posted about 2 hours ago on techdirt
The key idea behind open access is that everyone with an Internet connection should be able to read academic papers without needing to pay for them. Or rather without needing to pay again, since most research is funded using taxpayers' money. It's hard to argue against that proposition, or that making information available in this way is likely to increase the rate at which medical and scientific discoveries are made for the benefit of all. And yet, as Techdirt has reported, academic publishers that often enjoy profit margins of 30-40% have adopted a range of approaches to undermine open access and its aims -- and with considerable success. A recent opinion column in the Canadian journal University Affairs explains how traditional publishers have managed to subvert open access for their own benefit: An ironic twist to the open-access movement is that it has actually made the publishers richer. They've jumped on the bandwagon by offering authors the option of paying article processing charges (APCs) in order to make their articles open access, while continuing to increase subscription charges to libraries at the institutions where those authors work. So, in many cases, the publishers are being paid twice for the same content -- often charging APCs higher than purely open access journals. Another serious problem is the rise of so-called "predatory" open access publishers that have distorted the original ideas behind the movement even more. The Guardian reported recently: More than 175,000 scientific articles have been produced by five of the largest "predatory open-access publishers", including India-based Omics publishing group and the Turkish World Academy of Science, Engineering and Technology, or Waset. But the vast majority of those articles skip almost all of the traditional checks and balances of scientific publishing, from peer review to an editorial board. 
Instead, most journals run by those companies will publish anything submitted to them -- provided the required fee is paid. These issues will be hard, if not impossible, to solve. As a result, many are now looking for a different solution to the problem of providing easy and cost-free access to academic knowledge, this time in the form of preprints. Techdirt reported earlier this year that there is evidence the published versions of papers add very little to the early, preprint version that is placed online directly by the authors. The negligible barriers to entry, the speed at which work can be published, and the extremely low costs involved have led many to see preprints as the best solution to providing open access to academic papers without needing to go through publishers at all. Inevitably, perhaps, criticisms of the idea are starting to appear. Recently, Tom Sheldon, who is a senior press manager at the Science Media Centre in London, published a commentary in one of the leading academic journals, Nature, under the headline: "Preprints could promote confusion and distortion". As he noted, this grew out of an earlier discussion paper that he published on the Science Media Centre's blog. The Science Media Centre describes itself as "an independent press office helping to ensure that the public have access to the best scientific evidence and expertise through the news media when science hits the headlines." Its funding comes from "scientific institutions, science-based companies, charities, media organisations and government". Sheldon's concerns are not so much about preprints themselves, but their impact on how science is reported: I am a big fan of bold and disruptive changes which can lead to fundamental culture change. My reading around work on reproducibility, open access and preprint make me proud to be part of a scientific community intent on finding ways to make science better. 
But I am concerned about how this change might affect the bit of science publication that we are involved with at the Science Media Centre. The bit which is all about the way scientific findings find their way to the wider public and policymakers via the mass media. One of his concerns is the lack of embargoes for preprints. At the moment, when researchers have what they think is an important result or discovery appearing in a paper, they typically offer trusted journalists a chance to read it in advance on the understanding that they won't write about it until the paper is officially released. This has a number of advantages. It creates a level playing field for those journalists, who all get to see the paper at the same time. Crucially, it allows journalists to contact other experts to ask their opinion of the results, which helps to catch rogue papers, and also provides much-needed context. Sheldon writes: Contrast this with preprints. As soon as research is in the public domain, there is nothing to stop a journalist writing about it, and rushing to be the first to do so. Imagine early findings that seem to show that climate change is natural or that a common vaccine is unsafe. Preprints on subjects such as those could, if they become a story that goes viral, end up misleading millions, whether or not that was the intention of the authors. That's certainly true, but is easy to remedy. Academics who plan to publish a preprint could offer a copy of the paper to the group of trusted journalists under embargo -- just as they would with traditional papers. One sentence describing why it would be worth reading is all that is required by way of introduction. To the extent that the system works for today's published papers, it will also work for preprints. Some authors may publish without giving journalists time to check with other experts, but that's also true for current papers. 
Similarly, some journalists may hanker after full press releases that spoon-feed them the results, but if they can't be bothered working it out for themselves, or contacting the researchers and asking for an explanation, they probably wouldn't write a very good article anyway. The other concern relates to the quality of preprints. One of the key differences between a preprint and a paper published in a journal is that the latter usually goes through the process of "peer review", whereby fellow academics read and critique it. But it is widely agreed that the peer review process has serious flaws, as many have pointed out for years -- and as Sheldon himself admits. Indeed, as defenders note, preprints allow far more scrutiny to be applied than with traditional peer review, because they are open for all to read and spot mistakes. There are some new and interesting projects to formalize this kind of open review. Sheldon rightly has particular concerns about papers on public health matters, where lives might be put at risk by erroneous or misleading results. But major preprint sites like bioRxiv (for biology) and the upcoming medRxiv (for medicine and health sciences) are already trying to reduce that problem by actively screening preprints before they are posted. Sheldon certainly raises some valid questions about the impact of preprints on the communication of science to a general audience. None of the issues is insurmountable, but it may require journalists as well as scientists to adapt to the changed landscape. However, changing how things are done is precisely the point about preprints. The present academic publishing system does not promote general access to knowledge that is largely funded by the taxpayer. The attempt by the open access movement to make that happen has arguably been neutered by shrewd moves on the part of traditional publishers, helped by complaisant politicians. 
Preprints are probably the best hope we have now for achieving a more equitable and efficient way of sharing knowledge and building on it more effectively. Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

posted about 6 hours ago on techdirt
It's been a week or so since we last checked in on the Aloha Poke situation, so perhaps you were wondering how things were coming along with the Chicago chain that wasn't founded by Hawaiians attempting to bully native Hawaiian poke joints across the country out of using their own language and culture over trademark concerns. You will recall that Aloha Poke Co. had sent cease and desist notices to many poke restaurants that dared to use the ubiquitous Hawaiian term "Aloha" in their names, including to proprietors on the Hawaiian Islands themselves. That many operations throughout the country had been chugging along sharing this name and food culture without issue apparently didn't prevent Aloha Poke Co. from registering "Aloha Poke" as a trademark and then going the bullying route. The last touchstone in all of this was a hundreds-strong planned protest at the company's headquarters in Chicago, which indeed ended up happening. So, how have things gone since? Well, Aloha Poke Co. appears to be simply digging in its heels and trying to ride this storm out rather than backing down, but it's a strategy that doesn't appear to be working all that well. Just this week, the Office of Hawaiian Affairs, an organization that promotes and protects Hawaiian culture, has jumped into the fray, both voicing its displeasure at Aloha Poke Co.'s bullying and essentially filling up its homepage with news about the protests. In a statement, OHA CEO Kamana’opono Crabbe described the attitude of OHA as “appalled” over the food chain’s trademarks, which uses culturally significant words from ‘Ōlelo Hawai’i, the traditional native Hawaiian language. OHA also asserted that they were currently contacting prominent stakeholders to “discuss possible solutions” to the trademark controversy. The organisation went on to highlight the continuous “commercialisation and exploitation” of traditional Hawaiian culture that hinders attempts to preserve customs and languages in an appropriate manner. 
As we've said in past posts, the concerns about cultural appropriation, particularly in light of the subsequent bullying, are valid and very real, but the better route to victory against Aloha Poke Co. is almost certainly legal arguments over its trademark more generally. Whatever you might think of this sort of cultural appropriation, it seems obvious to me that the United States government and its USPTO wing are not sure-fire candidates for swaying on arguments that big business isn't treating natives all that well. Backing that statement up for citation purposes is: history. Instead, we should be seeing as many or more arguments that the term "Aloha" is, as stated, ubiquitous and non-identifying, whereas the term "poke" simply refers to the goods sold at these establishments. Marrying a generic term with a name of a product you can't trademark obviously doesn't create a valid trademark. But none of that is to suggest that efforts to gin up anger over the appropriation side of this don't have a place in getting Aloha Poke Co. to reverse course on its bullying. Public shaming does indeed work and it's good to see that the company's current strategy of waiting out the anger simply isn't working. In other words: Dear Aloha Poke Co., it's probably time to cut your losses and issue a mea culpa.

posted about 9 hours ago on techdirt
You may have heard the general mantra that "puns are the lowest form of comedy." Heathens say that, because puns are great and, if I had my way, there would be a legal requirement to use at least one in every legal document this country produces. They can also be used to lighten up what would otherwise be heavy legal actions. Such is the case with In-N-Out Burger, which decided to respond to what is pretty likely trademark infringement with a pun-laden cease and desist. We'll start with the product that was likely infringing on In-N-Out's trademarks, which itself involves some punnery. The back and forth banter all started on July 12 when Seven Stills took to Instagram and posted a photo of its soon-to-be-released "barrel aged neopolitan milkshake stout." The beverage's logo featured In-N-Out's famous red palm tree lining, arrow logo and the phrase "In-N-Stout Beer." In case you're wondering just how clear Seven Stills' use of In-N-Out's trade dress was, here is the brewery's own Instagram post. Barrel aged neopolitan milkshake stout coming soon. @innout A post shared by Seven Stills of SF (@sevenstills) on Jul 12, 2018 at 10:34am PDT In case you're somehow unaware of In-N-Out's logo and cup design, the In-N-Stout effort above is a very clear play on it. So, yeah, despite the two companies being in different markets, this sort of use could still cause some kind of confusion and create an impression of affiliation between the two entities. If you really want to argue any of that, I suppose you can, but this is probably trademark infringement. In-N-Out, which we have criticized in the past for some dodgy trademark behavior, deserves some credit here instead for firing off a cease and desist that certainly didn't take itself too seriously. After In-N-Out caught wind of the idea, its legal team crafted a cease and desist letter jam-packed with puns related to beer making. 
"Based on your use of our marks, we felt obligated to hop to action in order to prevent further issues from brewing," part of the letter read. The C&D actually had way more puns than just those, however. Given the gentle and congenial nature of the C&D, in fact, Seven Stills made a point to post the entire thing to its Instagram account, as well as agreeing to alter its beer's trade dress to remove In-N-Out's branding from the can. We count 9. Can you find them all? A post shared by Seven Stills of SF (@sevenstills) on Aug 13, 2018 at 4:00pm PDT If you can't see that, it reads: Dear Seven Stills Brewery & Distillery, We at In-N-Out Burgers ("In-N-Out") received multiple reports of your "In-N-Stout Beer" featured on your social media pages. The In-N-Stout Beer label features In-N-Out's trademarks including our palm tree and arrow logos along with a substantial similarity to In-N-Out's brand name. Based on your use of our marks, we felt obligated to hop to action in order to prevent further issues from brewing. In case you are not already aware, In-N-Out owns multiple trademark registrations in these marks. As you may expect, we tap into a lot of effort in protecting our marks, which includes limiting their use by others. Please understand that use of our marks by third parties ales us to the extent that this could cause confusion in the marketplace or prevent us from protecting our marks in the future. We hope you can appreciate, however, that we are attempting to clearly distill our rights by crafting an amicable approach with you, rather than barrel through this. Accordingly, we request that you refrain from further use of In-N-Out's marks by not selling or promoting items featuring our marks, and removing images of "In-N-Stout" and any other items featuring our marks from your website and social media pages. Please contact us as soon as possible, so this does not continue to ferment. 
Thank you for your time and consideration, and we look forward to resolving this in good spirits. The lesson here isn't that there wasn't some other way to work this out beyond a cease and desist notice. No, the point here is that trademark issues can reach amicable ends if only companies are congenial with one another... and use as many puns as possible.

posted about 11 hours ago on techdirt
Earlier this week, the Associated Press did a story revealing that even for Google users (on both Android and iPhone) who turned off location tracking, Google was still tracking their location in some cases. Google says that will prevent the company from remembering where you’ve been. Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.” That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking. (It’s possible, although laborious, to delete it.) For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are. And some searches that have nothing to do with location, like “chocolate chip cookies,” or “kids science kits,” pinpoint your precise latitude and longitude — accurate to the square foot — and save it to your Google account. If you squint, you can kind of see why this might have happened. Apps like Maps and weather more or less need your location info to work well (though, the search part is a bit more baffling). But, even so, this seems like a huge blunder by Google, a company that should absolutely know better. The latest, of course, is that Google has quietly moved to update the language that users see to "clarify" that some location data may still be recorded: But its help page for the Location History setting now states: “This setting does not affect other location services on your device.” It also acknowledges that “some location data may be saved as part of your activity on other services, like Search and Maps.” Previously, the page stated: “With Location History off, the places you go are no longer stored.” It's entirely possible, if not likely, that the location history feature is completely disconnected from the location specific data within these other apps. 
But, still, the average consumer is not going to realize that. Indeed, the tech savvy consumer is mostly unlikely to understand that. And Google's new "clarification" isn't really going to do a very good job actually clarifying this for people either. Google certainly has done a better job than a lot of other companies both in providing transparency about what data it collects on you and giving you controls to see that data, and delete some of it. But this was still a boneheaded move, and it's simply ridiculous that someone at the company didn't spot this issue and do something about it sooner. As I've been pointing out for a while, a big part of why so many people are concerned about privacy on digital services is because those services have done a piss poor job of both informing users what's happening, and giving them more control over the usage of their data. This kind of situation is even worse, in that under the guise of giving users control (a good thing), Google appears to have muddied the waters over what information it was actually collecting. I also wonder if this will make the FTC's ears perk up. There is still an FTC consent decree that binds the company with regards to certain privacy practices, and that includes that the company "shall not misrepresent in any manner, expressly or by implication... the extent to which consumers may exercise control over the collection, use, or disclosure of covered information." And "covered information" includes "physical location." Would these practices count as misrepresenting the extent to which consumers could stop Google from collecting location info? It certainly seems like a case could be made that it does. There are many areas where it feels like people attack the big internet companies just because they're big and easy targets. Sometimes those attacks are made without understanding the underlying issues. But sometimes, I'm amazed at how these companies fail to take a thorough look at their own practices. 
And this is one of those cases.

posted about 13 hours ago on techdirt
As a New Jersey native I know how tempting it is for people to gratuitously bash my home state. But, you know, sometimes it really does have it coming. In this case it's because of the recent announcement of a new password policy for all of the New Jersey courts' online systems – ranging from e-filing systems for the courts to the online attorney registration system – that will now require passwords to be changed every 90 days.

"This notice is to advise that the New Jersey Judiciary is implementing an additional information security measure for those individuals who use Judiciary web-based applications, in particular, attorney registration, eCourts, eCDR, eTRO, eJOC, eVNF, EM, MACS, and DVCR. The new security requirement - password synchronization or p-:-synch - will require users to electronically reset their passwords every 90 days."

For reasons explained below, this new policy is a terrible idea. But what makes it particularly risible is that the New Jersey judiciary is claiming this change is being implemented in order to comply with NIST.

"This requirement is being added to ensure that our systems and data are protected and secure consistent with industry security standards (National Institute of Standards and Technology Cybersecurity Framework (NIST CSF))."

The first problem here, of course, is that this general allusion to NIST is not helpful. If NIST has something specific to say that the courts are relying on, then the courts should specifically say what it is. Courts would never accept these sorts of vague hand-wavy references to authority in matters before them. Assertions always require a citation to the support upon which they are predicated so that they can be reviewed for accuracy and reasonableness. Instead the New Jersey judiciary here expects us to presume this new policy is both, when in fact it is neither.

The reality is that the NIST Cybersecurity Framework does not even mention the word "password," let alone any sort of 90-day expiration requirement. Moreover, what NIST does actually say about passwords is that they should not be made to expire. In particular, the New Jersey judiciary should direct its attention to Special Publication 800-63B, which expressly says:

"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)."

That same section of the Special Publication also says that, "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets" because, as a NIST study noted, it tends to reduce overall security hygiene. Guess what else the new New Jersey password policy does:

"Users must select passwords that are no more than eight (8) characters long and contain at least one capital letter, one lower case letter, one numeral, and one of the enumerated special characters."

It also gets worse, because as part of this password protocol it will require security questions in order to recover lost passwords.

"Additionally, this policy change will require that each user choose and answer three personal security questions that will later allow the user to reset their own password should their account become disabled, for example, because of an expired password. The answers to the three security questions should be kept confidential in order to reduce the risk of unauthorized access and allow for most password resets to be done electronically."

Security questions are themselves a questionable security practice because they are often built around information that, especially in a world of ubiquitous social media, may not be private.

"From their dangerous guessability to the difficulty of changing them after a major breach like Yahoo's, security questions have proven to be deeply inadequate as contingency mechanisms for passwords. They're meant to be a reliable last-ditch recovery feature: Even if you forget a complicated password, the thinking goes, you won't forget your mother's maiden name or the city you were born in. But by relying on factual data that was never meant to be kept secret in the first place—web and social media searches can often reveal where someone grew up or what the make of their first car was—the approach puts accounts at risk. And since your first pet's name never changes, your answers to security questions can be instantly compromised across many digital services if they are revealed through digital snooping or a data breach."

The Wired article this passage came from is already two years old. Far from New Jersey imposing an "industry standard" password protocol, it is instead imposing one that is outdated and discredited, which stands to undermine its systems security, rather than enhance it. And largely, it seems, because it does not seem to understand the unique needs of its users – who are not all the same. Some may log into these sites daily, while others (like me) only once a year when it's time to pay our bar dues. (What does this 90-day reset requirement mean for an annual-only user?) Furthermore, although things have been improving over the years, lawyers are notoriously non-technical. They are busy and stressed with little time to waste wrangling with the systems they need to use to do their job on behalf of their clients. And they are often dependent on vendors, secretaries, and other third parties to act on their behalf, which frequently results in credential sharing. In short, the New Jersey legal community has some particular (and varied) security needs, which all need to be understood and appropriately responded to, in order to improve systems security overall for everyone.

But that's not what the New Jersey courts have opted to do. Instead they've imposed a sub-market, ill-tailored, laborious, and needlessly demanding policy on their users, and then blamed it on NIST. But as yet another NIST study explains, security is only enhanced when users can respect the policy enforcing it. The more arbitrary and frustrating it is, the more risky the user behavior, and the weaker the security protocol becomes.

"The key finding of this study is that employees’ attitudes toward the rationale behind cybersecurity policies are statistically significant with their password behaviors and experiences. Positive attitudes are related to more secure behaviors such as choosing stronger passwords and writing down passwords less often, less frustration with authentication procedures, and better understanding and respecting the significance to protect passwords and system security."

As NIST noted in a summary of the study, "'security fatigue' can cause computer users to feel hopeless and act recklessly." Yet here are the New Jersey courts, expressly implementing, for no good reason, a purposefully cumbersome and frustrating policy, one that could hardly be better calculated to overwhelm users, and which, despite its claims to the contrary, is far from a respected industry norm.

posted about 16 hours ago on techdirt
The Telecom Act of 1996 mandates that the FCC routinely assess whether broadband is "being deployed to all Americans in a reasonable and timely fashion," and do something about it if that's not the case. As part of that mission, the FCC also periodically takes a look at the way it defines broadband to ensure the current definition meets modern consumer expectations and technical advancements. That's why, much to the telecom industry's chagrin, the FCC in 2015 changed the definition of broadband from a fairly-pathetic 4 Mbps downstream and 1 Mbps upstream to the current standard of 25 Mbps downstream and 3 Mbps upstream. Telecom monopolies (and the lawmakers paid to love them) whined incessantly about the changes at the time. Why? Because the higher definition only highlights how there's virtually no competition at faster speeds in the U.S. It also highlights how, because countless U.S. telcos have shifted their focus to more immediately-profitable ventures (like flinging video ads at Millennials), they've neglected network upgrades on a comical scale. As a result, most modern telcos fail to even technically sell "broadband" across vast swaths of America, giving cable giants like Comcast a bigger broadband monopoly than ever before. As such, you can kind of understand why, if you're a lumbering broadband monopoly, you'd prefer the definition of broadband remain at ankle height. With the FCC preparing its latest assessment of the broadband industry as required by law, the question over whether the broadband standard should again be lifted has again raised its ugly head. Especially given that in the age of symmetrical gigabit (1 Gbps) connections and cloud storage, that 3 Mbps upstream standard is looking a little lame. But in a Notice of Inquiry (pdf) published last week, Pai’s FCC proposed keeping the current 25/3 definition intact, something that apparently annoyed his fellow Commissioner Jessica Rosenworcel. 
In a statement (pdf), Rosenworcel suggests that symmetrical 100 Mbps would be a far more ambitious goal to aim for: "...This inquiry fundamentally errs by proposing to keep our national broadband standard at 25 Megabits per second. I believe this goal is insufficiently audacious. It is time to be bold and move the national broadband standard from 25 Megabits to 100 Megabits per second. When you factor in price, at this speed the United States is not even close to leading the world. That is not where we should be and if in the future we want to change this we need both a more powerful goal and a plan to reach it. Our failure to commit to that course here is disappointing." Disappointing but not surprising. Again, an even higher bar would only more clearly illustrate that a huge swath of the broadband industry has effectively given up on upgrading their broadband networks at any real scale, a reason why countless consumers can only get sub 3 Mbps DSL from their incumbent telco. Pai's unwillingness to aim higher is also unsurprising given he was recently forced to retreat from a plan that would have technically lowered the broadband definition bar back down to 10 Mbps. Pai had attempted a policy change that would have declared any 10 Mbps wireless connection good enough to be considered broadband, a move that would have ignored the fact that wireless connections are subject to all manner of limits (caps, overage fees, weird restrictions on HD video, rural congestion) making them a less than suitable full replacement for fixed line broadband. With Pai's net-neutrality-killin' majority controlling any meaningful vote on this subject, it's likely that if the definition of broadband changes at all, it will be lowered. After all, you certainly wouldn't want any data highlighting how broken the U.S. broadband market currently is, lest somebody get the crazy idea to actually do something about it.

posted about 19 hours ago on techdirt
Cops in California have literally unbelievable protections. To ensure the "privacy" of government employees sworn to serve the public, the Cali legislature has kowtowed to state police unions to make disciplinary records all but impossible to obtain… by anyone. This has led to the expected results. Professional liars in cop uniforms offer unimpeached testimony filled with more lies as defense lawyers stand helplessly by, screwed out of offering effective counsel by state law. The law is so restrictive prosecutors are often unable to obtain these files. In the unlikely event a cop is being prosecuted, past misdeeds are hidden under a heavy layer of legislated opacity, hindering effectiveness on the other side. Sure, if you're the victim of police violence, your past is an open book. The cops will dump everything they have on you, from the shoplifting citation two decades ago to every charge ever brought (but ultimately dropped or dismissed) against you in your lifetime to smear your reputation and burnish their own. But if the court would be better served knowing the witness on the stand is an inveterate liar with a history of misconduct, justice will not only go blind but underserved under state law. This bill aims to change that. There is currently a bill before the California Legislature that would ease the burden for the prosecutors and the public to know whether the officers in their communities are trustworthy. SB1421 would require police departments to release information about, inter alia, sustained findings of dishonesty in the course of criminal cases and other instances of police misconduct. This bill would also require police departments to release information about serious uses of force, including officer-involved shootings, to increase transparency. As the article notes, cops -- especially the good ones -- should welcome this move towards transparency. 
[C]urrent California law protects the worst officers by hiding their identities from the public and makes them indistinguishable from the bulk of the officers who do their jobs faithfully in accordance with the Constitution. But they won't. Or, at the very least, their support will be overridden by all the other cops: the mediocre, the bad, the repugnant, and the morally and criminally corrupt. These are officers and former officers currently holding prominent positions in the state's unions, and police unions are universally opposed to transparency, accountability, or minor policy changes that might make policing better. This bill could change things but it faces the same opposition that managed to talk the legislature into turning police officers into an extremely protected class. It's a welcome effort, but has little chance of survival. Maybe the tide has turned. Maybe this time police unions will be told to stop standing in the way of rebuilding California communities' trust in the officers and agencies policing their neighborhoods.

posted 1 day ago on techdirt
Between the explosion in the craft beer industry and our pernicious ownership culture, the beer industry has enough of a trademark problem to regularly appear in our posts. While many of the disputes in the industry are generated by once-small breweries that have grown up and shed their permissive attitudes towards branding, just as many trademark disputes result from entities outside the industry attempting to pretend that the alcohol industries, if not craft beer specifically, are not markets all to their own. This lack of nuance occasionally pervades even within the USPTO, unfortunately. But sometimes the TTAB gets it right. Such is the case with Comrade Brewing, makers of its 'Superpower IPA' brew, for which the TTAB refused the opposition of The Wonderful Company, which makes fruit juices. At issue was the slogan for POM Wonderful juices: "Antioxidant Superpower." In past cases, the board has held that wine and spirits are closely related to beer in the minds of consumers, but it said The Wonderful Co. had failed to show that a soft drink such as fruit juice had the same kind of connection. “Simply put, opposer has not submitted sufficient evidence that consumers are accustomed to encountering these goods under the same mark,” Judge Peter W. Cataldo wrote for a three-judge panel. “Particularly in light of the differences between the goods but also because the two marks had key differences in appearance,” Cataldo wrote, “the board sided with Comrade Brewing.” This opposition was a loser on several grounds. The markets being different for each product is certainly the easiest to conceptualize. Customers looking for fruit juices are unlikely to wander into a store's craft beer section and find themselves irrevocably confused. As someone who has seen what pomegranate juice looks like, and as someone who has consumed an unholy quantity of IPAs, this opposition would be hilarious if it weren't so frustrating in the first place. 
For a small brewer to have to entertain this kind of clear bullying from a much larger company at the trademark office is plainly absurd. And, when you take into account the difference in the actual marks, it becomes all the more so. A beer named "Superpower IPA" and a slogan that says "Antioxidant Superpower" are simply unlikely to cause anything resembling confusion in the market. Everything else about the trade dress is also, of course, wildly different. David Lin, owner of Comrade Brewing, appears to be taking this all in stride. “Operating this brewery has thrown us a lot of curveballs,” explains Lin. “If I’m being completely honest the potential confusion between antioxidant juice and craft beer was more surprising to me than the day someone crashed their truck through our front door. We’re going to laugh this one off over a couple of Superpowers.” It's certainly an endearing attitude to have, but it should be obvious that the wasting of a non-competitor's time with this sort of thing ought to be worthy of punishment.

posted 1 day ago on techdirt
A few years back, e-commerce company Newegg decided to take something of a scorched earth approach to all of the various patent trolls that came after it: it would never settle with a patent troll. While many trolls rely on the fact that it's cheaper to settle than to fight in court (even if you win), Newegg did the longer term calculation, and recognized that even if it cost more to defeat trolls in court, by being very public with its stance in fighting it would likely scare off trolls from continuing to sue the company. It took a few years, but the strategy mostly worked. Trolls have mostly learned to steer clear of Newegg. Last year, Cloudflare decided to up the ante a bit on such a strategy. After a patent troll went after it, Cloudflare didn't just promise to fight back, it promised to effectively burn the patent troll into the ground. It set up a bounty looking for prior art on every patent held by that patent troll (Blackbird Technologies), and also filed ethics complaints against the lawyers who ran the company, arguing that they were pretending not to practice law when they clearly were. That strategy has resulted in an easy win over Blackbird in court while various Blackbird patents are being challenged. It appears that approach is inspiring other companies as well. Streaming infrastructure company Bitmovin's General Counsel Ken Carter (who, notably, used to work at Cloudflare) put up a blog post describing just how it dealt with a recent patent troll. After first pointing out that patents can be important, and noting that the company itself holds some patents, the post reminds everyone that it's possible to abuse the patent system. Patent trolls tend to be at the bottom of the IP food chain. If the patents they held were really valuable, the patents would have already wound up in the hands of someone who could make the invention. These trolls behave like bullies, threatening companies actually servicing customers, hoping to pick up some quick cash. 
The troll knows about and takes advantage of the fact that it is cheaper for those companies to pay it off than to endure the cost of litigating the case. By contrast, patent holders who are making products for customers tend to be more rational. Sure, sometimes the likes of Apple, Google, Microsoft, and Samsung get one another involved in multi-year, multi-million dollar lawsuits, but for the most part these companies don’t extort one another. It’s a better use of their time to make products than to sue. Bitmovin didn't just hit back at this patent troll: it promised a similar scorched earth approach to the one that Cloudflare took against Blackbird: We threatened to counter sue the troll, win the case on the merits, and then seek recovery of our fees and costs from the troll and its lawyers. Further, we pledged that Bitmovin would, as a public service, reinvest any recovery in invalidating all of the troll’s other patents. Through our initial investigation, we found the person behind the troll who had acquired some 15 patents originally held by a European technology company. This person then placed these patents in at least two other LLCs. In turn, those LLCs were asserting these patents in no fewer than 13 other lawsuits against defendants such as Sony, Microsoft, Cisco, Polycom, Blue Jeans Networks, and Motorola. Bitmovin pledged to use our recovery to assist those 13 companies and 6 other companies defending against the current patent in finding prior art and filing Inter partes Reviews at the US PTO’s Patent Trial and Appeal Board to invalidate all of those patents. How did that work out? Pretty well: Without another word, the troll dismissed its lawsuit against us. And the company hopes that other trolls will take notice: Trolls beware. Bitmovin will continue to stand for innovation and a nuanced, balanced approach to intellectual property. We will stand up against intellectual property abuse and for our customers, our industry, and the Internet at large. 
Of course, in that post, Bitmovin declined to name the troll. Though, it's not that hard to figure it out. The case was filed by Hertl Media, whose only existence online is for the various patent troll lawsuits it filed at the end of June. Within 3 days, Hertl Media sued not just Bitmovin, but also Amazon, Cox Communications, Netflix, Comcast, Longtail Ad Solutions, and Telestream. One hopes that others on that list take a similar approach to Bitmovin, and they too might see the following neat results. With minimal effort in court (just a standard request for extra time to file a response), Hertl just walked away and the case was closed.

posted 1 day ago on techdirt
FCC "oversight" hearings continue to be comically lacking in the actual oversight department. As we noted previously, today was Congress' opportunity to hold the FCC and agency head Ajit Pai accountable for making up a DDOS attack and then lying (repeatedly) about it to the press, FBI investigators, and Congress. As we've previously stated, both e-mails obtained via FOIA and an FCC Inspector General report found that the FCC bizarrely made up a DDOS attack to try and explain away the fact that John Oliver viewers angry about the net neutrality repeal had organically crashed the agency's website. The IG's report and internal e-mails go to great lengths to point out that not only did the FCC CIO make up a DDOS, but several FCC staffers then misled Congress repeatedly about the total lack of evidence supporting that claim. The false statements were bad enough to warrant them being forwarded to the DOJ, which refused to prosecute anyone. But the e-mails also highlight how the FCC's press office repeatedly misled numerous press outlets, and even went so far as to issue statements denigrating reporters like Gizmodo's Dell Cameron for being "irresponsible" as they slowly uncovered the fake claims. In a functional democracy, this is the sort of thing that would be covered extensively at a hearing purportedly designed specifically to hold the FCC accountable to Congress and the public. In said fictional healthy democracy, Congress might even, you know, actually do something about it. But today's hearing was little more than a joke, rife with lots of giggling, football references, and numerous softball questions -- but few if any hard inquiries about the DDOS attack that wasn't. The closest thing Pai experienced to actually being pressured came from Senator Brian Schatz. But when pressed as to what he knew and when, Pai once again threw his employees under the bus, denying that he had any knowledge of the FCC's efforts to mislead Congress or the public.
The exchange is here for those interested: Exchange between Sen. @brianschatz & @AjitPaiFCC over a previous claim by the @FCC that the agency was the victim of a cyberattack (DDoS). Full video here: https://t.co/5DYkNA3Lr5 pic.twitter.com/Hxxj7MHRO2 — CSPAN (@cspan) August 16, 2018 According to Pai, the entire sordid affair was entirely the fault of his since-departed CIO David Bray. When pressed as to why Pai didn't do more to correct the false claims over the last year, Pai tried to claim that he was just trying to respect the integrity of the confidentiality of the Inspector General's inquiry: "Sen. Brian Schatz (D-Hawaii) asked Pai why he didn’t quickly correct the FCC’s public allegation that the malfunction was the result of a cyberattack. “At some point before the IG report came out did it occur to you to communicate back with the public that this may not have been a DDoS attack?” Schatz asked. Pai insisted that he was bound by a request for confidentiality by the inspector general, who had referred the improper claims of a cyberattack to the Justice Department for possible criminal prosecution. The FCC “wanted you to get this information sooner,” Pai said, but the inspector general requested that he not publicly comment on the matter while it conducted its investigation. “I made the judgment that we had to adhere to the [inspector general’s] request, even though I knew we would be falsely attacked for having done something inappropriate,” Pai said. “The story in this report vindicated my position." The problem with that claim, again, is that it wasn't just the FCC CIO making the false DDOS claims. The IG report found that at least three staffers were giving false statements to not only Congress, but also to FBI investigators trying to determine the scope of the alleged attack. 
And throughout the inquiry Pai's press shop was also busy issuing prickly statements like this one made last summer, attacking media outlets that began to uncover that the whole thing was made up. Like this punchy statement issued to the press accusing reporters of being "irresponsible" for pointing out there was a lack of data proving the DDOS attack occurred: "The FCC has never stated that it lacks any documentation of this DDoS attack itself," the agency states. "And news reports claiming that the Commission has said this are without any basis and completely irresponsible. In fact, we have voluminous documentation of this attack in the form of logs collected by our commercial cloud partners." But none of that was true. There was no DDOS attack and there was no evidence, "voluminous" or otherwise. Again, there's every indication that the FCC doubled down on the fake DDOS claim (even after it knew it was fake) because it wanted to downplay media reports that people were so pissed about the death of net neutrality they crashed the FCC website. It's the same reason why the FCC refused to do anything about the bogus comments that plagued the repeal's net neutrality comment period: it wants to push the narrative that the massive public anger over the attack on net neutrality isn't real. The fact that Pai's press shop was actively spreading false statements and maligning reporters makes it pretty obvious that Pai actively participated in or was at least aware of the FCC's head fake. But at no point during the "oversight" hearing was this avenue of inquiry pursued. Instead, users who tuned in for a reckoning instead got to enjoy Ted Cruz once again misrepresenting what net neutrality was, and numerous softball inquiries by folks like Senator John Thune attempting to measure Ajit Pai's boundless love and adoration of neglected rural broadband markets.
Aside from the fake DDOS attack, the hearing was yet another missed opportunity to seriously hold the FCC to account on a number of issues, including making up data and ignoring the public in the rush to repeal net neutrality, gutting funding for rural broadband, eroding consumer privacy protections, killing efforts to improve cable box competition, and every other little anti-consumer, pet project Ajit Pai has embraced as leader of the agency. But instead of "oversight," users that tuned in this morning got something that looked much more like a game of patty cake.

posted 1 day ago on techdirt
Lots of government employees and officials would love to shut their critics up. The problem is that most methods they come up with don't work (at best) or are unconstitutional (at worst). That doesn't stop them from trying. The amount of hours expended trying to find ways to silence critics sits well above zero, making these efforts fraudulent as well as potentially unconstitutional. Never underestimate the creativity of the criticized class, as Tony Webster reports. Carol Becker, an elected official on the Minneapolis Board of Estimate and Taxation, confirmed Friday night that she was behind an effort to file business and trademark registrations for Wedge LIVE!, the name of a blog that has been critical of her. Wedge LIVE! is run by John Edwards, who has covered urban planning and related political issues in depth for the last four years. He has gone after Becker a number of times in his reporting and blog posts. He's even attempted to take her job. In the peak months of former Minneapolis Mayor Betsy Hodges’ 2017 re-election campaign, Becker filed a civil lawsuit against the Mayor, claiming she had violated the City’s charter in the budgetary process. After Becker had claimed victory before any final disposition of the lawsuit, a judge found there was no violation and dismissed the case. “When she sued the mayor, it felt like a stunt,” Edwards said, “I just felt like she was using her office to take political shots at people. She’s a perfect representation of a certain kind of politics in Minneapolis that I’m not a fan of.” Edwards decided to run a last-minute write-in campaign against Becker, which he described as being a “half-joke” and doomed from the start. Becker won, but a surprising 1,539 voters wrote Edwards’ name on their ballot. Becker has gone after Edwards and Wedge LIVE! as well, claiming the site is funded by "realtors" using "dark money." 
The contentious relationship has escalated in recent months, with the formation of an activist group by Edwards that opposes the policies and zoning changes Becker would like to institute. Edwards also asked readers to comment on proposed plans during the public comment period, leading to Becker receiving negative responses by readers of his site. All of this has now culminated in an intellectual property war without the knowledge of one of the participants. A public notice of a business registration was spotted by a Wedge LIVE! fan while reading the analogue version of the local paper. This was passed on to Edwards, who had no idea his site's name was being turned into a business by a subject of his criticism. In the days after the public comment period ended, Becker went to the Office of the Minnesota Secretary of State and filed business documents—name reservations and certificates of assumed name—for both “Wedge Live” and “WedgeLive,” the name of Edwards’ blog. Becker also filed an application with the U.S. Patent and Trademark Office to obtain a trademark on the name “Wedge Live,” stating under penalty of law that she believed she was entitled to use the mark in commerce, that nobody else has the right to use the mark, and that she had a bona fide intention to use it herself. Becker wants to pretend this is all a coincidence. Reached by phone, Becker admitted—proudly so—that she filed the business and trademark documents, paying at least $355 to do so. “There were no legal entities using that name, and I think it would be an awesome name for a podcast. And so since no one else is actually legally using that name, it seemed like a good thing to do,” Becker said, stating that she intended the podcast to discuss ‘wedge issues’ and to do so ‘live’ instead of attacking others on social media, something she felt Wedge LIVE! does. [...]
Becker continued to insist her “Wedge Live” business and trademark registrations were a separate, independent matter from her concerns regarding Wedge LIVE!, the blog. “Two great minds coming up with the same name isn’t a bad thing,” Becker said. There is a non-zero chance this is true. But it's so small, it's a rounding error. Becker admits it could be viewed as "retaliatory," but says no one would really care if she retaliates against an "illegal business" and "tax fraud." [!!!!] As for the whole "podcast" claim, Tony Webster notes the trademark registration appears to describe the Wedge LIVE! website and its offerings, rather than refer to anything of a podcasting nature. It also appears Carol Becker may have been instrumental in getting items removed from Wedge LIVE's Teespring store. This statement, though, is probably the best/worst response Becker gave to Webster. Becker said she would not have been able to register the names had Edwards registered them first. “If it wasn’t me, it could have been someone who is an asshole,” Becker said, going on to say that she wasn’t out to hurt anyone. Instead of letting someone else be the asshole, Becker stepped up to be the asshole. Congrats. Of course, this is also not how trademark law actually works. You don't have to register to hold a common law trademark. You only have to use the name in commerce, meaning it's likely that Edwards could be considered the common law trademark holder over "Wedge Live" and Becker's attempt at registering the same name would almost certainly flop. The good news is it appears Becker greatly overestimated the public's tolerance for assholery from their elected officials. As of Monday morning, an outpouring of support for Wedge LIVE! resulted in a 27% increase in Patreon donors for the site, and records at the Office of the Minnesota Secretary of State and the U.S. 
Patent and Trademark Office showed cancellation of the assumed name and trademark filings, but no cancelation of the name reservation was recorded. This means Wedge LIVE! retains the name… for now. Becker has promised to try again in another six months if Edwards doesn't make a move. But she might have gotten away with it if it hadn't been for a local resident still reading the news in printed form.

posted 1 day ago on techdirt
Last year at Defcon, the Voting Machine Hacking Village showed just how bad the security was on electronic voting machines. This is not a surprise, of course. It's a topic we've covered on Techdirt going back almost 20 years. But what's still most incredible is how much the voting machine manufacturers and election officials continue to resist the efforts of security experts to explain all of this. Even earlier this year, there were reports about the insane lengths that voting machine vendors were going to to try to stop Defcon from obtaining their machines: Village co-organizer Harri Hursti told attendees at the Shmoocon hacking conference this month they were having a hard time preparing for this year's show, in part because voting machine manufacturers sent threatening letters to eBay resellers. The intimidating missives told auctioneers that selling the machines is illegal -- which is false. Meanwhile, election officials have been whining about the whole thing, and telling people not to pay any attention to all of this: Election officials from the National Association of Secretaries of State (NASS) bristled at the demonstrations, saying they didn't reflect what could actually happen on Election Day. So did voting machine vendors, which argued it would be difficult for adversaries to gain the level of access necessary to tamper with equipment. Leading voting machine vendor ES&S put out a completely bullshit letter to its customers basically saying "don't pay any attention to Defcon." That letter was expertly debunked and mocked by reporter Kim Zetter: In advance of the @VotingVillageDC tomorrow, ES&S sent a message to customers today with their comments about the hacking village and the security of their machines. I've pasted their memo below, with some annotation from me.
pic.twitter.com/6eQUYuuGJA — Kim Zetter (@KimZetter) August 10, 2018 Also, memo to ES&S: when hackers are trying to help you improve the security of your shitty machines, whining that they're "breaking licensing agreements" is not a good look. But, it's the hill ES&S has ridiculously decided to die on: In the letter, ES&S also warned election officials ahead of the conference that unauthorized use of its software violated the company’s licensing agreements, according to a copy of the letter viewed by The Wall Street Journal. And, of course, all this hand-waving failed to stop the inevitable. The news is full of stories, often revolving around the hook that an 11-year-old hacked into and changed votes on a replica Florida state website: The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals. Lots of other hackers were successful as well: After a few hours on Friday, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations. And while the Secretaries of State continue to insist that this is not a real world replica, Defcon folks disagree: Nico Sell, the co-founder of the non-profit r00tz Asylum, which teaches children how to become hackers and helped organize the event, said an 11-year-old girl also managed to make changes to the same Florida replica website in about 15 minutes, tripling the number of votes found there. Sell said more than 30 children hacked a variety of other similar state replica websites in under a half hour. “These are very accurate replicas of all of the sites,” Sell told the PBS NewsHour on Sunday.
“These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it’s negligent for us as a society.” The really incredible part of this, of course, is that election officials and voting machine vendors don't embrace Defcon's vote hacking village. That would open up important lines of communication, rather than all this sniping. Indeed, Defcon folks made the effort only to be mostly ignored: “The Voting Village conducted an outreach effort that was more extensive than any other organization. The Village mailed invitations to almost 7,000 election officials, made over 3,500 live calls, and sent two emails to nearly every single election official in the country, inviting them to participate at DEFCON and the Voting Village.” While it appears that a few election officials came (including some from Illinois, Colorado and Ohio), many others did not, preferring to just complain about the demonstration. The end result, of course, is that they look silly and petty -- and unconcerned with the terrible security associated with their machines.

posted 1 day ago on techdirt
It has only taken a few years, but the press, public and law enforcement appear to finally be waking up to the problem of SIM hijacking. SIM hijacking (aka SIM swapping or a "port out scam") involves a hacker hijacking your phone number, porting it over to their own device (often with a wireless carrier employee's help), then taking control of your personal accounts. As we've been noting, the practice has heated up over the last few years, with countless wireless customers saying their entire identities were stolen after thieves ported their phone number to another carrier, then took over their private data. Sometimes this involves selling valuable Instagram account names for bitcoin; other times it involves clearing out the target's banking or cryptocurrency accounts. Case in point: California authorities recently brought the hammer down on one 20-year-old hacker, who had covertly ported more than 40 wireless user accounts, in the process stealing nearly $5 million in bitcoin. One of the problems at the core of this phenomenon is that hackers have either tricked or paid wireless carrier employees to aid in the hijacking, or in some instances appear to have direct access to (apparently) poorly-secured internal carrier systems. That has resulted in lawsuits against carriers like T-Mobile for not doing enough to police their own employees, the unauthorized access of their systems, or the protocols utilized to protect consumer accounts from this happening in the first place. While T-Mobile has received the lion's share of negative press attention on this subject in recent months, AT&T this week got dragged into the fun. The company was sued this week for $224 million by a customer who says AT&T's failure to adequately protect his account resulted in the theft of nearly $24 million in cryptocurrency. 
The full complaint (pdf) notes that AT&T customer Michael Terpin is seeking $200 million in punitive damages and $24 million of compensatory damages for the cryptocurrency losses. The suit alleges that Terpin had his phone number stolen and ported out at least twice between mid 2017 and early 2018, resulting in the thief then hijacking his identity to empty out his cryptocurrency accounts. Terpin also accuses AT&T of failing to protect its customers despite ample press coverage of the SIM hijacking phenomenon. Worse perhaps, the lawsuit alleges that the thief successfully hijacked his phone number despite AT&T adding "higher security level" protections, which AT&T specifically stated would protect his account from such hijinks. From the complaint: "AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well aware that its customers are subject to SIM swap fraud and that its security measures are ineffective. AT&T does virtually nothing to protect its customers from such fraud because it has become too big to care." Again, carriers haven't really much wanted to talk about this phenomenon, or the fact that their own employees are frequently either being hoodwinked or paid to participate in these thefts. And while carriers are trying to add additional security to protect such ports from happening (for example, T-Mobile customers should call 611 from their phone and demand a "port validation" passcode), the problem of carrier employees playing a starring role in these scams hasn't yet been fully addressed. It's likely the growing number of lawsuits by hoodwinked users will add some additional incentive to do so.

posted 2 days ago on techdirt
Yet another content protection service decides it's better off letting the machines do the work, with predictably catastrophic results. The EFF first noticed the DMCA abuse being committed by "Topple Track," a content protection service offered by Symphonic Distribution. Symphonic talks big about its protection service, pointing out its position as one of the "leading members" of Google's "Trusted Copyright Program." The thing about trust is that it's hard to gain but easy to lose. Topple Track’s recent DMCA takedown notices target so much speech it is difficult to do justice to the scope of expression it has sought to delist. A sample of recent improper notices can be found here, here, here, and here. Each notice asks Google to delist a collection of URLs. Among others, these notices improperly target: EFF’s case page about EMI v MP3Tunes; the authorized music store on the official homepage of both Beyonce and Bruno Mars; a fundraising page on the Minneapolis Foundation’s website; the Graceland page at Paul Simon’s official website; a blog post by Professor Eric Goldman about the EMI v MP3Tunes case; a Citizen Lab report about UC Browser; a New Yorker article about nationalism and patriotic songs. Other targets include an article about the DMCA in the NYU Law Review, an NBC News article about anti-virus scams, a Variety article about the Drake-Pusha T feud, and the lyrics to ‘Happier’ at Ed Sheeran’s official website. It goes on and on. If you search for Topple Track’s DMCA notices at Lumen, you’ll find many more examples. Topple Track's failures came to the EFF's attention because it targeted one of its URLs, supposedly for infringing on artist Luc Sky's copyright for his song "My New Boy." The page targeted by Topple Track discusses the EMI lawsuit against MP3Tunes -- one that has been on the EFF's site for eight years.
If Luc Sky even exists (the EFF could find no info on the artist/track), the discussion of a long-running legal battle certainly didn't contain an unauthorized copy of this track. Presumably Topple Track has customers. (The "Luc Sky" dead end isn't promising.) If so, they're being ripped off by DMCA notices sent in their names that target tons of legit sites containing zero infringing content. The URLs targeted have no relation to the name/title listed as protected content and it's impossible to see how an algorithm could do the job this badly. There's obviously no human interaction with the DMCA process Topple Track employs, otherwise none of the DMCA notices listed would even have been sent to Google. What did we say about trust? Google has confirmed that it has removed Topple Track from its Trusted Copyright Removal Program membership due to a pattern of problematic notices. Symphonic has commented on the debacle, claiming "bugs in the system" resulted in the wave of bogus takedown notices. Possibly true, but all it would have taken was a little human interaction to prevent this abuse of the process and this PR black eye.

posted 2 days ago on techdirt
As you likely know, Germany has some very restrictive laws surrounding how and when Nazi iconography can appear in the country. This has resulted in a heavily-policed artistic community, particularly when it comes to video games, which has produced some fairly funny happenings about games accidentally going to Germany chock full of Nazi stuff and other funny happenings in which the game makers make a show of doing as little as possible to get around the law. In the realm of other media, such as movies, the German government has put in place a review process to make sure that the use of Nazi symbols furthers the artistic or historical accuracy of the entertainment. Video games have not had such a review system. And, look, on some level this sort of attempt by Germany to restrict the use of these hateful symbols is understandable. The kind of global embarrassment that comes with committing the worst genocide in history is the sort of thing that leaves a mark. But we've also pointed out that these German laws aren't so much stamping out fascist thought as they are putting the government's collective head in the sand as some kind of grand virtue signal to the planet. Which is why it's at least a tepid step forward that Germany has revised its position and will now allow Nazi iconography in some video games, some of the time, on a case by case basis. The government has moved from a blanket ban on swastikas and Hitler moustaches to a case-by-case basis, which will be administered by the USK, Germany’s ratings board. The official release with the news gives the specifics: When games that depict symbols of unconstitutional organisations are submitted to the USK for an age rating, the USK committees can now assess them on a case-by-case basis to decide whether the ‘social adequacy clause’ (Sozialadäquanzklausel, as laid out in section 86, subsection (3) of the German Criminal Code) applies. 
In this context, ‘social adequacy’ means that symbols of unconstitutional organisations can be used in games in individual cases, as long as those symbols serve an artistic or scientific purpose, or depict current or historical events. Again, the big shift here is actually one of cultural importance, which is that the German government will now consider video games as an artistic form, which they undoubtedly are. Movies and television have had a similar review process in place for years, but games were left out. And, as the gaming art form continues to gain ground as the preferred entertainment medium, it was impossible for the German government to ignore this forever. So, while it seems odd to declare a victory in which more swastikas will be seen by the German public, this is much more to do with an acknowledgement of culture than cheering on the Third Reich. Felix Falk, Managing Director of the German Games Industry Association, says: This new decision is an important step for games in Germany. We have long campaigned for games to finally be permitted to play an equal role in social discourse, without exception. Computer and video games have been recognised as a cultural medium for many years now, and this latest decision consistently cements that recognition in terms of the use of unconstitutional symbols as well. It remains to be seen whether or not the makers of older games like Wolfenstein will resubmit the original forms of their games for inclusion in all of this, but at least the German government will no longer act as though it can pretend that Nazis were never a thing.

posted 2 days ago on techdirt
Another (partial) win for the First Amendment, the ACLU, and American citizens. The Ninth Circuit Court of Appeals has overturned a decision forbidding the photography of CBP officers at border crossings. (h/t Mitra Ebadolahi) The CBP seems to have a problem respecting the First Amendment rights (along with several other rights) of American citizens when engaged in its border patrolling and protecting. This same appeals court recently allowed the heavily-harassed citizens of an Arizona border town to move forward with their First Amendment lawsuit against the agency, ruling that the CBP acted arbitrarily when dealing with protesters and activists documenting checkpoint activity. The record clearly showed the CBP removed people it didn't like from its imaginary zone of exclusion while allowing other random citizens more aligned with the CBP's open harassment of American citizens to venture inside the ad hoc DMZ to harass citizens documenting harassment. This lawsuit centers on allegations CBP officers confiscated cameras and phones of people documenting border checkpoint activity and destroyed photos and videos. Here are the narratives of the two plaintiffs, taken from the Appeals Court decision [PDF]: On the afternoon of April 19, [Ray] Askins stood at the intersection of First Street and Paulin Avenue on the U.S. side of the border, near the shoulder of the streets and immediately in front of the park. He was approximately 50–100 feet from the exit of the secondary inspection area, and he had not crossed the border or otherwise passed through border security to reach his location. Standing in the street, Askins took three or four photographs of the exit of the secondary inspection area. Multiple CBP officers approached Askins on the street to demand he delete the photographs he had taken. 
When Askins refused, the officers threatened to smash his camera, then searched and handcuffed him, confiscated his property, and detained him inside a secondary inspection area building. Askins was released after approximately twenty-five to thirty-five minutes and his property was returned, at which time he discovered that CBP had deleted all but one of his photographs of the exit of the secondary inspection area. [...] [Christian] Ramirez observed male CBP officers at a security checkpoint below inspecting and patting down only female travelers. Concerned that the officers might be acting inappropriately, Ramirez observed the checkpoint from the bridge for ten to fifteen minutes and took approximately ten photographs with his cellphone camera. Ramirez and his wife were approached by men who appeared to be private security officers. The men ordered them to stop taking photographs. The officers also demanded their identification documents, which Ramirez refused to provide as they had already passed through border inspection. The officers radioed for backup as Ramirez and his wife walked away, and at the bottom of the bridge, Ramirez was met by five to seven CBP officers. The CBP officers questioned Ramirez, and, without Ramirez’s consent, a CBP officer confiscated Ramirez’s cellphone and deleted all of the photographs Ramirez had taken from the bridge. A U.S. Immigration and Customs Enforcement officer confiscated the Ramirezes’ passports and walked away, leaving Ramirez surrounded by the CBP officers. After ten to fifteen minutes, their documents were returned to them and the Ramirezes were allowed to leave. Both plaintiffs allege the CBP's practices violate the First Amendment. They are not seeking to photograph the inside of buildings or other sensitive areas not visible to the public eye, but rather border checkpoints where inspections and questioning are performed in public, completely visible to passersby. 
The CBP somehow believes what happens in public can't be documented by the public. The district court decided to take the CBP up on its irrational argument, tossing aside logic to embrace the agency's claims about the super-secret nature of national security activities performed out in the open, visible to the unadorned eye. The appeals court says this isn't the way things are done. The lower court should not have lifted the government's burden of proof onto its own shoulders and carried it home for it. The district court found that the CBP policies survived strict scrutiny because of “the extremely compelling interest of border security” and the government’s general interest in “protecting United States territorial sovereignty.” To this, the government adds that the CBP policies serve compelling government interests in protecting CBP’s law enforcement techniques and the integrity of on-going investigations; protecting the privacy of travelers, suspects, and sensitive digital information; ensuring the safe and efficient operation of the ports of entry; and protecting against terrorist attacks. In conclusory fashion, the district court held that the policies were the least restrictive means of serving these interests. These conclusions are too thin to justify judgment for the government on a motion to dismiss. [...] It is the government’s burden to prove that these specific restrictions are the least restrictive means available to further its compelling interest. They cannot do so through general assertions of national security, particularly where plaintiffs have alleged that CBP is restricting First Amendment activities in traditional public fora such as streets and sidewalks. The decision does not hand the plaintiffs a complete victory. 
It does shift the burden of proof back on the government and instructs the lower court to allow the case to proceed to see if the government can actually offer up anything supporting its random time/place restrictions that border on total violation of established First Amendment principles. The appeals court seems inclined to believe the CBP cannot simply forbid photography of publicly-viewable enforcement activities by members of the public. We'll have to see what the lower court does on remand, considering it already granted the government a free pass once, because National Security > Established Constitutional Rights, apparently.

posted 2 days ago on techdirt
Late last year, we discussed a lawsuit brought by Disney against Characters For Hire, a small company that sends costume characters to children's birthday parties. Those characters, as we said at the time, are barely-altered clear homages to storied Disney-owned characters, such as Dark Lord (Darth Vader) and Big Hairy Guy (sigh, Chewbacca). While Disney sued over both trademark and copyright, the alterations to the characters and the very clear disclaimer Characters For Hire puts on its site and documents meant the chance of confusion as to Disney's affiliation was always non-existent. Add to that the fact that the changes in the characters and the medium in which they were offered at least partially put us in the idea/expression dichotomy zone for copyright law. That part of the law essentially says copyright applies to specific expressions (written stories, film, music, and sometimes characters), but not general ideas (a Dark Lord, a, sigh, Big Hairy Guy). Well, nearly a year later, the first legal returns have come in and they are not great for Disney. On Thursday, a New York federal judge refused to grant summary judgment in favor of Disney in its ongoing case against Nick Sarelli, alleged to run a "knock-off business ... built upon the infringement of Plaintiffs' highly valuable intellectual property rights." What's more, U.S. District Court Judge George Daniels threw out most of Disney's trademark claims against a defendant who will send out individuals dressed as "The Princess" (meaning Leia) or "Big Hairy Guy" (meaning Chewbacca) for special events. Daniels recognizes some similarity, but isn't buying that Disney and Sarelli compete in the same business nor that Sarelli's customers are likely to be confused. The judge makes the point that it's "adults, not children" who plan parties and there's no evidence of actual confusion. This is roughly as predicted in our original post. 
The trademark claims were far less likely to succeed due to all the steps Characters For Hire took to explicitly make sure that the public wasn't confused when buying from it. Disney's evidence mostly amounted to customer reviews for Characters For Hire that occasionally referenced the original characters being paid homage, but the judge found that even in those comments there was nothing indicating confusion. Instead, it seemed that parents knew full well they were buying so-called knockoffs, making the trademark claims unwarranted. The only trademark claim that survives for trial, if it gets that far, will be for dilution. The court also refused summary judgment for the copyright portion of Disney's claims, noting that Disney's lawyers presented for evidence poor-quality screenshots of Characters For Hire's website, including screenshots of site pages no longer active, but which were instead grabbed from the Internet Archive. The copyright claims, however, will go to trial, assuming Disney lets it get that far after these early losses. The more likely outcome is that a settlement will be reached. With so little left to argue, Disney surely can't want to throw money at lawyers' fees just to keep some kids from having fun at their birthday parties... can it?

posted 2 days ago on techdirt
If you haven't noticed, the entertainment industry has a new, terrifying bogeyman. Over the last year or two, pressure from entertainment industry lobbying groups has resulted in an all-out war on streaming video devices (aka computers) that run Kodi, the video streaming software. Kodi has technically been around since 2002, first as Xbox Media Player, after which it became the Xbox Media Center until 2014. The XBMC Foundation then renamed the software Kodi, and it became popular as an easy way to store and stream content, including copyrighted content, from hardware running Kodi to other devices in or out of the home. For years now, tinkerers everywhere have built custom-made PCs that use the open-source Kodi platform. In more recent years, outfits like Dragonbox or SetTV have taken things further by selling users tailor-made hardware that provides easy access to live copyrighted content by not only including Kodi, but integrating numerous tools and add-ons that make copyright infringement easier. Driven largely by clearly-terrified entertainment-industry execs and lobbyists, numerous studios, Netflix and Amazon have tried to sue these efforts out of existence. Even the FCC has tried to help the entertainment industry in this fight, demanding that Ebay and Amazon crack down on the sale of such devices. Since the FCC lacks authority over copyright, it has instead tried to justify its involvement here by focusing on these devices' illegal use of the FCC approval logo. It's another big favor to the entertainment industry by the Pai FCC, who you'll recall killed efforts to help make the traditional cable box sector more open and competitive. But the fight has also been pushed well beyond "fully loaded" Kodi-embedded devices specifically built and sold with an eye on copyright infringement. Google, for example, has banned the word Kodi from its autocomplete filter despite the fact that the Kodi software is perfectly legal. 
Facebook has also been piling on, initially updating its commerce policy to ban the promotion of "products or items" that facilitate or encourage unauthorized access to digital media. Last week, Cordcutter news was the first to notice that Facebook had since tailored its commerce policy further to specifically ban Facebook users from promoting "the sale or use of streaming devices with KODI installed." Facebook hasn't banned the sale of any devices that are compatible with Kodi-streaming devices (keyboards, remotes). But the specific focus on Kodi remains a problem because, again, Kodi itself isn't illegal. Nor is building a small custom-PC with Kodi (or any of numerous variants like Plex) installed. Banning users for selling custom PCs that just happen to include software the entertainment industry assumes will be used for piracy is an obnoxious over-reach, but it should make it clear just how terrified the entertainment industry is of such devices. It's an age-old story. This "threat" (which again is perfectly-legal hardware running perfectly-legal software) could be countered by offering consumers better, more modifiable, and open products and services. Instead, as we saw with the cable industry's massive disinformation attack against cable box reform efforts, the goal is always to keep everything unrealistically locked down to the detriment of the right to tinker and consumer choice.

posted 2 days ago on techdirt
Here's one that might create a bit of a stir. The history of the 20th century and maximalist, ever expanding copyright is often associated with one particular company: Disney. I mean, the 1998 Copyright Term Extension Act (CTEA) is regularly called the "Mickey Mouse Protection Act" and Tom Bell once created this lovely Mickey Mouse Curve showing how copyright terms always seemed to expand just before the original movie starring Mickey, Steamboat Willie, was about to enter the public domain. This pattern might finally (miraculously) end this year -- but not because Disney has become enlightened. Rather, it's mainly because Disney's lobbying influence is not what it once was, and SOPA seemed to make both Congress and the legacy entertainment industry realize that they would almost certainly lose another such fight on an issue like this (not that there weren't attempts to slip provisions into trade agreements that had the potential to expand copyright terms). However, it does seem notable -- as first spotted by Eriq Gardner at The Hollywood Reporter -- that Disney has now been put in the possibly awkward position of complaining about "overzealous copyright holders," and talking about the importance of user rights and fair use to protect free speech and the First Amendment. No, really. Disney, of course, owns ABC. Back in May (though the complaint appears to incorrectly state March), ABC aired a two-hour program entitled The Last Days of Michael Jackson. The Michael Jackson Estate was not pleased and sued for copyright infringement. The complaint itself is quite a read. It completely mocks the program in question: Although titled The Last Days of Michael Jackson, the program did not focus on Michael Jackson’s last days. Rather, it was simply a mediocre look back at Michael Jackson’s life and entertainment career. 
A Rolling Stone review described the program as “offer[ing] little in the way of new revelations or reporting and at times seems heavy on armchair psychoanalysis and unsupported conjecture.” The magazine was being too generous. The program contained nothing “in the way of new revelations or reporting.” It also digs deep on Disney's well-known history for maximalism: Disney’s media business depends on its intellectual property and, more specifically, the copyrights it holds in its well-known characters, motion pictures, music, and the like. Disney has never been shy about protecting its intellectual property. Indeed, its zeal to protect its own intellectual property from infringements, real or imagined, often knows no bounds. a. Disney has threatened to sue independent childcare centers for having pictures of Mickey Mouse and Donald Duck on their walls, forcing them to remove all pictures of Mickey or Donald—and other anthropomorphized mice or ducks—rather than face ruinous litigation from one of the world’s largest corporations. b. Disney once sued a couple on public assistance for $1 million when they appeared at children’s parties dressed as an orange tiger and a blue donkey. Apparently, these costumes cut too close to Tigger and Eeyore for Disney’s tastes. c. Disney takes a very narrow view of copyright law’s “fair use” doctrine. For example, just a few years ago, it sent DMCA takedown notices to Twitter, Facebook, and other websites and webhosts, when consumers posted pictures of new Star Wars toys that the consumers had legally purchased. Apparently, Disney claimed that simple amateur photographs of Star Wars characters in toy form infringed Disney’s copyrights in the characters and were not a fair use. It's hard to deny any of the above. And thus, the complaint, with a healthy dose of snark, notes Disney's fairly blatant hypocrisy: Like Disney, the lifeblood of the Estate’s business is its intellectual property. 
Yet for some reason, Disney decided it could just use the Estate’s most valuable intellectual property for free. Apparently, Disney’s passion for the copyright laws disappears when it doesn’t involve its own intellectual property and it sees an opportunity to profit off of someone else’s intellectual property without permission or payment. It claims "at least thirty different copyright works" were used without permission. These included clips from songs and music videos, concert footage and the Jackson Estate's own documentary footage. So now Disney has answered and finds itself, quite incredibly, arguing against overzealous copyright holders and about the importance of protecting the First Amendment from being harmed by excessive copyright claims. Literally. This case is about the right of free speech under the First Amendment, the doctrine of fair use under the Copyright Act, and the ability of news organizations to use limited excerpts of copyrighted works—here, in most instances well less than 1% of the works—for the purpose of reporting on, commenting on, teaching about, and criticizing well-known public figures of interest in biographical documentaries without fear of liability from overzealous copyright holders. I agree with everything in that paragraph. I'm just shocked that it's Disney stating this. Disney is not the most credible defender of the First Amendment and fair use. Nor is it the most credible defendant to be yelling about overzealous copyright holders. Throughout the answer to the complaint Disney insists that its uses of the Michael Jackson works "were included in the Documentary on a transformative and fair use basis." Without having seen the documentary, it's impossible to say whether or not the uses truly qualify as fair use, though the argument that they are sounds reasonable. But the idea that Disney is the one fighting for fair use and against overzealous copyright holders remains stunning and bizarre. 
I'd like to believe this is Disney coming to its senses and making amends for the century of harm it's done thanks to copyright, but it seems much more likely that this is just an opportunistic defense of fair use, and the company remains firmly in the camp of supporting ever expanding copyrights. I wonder how Disney would feel if someone showed up to future hearings in the case wearing an unauthorized Mickey Mouse costume?

posted 2 days ago on techdirt
No need to struggle with remembering long and complicated passwords. Sticky Password is a password management and form filler solution, available for Mac, Windows, iOS, and Android. This lifetime Sticky Password Premium subscription protects your online identity by providing strong encrypted passwords for all your accounts, managed by a single master password known by you, and only you. It's on sale for $40. Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

posted 3 days ago on techdirt
Yet again, when it comes to digital goods, you don't own what you buy. Inmates in Florida's prison system are learning this fact of life, thanks to a change in jail "entertainment" providers. In April last year, the Florida Department of Corrections struck a deal with JPay. The private company, spearheading a push to sell profit-driven multimedia tablets to incarcerated people across the country, would be allowed to bring the technology to every facility in the nation’s third-largest prison system. But there was a catch. Inmates had already been purchasing electronic entertainment for the last seven years — an MP3 player program run by a different company: Access Corrections. For around $100, Access sold various models of MP3 players that inmates could then use to download songs for $1.70 each. Inmates could keep them in their dorms. The demand was clear. More than 30,299 players were sold, and 6.7 million songs were downloaded over the life of the Access contract, according to the Department of Corrections. That’s about $11.3 million worth of music. Because of the tablets, inmates will have to return the players, and they can't transfer the music they already purchased onto their new devices. The corrections system is switching to JPay. Unfortunately, nothing else is switching. Money isn't easy to obtain in prison, meaning most of this suddenly useless music was purchased with funds from friends and family at inflated prices. The prison system comes out of it OK. It has collected $11.3 million on the sale of worthless infinite goods to a literally captive audience. Now, with a lucrative JPay contract in effect, inmates are out millions of dollars in digital goods. The only option for keeping what they purchased means shelling out more cash for the opportunity to put their purchased music completely out of reach. 
The Department of Corrections negotiated an extension with Access Corrections to allow inmates to keep their MP3 players until January 23, 2019 if they choose not to participate in the tablet program. Manderfield, the department spokesman, said that a department code prohibits inmates from owning more than one MP3 player at a time, but even without that, inmates would be able to keep the players because the contract is ending and there would be no way to service them. Once returned, the inmates can pay a $25 fee to have their device unlocked or their music downloaded onto a CD before being shipped out to a non-prison address. All of this stupidity is made possible by greed, greed, and more greed. First, the move to JPay gives Florida prisons even more money: $2.75 every time someone adds money to a JPay account, as well as a cut of any new content sold to inmates for the new devices. This has already resulted in $3.9 million in commissions over a twelve-month period covering April 2017 to March 2018. The music end involves greed as well. Licensing is a nightmare, thanks to the endless meddling of music labels and performance rights organizations. An MP3 should be able to travel to any other device that supports that format, but it never does (especially not if the devices are controlled by an outside contractor). Licensing fees paid by Access Corrections apparently don't cover transfers of infinite goods to devices produced and sold by someone else. JPay handles its own licensing and even if it covers much of the purchased music, that's just not acceptable to everyone up the line waiting with their hands out. People who don't have much money or any way to earn much of it are out $11.3 million. The prison gets paid. The service contractors get paid. The labels and PROs get paid. Everyone comes out of this fine except for the people who paid for the goods. If they want to "own" more music, they'll be paying everyone else twice for something they bought. 

posted 3 days ago on techdirt
So FCC boss Ajit Pai will need to don some tap-dancing shoes this Thursday, when he'll be forced to explain to a Senate oversight committee why his agency not only made up a DDOS attack, but lied repeatedly to the press and Congress about it. As we recently noted, e-mails obtained by FOIA request have proven that the FCC completely made up a DDOS attack in a bizarre bid to downplay the fact that John Oliver's bit on net neutrality crashed the agency website last year. A subsequent investigation by the FCC Inspector General confirmed those findings, showing not only that no attack took place, but that numerous FCC staffers misled both Congress and the media when asked about it. Pai initially tried to get out ahead of the scandal and IG report by issuing a statement that threw his employees under the bus while playing dumb. According to Pai's pre-emptive statement, the entire scandal was the fault of the FCC's since-departed CIO and other employees who mysteriously failed to alert him that this entire shitshow was occurring (you can just smell the ethical leadership here): "I am deeply disappointed that the FCC’s former Chief Information Officer (CIO), who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people. This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office." There are several problems with Pai's statement. One, while FCC CIO David Bray was hired by the Obama-era FCC, he remained employed (and spreading the false DDOS attack) well through last year under Pai's "leadership." 
Two, the FCC IG found that Bray and several other employees had not only been circulating the false DDOS report to reporters, but had repeatedly misled Congress (again under Pai's watch). The lies of three FCC employees to Congress were deemed severe enough that they were reported to the DOJ, which refused to prosecute anybody (I'm sure you and I would have been granted the same benefit of the doubt). That Pai had no idea that any of this was happening is a pretty big stretch, especially considering that the FCC continues to block FOIA requests for certain e-mail exchanges related to the stupid affair. As such, when Pai appears before a Senate oversight committee on Thursday, the big question is going to be: just how long did Pai know that his staff was actively misleading Congress in numerous back and forth letter exchanges on the subject? The other major problem, and it's one you'd hope lawmakers at the hearing address, is that Pai's claim that this was all the fault of rogue employees doesn't gel with the fact that Pai's press shop was actively misleading and denigrating reporters throughout this whole affair. For example, when the press began digging into the agency's shaky claims, Pai's FCC thought it would be a good idea to send a prickly statement to numerous media outlets. That statement not only tried to claim reporters were "irresponsible" simply for trying to clear up the matter, but that the FCC had "voluminous documentation" proving the DDOS attack occurred: "The FCC has never stated that it lacks any documentation of this DDoS attack itself," the agency states. "And news reports claiming that the Commission has said this are without any basis and completely irresponsible. In fact, we have voluminous documentation of this attack in the form of logs collected by our commercial cloud partners." Outside of the first sentence, nothing in that official FCC statement is true. So again, the idea that Pai knew nothing at all about this mess is hard to believe. 
Especially given that his own press shop and numerous employees were busy lying to Congress and denigrating reporters simply for getting to the truth. Pai's explanation for this should make for good television, whether or not Congress grows a spine and actually holds Pai's feet to the fire.

If you've watched Pai's FCC work, it seems pretty clear at this point that the nonexistent DDOS attack, much like the FCC's refusal to address bogus comments during the net neutrality public comment period, is all part of the same effort: doing everything possible to try and downplay the scope and importance of the massive, unprecedented public opposition to Pai's historically unpopular policies.

You'd like to think there's something vaguely resembling accountability at the end of this story. At the very least, it's likely that the bogus DDOS attack and fake comments will be playing starring roles during the upcoming net neutrality hearings, where all of this can be used to add context to the FCC's rushed, facts-optional efforts to repeal net neutrality exclusively at broadband monopolies' behest.

posted 3 days ago on techdirt
The Australian government is looking to revamp its compelled access laws to fight encryption and other assorted technological advances apparently only capable of being used for evil. It's getting pretty damn dark Down Under, according to the Department of Home Affairs' announcement of the pending legislation.

Encryption conceals the content of communications and data held on devices, as well as the identity of users. Secure, encrypted communications are increasingly being used by terrorist groups and organised criminals to avoid detection and disruption. The problem is widespread, for example:

- Encryption impacts at least nine out of every ten of ASIO’s priority cases.
- Over 90 per cent of data being lawfully intercepted by the AFP now use some form of encryption.
- Effectively all communications among terrorists and organised crime groups are expected to be encrypted by 2020.

An example of harmful encryption is provided for readers at home, so they can weigh their own security and privacy against an anecdote about a registered sex offender who may or may not have escaped prosecution (the outcome of the case isn't provided) by using encrypted messaging apps. And it includes an inadvertently helpful lesson about the stupidity of targeting encryption with legislation, even if the DHA likely doesn't realize it.

The suspect was arrested and his mobile phone was seized but despite legislative requirements he refused to provide his passcode.

There's the limitation of lawmaking. Lawbreakers break laws and they're not going to stop just because you've told them not to with a government mandate. Legislation [PDF] like this does little more than make life more difficult for service providers and device makers while undermining the privacy and security of millions of law-abiding citizens.

The explanation sheet [PDF] notes the government is not seeking to mandate encryption backdoors.
That being said, it would like providers of encrypted services/devices to leave the door cracked open so the government can step inside whenever it feels the need to look around.

The type of assistance that may be requested or required under the above powers include (amongst other things):

- Removing a form of electronic protection applied by the provider, if the provider has an existing capability to remove this protection.
- Providing technical information like the design specifications of a device or the characteristics of a service.
- Installing, maintaining, testing or using software or equipment given to a provider by an agency.
- Formatting information obtained under a warrant.
- Facilitating access to devices or services.
- Helping agencies test or develop their own systems and capabilities.
- Notifying agencies of major changes to their systems, productions or services that are relevant to the effective execution of a warrant or authorisation.
- Modifying or substituting a target service.
- Concealing the fact that agencies have undertaken a covert operation.

The law can't retroactively force companies to produce crackable devices and messaging systems. But the first bullet point could see the Australian government demanding they do so in the future if they want to provide goods and services to the Australian public. Fortunately, the bill includes a clause making future demands along these lines impossible for the time being.

The Bill expressly prohibits technical assistance notices or technical capability notices from requiring a provider to build or implement a systemic weakness or systemic vulnerability into a form of electronic protection. This includes systemic weaknesses that would render methods of authentication or encryption less effective. The Australian Government has no interest in undermining systems that protect the fundamental security of communications.
The new powers will have no effect to the extent that requirements would reasonably make electronic services, devices or software vulnerable to interference by malicious actors. Importantly, a technical capability notice cannot require a provider to build a capability to remove electronic protection and puts beyond doubt that these notices cannot require the construction of decryption capabilities.

Without further discussion by the legislature, it's tough to tell whether creating an escrow system would be considered a "system weakness" or make "encryption less effective." I mean, it obviously is and does, but does the DHA see it that way? And will this clause survive the final markup?

Compelling decryption using "existing" methods seems especially useless if most services and devices cannot currently be decrypted by providers. The government is better off seeking outside help from contractors who do nothing else but find ways to crack or bypass encryption, rather than dropping language into the law that suggests backdoors the government won't call "backdoors" will be mandated in the future.

It also gives the government a considerable expansion of power, allowing it to peruse private companies' design specs and a heads up if any redesigns are in the works. It also forces companies to be compliant partners in government surveillance by mandating their assistance in man-in-the-middle attacks ("modifying or substituting a target service") and ordering them to withhold information from affected customers.

There is a public comment period, which is a nice touch. There also appears to be some respect for the good encryption does, rather than simply viewing it as an escape route for criminals and terrorists. But there's also a good deal of power expansion tied to rickety wording that suggests backdoors might be mandated if the government can talk itself into viewing proposals as something other than backdoors.
And there's no guarantee this vague promise will make the final cut.
