my joke on its ear, suggesting that my underlying fears -- of a Section 230-free zone for consumer protection agencies -- may have become our dystopian reality.

The Opinion

The case involves weight loss products, including colon cleanses, vended by LeanSpa. To generate more sales, LeanSpa hired LeadClick to act as an affiliate marketing manager. LeadClick coordinated promotion of LeanSpa's products with LeadClick's network of affiliates. Some affiliates promoted the products using fake news sites, with articles styled to look like legitimate news articles and consumer comments/testimonials that were fake.

Apparently, all of this added up to big business. LeanSpa paid LeadClick $35-$45 each time a consumer signed up for LeanSpa's "free" trial (which was a negative billing option). LeadClick shared 80-90% of these sign-up fees with affiliates and kept the remainder for itself. In total, LeadClick billed LeanSpa $22M, of which LeanSpa paid only $12M. Still, LeanSpa turned into LeadClick's top customer, constituting 85% of its eAdvertising division's sales.

The court summarizes the key facts about LeadClick's role in the fake news sites scheme:

"While LeadClick did not itself create fake news sites to advertise products…it (1) knew that fake news sites were common in the affiliate marketing industry and that some of its affiliates were using fake news sites, (2) approved of the use of these sites, and, (3) on occasion, provided affiliates with content to use on their fake news pages."

The court also notes that LeadClick occasionally bought ads on legitimate news sites to promote fake news sites in its affiliate network.

The FTC's Prima Facie Case

The FTC alleged that LeadClick engaged in deceptive practices. LeadClick responded that it didn't do any deceptive practices itself; if anyone did, it was its affiliates. Extensively citing the Ninth Circuit's FTC v. Neovi ruling from 2010 (an unfairness case, not a deception case, but this panel ignores the difference) and a subsequent 11th Circuit case (FTC v. IAB Marketing Associates), the Second Circuit concludes that "a defendant may be held liable for engaging in deceptive practices or acts if, with knowledge of the deception, it either directly participates in a deceptive scheme or has the authority to control the deceptive content at issue."

In the Neovi case, the defendant Qchex had an online check-creation tool that fraudsters used to create and send bogus checks. The court held that Qchex engaged in unfair practices when it printed and then delivered the bogus checks to recipients. But here, LeadClick never "delivered" anything. Indeed, LeadClick argued that the legal standard conflates direct liability with aiding/abetting liability. The Second Circuit disagreed, saying a defendant who "allows the deception to proceed" thus "engages, through its own actions, in a deceptive act or practice that causes harm to consumers." I'm not a philosopher, but to me, "allowing" a third party to commit misconduct is a bizarre and overly expansive way of defining *direct* liability. Once this court makes this doctrinal cheat, LeadClick didn't have a chance.

Applying the legal standard to LeadClick:

Knowledge. "LeadClick knew that (1) the use of false news pages was prevalent in affiliate marketing, and (2) its own affiliate marketers were using fake news sites to market LeanSpa's products."

Direct participation in the deceptive conduct. LeadClick satisfied this standard by "recruiting and paying affiliates who used fake news sites for generating traffic, managing those affiliates, suggesting substantive edits to fake news pages, and purchasing banner space for fake news sites on legitimate news sources."

Ability to control. LeadClick ran an affiliate network that included fake news sites. "As the manager of the affiliate network, LeadClick had a responsibility to ensure that the advertisements produced by its affiliate network were not deceptive or misleading." I thought the legal standard required "ability," but the court tautologically uses the term "responsibility" to satisfy this element. Also note that the court's legal standard ("has the authority to control the deceptive content at issue") sounds a lot like principal-agency liability, but the court doesn't say or imply that LeadClick had a principal-agency relationship with affiliates. Apparently the court is applying some kind of agency-lite liability.

Finally, the court says that LeadClick's intent to deceive consumers is irrelevant; "it is enough that it orchestrated a scheme that was likely to mislead reasonable consumers."

Section 230

Because of the court's intellectual corner-cutting that LeadClick committed a "direct" violation of the FTCA, the Section 230 immunity was already doomed. This is consistent with the Neovi case, where Section 230 didn't even come up even though all of the fraudulent content was provided by third parties. Even though Section 230 doesn't apply to a defendant's own legal violations, the court unfortunately decides to muck up Section 230 jurisprudence anyway, apparently for kicks.

I believe this is only the second time that the Second Circuit has discussed Section 230. The prior case was GoDaddy's undramatic 2015 win in Ricci v. Teamsters, issued per curiam. Oddly, this panel doesn't cite the Ricci case at all -- not even once. The opinion simply says "We have had limited opportunity to interpret Section 230" without referencing the Ricci case by name. I'm baffled why this opinion so deliberately avoided engaging the recent and obviously relevant Ricci precedent…? Could it be that Ricci would have forced the panel to reach a different result or clearly created an intra-circuit split? Is there some kind of behind-the-scenes politics among Second Circuit judges? I welcome your theories.

The court runs through the standard 3-prong test for Section 230's immunity:

Provider/user of an interactive computer service (ICS). The court correctly says "Courts typically have held that internet service providers, website exchange systems, online message boards, and search engines fall within this definition." (What is a "website exchange system"?). Then the court goes sideways, saying it is "doubtful" that LeadClick qualifies as an ICS because it acts as an affiliate manager that doesn't provide access to servers. LeadClick argued that it provided affiliate tracking URLs and recorded activity on its server, but the panel responds that LeadClick didn't cite any cases applying Section 230 in similar contexts. The court continues that LeadClick's tracking service "is not the type of service that Congress intended to protect in granting immunity" because "routing customers through the HitPath server before reaching LeanSpa's website[] was invisible to consumers and did not benefit them in any way. Its purpose was not to encourage discourse but to keep track of the business referred from its affiliate network."

Say what? Affiliate programs are just another form of advertising, so like other advertising programs, they help compensate publishers for creating and disseminating their content. We may not want this particular content (fake news sites touting dubious weight loss products). Even so, affiliate programs do support discourse, and the court's denigration of affiliate programs' speech benefits is unfortunate and unsupportable. More generally, the court seems to be marginalizing the speech benefits that third party vendors give to publishers, which is obviously misguided when vendors help publishers conduct their business more efficiently. I hope other courts don't apply a "discourse promotion" threshold for applying Section 230. We rarely see cases turn on the ICS prong, so it's really shocking to see the court go there -- especially when it eventually expressly punts on the issue, making this discussion dicta.

Content provided by another information content provider (ICP). The court cites Accusearch for the proposition that ICP "cover[s] even those who are responsible for the development of content only in part," but then adds a "defendant, however, will not be held responsible unless it assisted in the development of what made the content unlawful." The court says LeadClick "participated in the development of the deceptive content posted on fake news pages" because it recruited affiliates knowing some had fake news sites, paid them, occasionally advised them to edit content, and bought ads on legitimate news sites. In other words, the court cites the exact same evidence of LeadClick's prima facie liability as evidence of its lack of qualification for Section 230. This is just another way of saying that once the Second Circuit treated LeadClick as a direct violator of the FTCA, LeadClick had no chance of qualifying for Section 230. Notice that none of the cited facts actually involve content "creation" by LeadClick, so the court apparently assumes content "development" covers other activities -- but doesn't say what that term means.

The court continues: "LeadClick's role in managing the affiliate network far exceeded that of neutral assistance. Instead, it participated in the development of its affiliates' deceptive websites, ‘materially contributing to [the content's] alleged unlawfulness.'" What does "neutral assistance" mean, and how does that relate to Section 230 immunity? I assume all future plaintiffs in the Second Circuit will claim that the defendant provided "assistance" to the content originator that wasn't "neutral." That should be fun.

Treated as publisher/speaker. The court pulls the same trick with this prong, i.e., LeadClick was facing direct liability due to its own misconduct, and the court cites evidence from the prima facie case as disqualifying evidence for this prong.

Further Implications

As we all know, no business wants to litigate against the FTC in court. Not only do the FTC's litigation resources dwarf those available even to large defendants, but judges give the FTC extra credit as the voice of consumers. This case highlighted how the Second Circuit bent plenty of legal doctrine to get the FTC its win. Future defendants who want to fight the FTC in federal court, take note. This kind of doctrinal distortion happens far too frequently in FTC cases, so it would be a mistake to treat it as an unlikely-to-repeat accident.

There is so much unnecessary bad stuff here for Section 230 jurisprudence in the Second Circuit. Plaintiffs can find plenty of mischief in the court's discussion about what qualifies as "interactive computer services," "neutral assistance" and "development." Yuck.

In a footnote, the court says the analysis would be the same under Connecticut's UTPA. This suggests that state AGs could similarly establish a prima facie "direct" violation against defendants like LeadClick per their state unfair competition laws without running afoul of Section 230 either. I expect we'll see this case cited extensively by state AGs in future enforcement actions.

Section 230's year-of-woe keeps going. I'm ready for 2016 to be over. Perhaps the Section 230 pendulum will swing back towards defendants in 2017.

Republished from Eric Goldman's Technology & Marketing Law Blog
posted about 5 hours ago on techdirt
Earlier this month, we noted how Netflix had complained to the FCC about broadband usage caps, quite correctly noting they're little more than price hikes in uncompetitive markets. Netflix also was quick to highlight how caps can be used anti-competitively against streaming video providers, something the FCC opened the door to when it decided to turn a blind eye to the practice of zero rating (exempting your own or a paid partner's content from counting against the cap). As such, Netflix urged the FCC to finally crack down on usage caps using its authority under Section 706 of the Telecom Act.

Apparently worried the FCC might take Netflix's advice seriously (there's zero indication of such), a cable broadband ISP named Mediacom filed its own complaint with the FCC trying to defend the practice. Mediacom, which imposes usage caps as low as 200 GB on its users, tries to complain that criticizing ISPs for imposing caps is hypocritical...because Netflix charges different tiers of service for higher quality content and more streams:

"Ironically, those who think ISPs are greedy pigs or evil villains because they charge based on consumption through caps or usage-based pricing do not direct the same moral outrage toward edge providers who price their services in basically the same way. Netflix, for example, charges $7.99 a month for its “basic” subscription. A basic subscriber does not get unlimited usage of Netflix’s library for that price but, instead, is limited to videos in standard definition format and on only one screen at a time."

Of course, Mediacom knows it's comparing rotten apples to oranges. In broadband, users have no competitive options, so if an ISP (or both of the duopoly ISPs in a market) imposes usage caps, a consumer can't vote with their wallet. In contrast, users frustrated by Netflix's practice of charging more money for HD (or 4K) streams can just go get content from another streaming or traditional cable TV provider.

But this type of ill-suited comparison is trotted out again and again in the FCC filing, with the ISP going so far as to compare broadband service to game consoles, video games, socks, and cloud storage. Ultimately the core of the ISP's astonishingly flimsy argument leans heavily on Starbucks coffee and...Oreos:

"Imagine you are out for a walk and experience a sudden, irresistible craving for Oreo® cookies. You only want to spend two dollars, which means that you will be able to buy a two-pack or maybe even a four-pack but for sure you cannot get the family size of over 40 cookies. For that many, you have to spend more. Of course, it would be nice if your two dollars bought you the right to eat an unlimited number of cookies, but you know that is not the way our economy works. It is the same for the Starbucks latte you might want to drink with your cookies and for socks, gasoline and just about every single one of the thousands of other products and services that are for sale in the United States, including essentials like water and electricity."

Again, that's so misleading as to be insulting. Consumers have a myriad of competitive options for both coffee and cookies, whereas Mediacom is very often the only ISP available to its customers. It's that lack of competition that encourages ISPs to begin charging more money for the same service via caps and overage schemes where -- unlike utility markets -- nobody confirms usage meters are accurate. As for how the economy actually works in broadband: incumbent ISPs buy state legislatures and federal regulators to ensure nobody lifts a finger as they price gouge the living hell out of a captive subscriber base. You know, just like the damn lederhosen industry.
posted about 6 hours ago on techdirt
It's the case that will never die. As you may recall, over the summer, Oracle asked Judge William Alsup for yet another trial over Google's copying of some Java APIs in Android, claiming that Google had failed to disclose that Android apps would work on Chromebooks. At a hearing last month it seemed very possible that Alsup would order another trial, but (thankfully!) he has now denied Oracle's request for the same exact reason he denied their first request for another trial at the beginning of the summer. He literally says:

"Oracle’s new Rule 50 motion is denied for the same reasons as its old one."

First, Alsup defends his earlier decision to limit the trial to Android's use in smartphones and tablets. It's a long explanation, but a sensible one. In short, because of the (ridiculous) Federal Circuit ruling rejecting Alsup's (much earlier) determination that APIs were not subject to copyright (which was the correct ruling, but was overturned because the Federal Circuit is clueless), the case was sent back to the lower court, years after the original verdict that said Google's use was infringing. This trial was over just the fair use question, but was built off of that earlier verdict. Google argued that adding in a bunch of new devices that used Android (as Oracle wanted) that didn't exist when the first trial happened wouldn't make sense, as they introduced new questions and issues that weren't raised in the first trial -- and Alsup agreed. Alsup also notes that Oracle is "free to pursue its claims for infringement arising from Google’s implementations of Android in devices other than smartphones and tablets in a separate proceeding and trial." In other words, no matter the outcome of this case, Oracle may still file another lawsuit over Android in the future.

So, in the end, Alsup notes that Oracle wanted to have the court accept the first jury verdict, but then expand it way beyond its scope:

"In its new trial motion, Oracle now argues that it was error to limit the device uses in play to smartphones and tablets. We should have had one mega-trial on all uses, it urges. This, however, ignores the fact that Oracle’s earlier win on infringement in 2010 — the same win it wished to take as a given without relitigation — concerned only smartphones and tablets. And, it ignores the obvious — one use might be a fair use but another use might not, and the four statutory factors are to be applied on a use-by-use basis. Significantly, the language of Section 107(4) of Title 17 of the United States Code directs us to consider “the effect of the use upon the potential market for or value of the copyrighted work.” Oracle cites no authority whatsoever for the proposition that all uses must stand or fall together under the fair use test of Section 107."

Alsup also scolds Oracle, noting that while it wanted to lump in all sorts of post-2010 actions by Google, it successfully blocked the introduction of post-2010 evidence that would have helped Google:

"Oracle itself, it must be said, successfully excluded at least one post-2010 development that would have helped Google. Specifically, a pretrial ruling obtained by Oracle excluded evidence tendered by Google with respect to Android Nougat. Significantly, this evidence would have shown that (back in 2008) all of the accused APIs could simply have been taken from OpenJDK, Sun’s own open-source version of Java, apparently in full compliance with the open-source license. Put differently, Sun itself had given away Java (including all of the lines of code in suit) in 2008 via its open-source OpenJDK. In 2015, Google used OpenJDK to reimplement the Java APIs for the latest release of Android, which it called Nougat. Google wished to use this evidence under the fourth fair use factor to show that its infringement did no more market harm than Sun itself had already invited via its own OpenJDK release. Despite its importance, the Court excluded this development because it had not been presented by Google in time for effective rebuttal by Oracle. This exclusion was a major win for Oracle in the weeks leading up to trial."

Then on to the main show: Oracle's claim that Google hid the plans to make Android apps work on Chrome OS. Google had revealed to Oracle its "App Runtime for Chrome" (ARC) setup, and it was discussed by Oracle's experts, but at Google I/O, Google revealed new plans for apps to run in Chrome OS that were not using ARC, but rather a brand new setup, which Google internally referred to as ARC++. Oracle argued that Google only revealed to them ARC, but not ARC++, and that was super relevant to the fair use argument, because it showed that Android was replacing more than just the mobile device market for Java. But, here's Oracle's big problem: Google had actually revealed to Oracle the plans for ARC++. It appears that Oracle's lawyers just missed that fact. Ouch.

"Throughout the briefing and argument on this motion, Oracle left the distinct impression — more accurately distinct misimpression — that Google had stonewalled and had completely concealed the ARC++ project. This was an unfair argument. In fact, Google timely produced at least nine documents discussing the goals and technical details of ARC++ and did so back in 2015, at least five months before trial. Counsel for Oracle now acknowledges their legal team never reviewed those documents until the supplemental briefing on this motion. The Court is disappointed that Oracle fostered this impression that no discovery had been timely provided on the ARC++ project eventually announced on May 19.

Rule 26(e) requires a party to supplement discovery responses in a timely manner only “if the additional or corrective information has not otherwise been made known to the other parties during the discovery process or in writing” (or if otherwise ordered by the Court). This creates a “‘duty to supplement,’ not a right.” Luke v. Fam. Care and Urgent Med. Clinics, 323 Fed. Appx. 496, 500 (9th Cir. 2009). Nevertheless, Google had no duty to supplement responses with new information that had already been disclosed in the ARC++ documents already produced. Oracle should have known that items produced in response to its own document requests potentially contained information that supplemented Google’s earlier written discovery responses. Oracle’s failure to review the ARC++ documents is its own fault."

That's a pretty big error on the part of Oracle's lawyers. For all the bombast that they went after Google with in court last month, to then have to admit that they were the ones who had failed to actually read the material that Google supplied them is... really, really bad. If I'm Oracle, I'm really pissed off, because these lawyers from Orrick are not cheap and they just wasted a ton of Oracle money because of their own mistakes.

Judge Alsup also notes that none of this really matters anyway because (once again) this trial was limited to the situation back in 2010, when Android was just in use on phones and tablets, and the desktop/laptop issue was left out of the case (in part because of Oracle's own desire not to relitigate the first part of the trial).

"Oracle’s purported “game changer” would not have changed anything at all, because the scope of the “game” was smartphones and tablets, postponing new and later uses to a later contest. ARC++ was not yet on trial. Thus, any failure to produce such evidence could not have substantially interfered with Oracle’s preparation for our trial. On the contrary, it clearly and convincingly would have been inconsequential."

There are a few other attempts from Oracle that Alsup rejects as well -- including some stuff about one particular witness having a single line of an email redacted. There was also an attempt to present some evidence suggesting that Sun wasn't as happy about Google's actions as Google had implied during its testimony, but it involved (yet again) some bizarre behavior by Oracle's lawyers, withholding documents from Google until the very last minute. And, again, Judge Alsup notes that the documents don't really support Oracle's contention anyway. There were a few more arguments in there as well, which aren't as important, but you can read them all in the full ruling from Alsup if you are a glutton for such punishment.

Either way, it's almost certain that Oracle will appeal certain aspects of all of this, and in some sense, this is all just procedural posturing anyway. And, on top of that, Oracle may file a new case against Google for non-tablet/phone uses anyway. In short: this case is nowhere near over, but if you get anything out of these documents, it's that Oracle, the company, should be pretty upset at the lawyers it hired for making a big deal out of something that only served to show that they didn't do their job.
posted about 6 hours ago on techdirt
It is important to have multiple backups of your important files. One option could be the $39 1TB Zoolz Complete Cloud Storage, which uses Amazon AWS infrastructure. With this lifetime license of 500 GB of Instant and 500 GB of Cold Storage, you'll have an extremely affordable place to safely store massive amounts of data. Access your Instant storage quickly and easily, or just deposit data in Cold Storage if you know you won't be needing it for a while. The license allows you to back up data from 2 machines and to use a third device for recovery.

Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.
posted about 7 hours ago on techdirt
So, just last week, we wrote about how David Kittos, a refugee from Cyprus now living in the UK, had taken the photograph of a bowl of Skittles that Donald Trump Jr. had used in a tweet about banning refugees. Kittos said he was thinking about taking legal action, but said he wasn't sure he had the patience for it. But, of course, thanks to US copyright law, if you want something to disappear, you don't have to go through a whole litigation process, you can just use the DMCA. And that's exactly what David Kittos did (first noticed by The Washington Post, which may have a paywall).

-------
== Description of original work:
Photography of a bowl of Skittles from my flickr library which was copied WITHOUT my permission
== Links to original work:
https://www.flickr.com/photos/david_kittos/[REDACTED]/
---
== Reported Tweet URL:
https://twitter.com/DonaldJTrumpJr/status/[REDACTED][REDACTED]
== Description of infringement:
The image of a bowl of skittles is mine and has always been set as "ALL RIGHTS RESERVED" in my flickr library. It was copied and is being used WITHOUT my permission. I have never been contacted by Donald Trump Jr or any representative about the image, before or after it was used in the Tweet.
-------

And it worked.

Now, of course, there's a question of whether or not Trump Jr. will file a counternotice, and then if Kittos would actually follow through with a lawsuit. I'm guessing neither will happen, but who really knows? There's a possible, but not really that strong, argument that Trump Jr.'s usage was fair use. And it does seem like Kittos' takedown is much more about his objection to the speech, rather than the possible infringement -- and, once again, that suggests it's another example of using copyright to censor speech someone doesn't like. As I made clear, I think the Skittles analogy is incredibly stupid (and racist), but that doesn't mean I'm comfortable with using copyright to silence it.

posted about 8 hours ago on techdirt
Earlier this week, basically all of the major record labels filed a lawsuit against YouTube-mp3.org, which as you may have guessed from the URL, helps people get audio downloads from YouTube videos. There have been a number of similar sites over the years, and they tend to disappear relatively quickly. Apparently this one lasted long enough that the major labels decided to sue. There are many, many, many problems with the lawsuit which we'll be discussing, but let's start with the big one. The RIAA and the labels seem to believe that SOPA became law back in 2012, rather than being soundly rejected. That's because, as the EFF notes in a blog post, the real target of the lawsuit does not appear to be YouTube-mp3.org, but a bunch of third party service providers. Specifically, the lawsuit asks for two highly questionable remedies targeting non-parties to the lawsuit:

enjoining Defendants and all third parties with notice of the Order, including any Web hosts, domain-name registrars, domain name registries, and proxy or reverse proxy services, and their administrators, from facilitating access to any or all domain names, URLs and websites (including, without limitation, www.youtube-mp3.org) through which Defendants infringe Plaintiffs’ copyrights; and

enjoining all third parties with notice of the Order from maintaining, operating, or providing advertising, financial, technical, or other support to YTMP3 and any other domain names, URLs, or websites through which Defendants infringe Plaintiffs’ copyrights, including without limitation www.youtubemp3.org; and

enjoining all third-party distributors of applications, toolbars or similar software with notice of the Order from distributing any applications, toolbars, or similar software applications that interoperate with any domain names, URLs, or websites through which Defendants infringe Plaintiffs’ copyrights, including without limitation www.youtube-mp3.org.
Again, this was the kind of remedy SOPA was designed to enable. But SOPA did not become law. As the EFF points out:

As we’ve explained before in other cases, this request is a gross overreach. Federal court rules have a narrow provision that lets successful plaintiffs request a court order against a defendant and people in “active concert and participation” with them, meaning a close associate or co-conspirator. That provision doesn’t allow for orders that bind every vendor providing services to a defendant, especially those with no direct business relationship. So the litany of intermediaries listed in the labels’ complaint are not within the court’s power to bind. What the complaint asks for is also far broader than the law allows. By asking all of those intermediaries to block all “websites through which Defendants infringe Plaintiffs’ copyrights,” without specifying the URLs, the labels are seeking to conscript all of these companies as investigators who must chase down the defendants and block every website they use, under any name. Neither copyright nor trademark law allows courts to put this burden on Internet intermediaries, and for good reason: it’s prohibitively expensive for many, it inevitably leads to blocking of lawful speech, and it gives a big advantage to established players. Finally, and perhaps worst of all, the record labels want to ban “any applications” that might “interoperate” with youtube-mp3.org and any other websites owned by the defendants. That would seem to require every Web browser, mobile app, and Internet-connected device to block an ever-changing list of websites. Left unchecked, these kinds of orders could become a mechanism whereby the content industry gets veto power over online innovation.

Also, according to the lawsuit, which was filed in California, the site is owned by a guy in Germany, Philip Matesanz. An RIAA press release notes that the IFPI has also indicated it's going to file a similar case in the UK.
Considering that there's a decently high chance that the guy in Germany won't bother responding to a lawsuit halfway around the world, the RIAA and its labels may simply be hoping for a default judgment, which they can then use to force all those third parties into blocking a website, despite a lack of a full trial over the issues with the case. And, oh boy, does this lawsuit have serious issues. On a conceptual level, how is what this site is doing really all that different from a VCR in recording a TV show? In this case, it's just recording an audio file from a video file. And such recordings for personal time shifting uses are considered fair use and not infringing. It's also quite a useful tool for other fair use activities too — we've used a similar site to grab audio quotes from videos for discussion in our podcast. The "stream ripping" site is just a tool for making such fair use recordings, meaning it has substantial non-infringing uses. So why do the RIAA and these labels insist that it's infringing? The lawsuit notes that this service likely violates YouTube's terms of service, but YouTube/Google are not the plaintiff. They're not the ones arguing over the terms of service being violated (in fact, you could argue that Google is a target of the lawsuit via the third party injunction attempts discussed above). Part of the lawsuit alleges that YTMP3 violates the DMCA by "circumventing" YouTube's "technological measures" designed to block access to the actual video file, but it's not clear how this kind of thing is really a technological protection measure under the DMCA. All it does is obscure the full URL, but still make it accessible. Is it really circumvention to figure out how to get to a publicly accessible URL? 
That seems like a big leap by the RIAA:

Plaintiffs are informed and believe, and on that basis allege as follows: YouTube has adopted and implemented technological measures to control access to content maintained on its site and to prevent or inhibit downloading, copying, or illicit distribution of that content. YouTube maintains two separate URLs for any given video file: one URL, which is visible to the user, is for the webpage where the video playback occurs, and one URL, which is not visible to the user, is for the video file itself. The second URL is generated using a complex (and periodically changing) algorithm – known as a “rolling cipher” – that is intended to inhibit direct access to the underlying YouTube video files, thereby preventing or inhibiting the downloading, copying, or distribution of the video files.

That second URL is not "protected" in any real way. It's a publicly accessible URL -- it's just that YouTube doesn't make it easy to find. So does that really count as circumvention? That seems like a big question here as well. Either way, as noted above, these important questions may not get answered if YTMP3 simply decides to ignore the lawsuit -- and the RIAA may very well be counting on that. It really does seem like the labels deliberately picked a site that is likely not interested in defending this lawsuit, no matter how questionable, allowing it to really go after a ton of third-party sites and services, as if SOPA were the law.

posted about 11 hours ago on techdirt
We've been talking about how the latest front in the battle for better broadband competition is the boring old utility pole. So-called "one touch make ready" proposals use an insured, third-party contractor agreed to by all ISPs to move any ISP's gear during fiber installs (often a matter of inches). But again, because this would speed up Google Fiber's time to market, incumbent ISPs like Comcast, AT&T, Frontier and Time Warner Cable have all been fighting these reform efforts. Excuses provided by the ISPs range from claims that such reform violates their Constitutional rights, to unsubstantiated claims that such a policy would result in massive new internet service outages. AT&T has taken things one step further, and has been suing cities like Louisville for passing such reform laws. After the city council voted to approve similar reform last week in Nashville, AT&T has now filed suit against the city of Nashville (pdf), alleging city overreach and seeking immediate injunctive relief. The complaint trots out all of AT&T's greatest hits for opposing the streamlined pole attachment rules, including claims that it allows random troublemakers to "seize" AT&T's property:

"The Ordinance thus purports to permit a third party (the Attacher) to temporarily seize AT&T’s property, and to alter or relocate AT&T’s property, without AT&T’s consent and with little notice. AT&T would be deprived of an adequate opportunity to assess the potential for network disruption caused by the alteration or relocation, and to specify and oversee the work on AT&T’s own facilities to ensure any potential for harm to its network, including harm to the continuity and quality of service to its customers, is minimized."

Except that's not true. Most implementations of "one touch make ready" give ISPs ample warning of impending work.
Meanwhile, Google Fiber currently needs to wait for incumbent ISPs to prepare the poles for attachment -- a process that can take as long as 9 months if the incumbent ISP has an incentive to stall the process (worse if Google Fiber has to wait for multiple ISPs working in concert). Google Fiber documented in a recent blog post that this has been a real problem in Nashville, where just 33 of the approximately 44,000 poles in the city have been prepared for Google Fiber work. From Texas to California, AT&T has been accused for years of using its control over city utility poles as yet another avenue to discourage broadband competition. And the telco is surely furious somebody is finally doing something about it in Tennessee, a state whose legislature is so eager to protect AT&T's monopoly it effectively lets the telco write awful state law. Hell, Nashville's city council last week even had the gall to shoot down a Comcast and AT&T written proposal that would have bogged Google Fiber down in committee for months. Of course these incumbent ISPs know they can't win. Pole attachment reform is generally supported by communities, many tech associations and government alike, all collectively tired of AT&T's stranglehold over the status quo. But the goal isn't to stop deployment but to slow it down, giving incumbent ISPs more time to not only lock down existing customers into long-term contracts, but to fuel ongoing rumors that Google Fiber is out of its depth.

posted about 14 hours ago on techdirt
Whistleblower protections offered by the federal government are great in theory. In practice, they're a mess. This administration has prosecuted more whistleblowers than all previous administrations combined. The proper channels for reporting concerns are designed to deter complaints. Those that do use the proper channels are frequently exposed by those handling the complaints, leading to retaliatory actions that built-in protections don't offer an adequate remedy for. Perhaps the ultimate insult is that the proper channels lead directly to two committees that have -- for the most part -- staunchly defended agencies like the NSA against criticism and any legislative attempts to scale back domestic surveillance programs. The House and Senate Intelligence Committees are the "proper channels," whose offered protections can only be seen as the hollowest of promises, especially after the House Intelligence Committee's lie-packed response to calls for Snowden's pardon. What the federal government offers to whistleblowers is a damned if you do/don't proposition. Bypass the proper channels and brace yourself for prosecution. Stay within the defined lanes and expect nothing to change -- except maybe your security clearance, pay grade, or chances of advancement within the government.

Congress doesn’t have much legal power to protect intelligence community employees from such retaliation. The Pentagon’s inspector general website concedes Congress cannot “grant special statutory protection for intelligence community employees from reprisal for whistleblowing.” In most cases of personal or professional retaliation, it ends up being the whistleblower’s problem, says Tom Devine, the legal director for the Government Accountability Project. “The problem is that whistleblowers making most complaints proceed at their own risk,” he said in an interview. “There are no independent due process protections for any intelligence community whistleblowers. And contractors don’t even have the right to an independent investigation unless there’s security clearance retaliation.”

The limited evidence that has surfaced about using the "proper" whistleblower channels suggests the protections granted by the government are mostly meaningless. The intelligence committees won't comment on the treatment of government employees who have approached them to blow the whistle. Government contractors working within the intelligence community are even more tight-lipped, suggesting even civilians are on their own when attached to government programs or projects. The few reports that have made it out into the open indicate it's almost impossible for a whistleblower to prove any actions taken against them post-whistleblowing are actually retaliatory. An Inspector General's investigation of a whistleblower's retaliation complaints determined that anything that had happened to the whistleblower could not be conclusively linked to the Defense Department employee's whistleblowing. All that can be determined is that dozens of whistleblower complaints do make their way to the intelligence committees every year. But even this is based on the assertions of the House Intelligence Committee, which refused to provide any further details. The outcome of the whistleblowing remains under wraps and there are no publicly-released statistics that total the number of complaints, much less which percentage of complaints are found substantial and investigated further. Government employees and contractors are just expected to trust the federal government which, given its response to whistleblowers over the past two decades, isn't going to nudge edge cases away from bypassing the laughable "protections" and proceeding directly to journalists willing to actually protect their sources.

posted about 18 hours ago on techdirt
One of the most extraordinary government surveillance projects in the world is being rolled out in Kuwait, and involves creating a mandatory DNA database of all citizens and visitors. An article in New Scientist confirms that the system is now under construction:

The government has already begun to enact the law, collecting samples from people they suspect of having falsely claimed Kuwaiti nationality, as well as members of the police and military. From November, all Kuwaitis wishing to renew passports will have to submit DNA samples, while the country's embassies around the world have been told to notify potential visitors that they will be required to give a DNA sample upon arrival in the country.

The good news is that a bunch of public-spirited Kuwaiti lawyers are fighting back:

When the law was passed in July last year, Adel AbdulHadi of the Kuwaiti law firm Adel AbdulHadi & Partners and his colleagues began researching and drafting their challenge to it. Their principal argument is that the law violates privacy and human rights provisions in the country's own constitution, as well as those enshrined in international treaties to which Kuwait is a signatory.

To their credit, the lawyers are funding the challenge themselves, as they feel so strongly that the law should be struck down. As the article points out, collecting DNA is hardly likely to be a very effective way of deterring would-be terrorists from entering the country. Equally, finding someone's DNA at the site of a terrorist explosion tells you little: by their very nature, such attacks cause tissues from bombers and victims alike to be scattered widely, making forensic DNA analysis difficult. On the other hand, there is considerable scope for abuse: DNA samples could be used for other purposes, such as identifying illegal immigrants, or determining paternity in a country where adultery is a punishable offence.
The New Scientist article offers no views on how likely it is that the legal challenge will succeed. We can only hope that it does, because once such a system is successfully implemented in one country, others are sure to see it as an example that they can follow. Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

posted 1 day ago on techdirt
It should be quite clear by now that DRM is a fantastic way for video game makers to keep people from playing their games. Not pirates, though. No, those folks can play games with DRM just fine, because DRM doesn't actually keep piracy from being a thing. No, I'm talking about legitimate buyers of games, who in example after example after example suddenly find that the games they bought are unplayable thanks to DRM tools that work about as well as the American political system. And yet DRM still exists for some reason, as game makers look for some kind of holy grail piece of software that will turn every past pirate into a future dollar sign. This search for the perfect DRM continues, as we have just the latest story of DRM gone wrong. This story of the Street Fighter V DRM, though, is a special kind of stupid because it was put in place via a software update release, meaning that a game that worked perfectly one day was bricked the next.

The doodad was announced on Thursday shortly before the update rolled out. Capcom called it “an updated anti-crack solution (note: not DRM) that prevents certain users from hacking the executable.” They continued, “The solution also prevents memory address hack that are commonly used for cheating and illicitly obtaining in-game currency and other entitlements that haven’t been purchased yet.”

This DRM that Capcom insisted wasn't DRM apparently set off anti-virus software for a ton of legitimate customers, triggered warnings from Windows security software, caused PC crashes for others, and even killed one person's new puppy. Okay, that last one didn't actually happen, but the rest did, and it's the exact sort of thing that DRM shouldn't do: screw those who actually bought the game. On top of that, it seems the update gave the game a rather deep level of access into any PC it was installed on, leading some to warn others off from buying it entirely.
As a result of the backlash, Capcom rolled back the DRM via another update pretty quickly, but one has to wonder just how many potential customers were lost in the meantime and how that number compares with the number of potential pirates that were turned into paying customers during that same time period. It would take more imagination than I have to dream up a version of reality in which the latter outnumbered the former, making this attempt at DRM a complete bust. But, then again, they're all busts, really. So why are we wasting our time with DRM still?

posted 1 day ago on techdirt
While we still wait to see if Kim Dotcom can be taken against his will from another country into the US for "copyright infringement" claims, apparently the DOJ has also decided that it can work the other way. The Justice Department's Board of Immigration Appeals has said that people can be deported for copyright infringement. Apparently the law (the Immigration and Nationality Act) says that non-citizens can be deported if they commit crimes "involving moral turpitude," but the board had never weighed in on whether or not copyright infringement counted. But now it has:

On Friday, leaning heavily on precedent that previously declared criminal trademark infringement a CMT, the board said criminal copyright violations “must also be a crime involving moral turpitude.” “Like the use of a spurious trademark ... respondent’s copyright infringement also involves significant societal harm,” BIA member Hugh Mullane wrote in Friday’s ruling. “Congress has made clear that copyright infringement enforcement is an important priority and that the risks and costs associated with intellectual property crime are significant.”

To be fair, this was a case of criminal copyright infringement, and not civil copyright infringement -- and the board noted that because criminal copyright infringement requires the showing of "willfulness," it suffices for the "moral turpitude" question. The person in question, Raul Zaragoza-Vaquero, had been arrested for selling 800 copied CDs to an RIAA investigator. He received 33 months in prison and had to pay $36,000... and was then told he had to leave the country. The fact that it's only for criminal copyright infringement is certainly better than it being for any copyright infringement, but we've seen some bizarre attempts to turn what clearly should be civil copyright infringement cases into criminal ones (the Kim Dotcom case being but one example).

posted 1 day ago on techdirt
Data breaches that expose passwords are pretty much a fact of life at this point -- and the effects are multiplied by the fact that many, many people reuse passwords no matter how much they know they shouldn't. As such, there's a big push to move to password managers, two-factor authentication, and even biometrics -- because the simple fact is that the password sucks. This week, we're discussing what, if anything, will succeed in replacing it. Follow the Techdirt Podcast on Soundcloud, subscribe via iTunes, or grab the RSS feed. You can also keep up with all the latest episodes right here on Techdirt.

posted 1 day ago on techdirt
Last chance to get Vote2016() T-shirts, hoodies & stickers!

Did you come out of last night's debate feeling thrilled about your choices for president? No? What a surprise. Though there are fans on both sides declaring victory, most of the thinking/awake public saw what we expected: an intolerable buffoon babbling on one side, and the resultant lack of scrutiny for the hard-to-like career politician making worrying statements on the other. Perhaps nowhere was this clearer than on an issue of importance here at Techdirt: would you prefer Trump's directionless ramblings about "the cyber", or Clinton's coherent but terrifying overtures of war with Russia? Take your pick, America. And when you do, we've got a shirt for you. There's less than a week left to order your Vote2016() gear. The campaign ends on Oct. 3rd so you can get it just in time for election day — and then it's gone for good! And don't forget to check out our new Math Is Not A Crime shirt, and other designs available for the last time this year in our super-early holiday gear sale.

posted 1 day ago on techdirt
There's just something about adding the word "cyber" to "crime" that brings out the worst in legislators. A host of badly-written laws have been crafted to address everything from cyberbullying to hacking. These tend to be abused first by those in positions of power. Nigeria's government recently enacted a cybercrime law which is, of course, being wielded by thin-skinned government officials to silence critics. The cyberstalking provision is the preferred attack vector, placing those targeted by unhappy government leaders at risk of being hit with a $22,000 fine and three years in prison.

Last month, the law was cited in the August 20 arrest of Musa Babale Azare who was detained in the capital, Abuja, by police from Bauchi state. He was accused of allegedly criticising the state governor, Muhammad Abdullah Abubakar, on social media, according to news reports. Azare, who uses Facebook and Twitter as platforms to criticize the actions and policies of Abubakar and his administration, said he was denied access to his lawyer, and that police did not have authority to arrest him outside Bauchi state jurisdiction.

Azare wasn't the only one hauled away by police for daring to publicly criticize officials -- although his trip (280 miles) was arguably the longest. (Azare was taken from Abuja back to Bauchi to be questioned.) Politicians could barely wait for the ink on the signatures to dry before deploying the law against citizens who had raised their ire.

CPJ found that at least three other bloggers were prosecuted under the cybercrime act in the space of four months last year after they reported or commented on critical reports. One "suspect" was refused release until he could come up with a 3 million naira ($9500) bail. Another writer -- a member of a national blogger's guild -- was denied bail three times and held for two weeks before charges were dropped. The third was denied bail and jailed for six months, with four of those spent in maximum security.
All three of the cases CPJ uncovered occurred within five months of the cybercrime law's passage, which seems to suggest it was crafted with the intent of curbing critical speech, rather than criminal activity. The irony of this is that the freedom of expression and freedom of the press are both enshrined in the Nigerian Constitution. Laws can't be made that directly abridge those freedoms, but government officials seem to have crafted themselves a handy loophole that allows them to bypass citizens' constitutional protections.

posted 1 day ago on techdirt
Smile, constituents: this man may become president.

Look at the mess that we're in. Look at the mess that we're in. As far as the cyber, I agree to parts of what secretary Clinton said, we should be better than anybody else, and perhaps we're not. I don't know if we know it was Russia who broke into the DNC. She's saying Russia, Russia, Russia. Maybe it was. It could also be China, it could be someone sitting on their bed that weighs 400 pounds...

Look, anyone who refers to cybersecurity or cyberwarfare as "the cyber" is probably better off not discussing this. But Donald Trump, in last night's debate, felt compelled to further prove why he's in no position to be offering guidance on technological issues. And anyone who feels compelled to portray hackers as 400-lb bedroom dwellers probably shouldn't be opening their mouth in public at all. With this mindset, discussions about what "the Google" and "the Facebook" are doing about trimming back ISIS's social media presence can't be far behind. Trump did note that ISIS is "beating us at our game" when it comes to utilizing social media. Fair enough. But Trump's cybersecurity "plan" isn't actually a plan. What there is of it has to be compiled from a string of random, semi-related sentences. Apparently, the next cyberwar will pit tweens against 400-lb Russians...

I have a son. He's 10 years old. He has computers. He is so good with these computers, it's unbelievable. The security aspect of cyber is very, very tough. And maybe it's hardly do-able. But I will say, we are not doing the job we should be doing, but that's true throughout our whole governmental society. We have so many things that we have to do better, Lester and certainly cyber is one of them.

The problem isn't so much that Trump plainly has no idea what he's talking about or even the coherency to bluff his way through it. No one expects presidential candidates to be experts on every possible issue that might come up.
But this has been the government's primary focus in recent years, and multiple high-profile hackings have only intensified that. The problem is that Trump clearly has no interest in discussing these issues with those who can offer coherent, possibly-useful cybersecurity strategies. The more he speaks, the more he exposes his ignorance. Ignorance isn't unfixable. But Trump has done nothing over the past several months to close these (often significant) gaps in his knowledge. That's the scariest aspect of his presidential run -- the unwillingness to handle the boring but essential work of creating a platform composed of something more than half-formed thoughts and severely misguided jingoism that blames the rest of the world for somehow making America a worse country. The mitigating factors are these: Hillary Clinton's response may have been more coherent, but it suggests we should probably engage in more actual war than cyberwar to handle ISIS -- something that's gone oh so well for the past couple of decades. And she was ready to declare cyberwar on Russia after the DNC hacking, an idea that's not only stupid (seeing as the entity behind the hacking is still unknown) but an indication she'd be willing to wield government power to avenge embarrassment. Trump's power in office is likely to be far less than he obviously envisions it. Trump may be a rather extreme form of populist, but those popular votes will be about as useful as Facebook likes when it comes to attempts to push his agenda past far more level-headed advisors and legislators. Either way, voters are faced with choosing between the devil they sort of know and the devil other devils have been distancing themselves from for several weeks. In both cases, we're going to end up with a president who doesn't have the technical knowledge to deal with today's realities.

posted 1 day ago on techdirt
Stop fumbling around your office for open outlets, and grab the $36 Avantree PowerHouse 4 Port Fast USB Charging Station. Avantree provides 4 USB charging sockets and a whopping 4.5A/22.5W output for a super fast charge for all of your devices. It comes with a handy velcro system to manage and hide cables, 2 micro USB charging cables, and is compatible with all iOS and Android devices. It is available in black or white. Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

posted 1 day ago on techdirt
Last week, an absolutely mammoth distributed denial of service (DDoS) attack brought down the website of security researcher Brian Krebs. His website, hosted by Akamai pro bono, was pulled offline after it was inundated with 620Gbps of malicious traffic, nearly double the size of the biggest attack Akamai (which tracks such things via their quarterly state of the internet report) has ever recorded. Krebs was ultimately able to get his website back online after Google stepped in to provide DDoS mitigation through its Project Shield service. Krebs believes the attack came after he began digging more deeply into various gangs that deliver DDoS attacks on-demand. And according to Krebs, this time they had the help of the hysterically piss poor security of the internet of things (IoT) industry:

"There are some indications that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords."

So not only are "smart" refrigerators, TVs, tea kettles and power outlets leaking your unencrypted data to any nitwit with a modicum of technical knowledge, they're being utilized to amplify existing attacks on security researchers who are actually trying to make things better. The attack comes directly on the heels of Bruce Schneier warning us the check is about to come due -- after IoT companies and evangelists that prioritized hype and sales over security fundamentals helped introduce millions of new network attack vectors into the wild over the last five years or so.
In a recent blog post, Schneier also noted that these larger DDoS attacks come as multiple groups and individuals (likely nation state sponsored hackers) have begun probing for vulnerabilities on an unprecedented scale:"Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure."And they're finding, as many have warned, millions of poorly secured Internet of Things "smart" devices with stupid default passwords -- or in many instances no security at all. In most instances the buyers of these products are utterly clueless of their participation in these botnets, and very frequently these devices don't give the end user transparent end control over what's being sent over the network anyway. In a follow-up blog post by Krebs, he makes it clear that in addition to being immensely dangerous (potentially fatal if the right systems are targeted), these larger scale DDoS attacks propped up by the IoT should also be seen as a growing assault on free speech. After all, few independent journalists would be able to afford the kind of DDoS mitigation technologies necessary to truly stop these new, larger attacks:"In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. 
One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.For a country that likes to talk a lot about cybersecurity (mostly to justify awful government policy like backdoors that make us less secure than ever), the United States isn't doing all that much to mitigate the looming threat. Much like Schneier, Krebs calls for a more coordinated effort by industry and government to wake up and begin greater institutional-grade collaborative efforts to shore up our collective security before things spiral out of control:"I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections."And it probably goes without saying that this threat looms as we ponder electing two of the least technically sophisticated Presidential candidates in recent memory. These are two researchers who aren't prone to hyperbole, so it seems like we might just want to take their advice before the Internet of Things devolves from a running gag into a potentially fatal shitshow.Permalink | Comments | Email This Story
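The profile Schneier describes (ramp up, stop, resume the next time at the higher level) is something an operator can test for in its own traffic samples. The following is an added example, not code from Krebs, Schneier or Akamai; the hourly Gbps readings are constructed and the 15% "resume" tolerance is an assumed tuning value.

```python
"""Flag the 'ramp up, stop, resume higher next time' DDoS profile in traffic samples.

Added example, not code from Krebs, Schneier or Akamai. The hourly readings are
constructed, and the 15% resume tolerance is an assumed tuning value.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class Episode:
    start_idx: int            # position of the first sample above threshold
    rates: Tuple[float, ...]  # the samples that make up the episode

    @property
    def first(self) -> float:
        return self.rates[0]

    @property
    def peak(self) -> float:
        return max(self.rates)

    @property
    def hours(self) -> int:
        return len(self.rates)


def find_episodes(samples: Sequence[float], threshold: float) -> List[Episode]:
    """Split a rate series (e.g. Gbps per hour) into contiguous runs above `threshold`."""
    episodes: List[Episode] = []
    run_start = None
    # A sentinel below any threshold closes a run that ends at the last sample.
    for i, rate in enumerate(list(samples) + [float("-inf")]):
        if rate > threshold and run_start is None:
            run_start = i
        elif rate <= threshold and run_start is not None:
            episodes.append(Episode(run_start, tuple(samples[run_start:i])))
            run_start = None
    return episodes


def is_ramp(rates: Sequence[float]) -> bool:
    """True when the rate never drops within the episode, i.e. it only climbs."""
    return all(b >= a for a, b in zip(rates, rates[1:]))


def looks_like_probing(samples: Sequence[float], threshold: float,
                       resume_tolerance: float = 0.15) -> bool:
    """True when successive episodes each ramp, each peaks higher than the last,
    and each starts near where the previous one stopped, as if mapping the
    point of failure rather than simply flooding."""
    episodes = find_episodes(samples, threshold)
    if len(episodes) < 2 or not all(is_ramp(e.rates) for e in episodes):
        return False
    for prev, cur in zip(episodes, episodes[1:]):
        if cur.peak <= prev.peak:
            return False                      # not escalating
        if abs(cur.first - prev.peak) > resume_tolerance * prev.peak:
            return False                      # restarted low instead of resuming
    return True


# Constructed hourly Gbps readings against a 4 Gbps quiet baseline.
QUIET = [4.0] * 3
PROBE_SERIES = (QUIET + [50.0, 100.0, 150.0, 200.0, 250.0]     # week 1: ramp, then stop
                + QUIET + [250.0, 300.0, 350.0, 400.0]          # week 2: resume at 250, climb
                + QUIET + [400.0, 450.0, 500.0, 550.0, 620.0]   # week 3: resume at 400
                + QUIET)
# Same flat flood twice: big, but not escalating and not a ramp.
FLOOD_SERIES = QUIET + [300.0] * 4 + QUIET + [300.0] * 4 + QUIET
# Climbs each time but restarts from the bottom: not the resume-higher profile.
RESTART_SERIES = QUIET + [50.0, 100.0, 150.0] + QUIET + [50.0, 100.0, 200.0] + QUIET


if __name__ == "__main__":
    for name, series in (("probe", PROBE_SERIES), ("flood", FLOOD_SERIES),
                         ("restart", RESTART_SERIES)):
        eps = find_episodes(series, 10.0)
        print(name, [(e.first, e.peak, e.hours) for e in eps],
              "probing" if looks_like_probing(series, 10.0) else "not probing")
```

In practice the threshold would come from a baseline percentile of the operator's own traffic rather than the constructed 10 Gbps used here.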

posted 1 day ago on techdirt
A couple of weeks ago, Techdirt ran through the catalog of horrors that make up the EU's new Copyright Directive proposals, pointing out that they would be a general disaster in their current form. Of course, the misery would not be evenly spread: some would suffer more, some less. Indeed, an earlier open letter to the European Commission from a bunch of tech companies (including Techdirt), published on the Don't Wreck the Net site, pointed out one group who wouldn't have too much of a problem with the changes:

The largest companies have the resources and staff to deal with increased regulations and burdens. Startups do not.

That is, the big online companies can weather more or less anything: it's the smaller ones -- particularly startups -- that will have difficulties. That warning was issued before the details were known, and now Joe McNamee from the European digital rights group EDRi has penned a very similar analysis based on the newly-published plans:

There is a lot of noise in the press and among lobbyists about an alleged hostility of the EU towards big American internet companies. Reality is more nuanced and more surprising -- the policies appear to be hell-bent on giving Google new monopolies, to the detriment of European citizens and European internet companies. The most astonishing of these policies is the proposal in the new Copyright Directive for mass, preventive filtering of information as it is being uploaded to the internet in Europe -- a policy so restrictive and absurd that even China or Russia would baulk at the notion. An anti-Google measure? Hardly. Google actively lobbied the Vice-President of the European Commission about the alleged virtues of its content identification system ("contentID"), even if they hadn’t expected the Great Firewall of Europe to be the result.

Even if the Copyright Directive manages to pass through the EU legislative system without any changes -- which seems unlikely -- Google would be in a strong position, because it already has the content ID technology in place that will allow it to comply. Although McNamee suggests that as a result Google would be "uniquely placed to license such software to European internet providers," it's more likely that it would keep it for its own exclusive use. However, the US company Audible Magic would doubtless be more than happy to license its widely-used content identification system as an alternative. And irrespective of whether it's based on technology from Google or from Audible Magic, it's hard to see how this outcome helps the European tech industry. Moreover, McNamee is certainly right about the likely outcome of bringing in an insane "ancillary copyright" in the EU, which would require Internet companies to pay a fee to use news snippets:

In Germany, where this policy has already been adopted, Google has the economic muscle to simply refuse to pay and suddenly it is not Google, but the publishers, who have a problem. Publishers put their content online in order for people to view it and to make money from advertising that is on their sites. They need Google News more than Google News needs them. So, the outcome is that everybody pays except Google. The Spanish government came up with a cunning plan: they passed a similar law to the one in Germany, but required Google News to pay. Result: Google News Spain shut down, to the detriment of smaller Spanish news outlets in particular and, again, everyone except Google loses.

The rest of the EDRi post points out other fundamental flaws in the proposed EU Copyright Directive. But the key point is that far from stimulating the European digital economy, the EU's deeply-flawed plans are likely to boost the power and the profits of the largest US Internet companies. That may be good news for them and their shareholders, but it isn't really the European Commission's job.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

posted 1 day ago on techdirt
Back in 2011, Verizon and AT&T eliminated unlimited wireless data plans, instead pushing users toward shared data allotments and overage fees as high as $15 per gigabyte. And while the companies did "grandfather" many of these unlimited users at the time, both companies have made an art form out of harassing or otherwise annoying these customers until they convert to costlier shared plans. And despite the fact that such overage-fee-based plans confuse the living hell out of most customers (who have no idea what a gigabyte is), both companies continue to insist that customers don't actually want unlimited data. Speaking at an investor conference last week, Verizon CFO Fran Shammo once again declared that Verizon knows what consumers want, and it isn't unlimited data:

"At the end of the day, people don't need unlimited plans," Verizon Chief Financial Officer Fran Shammo said at an investor conference Thursday.

And despite the fact that plenty of companies (like T-Mobile) have seen explosive growth of late selling unlimited data plans, Shammo proclaimed making money off of unlimited just isn't possible:

T-Mobile and Sprint have introduced cheaper unlimited data plans -- in exchange for slowing the connection for lower-resolution video -- and AT&T has been trumpeting its own unlimited data bundle with DirecTV video service. The push to unlimited data marks a reversal of the last few years of rhetoric about the costs of delivering service. For Verizon, that remains the biggest argument against unlimited. "You cannot make money on an unlimited video world," he said.

Of course what Shammo means is that Verizon won't see the same generous profit margins it's currently seeing if it were to actually give consumers what they want. Verizon saw $8.0 billion in profit on $21.7 billion in second-quarter revenues in large part thanks to shared data plans (though Verizon Wireless' earnings were perfectly healthy under unlimited data plans as well).

Since most users don't know what a gigabyte even is, they tend to sign up for bigger plans than they actually need for fear of hitting the overage wall. Those fears pay huge dividends for the mobile carrier, whose wireless plans are constructed like a giant funnel that constantly pushes users to more and more expensive levels of service once in the door. Verizon for years has justified some of the highest rates in the industry as reflective of the overall quality of its wireless network. But as competitors like T-Mobile begin to catch up, Verizon's running out of marketing ideas to justify its service's higher price point. Enter last week, when Verizon responded to new unlimited data promotions from Sprint and T-Mobile with new ads proclaiming that the company doesn't sell unlimited data, it sells "limitless data." When asked how you can call a gigabyte-capped shared data plan limitless, Verizon PR trots out its very finest dancing shoes:

"Limitless refers to how you can use your data and unlimited refers to the amount of data," said Kelly Crummey, director of corporate communications at Verizon... Our competitors claim they offer ‘unlimited plans’ but if you really look at them, they are full of limits on how you use your data with thinks (sic) like SD (not HD) and automatically slowing down your speeds. The way our plans are structured, you can use your data however you want – there are no limits.

Well, no limits except the very clear limits. Apparently, Verizon thinks that you compete by telling customers what they want while abusing the hell out of the dictionary. It should be interesting to see how that tactic plays out as T-Mobile continues to erode Verizon's wireless market share.

posted 1 day ago on techdirt
Judges have pointed out to copyright trolls on multiple occasions that an IP address is not a person. Trolls still labor under this convenient misconception because they have little else in the way of "proof" of someone's alleged infringement. Unfortunately, law enforcement agencies also seem to feel an IP address is a person -- or at least a good indicator of where this person might be found. This assumption leads to blunders like ICE raiding a Tor exit node because it thought an IP address was some sort of unique identifier. After having IP addresses explained to it by the EFF, ICE returned the seized hard drives and promised to make the same mistake in the future. In another case, the Seattle PD raided a Tor exit node in search of a person downloading child porn. It didn't find the target it was looking for, but went ahead and demanded passwords so it could search files and logs at the unfortunate citizen's home before realizing it had the wrong person.

The EFF is kind of sick of having to explain the difference between an IP address and a person to government entities. It has put together a white paper [PDF] that should be required reading anywhere government employees feel compelled to act on "evidence" as useless as IP addresses.

Law enforcement’s over-reliance on the technology is a product of police and courts not understanding the limitations of both IP addresses and the tools used to link the IP address with a person or a physical location. And the police too often compound that problem by relying on metaphors in warrant applications that liken IP addresses to physical addresses or license plates, signaling far more confidence in the information than it merits. [...] These ill-informed raids jeopardize public safety and violate individuals’ privacy rights. They also waste police time and resources chasing people who are innocent of the crimes being investigated.

By acting on this bogus assumption, law enforcement agencies are wasting time and money. Plus, they're putting themselves in situations where innocent people could be killed over technical errors, seeing as warrant service these days usually involves militarized squads that value shock and awe tactics over minimizing collateral damage.

The white paper points out what should be obvious to anyone who considers themselves capable of solving "computer crimes": an IP address is not only not a person, it's not even a physical location.

First, the technology was never designed to uniquely identify an exact physical location, only an electronic destination on the Internet. [...] At a local level, similar IP addresses may be assigned based on geography, albeit only indirectly. ISPs make decisions to allocate blocks of IP addresses to particular locations for a variety of reasons, with the goal of creating a network that efficiently delivers Internet traffic. The result may be that locations near each other feature similar IP addresses, but that is more often the product of where the provider has physical links and routers to a network than geography. For example, if an ISP has a fiber-optic link between two distant cities, the IP addresses assigned to those cities may be similar because it creates a more efficient network. A third city near one of those towns geographically may not share the same connection and it would thus likely have completely different IP addresses assigned to it. In addition, IP addresses only identify the block of devices assigned to it, not the people utilizing them.

Even in cases where there's only one resident at a physical address linked to an IP address, there's still a chance law enforcement may be going after the wrong person. As the paper explains, the pool of IPv4 addresses has been used up. In areas where users haven't been moved to IPv6 addresses, IP addresses may be shared by more than one user (at more than one physical address) or reassigned to other users by service providers based on need and usage. As the paper states, IP addresses, unlike physical addresses, are not static.

The paper also points out that the use of bad analogies by law enforcement and courts has only made the misconceptions worse.

Law enforcement agencies sometimes claim that IP addresses are every bit as unique as license plates. The metaphor fails because IP addresses can be shared or redistributed at private companies' discretion, unlike license plates, which are government-issued and must remain tied to a registrant.

In short, the best analogy for an IP address is an anonymous informant's tip -- something that's basically hearsay until otherwise confirmed.

In a line of Supreme Court cases dealing with reliability and corroboration problems that arise whenever third parties provide tips to law enforcement, the court has made clear that police must do more to confirm the tips provided by anonymous informants before seeking a warrant or other process…

The question is: will law enforcement care enough about potential collateral damage to educate themselves on the problems of treating IP addresses as people… or will they decide that a combination of forgiveness (good faith exception, etc.) and easily-obtained immunity is preferable to gathering corroborating evidence and acting more cautiously?
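The paper's point that an IP address only means something when tied to a lease record at an exact moment, and may be shared even then, can be made concrete. The following is an added example, not from the EFF paper or any ISP: it resolves an observed IP and timestamp against constructed lease records; the addresses, account IDs and the port-block layout of the shared (carrier-grade NAT) address are all assumed for illustration.

```python
"""Resolve 'who held this IP address at this moment?' against ISP lease records.

Added example; addresses, account IDs and the CGNAT port-block layout are
constructed for illustration and do not come from the EFF paper or any ISP.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (lease records are kept in UTC)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def local(year: int, month: int, day: int, hour: int, utc_offset_hours: int) -> datetime:
    """Build a timestamp in a fixed local offset, as a server log might record it."""
    return datetime(year, month, day, hour,
                    tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def naive(year: int, month: int, day: int, hour: int) -> datetime:
    """Build a timestamp with no timezone at all, the usual log-file mistake."""
    return datetime(year, month, day, hour)


@dataclass(frozen=True)
class Lease:
    public_ip: str
    account: str                       # a subscriber account, not a person
    start: datetime                    # inclusive
    end: datetime                      # exclusive
    ports: Optional[Tuple[int, int]]   # CGNAT source-port block, None if unshared


# Constructed lease log. 203.0.113.0/24 is a documentation range (RFC 5737).
LEASES: List[Lease] = [
    # The same public address is handed to a different account two days later.
    Lease("203.0.113.7", "ACCT-1001", utc(2016, 9, 20), utc(2016, 9, 22, 8), None),
    Lease("203.0.113.7", "ACCT-2042", utc(2016, 9, 22, 8), utc(2016, 9, 25), None),
    # Carrier-grade NAT: one public address shared by three accounts at once,
    # distinguishable only by the source-port block each was given.
    Lease("203.0.113.9", "ACCT-3301", utc(2016, 9, 1), utc(2016, 10, 1), (1024, 20000)),
    Lease("203.0.113.9", "ACCT-3302", utc(2016, 9, 1), utc(2016, 10, 1), (20001, 40000)),
    Lease("203.0.113.9", "ACCT-3303", utc(2016, 9, 1), utc(2016, 10, 1), (40001, 65535)),
]


def holders(ip: str, when: datetime, src_port: Optional[int] = None,
            leases: List[Lease] = LEASES) -> List[str]:
    """Return every account that could have been behind `ip` at `when`.

    An empty list means no record; more than one entry means the observation
    alone cannot single out an account, let alone a person.
    """
    if when.tzinfo is None:
        # A log time with no zone cannot be matched to a lease safely.
        raise ValueError("timestamp must carry a timezone")
    when = when.astimezone(timezone.utc)
    found = set()
    for lease in leases:
        if lease.public_ip != ip or not (lease.start <= when < lease.end):
            continue
        if lease.ports is not None and src_port is not None:
            low, high = lease.ports
            if not low <= src_port <= high:
                continue   # same address, but another subscriber's port block
        found.add(lease.account)
    return sorted(found)


def describe(accounts: List[str]) -> str:
    """Summarise what an IP observation does and does not establish."""
    if not accounts:
        return "no lease record: the address was not assigned to any account then"
    if len(accounts) == 1:
        return "one account, which still only narrows things to a shared connection"
    return f"{len(accounts)} accounts shared the address: attribution is ambiguous"


if __name__ == "__main__":
    # A 03:00 log entry read as UTC points at one account; read correctly as
    # UTC-5 (08:00 UTC) it points at the account that took over the lease.
    print(holders("203.0.113.7", utc(2016, 9, 22, 3)))
    print(holders("203.0.113.7", local(2016, 9, 22, 3, -5)))
    print(describe(holders("203.0.113.9", utc(2016, 9, 15, 10))))
    print(describe(holders("203.0.113.9", utc(2016, 9, 15, 10), src_port=25000)))
```

Without the source port and the exact zoned timestamp, the shared address resolves to three accounts and the reassigned one to the wrong account, which is exactly the corroboration gap the paper describes.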

posted 1 day ago on techdirt
As a lifelong Cubs fan with a resume that includes going to my first game at Wrigley when I was four months old and living in Wrigleyville for several years, I can at the very least claim some expertise on the culture around the team and the stadium. For those that have not been lucky enough to visit baseball's Mecca, the walk up to the park consists of bar-laden streets on either Addison or Clark, with the sidewalks spilling over with fans, bar-patrons, and street vendors. Those street vendors offer innumerable wares, including t-shirts, memorabilia, and food. It's part of the experience. An experience suddenly under fire by the team and Major League Baseball, which have jointly filed a federal lawsuit against some forty street vendors for trademark and counterfeit violations.

The Cubs and Major League Baseball filed a lawsuit in federal court Thursday against vendors hawking allegedly counterfeit and trademark-infringing merchandise. "Defendants are a group of vendors who are deliberately free riding on the success of the Cubs and trading — without a license or permission — on the substantial goodwill associated with the Cubs' trademarks and trade dress," the team and the league claimed in the lawsuit, alleging the vendors "flooded Wrigleyville and the Internet with all manner of unlicensed products."

They're not wrong, of course. These vendors are everywhere. As I said, it's part of the experience. And it got to be that way because it's gone on forever. That the team is suddenly taking this action on the eve of a playoff run is within its rights, certainly, but doesn't otherwise make a great deal of sense. Were this the problem the filing appears to claim it is, it should have been a problem during last year's playoff run, or in 2007 and 2008 when the team also made postseason appearances. While much is made in the Tribune post about how the internet has exacerbated this problem, the vendors targeted here sell solely on the street around the ballpark, something they have surely done for years now. The team must surely have considered the question of whether forty street vendors posed a true threat to its trademark rights and the insane merchandise revenue it collects from its own sales, and whether or not that threat was of greater importance than an ambiance and culture that has always been central to the team's commercial success. The Cubs clearly think the threat is real, but it's tough to see how that makes sense. Other avenues besides a federal lawsuit could have been pursued in order to protect the team's trademark rights, but the Cubs didn't go that route. Instead, street vendors will be brought into court, even as the team makes its run. The friendly confines feel a little less friendly all of a sudden.

posted 2 days ago on techdirt
Hopefully some good news will follow the bad news handed out by the California Appeals Court earlier this year. In a ruling that did some serious damage to Section 230 protections and the First Amendment, the court decided to enforce an injunction against Yelp for a defamatory review -- despite Yelp not being an actual party to the lawsuit. Dawn Hassell sued a former client over a defamatory review she allegedly posted on Yelp. The defendant, Ava Bird, never bothered to show up in court. Hassell secured a default judgment against Bird. All well and good, except for the fact that Hassell and the court brought Yelp into the equation, without ever giving the site a chance to respond to the proposed injunction.

This drive-by injunction opens the door for abuse by aggrieved parties. It allows plaintiffs to sue parties they're pretty sure won't show up in court, obtain default judgments, and use those judgments to force third parties to remove negative reviews, articles, etc. This eliminates any form of due process for third-party websites -- services that should be covered by Section 230 whether or not they voluntarily remove reviews. Yelp was never given a chance to respond to Hassell's allegations nor was it allowed to challenge the injunction she obtained. Why the Appeals Court failed to see the potential for abuse or the due process issues raised is unclear.

The good news is that the state's Supreme Court has agreed to review the decision. Eugene Volokh and a host of other free speech advocates and lawyers have filed a brief ahead of the Supreme Court's hearing, pointing out the host of negative consequences created by the lower court's misguided decision.

[T]he decision below offers plaintiffs a roadmap for violating these speakers’ rights. Say a business dislikes some comment in a newspaper’s online discussion section. The business can then sue the commenter, who might not have the money or expertise to fight the lawsuit. It can get a consent judgment (perhaps by threatening the commenter with the prospect of massive liability) or a default judgment. And it can then get a court to order the newspaper to delete the comment, even though the newspaper had no opportunity to challenge the claim, and may not have even heard about the claim until after the judgment was entered. This is directly analogous to what plaintiff Hassell did in this very case.

It's not as though shady reputation management outfits or thin-skinned entities need any encouragement to abuse the legal process to make criticism disappear. We've already seen abuse of both the DMCA process and the court system to push Google towards delisting reviews no court has actually found to be defamatory. The Appeals Court decision does nothing more than legitimize another shady tactic: suing someone who likely won't appear in court, but enforcing the judgment against a deeper-pocketed party who definitely would have made an appearance... if only they'd actually been named in the lawsuit.

The brief goes on to point out that orders like this -- predicated on arguments one party never had a chance to respond to -- are unconstitutional and cannot be enforced.

Yelp, Amazon, and other such sites cannot be ordered to remove an allegedly libelous post, without an opportunity to themselves dispute this restriction on their own speech rights. The Court of Appeal erred in treating Yelp as essentially lacking First Amendment rights here. See Pet. for Review 22 (copy of Court of Appeal opinion) (“Yelp’s factual position in this case is unlike that of the . . . appellants [in Marcus v. Search Warrants, 367 U.S. 717 (1961)], who personally engaged in protected speech activities by selling books, magazines and newspapers.”). A site such as Yelp or Amazon is, if anything, even more engaged in protected speech than a bookstore, and more like a magazine creator than just a magazine seller: It creates a coherent speech product—a Web page that aggregates readers’ comments—and distributes it to readers. That 47 U.S.C. § 230 immunizes Yelp from tort liability as a publisher for the material that it reproduces does not strip Yelp of its First Amendment rights as a creator and distributor of the speech aggregating the material.

It's almost unimaginable that this decision will be allowed to stand. It upends the legal process and creates a hostile environment for third-party content hosts in California. But it's impossible to claim this definitely will be overturned, what with the state's courts displaying an unfortunate amount of schizophrenia when handling Section 230-related cases. At stake here is the First Amendment, more than Section 230 protections, but both are definitely under attack. The Appeals Court has given plaintiffs a way to route around Section 230 and stifle speech hosted by services they'll never have to face off with in court.

posted 2 days ago on techdirt
Because an Ohio police department couldn't handle being (momentarily) mocked, it's now being sued by the man officers arrested after he created a spoof of the department's Facebook page. Earlier this year, Anthony Novak parodied the Parma (OH) Police Department's Facebook page, posting obviously fake announcements from the faux department like the following:

The Parma Civil Service Commission will conduct a written exam for basic Police Officer for the City of Parma to establish an eligibility list. The exam will be held on March 12, 2016. Applications are available February 14, 2016, through March 2, 2016. Parma is an equal opportunity employer but is strongly encouraging minorities to not apply. The test will consist of a 15 question multiple choice definition test followed by a hearing test. Should you pass you will be accepted as an officer of the Parma Police Department.

Other postings not quite as charming, but definitely as fake, included announcements of the PD's new roving abortion van, a "Pedophile Reform event," plans to arrest anyone caught outside between noon and 9 pm, and a ban on feeding the homeless to better serve the city's plan to eradicate the problem through starvation. Novak did copy the department's logo and the Facebook page did look similar… right up until readers read the posts, or noticed the fake department's motto: "We No Crime."

Rather than leave this in Facebook's hands (or just leave it alone altogether), the Parma police decided to greet the situation head on. It came up with a charge to use to go after Novak: use of a computer to "disrupt, interrupt or impair" police services. Then it went after him, mustering far more force than would seem to be necessary to handle a bogus Facebook page. Jacob Sullum of Reason recaps the stupidity.

Parma police...launched an investigation that involved at least seven officers, a subpoena and three search warrants, and a raid on Novak's apartment, during which the cops surprised his roommate on the toilet and seized two hard drives, a laptop, two tablets, two cellphones, and two video game systems. After his arrest on March 25, Novak spent four days in jail before he got out on bail, and then he had to report weekly to a probation officer if he wanted to keep his freedom.

The charge was obviously bogus. Statements made in defense of the PD's actions mainly focused on the derogatory nature of the posts. But very little was said about how a Facebook page that was up for less than two days and gathered only 300 followers made it more difficult for the police to continue serving the community. It would seem the diversion of seven officers to a stupid investigation with obvious Constitutional implications would be far more disruptive to public service. While the Parma police obviously found a judge willing to overlook their extremely questionable assertions when signing warrants, it had no similar luck when attempting to prosecute Novak.

Someone in the Cuyahoga County Prosecutor's Office evidently had second thoughts about the case, because Novak was offered a plea deal under which the felony charge would have been reduced to an unspecified misdemeanor. Novak turned the offer down, by that point eager to have his day in court. By the time his trial rolled around, prosecutors had settled on the theory that Novak's Facebook gag had disrupted police services by generating phone calls to the police department—a grand total of 10 in 12 hours. The jury did not buy it, and everyone who was involved in the case should have known better than to let it get that far.

The end result is a lawsuit [PDF], which will definitely impair the community's trust in the police department. Novak alleges First, Fourth and Fourteenth Amendment violations -- all stemming from the warrants issued to the PD which, if determined to be bogus, support his Fourth and Fourteenth claims. As for the First Amendment, Novak's parody page was protected speech and the Parma police had no business using their powers to shut it down, much less arrest the page's creator. As for the PD's supporting affidavits, they appear incredibly weak according to what's documented in the lawsuit. More was made of the content of the page being "derogatory" than of the supposed criminal activity Novak (obviously) didn't engage in: disruption of government services.

That being said, it will be tough to prevent immunity from being awarded to most, if not all, of the participants in this censorious travesty. Unless the Parma police have specific guidance or training that encourages them to trample all over citizens' First Amendment rights, it's unlikely the allegations will survive a motion to dismiss. Then again, the PD didn't just tread lightly on Novak's free speech -- it steamrolled him with a trumped-up felony charge, seizure of all of his devices, and four days in jail. The city may find it more expedient to settle this quickly than take the chance of Novak prevailing completely. The Parma PD should have limited itself to informing particularly stupid/gullible citizens that the parody page wasn't the real thing. Then it should have left it alone. Instead, it leveraged its power to avenge its hurt feelings, resulting in a tantrum that could prove to be very expensive.

posted 2 days ago on techdirt
It's generally agreed that the state of security for the Internet of Things runs from "abysmal" to "compromised during unboxing." The government -- despite no one asking it to -- is offering to help out… somehow. DHS Assistant Secretary for Cyber Policy Robert Silvers spoke at the Internet of Things forum, offering up a pile of words that indicates Silvers is pretty cool with the "cyber" part of his title... but not all that strong on the "policy" part. The industry, according to Silvers, is demanding that IoT security is tackled "from a DHS perspective," meaning a focus on public safety. And then he damned other government departments' efforts with faint praise.

"This is complex stuff, but it's not going to be regulatory or over prescriptive, it's not even going to be highly technical," he argued. "What we're going to be doing is drawing on the best approaches, pulling them together and elevating them to get the public's attention."

Shorter DHS: we're going to take what the private sector and other government agencies have accomplished, print it out on a few pages of DHS letterhead, and call it good. All Silvers is promising is the DHS's insertion into a crowded marketplace of vague ideas, many of them coming from other government agencies. Even better, Silvers claimed the DHS's intrusion into this overcrowded space won't be "regulatory." This statement arrived shortly before Silvers suggested regulation was on its way.

“We have a small and closing window of time to take decisive and effective action,” Silvers said, “the challenge of addressing IoT security is outweighed only by the greater challenge of patching, or building on the security of already deployed systems. While some of this may sound like common sense, it’s an undeniable fact that some companies are not being held accountable,” Silvers said.

"Companies not being held accountable" sounds like the sort of thing the government would feel compelled to fix with regulation. As Kieran McCarthy of The Register points out, the DHS seems mostly concerned with ensuring it's cut in on the cybersecurity action. The DHS's current plan seems to be little more than shoving their foot in the door:

Silvers could not give a timetable for the principles, or even a consultation plan. He didn't highlight specific areas of concern, or point to the direction the DHS is expected to take.

Perpetually increasing budgets are on the line here. Every agency wants a piece of the "cyber" pie, whether on the offensive or defensive side. The DHS is no different, even though its track record on cybersecurity is mostly terrible. (Its track record on "homeland" security isn't that fantastic either…) Its Election Cybersecurity task force is composed of state politicians, rather than security experts. And the Government Accountability Office has previously noted the DHS has no plans in place to protect government buildings from cyberattacks on access and control points -- despite having had nearly 15 years to do so.

In front of a group of professionals actually putting together best practices for the Internet of Things, the DHS has announced its willingness to coattail-ride its way into the cybersecurity future -- one promising to be full of government intrusion and steady paychecks. And, like others in the government who feel the government should do nothing more than make demands of the private sector, Silvers encouraged the forum attendees to "nerd harder." Or, at least, faster.

Silvers issued a call to action to attendees, urging them to “accelerate everything” they’re working on and tackle issues that pop up in cybersecurity in real time.

Thanks, bossman. There's nothing security professionals like more than being told how to do their jobs by government agencies without coherent future plans or the ability to secure anything more than a pension.
