posted 9 days ago on techdirt
As you may recall, about a year ago, President Obama gave a speech pledging some fairly weak NSA reforms in response to the Snowden revelations. There were some good things proposed, but he could have gone much further. One specific promise: the NSA would stop hoarding metadata on every phone call. As he said, it was time to "transition away" from using Section 215 of the Patriot Act to collect all those phone calls for the NSA to snoop through. Of course, he left the details up to Congress. And, Congress, in true Congress-like fashion, completely dropped the ball and failed to approve any of the proposed legislative changes that would have ended the metadata collection program. So, President Obama is giving up. He apparently is breaking his promise to take the metadata away from the NSA: President Barack Obama's administration has quietly abandoned a proposal it had been considering to put raw U.S. telephone call data collected by the National Security Agency under non-governmental control, several U.S. security officials said.... [....] The Obama administration has decided, however, that the option of having a private third party collect and retain the telephone metadata is unworkable for both legal and practical reasons. "I think that's accurate for right now," a senior U.S. security official said. It is neither unworkable for legal nor practical reasons. It's only unworkable because of political reasons in that Congress couldn't get its act together to bar the practice. Furthermore, if President Obama had ever actually been serious about ending the program, he could have easily done it himself. That's because his administration has to go back to the FISA Court every few months to renew the program -- and he could have simply not had them do so. But, instead, the DOJ has just kept on renewing over and over again since then. 
And thus, the NSA gets to keep on collecting all that metadata -- unless the courts magically put a stop to it or Section 215 isn't renewed by Congress in June of this year...
posted 9 days ago on techdirt
Germany has figured on Techdirt on a number of occasions because of the widespread use of warning letters there, sent out in large numbers in connection with alleged copyright infringement, and usually including a demand for money. Back in April 2013, the German digital rights group Digitale Gesellschaft (Digiges) contacted the European Commission in order to draw its attention to the misuse of warning letters, which it said were in contravention of safeguards contained in the relevant European legislation. Here's the background, as explained by the digital rights association EDRi: Digiges pointed out that in Germany, IPRED [the EU's Intellectual Property Enforcement Directive] had led to a situation which allowed rightsholders to acquire personal data of the users directly from the providers. All they needed for that was the IP-address of an alleged infringer and an application to a court that would order the provider to hand over the requested information. While this option was originally meant to facilitate the realisation of damages and injunctive relief, the whole process in fact became more and more automated over time. The requests from rightsholders usually comprised between 15 and 3 500 IP-addresses at a time. In one single case in October 2009, the number even reached a breathtaking 11 000. Given the fact that the court proceedings in these cases are always summary or expedited ones, it becomes clear that there is hardly any chance for a judge to thoroughly check the validity and accuracy of the "evidence" presented by the rightsholder. In its letter, Digiges argued that the situation created by the German implementation of IPRED violates EU law, and asked the European Commission to do something about it. It did: in October 2013, it invited representatives to Brussels to explain their case further. 
After further correspondence with Digiges, more than one and a half years after the initial letter was sent, the Commission has finally decided to take the first step towards an infringement procedure against Germany: The Commission officially prompted the German government to comment on the German situation around warning letters within ten weeks. Heady stuff. EDRi points out that any practical effect of the Commission taking up this case is likely to be very slow to arrive: The German government is expected to delay their answer to the Commission as long as possible. Once it has arrived, the Commission will have 10 weeks to evaluate the government’s reply. An ensuing judicial infringement procedure might take up to two years and will be repeated if the member state in question fails to comply with the ruling of the court. So, realistically, we are looking at over four years before Germany actually has to do anything serious like changing its law here. But EDRi tries to look on the bright side, concluding its post as follows: it is still unclear if and when Germany will change its laws facilitating the abuse of warning letters. But an important step towards the first infringement procedure with a net-political twist has been taken. That's the spirit. Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
posted 9 days ago on techdirt
You may recall that there have been recent trademark issues over the term "12th Man", which Texas A&M insists is its alone to use, even as the Seattle Seahawks perhaps use it most famously in describing their rabid crowds and the deafening noise their home stadium produces. Well, on the eve of the Seahawks returning to the Super Bowl, the trademark lawyers for the team have decided to make a run at getting their own trademark on the number "12" ... and just about everything else they could think of as well. Despite that long history of onomatopoeia in the sport, the Seahawks are now trying to trademark the word “boom” and use it for the team’s own purposes. The effort is part of a quiet legal strategy in which the team has filed some two dozen trademark applications since October 2013 for phrases such as “Go Hawks” and the number “12.” Football and the word “boom” have been married for decades, long before someone nicknamed Seahawks defenders the “Legion of Boom.” Way back in the 1960s, Minnesota Vikings running back Bill Brown was known as “Boom-Boom” for his similarly punishing style. Ex-coach John Madden bellowed “boom” during play-by-play TV broadcasts so often that, by the 1990s, it became his personal catchword, used in commercials featuring the popular pitchman. No matter, apparently, because the attorneys are here to make sure the long history of "boom" and "numbers" in football belong to them for commercial purposes. The idea that a word that describes a sound could be locked up by a team, not to mention a number that describes the fanbase as a part of the team, is absolutely ludicrous. But the flag bearing the number "12" has already been approved for trademark. We'll have to see about the "boom." As for "Go Hawks", good luck to the Seahawks because there are very interested parties lining up to object. The Seahawks’ aggressive quest for new revenue has led both the NBA and NHL to try to slow one of the trademark applications. 
And while Seattle’s owners were once sued over the use of “12th Man,” the team is now trying to seize control of many other variations of the term. You can bet the Atlanta Hawks in the NBA and the Chicago Blackhawks in the NHL will be throwing lawyers at the Seahawks' lame attempt to lock up language. Those two teams alone have an insane amount of merchandise in place bearing the "Go Hawks" language. So why haven't those teams ever tried to trademark the term? Well, because unlike the Seahawks, most professional sports teams are surprisingly lax when it comes to trademarking tangential language. Scott Andresen, a sports entertainment attorney in Chicago, said the Seahawks’ pursuit of so many different trademarks contrasts with conduct by other teams, even those with a national brand such as the Dallas Cowboys. “They’ve always been a little aggressive about securing intellectual property for themselves,” said Andresen, who has worked with other professional franchises. “They’ve really taken the position that the more intellectual property, the better.” Just in the past few months, the Seahawks have petitioned the U.S. Patent and Trademark Office for a chance to oppose a film company’s application to trademark a geographical name featured in the blockbuster “Hunger Games” books and movies: “District 12.”...While the Seahawks’ team owners have submitted 24 trademark applications in the past 15 months, officials with the Green Bay Packers, last weekend’s opponent, have filed just 36 applications in the past 40 or so years, according to federal records. So the Seahawks are especially insane when it comes to trying to trademark anything and everything. Perhaps they learned this deviant behavior at the hands of Texas A&M, and the cycle simply repeats itself with the victim becoming the perpetrator. Or maybe there's some kind of gas leak in the offices of the team's attorneys. Either way, it's probably time for a well-being check.
posted 9 days ago on techdirt
Wind power is getting a bit of a boost from various new technologies that allow turbines to capture higher-altitude wind without building enormous and unsightly towering structures on the ground. There are plenty of airborne wind companies (e.g. WindLift, SkySails, Sky Windpower, NTS, etc.), as well as smarter ground-based generators that are aiming to provide cheaper and more reliable electricity. Check out a few of these links if you like the idea of the skies filled with drones, blimps, kites and other floating devices. Altaeros Energies has a floating wind turbine that should generate electricity at the cost of $0.18 per kilowatt-hour. The Buoyant Airborne Turbine (BAT) is an inflatable, helium-filled ring with a turbine placed in the center. It has a capacity of 30 kilowatts, and it flies at an altitude of 300 meters. Google's Makani project generates electricity from high-flying kites equipped with turbines that can circulate from 80 to 350 meters off the ground. These kites can capture more energy than traditional ground-based turbines, and they can be moved to different locations to maximize their wind collection. Ground-based wind turbine generators haven't changed that much over the last few decades, but they're getting more cost competitive with fossil fuel generators (about $0.065 per kilowatt-hour). With sensors and battery storage systems, traditional generators can provide more consistent and reliable power to the grid.
posted 9 days ago on techdirt
Another Supreme Court ruling... and another smackdown of CAFC, the Appeals Court for the Federal Circuit that handles all patent appeals. This regular smackdown of CAFC by the Supreme Court has become such a recurring story that it would almost be surprising if the Supreme Court took a patent case to do anything but smackdown CAFC. The key issue here is that the Supreme Court basically has taken away CAFC's powers to review a patent directly to determine if the patent itself is valid or not. Instead, it can only review the district court's findings, to determine if there was an obvious error by those district courts in handling claim construction. While this takes away power from CAFC, it actually is seen as beneficial to patent trolls, since (especially lately), the now-chastened CAFC has suddenly been rejecting patents left and right. But that might stop now as the CAFC's ability to do that is now greatly limited. The specific case is Teva Pharmaceuticals v. Sandoz, and the 7-2 ruling argues that appeals courts are only supposed to set aside "clearly erroneous" findings of fact by the district court, and that means that the CAFC should not do "de novo" review of a patent (i.e., from scratch): Federal Rule of Civil Procedure 52(a)(6) states that a court of appeals “must not . . . set aside” a district court’s “[f]indings of fact” unless they are “clearly erroneous.” In our view, this rule and the standard it sets forth must apply when a court of appeals reviews a district court’s resolution of subsidiary factual matters made in the course of its construction of a patent claim.... Even if exceptions to the Rule were permissible, we cannot find any convincing ground for creating an exception to that Rule here. The Rules Advisory Committee pointed out that, in general, exceptions “would tend to undermine the legitimacy of the district courts . . . , multiply appeals . . . 
, and needlessly reallocate judicial authority.” The ruling further notes that the CAFC can still do "de novo review" of the lower court's "ultimate interpretation of the patent claims," but just not the fact-finding portion. Still, where this is concerning is that, for all the problems with CAFC judges generally loving patents, district court judges are unlikely to have much understanding of the underlying issues that go into a patent. And thus, the fact-finding part of the process will just involve piling on experts, and the side willing to spend more on experts who will claim its interpretation of the claims is right will win, and the CAFC can no longer do much to challenge that. Unlike recent CAFC smackdowns that were of the 9-0 variety, this one had two dissenting Justices: Thomas and Alito. Their dissent is a worthwhile read also. It focuses on the somewhat fuzzy area in between what is a finding of fact and one of law. And it notes that patents are not that different from laws, and as such the claim construction aspect shouldn't be seen so much as a finding of fact as a finding of law. Specifically, a patent is effectively a law against others being able to use a certain invention. And thus, according to the dissent, it should be treated like a law, subject to specific interpretations that can be reviewed by the appeals court: Because they are governmental dispositions and provide rules that bind the public at large, patent claims resemble statutes. The scope of a patent holder’s monopoly right is defined by claims legally actualized through the procedures established by Congress pursuant to its patent power. Thus, a patent holder’s actual intentions have effect only to the extent that they are expressed in the public record.... Moreover, because the ultimate meaning of a patent claim, like the ultimate meaning of a statute, binds the public at large, it should not depend on the specific evidence presented in a particular infringement case. 
Although the party presentations shape even statutory construction, de novo review on appeal helps to ensure that the construction is not skewed by the specific evidence presented in a given case. Furthermore, the dissent reasonably worries that this will now open up a huge opportunity for patent trolls to argue where the line is between fact and law, creating quite a bit of new litigation: Perhaps the majority is correct that “subsidiary factfinding is unlikely to loom large in the universe of litigated claim construction.” .... But I doubt it. If this case proves anything, it is that the line between fact and law is an uncertain one—made all the more uncertain by the majority’s failure to identify sound principles for the lines it draws. The majority’s rule provides litigants who prevail in district court a significant opportunity and incentive to take advantage of this uncertainty by arguing on appeal that the district court’s claim construction involved subsidiary findings of fact. At best, today’s holding will spawn costly—and, if the majority is correct about the frequency with which these evidentiary determinations make a difference, meritless—collateral litigation over the line between law and fact. We generally avoid any rule of judicial administration that “results in a substantial expenditure of scarce judicial resources on difficult questions that have no effect on the outcome of the case,” ..., and there is no reason to embrace one here. So while it's not surprising that CAFC received another Supreme Court smackdown, it seems like perhaps this time, it may create more problems, rather than cleaning up a mess.
posted 9 days ago on techdirt
Glyn already covered European Parliament Member (and the EU Parliament's only Pirate Party representative) Julia Reda's report on copyright reform in the EU. However, for Day 3 of Copyright Week -- which is all about transparency -- I wanted to focus on the other aspect of Reda's release of her report: just how transparent she's been. When we talk about transparency in copyright law, we're often talking about the lack of such transparency, often via international trade negotiations, like ACTA, TPP and TAFTA/TTIP, in which backroom dealing is done by unelected bureaucrats. The public is kept out of the negotiating process entirely, while lobbyists have full access. Combine that with the revolving door between the negotiators and the lobbyists themselves, and it's a recipe for non-transparent policy-making by which legacy industries get all the "gifts" they want. Reda's approach with her report on copyright shows that it doesn't need to be that way. Along with the report, she detailed all of the 86 meeting requests she received from lobbyists regarding copyright (noting that the number went way up after she was appointed to write this report). She also noted that she really wanted to "balance out the attention paid to various interest groups" and that she really wanted to speak to content creators directly, rather than middlemen: Most requests came from publishers, distributors, collective rights organizations, service providers and intermediaries (57% altogether), while it was more difficult to get directly to the group most often referred to in public debate: The authors. The results of the copyright consultation with many authors’ responses demonstrate that the interests of collecting societies and individual authors can differ significantly. 
The end result: [Chart: meetings requested vs. meetings taken, broken down by rightholders, authors, authorities, service providers, academia and users.] She also includes a list of every lobbying meeting request she received on copyright. This is great to see, and it would be nice to see others working on these issues post similar things. A few years ago, I noticed that while the USTR's FOIA website has a page for visitor logs, that page is conveniently left blank. After many months of back and forth, the USTR finally sent me visitor logs in an almost entirely unusable manner. Here's one of the many documents that were sent: [Embedded document: USTR visitor log, February 1 to February 28, 2011.] Compare and contrast the two situations. One appears to be representative government. The other seems to be doing everything possible to hide what's really going on when it comes to important things like understanding who's influencing copyright policy.
posted 10 days ago on techdirt
The Olympics: an every-other-year experiment in curtailing the rights of its hosts while draining those hosts of as much money as possible. It's apparently gotten so bad that essentially nobody actually wants to host the Olympic games. Those still relentlessly putting in bids to bring on this multi-nation quagmire of garbage probably don't care all that much that the IOC and its smaller sub-parts are money-grubbing, number-trademarking, viewer-hating megalomaniacs that quite possibly lack what we refer to as souls and may or may not be fully-manufactured Hitler-clones. But if they do care about those things, they better not say so, according to what is apparently boilerplate legal language in Boston's agreement with the USOC. Nobody who lives in Boston actually wants the city to win its bid for the 2024 Olympic games. And yet, in a joinder agreement between the city and the United States Olympic Committee, mayor Marty Walsh has signed a contract that forbids city employees from speaking negatively about the bid, the IOC, or the Olympic games. It's a great day for free speech in the cradle of liberty. Boston, home of the Boston Massacre and the tea party revolt, the city from whence the USS Constitution launched, the home of both Presidents John Adams, has decided to suspend their employees' free speech rights in favor of hosting a corporate sporting event packed with more authoritarian bullshit than your average Middle East dictatorship. Let that sink in for a moment. Or, if you're like Boston's Mayor, Marty Walsh, just dust that crap off your shoulder cuz it's no big deal, yo. "Mayor Walsh is not looking to limit the free speech of his employees and, as residents of Boston, he fully supports them participating in the community process. This was standard boilerplate language for the Joinder Agreement with the USOC that all applicant cities have historically signed. The Mayor looks forward to the first citywide community meeting that will be held next week." 
The Mayor has also claimed that there would absolutely be no punishment for city workers who decided to express their feelings about the Olympics being a big bucket of money-sucking dogshit, but contracts are contracts, so they may not be inclined to test Walsh's honesty on that point. So I'll do it for them. The Olympics sucks. Just read it in a Boston accent.
posted 10 days ago on techdirt
We've written a few times about the ridiculous case against Barrett Brown, a journalist who took a deep interest in Anonymous and various hacking efforts. As we noted, a key part of the initial charges included the fact that Brown had organized an effort to comb through the documents that had been obtained from Stratfor via a hack. The key bit was that Brown had reposted a URL pointing to the documents to share via his "Project PM" -- a setup to crowdsource the analysis of the leaked documents. Some of those documents included credit card info, so he was charged with "trafficking" in that information. Brown didn't help his own cause early on with some immensely foolish actions, like threatening federal agents in a video posted to YouTube, but there were serious concerns about how the government had twisted what Brown had actually done in a way that could be used against all kinds of journalists. While the feds eventually dismissed the key "linking" claim (equating linking to trafficking), they still got Brown to agree to a plea deal on other charges. After many months, he was finally sentenced today to 63 months in prison, more than double the 30 months that his lawyers asked for (30 months being the time he's already served in prison). He also has to pay $890,000 in restitution. For linking to some files he didn't have anything to do with leaking. Before the sentencing, Brown made a statement to the judge that is well worth reading. He admits that the threatening videos were "idiotic" and apologizes for it, but delves more deeply into what's really at stake in his case. Here's just a tiny bit: Every journalist in the United States is put at risk by the novel, and sometimes even radical, claims that the government has introduced in the course of the sentencing process. The government asserts that I am not a journalist and thus unable to claim the First Amendment protections guaranteed to those engaged in information-gathering activities. 
Your Honor, I’ve been employed as a journalist for much of my adult life, I’ve written for dozens of magazines and newspapers, and I’m the author of two published and critically-acclaimed books of expository non-fiction. Your Honor has received letters from editors who have published my journalistic work, as well as from award-winning journalists such as Glenn Greenwald, who note that they have used that work in their own articles. If I am not a journalist, then there are many, many people out there who are also not journalists, without being aware of it, and who are thus as much at risk as I am. Your Honor, it would be one thing if the government were putting forth some sort of standard by which journalists could be defined. They have not put forth such a standard. Their assertion rests on the fact that despite having referred to myself as a journalist hundreds of times, I at one point rejected that term, much in the same way that someone running for office might reject the term “politician”. Now, if the government is introducing a new standard whereby anyone who once denies being a particular thing is no longer that thing in any legal sense, then that would be at least a firm and knowable criteria. But that’s not what the government is doing in this case. Consider, for instance, that I have denied being a spokesperson for Anonymous hundreds of times, both in public and private, ever since the press began calling me that in the beginning of 2011. So on a couple of occasions when I contacted executives of contracting firms like Booz Allen Hamilton in the wake of revelations that they’d been spying on my associates and me for reasons that we were naturally rather anxious to determine, I did indeed pretend to be such an actual official spokesman for Anonymous, because I wanted to encourage these people to talk to me. Which they did. Of course, I have explained this many, many times, and the government itself knows this, even if they’ve since claimed otherwise. 
In the September 13th criminal complaint filed against me, the FBI itself acknowledges that I do not claim any official role within Anonymous. Likewise, in last month’s hearing, the prosecutor accidentally slipped and referred to me as a journalist, even after having previously found it necessary to deny me that title. But, there you have it. Deny being a spokesperson for Anonymous hundreds of times, and you’re still a spokesperson for Anonymous. Deny being a journalist once or twice, and you’re not a journalist. What conclusion can one draw from this sort of reasoning other than that you are whatever the FBI finds it convenient for you to be at any given moment. This is not the “rule of law”, Your Honor, it is the “rule of law enforcement”, and it is very dangerous. The judge didn't seem to care, however. Judge Sam Lindsay claimed that Brown was "more involved than he wants the court to believe" despite no such evidence being presented. Furthermore, it appears that even though the charges related to the link sharing were dropped and the plea was over other charges, sharing that link is part of why his sentence was so high. This is a very dangerous ruling for those who believe in freedom of the press. Rulings like this put anyone reporting on any hacked or leaked info at risk. While some don't like it, reporters need to be free to report on things, from the Stratfor documents to the Sony Hack documents to the Snowden revelations. A sentence like this puts a massive chill over journalism and the First Amendment in general.
posted 10 days ago on techdirt
One of the most exciting scientific explorations currently underway is the Rosetta space probe, which succeeded in placing a lander on the surface of the comet 67P, and which continues to send back some astonishing pictures. But according to an article on the BBC News site, those pictures come from Rosetta's navigation cameras, not from the main science cameras, which produce higher-quality images. Here's why that's happening: These images are subject to a six-month embargo to allow the mission team to make discoveries without being scooped. That's strange, since Rosetta comes from the publicly-funded European Space Agency (ESA), so there is obviously a good case for them being released immediately, especially given the high level of interest from many people. But as the BBC article explains, it's not ESA that is holding things back: The agency procures the satellite platform, the launch rocket and runs day-to-day operations, but the instruments that gather the data are supplied -- and funded -- via national member states. Esa may drive the truck, but it does not own the merchandise in the back. Giving scientists on particular instruments a proprietary period has become standard practice. It provides the researchers with a head start, enabling them to be first to announce major discoveries and to publish the details in the top journals. The credit and citations that follow boost their ability to propose future programmes and win further funding. This process has become central to the way they work. Maybe, but the approach is looking increasingly anachronistic. That's partly because of a new kind of real-time public engagement with science thanks to the Internet; but it's also to do with changes in the way raw scientific data is made available. 
As an example, the BBC report mentions the data policies for the Sentinel Earth-observation satellites that ESA is building and managing for the European Commission: The first of these spacecraft, a radar platform called Sentinel-1a, became operational late last year. All of its pictures are being given away free, with no priority access. The view is that this will supercharge discovery and even create new businesses in Europe that can exploit the data. Even though the Rosetta team is still clinging to the older model, there's plenty of evidence elsewhere in science that sharing results does indeed speed up discovery -- and boost the economic return. For example, researchers working on the Human Genome Project (HGP) decided as far back as 1996 that all data from publicly-funded projects should be released immediately. According to a 2013 study, the HGP created $966 billion in economic impact and $59 billion in federal tax revenue; not bad for an investment of $14.5 billion by the US government. Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
posted 10 days ago on techdirt
Included in the new Snowden document dump by Der Spiegel is one detailing the GCHQ's exploitation of iPhones [pdf link]. It isn't discussed much in the Der Spiegel piece (unsurprising, considering the number of documents revealed) but has picked up press elsewhere. The GCHQ managed to pull off a bit of coup, considering the iPhone's general resistance to malware. Instead of deploying an exploit to the target's phone, the GCHQ used an "endpoint machine" (a compromised computer or other device) to harvest data from the phone whenever it connected and synced. Similar to the NSA's exploitation of ad-tracking cookies, the GCHQ's program extracted the iPhone's UDID (Unique Device Identifier) during certain interactions -- like debit card purchases or interactions with AdMob. The Mobile Theme has invested a large amount of research into iPhone apps and metadata analysis over the last year accumulating with a detailed report done by [redacted] in October 2009 and 29 SEM rules created by ICTR-MCT These rules have used to extract iPhone metadata for a number of apps and in particular the Unique Device Identifier (UDID) from any carrier being processed using DEBIT CARDs. Further TDI rules are being developed by GTE that will in the future extract UDID events from carriers processed through the MVR system. The resulting events have then been used to populate both research and corporate QFDs (Query Focused Datasets) such as MUTANT BROTH and AUTOASSOC and will eventually form the basis of mobile correlations in HARD ASSOC. The end result of this proxy exploit? A ton of data and communications. The WARRIORPRIDE exploit has resulted in extraction of the target's address book, sms, call logs, notes, WLAN logs, bookmarks, map query history, Safari browsing history and some images. 
The document notes that this limited deployment resulted in the acquisition of three targets for the NSA, in addition to a number of UDIDs passed on to GCHQ's Tailored Access Operations, presumably in order to push further exploits to the phones at syncing. Unfortunately, further information isn't forthcoming as the accompanying guidance document -- the inadvertently hilariously-titled "Good Penetration Guide" -- has not been made public. One particular case was a [redacted] target, [redacted] with yahoo selector that was seen active on an iPhone OS 3_1_2, as shown in Figure 8. The resulting Yahoo-B cookie is [redacted] and as can be seen the target has been active off [redacted]. Running the resulting Yahoo-cookie through MUTANT BROTH resulted in 171 events primarily on case notations GWUKGOOS, and IRUKCO36. The resulting information was then forwarded to the in the [redacted] team for tasking by the standard CNE process as outlined in the Good Penetration Guide. The document is dated November 2010. Apple began phasing out the UDID system the next year and finally banned app developers from integrating this deprecated identifier into their apps in May of 2013. Considering the dates involved, the GCHQ had at least a two-year window where the end machine exploit provided access to data and content. (Apple began its deprecation of the identifier in 2012.) Considering this collection was killed off by the unaware company along with its UDID system, the GCHQ is obviously on board with UK Prime Minister David Cameron's call to forbid the sort of encryption Apple is making available by default. No one likes to see a source dry up, especially one utilizing devices historically resistant to outside exploitation.

posted 10 days ago on techdirt
In the past we've discussed the Shirky Principle, named after a statement by Clay Shirky that: "Institutions will try to preserve the problem to which they are the solution." In some ways that's a corollary to Upton Sinclair's famous quote: "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" I've long believed that the MPAA has this problem in spades. The group, which is supposed to be about helping the big Hollywood studios, has long taken very different positions. Five years ago, we wrote about how bizarre it was that the MPAA had an entire "Content Protection" division. As we noted at the time, the organization not only had a Chief Content Protection Officer, but also an Executive VP of Content Protection, a Senior VP of Content Protection and a regular VP of Content Protection, and probably a handful of Content Protection Minions or whatever they call their non-VP worker bees. And yet, there didn't seem to be anyone at the MPAA who had a title along the lines of "Chief Open Internet Evangelist" or "Chief Digital Business Model Strategist" or something along those lines, who could have been working with Hollywood to help transition the organization into the digital age. No, instead that transition has come in fits and starts with the MPAA itself fighting against most of the key moves and doing little to help forward thinking filmmakers and studios. In fact, if you talk to many of the up-and-coming filmmakers these days, they're just as angry about the MPAA's stance as open internet supporters -- because they realize just how counterproductive a "protection" regime is, compared to what an "embrace the opportunity" regime would be.
Eli Dourado has written up a fantastic discussion of this very idea, by focusing on two key things that came out of the Sony Hack that, together, more or less highlight the point above: that the MPAA is not pro-Hollywood at all, but rather seems entirely focused on "giving itself a reason to exist, rather than solving the film industry's" challenges. Specifically he highlights these two things: Leaked emails revealed the Motion Picture Association of America’s ongoing plans to censor the Internet to reduce digital film piracy. The hack prompted a surprise, online Christmas Eve release of The Interview that let us observe the effect of a new distribution model on film revenue. We have, of course, covered both of these, but Dourado puts them together nicely in context, showing how the MPAA's site-blocking/filtering/censorship strategy is one focused on destroying many of the opportunities of the internet, while the digital release of The Interview showed how embracing digital can actually be quite useful for Hollywood -- not that the MPAA wants anything to do with that at all. When put together, these vignettes raise important questions about the future of the film industry and its lobbying efforts. Is the MPAA really representing Hollywood’s long-term interests in Washington, or is it trying to fight old battles over and over in an attempt to justify its own existence? Dourado goes through the detailed history -- revealed by the Sony Hack -- of how, post-SOPA, the MPAA has regrouped to focus on ways to bring back site-blocking and censorship online, while simultaneously attacking Google at every turn (even when Google did exactly what the MPAA asked for and demoted sites the MPAA dislikes). As Dourado notes: But the more striking point is what this strategy reveals about the MPAA: the organization still deeply believes in site blocking as more or less the solution to online piracy. It continues to position itself as an enemy of the open Internet.
From there, he discusses the success of the online release of The Interview, pointing out how well it did. Of course, some of that may have been because of all the (somewhat questionable) news about the supposed threat from North Korea, leading some to choose to watch it for patriotic reasons. Still, Dourado notes that, while there was piracy of the film as well, much of it came outside the US, because Sony initially limited the release to US only online. And the movie did make a fair bit of money online and, perhaps more importantly, got people to pay attention to its online efforts: There is additional evidence that the online release was a win for Sony: its YouTube channel gained 243,000 new subscribers in the aftermath of the Interview release. As YouTube entrepreneurs like Michelle Phan would note, subscribers are as good as cash, a ready source of revenue for future online movie releases, if Sony decides to do more of them. The Interview episode shows that the Internet need not be viewed only as a source of piracy. With a modest change in business model, it can also be the film industry’s next great distribution platform. And then you get to the divergence question: which strategy is best for Hollywood and the film industry... and which strategy is best for the MPAA? Take a wild guess: What is the best strategy for the film industry going forward? Should it continue to fight the open Internet, as it did with SOPA, and as it has continued to do through state AG investigations and lobbying the ITC? Or should it embrace the Internet as a potentially profitable distribution platform that is in any case here to stay? It’s clear which strategy the MPAA, the lobbying organization, prefers. If the studios were to truly embrace the Internet, the MPAA would have a much diminished reason for existence. There is no one you need to lobby in order to release films online. 
Many employees, such as chairman Chris Dodd and general counsel Steven Fabrizio, would have little to do. The organization would have to go back to administering its film ratings system and asking states for ridiculous film tax credits. He goes even further, pointing out that this stupid focus on "content protection" has been shown time and time again not to work, whereas embracing the internet seems much more likely to work. But, of course, it would leave the MPAA with fewer things to do. And thus, to me, it goes all the way back around to the Shirky Principle. The MPAA has to keep focusing on "the piracy problem" because it has set itself up as "the solution" to that problem, perhaps knowing full well that it's a problem that can never be solved. Yet, because of this, it guarantees a large role for itself, convincing gullible studio bosses to keep forking money over to the MPAA, so that its leadership can keep earning multi-million dollar salaries. The real issue here is that, as younger, more internet-savvy filmmakers continue to bubble up throughout Hollywood, sooner or later more of them are going to realize what a farce the MPAA has become. And just like the MPAA's "content protection" strategy has totally failed Hollywood, eventually it's going to totally fail itself as well. That's what you get for fighting the future, rather than embracing it.

posted 10 days ago on techdirt
Last month we pointed out a fracas over Comcast lobbyists handing out special "VIP cards" to lawmakers in the hopes of letting them believe they were able to get special treatment from Comcast. As we noted at the time (and Comcast was quick to point out) pretty much all employees get these cards, which direct users to a special, one-time use phone number that allows a card recipient to jump over the rest of the plebeians in the pursuit of slightly-less substandard Comcast technical support. We're not treating power players differently, argued the company, because everybody can get these cards if they bitch enough. Fast forward a few weeks and a piece in the Washingtonian notes how a 2005 court filing indicates Comcast was keeping a list of VIP power players in the DC area that had Comcast service, and they did appear to get special service -- but only if their phone number was on record. Politicians, influential businessmen, civic leaders and other figures were tracked on a list, though Comcast again claims that none of these individuals received special treatment: "A Comcast spokesperson declined to explain why such “VIP” lists were compiled or whether the company still maintains such lists. “Comcast does not and has not offered special service, perks or free upgrades to lawmakers or public officials,” the spokesperson said in a statement to Washingtonian." Except again, it's not entirely clear that this is actually true. Two anonymous sources spoke to The Consumerist to note that not only were VIPs tracked, but if they called Comcast using their on-record phone number, they did in fact get special treatment: "One source worked for a company contracted by Comcast to maintain its automatic call distributor (ACD) system, which routes customer phone calls as they come in. This person says that the Comcast system was set up so that when one of the people on the VIP list called in, it would identify them by their phone number and jump them to the front of the line.
"My understanding was they were not told they were receiving preferential treatment,” says the source, "so in my opinion Comcast was deceiving them into thinking the service was better than it actually was." Another, more recently-employed source confirms the first, telling The Consumerist that VIP treatment was tied to a logged phone number, and was unrelated to the VIP cards (which offered access to a one-use phone number at Comcast): "They say there were situations where the system wouldn’t identify VIP callers correctly because they called from a phone that was not associated with the account. But once the account was looked up, “we could see that status on their account and escalated them to the Platinum group,” says the source, who claims that frontline support people were never given the “We’ll make it right” cards that Comcast supposedly hands out to all employees." That sounds suspiciously like special treatment, though at the end of the day being escalated from horribly abysmal customer service to marginally-decent customer service (or just getting horribly abysmal customer service faster) is probably a wash. Comcast, for what it's worth, will only mechanically and repeatedly insist that nobody has ever received special treatment, despite the now growing evidence that numerous people -- at least in DC -- were able to get special treatment. So, without a deeper investigation, I suppose we'll just have to take Comcast's word for it that all of the company's customers get treated like shit equitably.

posted 10 days ago on techdirt
We had mentioned in the past that once Senator Richard Burr took over the Senate Intelligence Committee, it seemed likely that the CIA torture report, prepared by the Committee's staffers, would be buried. That was before the redacted version of the executive summary was released, and it was written to explain why an agreement needed to be reached to release the report before the new Congress took over. However, what we didn't expect was that Senator Burr, upon taking office, would then take the rather unprecedented step of trying to bury the report anyway. But that's exactly what he's doing. Specifically, he has freaked out and demanded that the White House return every copy of the full 6,600 page report, saying that Senator Feinstein never should have delivered that full report to anyone in the administration: Burr, upon taking charge in January, wrote to the executive branch and the federal agencies in receipt of the document, and asked that it be returned to the committee, as he did not feel it was a valid disclosure. “It gets pretty technical,” Burr said, confirming he sent the letter. The full document, he explained, had been voted complete in the 112th Congress, and the release of the executive summary was voted on by the 113th Congress. But what wasn’t ever agreed upon, said Burr, was the disclosure of the full report to several arms of the federal government, which prompted his letter demanding all copies be returned. And, that's not all he's asking for. He's also demanding back the so-called "Panetta Review," which was the internal review, done by the CIA of the torture program, with findings that largely mirrored the Senate Intelligence Committee's report. The Panetta Review had been done, on the orders of then director Leon Panetta, and the CIA insists it was only meant for internal use at the CIA. At some point, however, according to the Intelligence Committee staffers, the CIA gave a draft of that document over to those staffers.
That resulted in then Senator Mark Udall asking the CIA for the final review -- leading the CIA to freak out that a Senator knew of the existence of the Panetta Review in the first place. That, of course, resulted in the CIA then spying on the Senate staffers' computers to find out how they got the document and the CIA ridiculously claiming that the staffers had violated criminal laws in removing the document from the network and storing it in a safe place. Udall, before leaving Congress, argued that the Panetta Review should be released, but Burr has (not surprisingly) demanded the document back. Once again, this raises some serious questions about what Senator Burr thinks his role is. Is it oversight of the CIA -- or is he the CIA's protector? Because the demands for both of these reports to be "returned" so that he can more or less destroy them certainly suggest the latter, rather than the former. And, as ridiculous as it may sound to demand the return of these reports, it's more than just a gesture of solidarity with the CIA. The ACLU is currently suing the CIA over its refusal to release the Panetta Review under a FOIA request and also the federal government for refusing to release the full CIA torture report. Having that information in other parts of the government makes it more likely that a court could order it to be turned over. But Burr seems to be focused on making sure that it's only held by "friendly" parties who might destroy this important historical document, detailing the CIA's abuses. As the ACLU noted in a statement: “Senator Burr is supposed to be overseeing the CIA, not covering up its crimes. The full Senate torture report was given to Executive Branch agencies to be widely used to make sure that the federal government learns its lesson and never uses torture again.
Senator Burr’s attempt to recall the report seems like a bid to thwart Congress’s own Freedom of Information Act, which protects the rights of the American people to learn about their own government. Americans should ask, if Senator Burr isn’t going to serve his role in the Constitution’s system of checks and balances, then why did he want to be chairman of the intelligence committee? This is a poor start to a chairmanship.”

posted 10 days ago on techdirt
Because of the complicated nature of power-sharing in the European Union, some international agreements require the approval of both the European Parliament and of every Member State -- so-called "mixed agreements." It is generally accepted that both the Canada-EU trade agreement (CETA) and TAFTA/TTIP are mixed agreements, and will therefore require a double ratification: by the full European Parliament, and all the EU governments. Indeed, the European Commission has frequently cited this fact to bolster its assertion that both CETA and TAFTA/TTIP are being negotiated democratically, since the European public -- through their representatives -- will have their say in these final votes. But a disturbing analysis published by Greenpeace on its Austrian pages (original in German), suggests that built into the CETA agreement, which is currently going through a "legal scrub" before being presented for ratification (pdf), are a couple of sections that will allow the European Commission to introduce the corporate sovereignty provisions anyway. According to Article X.06 3(a): This Agreement shall be provisionally applied from the first day of the month following the date on which the parties have notified each other that their respective relevant procedures have been completed. This means that CETA would enter into force provisionally as soon as the European Commission and the Canadian government have notified each other that "relevant procedures have been completed." There's no explicit requirement there for those "relevant procedures" to include ratification by the European Parliament or the EU Member States: the European Commission might claim that the "relevant procedures" simply meant things like the legal scrub. One of the provisions of CETA is a corporate sovereignty chapter, so this too would enter into force at this point, regardless of what national governments might want. 
Now suppose that the European Parliament, or one of those Member States, does not ratify CETA, perhaps because of the investor-state dispute settlement (ISDS) mechanism, in which case the entire agreement would fail. But here's what Article X.07 4 says happens in this case: If the provisional application of this Agreement is terminated and it does not enter into force, a claim may be submitted pursuant to the provisions of this Agreement, regarding any matter arising during the period of the provisional application of this Agreement, pursuant to the rules and procedures established in this Agreement, and provided no more than three (3) years have elapsed since the date of termination of the provisional application. In other words, even if CETA is rejected in Europe, thus causing the provisional application to be terminated, claims under the ISDS chapter would still be possible up to three years afterwards for investments made during the provisional period. What's even more troubling is that the European Commission proposes to add similar clauses to TAFTA/TTIP, as the Greenpeace article notes: A representative of the European Commission at a press briefing session in Vienna on Tuesday confirmed to Greenpeace that the Commission intends to propose a "provisional application" for TTIP too. This would be even worse than putting such sections in CETA, because ISDS in TAFTA/TTIP will apply retrospectively to all existing investments, as the negotiating mandate specifies (pdf): The investment protection chapter of the Agreement should cover a broad range of investors and their investments, intellectual property rights included, whether the investment is made before or after the entry into force of the Agreement. This would allow corporate sovereignty provisions applying to huge numbers of existing investments to enter into force and remain there for some years even if TTIP were rejected by the European Parliament or one of the national governments. 
So much for the European Commission's much-vaunted "democracy" -- and another compelling reason to take the ISDS chapter out of both CETA and TAFTA/TTIP.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

posted 10 days ago on techdirt
It's been 10 years since the coining of the term "The Streisand Effect", but it still seems like a concept that eludes many public figures. With trademarks in particular, I just can't seem to figure out how people are surprised when public backlash slams a public figure attempting to control language. Yet, surprise appears to be in play in the story of a young NHL rookie hockey player who tried to trademark a nickname he'd been given because his agent didn't like how it was being used. When Johnny Gaudreau’s agent noticed the eye-catching slogan — “Johnny (Effin’) Hockey” — he went to work, applying for “Johnny Hockey” trademarks with patent offices in Canada and the United States. Understandably, this garment is not something Lewis Gross wanted associated with his client, a hotshot rookie with the Calgary Flames. “There were a couple shirts, a couple things, that were derogatory,” Craig Conroy — assistant general manager of the Flames, who was represented by Gross during his playing days — said Wednesday at the Saddledome. “Lewis said, ‘We just want to make sure we monitor it.’ And that’s all it was. More than anything, it was to make sure that people weren’t selling stuff that made him look bad. I mean, I think that’s what it came down to.” Look, I get it, to some degree. Here you are, a young athlete, and someone gives you a nickname that's a derivative of "Johnny Football", which was coined to describe Johnny Manziel in the NFL. And he has a certain infamous party reputation. A young hockey player might not want to be associated with that reputation, even if it is only a couple of shirts and items that are derogatory. The problem with going the trademark application route is now this association is cemented everywhere through the exposure of the backlash. Unfavourable comparisons to rabble-rousing quarterback Johnny Manziel — himself in the process of trademarking Johnny Football and Johnny Cleveland — popped up via social media. 
“I talked to Lewis,” said Conroy, “and he was shocked at how big a story it had become in Canada. Johnny doesn’t want anyone to think that he’s bigger than anything. He’s just a player on the team and (the nickname) is just something that happened at Boston College. More than anything (Gaudreau) was just embarrassed by all the attention it got. He just wanted to keep it low key and pretend it didn’t even happen. I said, ‘Well, it did happen, so now just deal with it.’ ” That's about as classic Streisand Effect as it gets, with a little trademark thrown in, apparently in an attempt to make this an early contender for 2015's most Techdirt-y story. A small annoyance was the genesis for a heavy-handed attempt to lock up language through intellectual property. The result was that the small annoyance became a huge annoyance and the exact opposite of the intended effect occurred. Textbook case, I think. Hopefully it's a lesson learned for the young man who can get back to concentrating on his profession and not let a little nickname bother him so much in the future.

posted 10 days ago on techdirt
Growing fuel from algae is a goal that plenty of scientists have been working on for years. Creating an economically viable process for doing this would be a real game-changer, but so far, there are still some major challenges (and the price of oil is looking remarkably low nowadays, too). Still, progress for growing biofuels from algae is inching along, and here are just a few examples. One of the problems for using algae to produce biofuels is that these organisms normally produce lipid oils when they are starved for nutrients -- but they don't grow well under those conditions. However, engineering some diatoms to produce lipids without hindering their growth has been achieved. An algae pilot plant in Alabama is making diesel and jet fuel -- and treating waste water at the same time. Algae Systems puts waste water, algae and CO2 into large plastic bags and lets the algae grow for a few days offshore in the sun. This process currently produces 3,000 gallons of fuel per acre per year and treats 40,000 gallons of water per acre per year, so it still needs to scale up before everyone is driving/flying around using this biofuel. An algae-powered building in Hamburg relies on heat from growing algae to make the building (somewhat) self sufficient. This BIQ building sucks carbon dioxide out of the air, creating biomass, and uses traditional solar panels to augment its power needs. The upfront building costs are significant, but if it can continue to operate with minimal ongoing energy costs, the investment will pan out in the future. If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

posted 10 days ago on techdirt
The state of New York wants to get in on all the cybersecurity fun the cool kids (legislators and intelligence officials) are talking about these days. New York Attorney General Eric T. Schneiderman has announced his plan to introduce cybersecurity legislation this year, putting the state in the position to regulate data security and its citizens' privacy. Most legislation that includes the word "cyber" is nothing more than an excuse to give the government a larger piece of the action -- generally by redefining the term "information sharing" to mean a one-way street of data collection running from private companies (and their customers) to various law enforcement and security agencies. Schneiderman's proposal seems to be more skewed towards actually increasing protections for companies and customers, rather than simply codifying additional government access. But before we start passing around high fives and popping champagne corks, it must be noted that not a single word of this has been put to paper yet (excluding the press release). At this point, it's just a proposal for legislation. There's no first draft to read and no indication what its interplay (amendments, etc.) with existing laws will entail. That being said, most of what's delivered in Schneiderman's statement is reasonable. Most of what's being asked for should have already been in place (including additional restrictions on the sharing of medical data). Many companies (coughSONYcough) seem to treat their customers' personal data as an afterthought -- something that only deserves attention after it's been Pastebinned for the world to see. Expand Definition of Private Information - New York legislators should expand the definition of “private information” to include both the combination of an email address and password, and an email address in combination with a security question and answer, as California already has done.
Additionally, the definition of private information should include medical information, including biometric information, and health insurance information. Legislate Reasonable Data Security Requirement - All entities that collect and/or store private information should be required to have reasonable security measures to protect said information. These measures should include: Administrative safeguards to assess risks, train employees and maintain safeguards. Technical safeguards to (i) identify risks in their respective network, software, and information processing, (ii) detect, prevent and respond to attacks and (iii) regularly test and monitor systems controls and procedures. Physical safeguards to have special disposal procedures, detection and response to intrusions, and protect the physical areas where information is stored. Certification - Entities that obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements should receive for use in litigation a rebuttable presumption of having reasonable data security. Legislate a Safe Harbor to Provide an Incentive for a Heightened Level of Data Security - New York needs to incentivize businesses to implement the most robust data security. To do so, New York should offer a safe harbor if a company adopts a heightened form of security. To comply, entities would be required to categorize their information systems based on the risk a data breach imposes on the information stored. Once information systems are categorized, a data security plan based on a multitude of factors would be implemented and followed. Once this standard is met, the entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether. Overall, not terrible, with a couple of caveats.
One: the government's ability to protect itself from cyberattacks and other hacking ranges from less-than-adequate to abysmal. Considering its lack of self-awareness, it seems presumptuous to put itself in the position of setting standards for data security. Sure, it could bring in actual experts in the field to craft these, but once legislators have had their say, what's been recommended may only bear the faintest resemblance to what's actually implemented. Two: while the proposal helpfully expands the definition of "private information," it fails to provide specifics about who can or can't access this information. Any company could route around these restrictions with some fine print in its Terms of Service. And there's nothing forbidding the acquisition of medical, biometric and insurance data by the state itself. In fact -- and here's where we head into the "fairly decent BUT" section -- the proposal lays the groundwork for one-way information sharing in the final paragraph. Protection for Sharing Forensic Data - Finally, in the event of a data breach, New York should incentivize companies to share forensic reports with law enforcement officials. One way to accomplish this would be to make sure that the disclosure of a forensic report to a relevant law enforcement agency for the purposes of investigating those responsible for a data breach does not affect any privilege or protection. This would allow companies to feel comfortable with the free sharing of information while giving authorities a better chance at catching those responsible. This is more sensible than other proposals as it looks to limit sharing to forensic data only. Then again, this is a proposal and, while all intentions are pure, it's a long way from a finished product. When the bill finally hits the legislative floor, it's very likely that this restrictive sharing will be loosened.
Considering the panic that surrounds all things cyber-related -- especially once some enterprising do-gooder tosses the word "cyberterrorism" into the mix -- it's going to take a very dedicated and obstinate person to shepherd this through with most of these protections still intact. And someone's still going to need to sell this additional layer of regulation to the companies it will affect -- many of whom have some pull in the upper reaches of the government. They're not exactly going to welcome the additional expense of implementing solid data security, even if they should have been on top of this since day one. The litigation safe harbor should make the pitch a bit more appealing, but again, it will take someone dedicated and tenacious to ensure the requirements aren't watered down into uselessness on their way to the governor's desk.

posted 11 days ago on techdirt
Being in law enforcement often means brushing right up against the edges of the Fourth Amendment. It's your job to catch criminals, and most criminals have zero interest in being caught. The resulting surface tension is easily broken. Some breaks are inadvertent. Others are much more deliberate. But in this case, the circumstances are ambiguous at best.

A recent case presided over by Judge Neil Gorsuch of the Tenth Circuit Court deals with these stretched edges. [via Orin Kerr] Convicted felon Steven Denson stopped meeting with his probation officer and holed up in his house, where he was subsequently arrested for parole violations and the illegal possession of firearms. (The guns hadn't been used in any criminal activity, but Denson's previous felony conviction made it illegal for him to possess them.) We know Denson was in his house because the end result bears that out. Before entering his residence, the police gathered other information indicative of Denson's whereabouts: utilities registered in his name, his lack of employment and electricity usage that surpassed that of an empty house.

Denson challenged the arrest and the post-arrest seizure of weapons on the basis of a single act performed by the officers prior to entry: the use of Doppler radar to determine whether someone was actually on the premises. While it's never specifically stated as such, the gist appears to be that the Doppler radar was considered a warrantless search by Denson -- something that should negate the actions of the officers following the radar's use. The police had no warrant to search the premises, only a warrant to effect an arrest. While he was being arrested, police swept his home (without a warrant), uncovering the illegal weapons.

Judge Gorsuch -- after some discussion on whether the police had enough "probable cause" to believe Denson was at home -- tackles the issue of the radar itself, something that presents Fourth Amendment concerns. 
[pdf link]

Separately and as we alluded to earlier, the government brought with it a Doppler radar device capable of detecting from outside the home the presence of “human breathing and movement within.” All this packed into a hand-held unit “about 10 inches by 4 inches wide, 10 inches long.” The government admits that it used the radar before entering — and that the device registered someone’s presence inside. It’s obvious to us and everyone else in this case that the government’s warrantless use of such a powerful tool to search inside homes poses grave Fourth Amendment questions. See, e.g., Kyllo v. United States, 533 U.S. 27, 33-35 (2001) (holding that using warrantless thermal imaging to show activity inside a home violated the Fourth Amendment). New technologies bring with them not only new opportunities for law enforcement to catch criminals but also new risks for abuse and new ways to invade constitutional rights.

Denson argues the police had no reason to enter his home, much less search it. The only reason they did was because the Doppler radar indicated someone was in the house. He also argues that the use of the radar should have negated the officers' stated need to perform a sweep of the house for other individuals -- this protective sweep being the instrument of discovery for Denson's weapons stash.

The single mention of a precedential case (Kyllo v. United States) is inserted near the discussion about "grave Fourth Amendment questions," and never mentioned again. It would appear that the Doppler radar was a warrantless search of Denson's premises, at least under this Supreme Court ruling, but Gorsuch ignores this and focuses on the probable cause factors justifying entry of the home in the first place. Gorsuch examines the protective sweep more closely, and finds it wanting, considering the pre-entry radar deployment. 
On one hand, Denson's history of violent crime and known violent criminal associates would have justified a "protective sweep" during his arrest. But, on the other hand, the cops already knew no one else was on the premises.

But what — again — about the radar? Before the officers entered, their radar search suggested the presence of one person inside. And given that, one might well wonder: did the officers’ questionable search outside the home paradoxically negate their otherwise solid case for a search inside the home? Surely, after all, the government isn’t entitled to perform searches to guard against phantom risks, ones they know don’t exist. If radar (or any other investigative technique for that matter) dispels the possibility of a hidden danger, a search predicated on that possibility becomes constitutionally unreasonable. The government cannot take the benefit of a questionable radar search without having to live with its costs. Neither does the government seek to justify its protective sweep in this case on the presence of any threat (say, traps or bombs) that its radar wasn’t designed to detect. The government’s only professed fear was the presence of persons, something its radar was admittedly designed to detect.

Gorsuch could have pushed a bit more on this point, but unfortunately, defers to the unknown.

Even so, without more facts about the radar, its capacities and how it was used, we just can’t say it “dispel[led]” the officers’ “reasonable suspicion of danger” in this case. We know the radar suggested the presence of someone inside. But how far inside the structure could it see? Could the device search the whole house and allow the officers to be sure that they had located every person present? Could it distinguish between one person and several? We just don’t know. Our record lacks any answers. 
As a result, we simply aren’t in a position to say that the radar search negated the officers’ otherwise specific and articulable reasons to worry about a compatriot lurking inside.

And that's where it ends. Gorsuch notes that the use of these devices means this sort of thing will be discussed again. As for the police department, it's safe to assume it isn't interested in divulging further details about its technology, even if what it withholds may jeopardize the evidence it obtained. But behind it all, there were two searches performed -- both without a warrant. First, there was the Doppler "search," which determined someone was home. Then there was the search performed under the guise of a "protective sweep." The guns were uncovered in a closet, something that would be checked during a sweep, but the question falls back to whether the sweep itself was justified. Gorsuch says basically that he just doesn't know and the question remains open until the situation presents itself again.

The troubling aspects about the Doppler radar align with concerns about Stingray devices. Police have used IMSI catchers to track down suspects without having to deal with search warrants -- something radar can do as well. In both cases, details about capabilities are left to the courts' imaginations. No one in law enforcement wants to talk about the level of intrusion or the inherent limits of the tech and, for the most part, their silence has been unchallenged.

posted 11 days ago on techdirt
As of this year, James Bond is in the public domain in Canada. Since the term of copyright in Canada is the life of the author plus fifty years, and Ian Fleming died in 1964, the copyrights in all of his James Bond novels and short stories expired on January 1st. That means that Canadians can freely make copies of the Bond novels, make their own film versions of them, and write stories featuring James Bond in his role as a member of the British Secret Service. (It doesn't mean they can distribute copies of the movies at will, though—those copyrights exist separately from those of the books.)

US fans of the series shouldn't start casting their home adaptations of Thunderball just yet, though. Since copyright terms in the US were retroactively extended in 1998, we have to wait another 20 years before Bond hits the public domain in the US. But Bond is nothing if not a world traveler, and Canada is just a step away. What happens if Canadian reprints of a Fleming novel make their way here?

The New Books Can Come In

The first sale doctrine (embodied in the US Copyright Act here) says that if a copy of a work is lawfully made, someone who owns that copy can legally import it into the United States. So according to that law (and bolstered by a 2012 Supreme Court decision), someone should be able to fill a bag with paperback Bond novels in Toronto and bring them back into the US for sale. (Note: this may not stop that someone from getting sued, but they should win under the current law. Eventually.) The margins on this sort of activity seem like they would be low enough that I doubt that US branches of book publishers are too worried about declining sales of the novels. The same should be true of audiobook versions—with one odd caveat: if I try to play the audiobook to a public audience, or if I arrange a public reading of one of the stories, I'd be infringing the copyrights of the works. 
That's because while the law lets me distribute copies that I own, I still can't make public performances of the copyrighted works. We'll get into this more as we talk about film adaptations.

The New Films are more Complicated

But enough about the books; what about film? Bond might have his origins in text, but he's more famous as a screen character. What if a Canadian made a new film based upon the Fleming novels? So long as they take nothing that came from the existing movies, but did a novel-based reboot of sorts, they'd be in the clear in Canada. But could copies of those new Canadian Bond movies come into the US? While making an adaptation of a copyrighted work would be an infringement, someone merely importing a copy of that adaptation isn't the one making the adaptation. Their copy is already made. Let's assume that all of the adapting is being done in Canada. Since Bond is in the public domain there, the adaptation is lawfully made. Now, let's assume that the new filmmakers produce an authorized DVD—that's lawfully made too. So if I buy a few copies of that across the border and come back with them, I should be in the clear just as much as with the paperbacks.

Showing a Boring Film Would be A Problem

But what happens when I try to arrange a public screening of one of these movies? Things get a little weird. If the "adaptation" were something as direct (and as dull) as a film of someone reading the novel aloud verbatim, I might have a problem. See, while the first sale doctrine gives the owner of a lawfully made copy the right to distribute it without permission, making a public performance of that same work is still prohibited. So even if I had a legally made Canadian copy of Dr. No, I still couldn't read it aloud as a public performance in the US without permission. It doesn't matter where the particular copy I'm reading from was made; the words I'm saying are the same, and still infringing. 
Our boring "adaptation" of, say, Alex Trebek reading the book aloud would likely be analyzed under the same framework. In this case, the adaptation, while a new work, still embodies the old one. If I exhibited this movie, I'd likely be sued for publicly performing the original novel, not for exhibiting the movie, which would, in Canada, have its own copyright, with completely different copyright owners.

Showing an Interesting Film May Be

But movie adaptations of James Bond are not exactly known for their fidelity to the books. What if the new Canadian production of Goldfinger included only the occasional phrase from the original, or even had all of its dialogue rewritten, had scenes omitted or amended, and its setting changed? Sure, it's a derivative work, but remember, that's not the question. What is at issue is whether or not you can discern a performance of the original novel inside the elements of the new movie. To see whether someone's "performing" the novel by exhibiting the film, you first have to ask whether or not the copied bits, taken as a whole, are protectable. Things that aren't protectable include general ideas, or standard plot tropes, or stock characters. If, in adapting the novel into a film, I've removed all but these, I'm probably not infringing the original novel. You then have to ask if the performance of the film contains those copyrightable elements in a way that is encompassed by the rights of the original novel. If the new movie still resembles the novel enough to be considered an actual adaptation, though, it seems like it might still carry within it enough of the original novel for my public screening to be considered at least a partial "public performance" of the novel, and thus infringing. But fidelity to the original story isn't necessarily a hallmark of the Bond oeuvre. 
The underrated 2008 Quantum of Solace movie bears zero relation to the Fleming short story from which it takes its title, and it's hardly the first Bond movie to fit that pattern. What if our Canadian filmmakers make a James Bond movie, title it The Spy Who Loved Me, and make it about a plot to hack British military drones instead of a tense standoff in an Adirondack motel?

Which Bond is Best? (Or Why Character Copyright Makes No Sense)

Having removed the potential infringement from the book, we're left with whether the mere use of the character known as "James Bond" is enough to support a copyright infringement based on public performance in the US. Showing the Canadian movie arguably is a "public performance" of the James Bond character, which is still in copyright in the US—but what does that even mean? The character isn't a known series of words, sounds, or images; it's in many ways more akin to an idea, and ideas in themselves are definitely not copyrightable. But the current state of the law allows characters to be separately copyrightable in their own stead. This, for better or worse, is where a court's more subjective sense of literary merit might have an effect on the outcome of a case. If it thinks Fleming's characterization of Bond is flat, it might classify him as a sort of stock character of a secret agent and find that simple concept uncopyrightable. But it doesn't take a ton of shared details to make a stock character something that the courts will recognize as copyrightable. (The fact that many different actors with different styles have played adaptations of Bond could cut both ways here: in indicating that the scope of the copyrighted Bond character is broad, or, conversely, that he's just a flat stereotype—a stuffed tux.) The fact that our Canadian-produced James Bond shares the same name and job description as Fleming's might be enough, in this case, to block screenings of the film in the US.

But Wait, There's More!

Don't worry, it gets weirder. 
Imagine a copy of this new Canadian Goldfinger movie is imported into the US, and then copied here, without the permission of the Canadian filmmakers. Let's assume that the copy wasn't made as a fair use. Can the Canadian filmmakers sue the US copier? Actually, the answer seems to be yes. While the Canadian moviemakers might have created a work that would be infringing to exhibit in the US, since the movie takes elements from works with an active US copyright, they also will have added copyrightable expression of their own in creating the film. And while someone taking from the Fleming-created expression embodied in the movie might not be able to be sued by the Canadians (though they'd certainly be open to a suit from the Fleming rightsholders), taking from their newly added creativity opens you up to a suit from the new creators. Basically, making unauthorized copies of the unauthorized Canadian James Bond movie could get you sued by two different people.

So there you have it. James Bond is in the public domain in Canada, and that single fact throws into relief a number of open questions and absurdities in the first sale doctrine -- what parts of a work can and can't be protected by copyright, how characters can be copyrighted apart from the works in which they appear, and how infringers can be rightsholders in their own right. It's a wealth of complexity and gray areas, in many ways in desperate need of a solution. Clearly, that solution is to just reduce our copyright terms to match Canada's.

posted 11 days ago on techdirt
Another day, another good ruling on copyright. Yesterday, we had the 9th Circuit ruling saying that Costco can buy watches abroad and sell them in the US and it's not copyright infringement (and, in fact, may be copyright misuse to allege otherwise), and late last night (just as the State of the Union was going on), a district court in California released a redacted version of a ruling (that was actually made last week) that said that Dish's Hopper technology does not infringe on copyrights.

We've been covering this case for a while. Dish offered up a technology that would automatically record prime time TV shows and then skip over the commercials, and the various networks all sued. While Dish has unfortunately negotiated away this innovation in deals with CBS and ABC, the case involving Fox was still moving forward (the NBC version of the case was put on hold pending the Fox version). The latest ruling is not a complete victory for Dish, but it is a complete victory on the copyright issues. Where Dish may run into trouble is on contractual agreements. But, this ruling is definitely a win for copyright.

There are a few different issues and different parts of Dish's offering that were under scrutiny here, so let's break them out (as the court does). The first issue was that Fox claimed that the Supreme Court's Aereo ruling now meant that Dish was engaging in a public performance with its Dish Anywhere offering. But the court doesn't buy it. First, it notes that, even under the "looks like a duck" Aereo test, Dish's service doesn't look enough like a duck. 
The Aereo Court cited three points of comparison that established Aereo’s “overwhelming likeness” to traditional cable providers: (1) Aereo sold a service that allowed subscribers to watch television programs almost as they were being broadcast; (2) Aereo used its own equipment, housed in a centralized warehouse, outside of its users’ homes; and (3) by means of its technology (antennas, transcoders, and servers), Aereo’s system received programs that had been released to the public and carried them by private channels to the additional viewers.... DISH Anywhere also allows subscribers to watch television programs almost as they are being broadcast.... DISH Anywhere depends on equipment and technology both inside and outside of the user’s home.... DISH does not, however, receive programs that have been released to the public and then carry them by private channels to additional viewers in the same sense that Aereo did. DISH has a license for the analogous initial retransmission of the programming to users via satellite.... Aereo streamed a subscriber-specific copy of its programming from Aereo’s hard drive to the subscriber’s screen via individual satellite when the subscriber requested it, whereas DISH Anywhere can only be used by a subscriber to gain access to her own home STB/DVR and the authorized recorded content on that box.... Any subsequent transfer of the programming by DISH Anywhere takes place after the subscriber has validly received it, whereas Aereo transmitted its programming to subscribers directly, without a license to do so. .... The ultimate function of DISH Anywhere is to transmit programming that is already legitimately on a user’s in-home hardware to a user’s Internet-connected mobile device. Relying on external servers and equipment to ensure that content travels between those devices properly does not transform that service into a traditional cable company. 
Aereo’s holding that entities bearing an “overwhelming likeness” to cable companies publicly perform within the meaning of the Transmit Clause does not extend to DISH Anywhere.

From there, the court takes on the question of "volitional conduct" -- which many thought would be the key point on which Aereo would turn, until the Supreme Court decided to go swimming with ducks. The key part being who is actually making the copies (or whose conduct is making the copies) and are they infringing. And, as in the Cablevision case (on remote DVRs), the court notes that it's the user doing the key action, not Dish, the company:

This process depends to some extent on external equipment and services provided by DISH, but it is the user who initiates the process, selects the content, and receives the transmission. No DISH employee actively responds to the user’s specific request or directly intervenes in the process of sending the programming between the devices.... DISH subscribers, not DISH, engage in the volitional conduct necessary for any direct infringement.

Okay, but what about secondary infringement? Does Dish somehow push its subscribers to infringe? Nope. Once again, because there's no public performance, and thus no infringement. Again, the court relies on the distinctions with the Aereo ruling, and how nothing involved with Dish is infringing. Dish has a license for the content. Users are able to make use of that content on their own home device thanks to the Sony Betamax ruling, and thus, where's the infringement?

When an individual DISH subscriber transmits programming rightfully in her possession to another device, that transmission does not travel to “a large number of people who are unknown to each other.” The transmission travels either to the subscriber herself or to someone in her household using an authenticated device. This is simply not a “public” performance within the meaning of the Transmit Clause. 
Because DISH Anywhere subscribers do not directly infringe the public performance right, DISH cannot be liable for secondary infringement.

Next up was the "Prime Time Any Time" (PTAT) technology that automatically recorded all the prime time shows for subscribers to watch over the following week. Fox had already lost on this point two years ago, but it tried to bring it back from the dead under Aereo. No dice. The court, again, finds that the volitional conduct remains with the subscriber:

Fox contends that Aereo has altered the test for direct infringement by rejecting the argument that only the subscriber who pushes the button initiating the infringing process is liable for direct infringement.... As discussed above, Aereo did not fundamentally alter the volitional conduct requirement for direct infringement. More than one actor may be liable for direct infringement, but there must still be some volitional conduct for direct liability. A system that operates automatically at a user’s command to make a recording does not in itself render the system’s provider a volitional actor for purposes of direct copyright infringement.... While DISH has set certain parameters and controls for PTAT, PTAT is essentially a more targeted version of a DVR that is set to make block recordings or recordings of an entire season of a show. The ability to set a DVR and then leave it to automatically record without having to select individual programs or set it repeatedly for each recording occasion is not unique to PTAT, and is not enough to show direct infringement by the service provider.

Separately (and importantly) the court rejects Fox's argument that merely "making available" a work is "distribution." This is a big fight in the copyright world, with copyright system maximalists and defenders insisting that "making available" is synonymous with distribution under the law. 
The court says no:

PTAT does not “distribute” Fox’s programming or “transmit” any public performance under the meaning of the Copyright Act. Distribution under the Copyright Act requires “actual dissemination of a copy” that “changes hands.”... On appeal of this Court’s denial of its request for a preliminary injunction, Fox argued (in the contract breach context) that “distribute” simply means to “make available.”.... While neither the Ninth Circuit nor any other circuit court has addressed the “make available” theory of distribution under the Copyright Act, it has been considered by a number of courts, and “[t]he great majority of courts that have considered the question . . . have stopped short of fully endorsing the ‘make available’ right.”... This Court finds these cases persuasive and concludes that DISH’s act of merely “making available” copyrighted programming to its subscribers through PTAT does not amount to distribution without actual dissemination.

The court also rejects Fox's claims that PTAT shouldn't be seen as fair use because it impacts Fox's market for licensing its programs to various internet services. The court points out that this argument "is simply too speculative to defeat a finding of fair use by a time-shifting technology which enables consumers' non-commercial private use of recorded programming."

The only copyright "victory" for Fox is the same as the ruling from two years ago: the court says that various Quality Assurance (QA) copies that Dish employees made of programming did infringe the reproduction right, but that's a really, really minor side issue and doesn't really impact the overall service at all. Fox has already said it's disappointed in the ruling, which means there's a decent chance for an appeal... if Dish doesn't cave in and work out an agreement like it did with CBS and ABC. 
And, of course, as a district court ruling, this ruling doesn't provide much of a precedent for anywhere else, but it's still nice to see a good ruling come out.

posted 11 days ago on techdirt
Another pile of Snowden documents has been released by Der Spiegel, detailing more of previously revealed NSA/GCHQ activities -- like the harvesting of exploits and hardware shipment "interdiction" -- along with some new stuff, including the NSA's piggybacking on other countries' surveillance to further buttress its massive haystacks.

The report digs deeper into the NSA's Tailored Access Operations, noting that the agency's plans for its targets' hardware are even more aggressive than previously indicated. A document [pdf link] details different offerings for NSA "interns," who will be tasked with a variety of operations to not only compromise hardware integrity, but possibly disable or destroy it.

Potential interns are also told that research into third party computers might include plans to "remotely degrade or destroy opponent computers, routers, servers and network enabled devices by attacking the hardware." Using a program called Passionatepolka, for example, they may be asked to "remotely brick network cards." With programs like Berserkr they would implant "persistent backdoors" and "parasitic drivers". Using another piece of software called Barnfire, they would "erase the BIOS on a brand of servers that act as a backbone to many rival governments."

Despite "tailored" being one of the key words in Tailored Access Operations, the exploits used aren't necessarily targeted. Because the same holes can be exploited by criminals or other "bad guys," non-targeted persons are at risk. And because some of the exploits are by nature self-replicating (documents obtained show the NSA seeking out and deploying trojans and worms), the potential for unintentional collateral damage is always present.

In this guerrilla war over data, little differentiation is made between soldiers and civilians, the Snowden documents show. Any Internet user could suffer damage to his or her data or computer. It also has the potential to create perils in the offline world as well. 
If, for example, a D weapon like Barnfire were to destroy or "brick" the control center of a hospital as a result of a programming error, people who don't even own a mobile phone could be affected.

One of the most fascinating documents is a presentation that borrows a famous line from There Will Be Blood. [pdf link] The NSA doesn't do all of its own dirty work. Its haystacking efforts also take advantage of surveillance programs deployed by anyone outside of its Five Eyes partnership -- including nominally "friendly" countries like Germany. A combination of hacking and exploits allows the NSA to pursue what it calls "fourth party collections." Some of this is along the lines of what's expected from a national intelligence service -- like the targeting of "unfriendly" countries.

In 2009, an NSA unit took notice of a data breach affecting workers at the US Department of Defense. The department traced an IP address in Asia that functioned as the command center for the attack. By the end of their detective work, the Americans succeeded not only in tracing the attack's point of origin to China, but also in tapping intelligence information from other Chinese attacks -- including data that had been stolen from the United Nations. Afterwards, NSA workers in Fort Meade continued to read over their shoulders as the Chinese secretly collected further internal UN data. "NSA is able to tap into Chinese SIGINT collection," a report on the success in 2011 stated.

But it goes further than that. Allies outside the Five Eyes partnership are not immune from the NSA's piggybacking. And the NSA goes further than simply utilizing man-in-the-middle attacks to "make copies" of anything interesting other countries' surveillance networks have picked up. The presentation lays out the NSA's use of "fourth party collections" to deploy its own exploits (called "victim stealing") or collect new exploits being deployed by other surveillance agencies. 
The stuff the NSA pulls from other surveillance networks is then routed away from the agency in order to cover its tracks. Anything that might lead back to the agency is obscured, which could easily result in innocent persons or companies being targeted by irritated foreign surveillance agencies who happen to notice their networks have been accessed by others.

In technical terms, the ROC [Remote Operations Center] lays false tracks as follows: After third-party computers are infiltrated, the process of exfiltration can begin -- the act of exporting the data that has been gleaned. But the loot isn't delivered directly to ROC's IP address. Rather, it is routed to a so-called Scapegoat Target. That means that stolen information could end up on someone else's servers, making it look as though they were the perpetrators. Before the data ends up at the Scapegoat Target, of course, the NSA intercepts and copies it using its mass surveillance infrastructure and sends it on to the ROC. But such cover-up tactics increase the risk of a controlled or uncontrolled escalation between the agencies involved.

This isn't as deep as the rabbit hole gets, however. The documents leaked by Ed Snowden also detail yet another layer of the NSA's collection-by-proxy efforts. A Q&A pulled from the NSA's internal message boards [pdf link] contains the following discussion:

Is there "fifth party" collection? "Fourth party collection" refers to passively or actively obtaining data from some other actor's CNE [computer network exploitation] activity against a target. Has there ever been an instance of NSA obtaining information from Actor One exploiting Actor Two's CNE activity against a target that NSA, Actor One, and Actor Two all care about?

-----

Yes. There was a project that I was working last year with regard to the South Korean CNE program. 
While we aren't super interested in SK (things changed a bit when they started targeting us a bit more), we were interested in North Korea and SK puts a lot of resources against them. At that point, our access to NK was next to nothing but we were able to make some inroads to the SK CNE program. We found a few instances where there were NK officials with SK implants on their boxes, so we got on the exfil points, and sucked back the data. That's fourth party. However, some of the individuals that SK was targeting were also part of the NK CNE program. So I guess that would be the fifth party collect you were talking about. But once that started happening, we ramped up efforts to target NK ourselves (as you don't want to rely on an untrusted actor to do your work for you). But some of the work that was done there was able to help us gain access. I know of another instance (I will be more vague because I believe there are more compartments involved and parts are probably NF) where there was an actor we were going against. We realized there was another actor that was also going against them and having great success because of a 0 day they wrote. We got the 0 day out of passive and were able to re-purpose it. Big win.

The NSA's long straw surveillance also repurposes vernacular from another arena where the war is neverending and the foes declared so dangerous that every Constitutional violation is justified. Those who are used without their knowledge as "hosts" for information gathered by the NSA's "fourth party" efforts have been given an unflattering nickname.

The unwitting victim, whose phone has been infected with a spy program, smuggles the information out of the office. The information is then retrieved remotely as the victim heads home after work. Digital spies have even adopted drug-dealer slang in referring to these unsuspecting accomplices. They are called "unwitting data mules." 
When the NSA discusses its efforts with its oversight, very few details are given on the means and methods. The general attitude seems to be that if something like this occurs outside of the US, it doesn't matter. The NSA may make minimal efforts to preserve American citizens' rights, but it has absolutely no concern for anyone located outside of America's borders. As Der Spiegel notes, the NSA is operating in a "legal vacuum."

The tracks left behind by its milkshake drinking (the "long straw" it runs into other agencies' collection) cause it no great concern. While it does make some effort to obfuscate its origins (by routing exfiltrated data through uninvolved "Scapegoat Targets" and "data mules," who are left holding the consequences), it generally remains unconcerned about being caught in the act. There's no legal process that can truly hold the NSA accountable for its extraterritorial actions -- at least nothing that couldn't easily be deflected by one of the most powerful nations in the world.

posted 11 days ago on techdirt
Retweet if you want to go to jail! And not regular county jail, but federal prison!

Under the DOJ's CFAA proposal, this article (and this tweet linking to it) could be a 10 year felony. That's insane. http://t.co/njE8368lxU
— Nate Cardozo (@ncardozo) January 20, 2015

In case you can't read/see the tweet, it says:

Under the DOJ's CFAA proposal, this article (and this tweet linking to it) could be a 10 year felony. That's insane.

(The link goes to a Techcrunch article featuring SplashData's list of the "worst passwords on the internet.")

The DOJ has offered up its preferred version [pdf link] of the CFAA (Computer Fraud and Abuse Act) -- under the ridiculous name of "Updated Law Enforcement Tools" -- and it indeed would make this sort of thing an instant felony. Here's the wording change that does it, with deletions marked [struck: ...] and additions marked [added: ...]:

(6) knowingly and [struck: with intent to defraud] [added: willfully] traffics (as defined in section 1029) in any password or similar information, [added: or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking]; if— (A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States;

The DOJ removes intent and replaces it with feelings. Sharing a list of common (and stupid) passwords could be construed as "willfully trafficking" passwords while "knowing" a "protected computer" could be "accessed without authorization."

And that thing about federal prison I opened the post with? That's the way the DOJ wants it. The CFAA currently allows for misdemeanor charges under certain circumstances. But this proposal does away with that. Instead of a misdemeanor-to-3 year sentence range, punishments start at 3 years and escalate to a 10-year cap.
Unless, of course, your hacking is part of the commission of another felony, in which case the government proposes it should get to double dip (at minimum). Here's Orin Kerr's take on that part of the proposal:

Under the proposal, breaching a written restriction is a crime if the user violated the written condition in furtherance of a state or federal felony crime, “unless such violation would be based solely on obtaining the information without authorization or in excess of authorization.” On one hand, this might seem kind of harmless, or at least redundant: The proposal makes it a felony to break a promise on a computer in furtherance of a felony. One wonders what the point is: Why not just punish the underlying felony?

But the real problem is the double-counting issue. Federal and state law is filled with overlapping crimes. Congress might enact three crimes that do the same basic thing, giving prosecutors the choice of which to charge or allowing them to charge all three. State criminal codes often mirror the federal criminal code. That raises a question: If Congress makes it a crime to commit an act “in furtherance of” a different crime, does the existence of overlapping crimes mean that a person’s conduct violates the first crime because it was “in furtherance of” the second? This is a particular problem because every state has unauthorized access crimes a lot like the CFAA. We saw this in the Auernheimer case, where prosecutors argued that the misdemeanor federal unauthorized access alleged in that case should be a felony because it was “in furtherance of” New Jersey’s nearly identical state unauthorized access law.

As if we didn't have enough people in prison already, the DOJ proposal mandates felony charges and provides prosecutorial options to ensure very few defendants walk away with short sentences. The proposal also asks users to perform mind-reading when accessing anything computer-based. Deletions are marked [struck: ...] and additions [added: ...]:
(6) “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in [struck: the] [added: such] computer— [added: (A)] that the accesser is not entitled so to obtain or alter; [added: or (B) for a purpose that the accesser knows is not authorized by the computer owner;]

Going back to the Weev case, Andrew Auernheimer obviously knew AT&T would not "authorize" his access of supposedly private information, even if all he did was alter URL components to achieve this. Now, companies' security failures can be weaponized against those who discover them -- making it highly unlikely that flaws and holes will be pointed out to those who can actually close them. Why risk a few years in federal prison (remember: no misdemeanors) just because some entity decided to shoot the messenger rather than thank them for their help?

posted 11 days ago on techdirt
What data is harmless in the hands of the government? Apparently, not much. Case in point: the data collected by E-ZPass transponders. While the system helps alleviate traffic congestion, it also tracks drivers' movements. If you thought it just triggered toll payments, you're drastically underestimating the government's desire for data.

Back in 2013, Mike covered one NYC driver's experience with his E-ZPass device, finding it was triggered all over the city -- not just on toll roads. The company claimed the signal was scrambled and travel data collected in aggregate. Whether or not that remains true is open for debate, but even the data collected where drivers are expecting data collection can be revealing. E-ZPass data has been used in divorce cases to prove a spouse's whereabouts as well as against a city official who falsified time sheets. It's also been used in political fights to disparage opponents. The IBTimes reports that two New Jersey government officials obtained Senator Frank Lautenberg's E-ZPass records and used them as political fodder in a battle over toll increases.

"Respectfully, Senator, you only started paying tolls recently," [Port Authority Deputy Chief Bill] Baroni said, according to a transcript of the exchange. "In fact, I have a copy of your free E-ZPass," he continued, holding up a physical copy of the toll pass Lautenberg had received as a benefit from his tenure as a Port Authority commissioner. "You took 284 trips for free in the last 2 years you had a pass."

Governor Chris Christie himself disclosed further information about Lautenberg's driving habits. At a press conference, he alleged that the senator didn't "pay for parking at Port Authority facilities" and said Lautenberg went "through the tunnel to New York three or four times a week in 2005 and 2006."

I find it interesting, too, by the way, in 2005 and 2006, that he went over the Hudson River 284 times. Where was he going?... I think he needs to answer that.
'Cause he's supposed to be the senator from New Jersey. So what's he doing going over the bridge or through the tunnel to New York three or four times a week for 2005 and 2006?... Did he ever spend any time in New Jersey?

Obviously, this is an abuse of government-collected data. Bill Baroni admitted during the 2013 Bridgegate scandal investigation that he possessed driving data on those interrogating him. To add insult to injury, the governor's office claimed it had no records on Lautenberg's driving habits in response to IBTimes' 2012 open records request -- the same records Christie had used to criticize Lautenberg in an earlier press conference.

The ACLU points out that not only is this a misuse of private records, but this sort of situation is completely avoidable.

EZ Pass and other electronic toll booth systems should have the option for anonymous use, where money on the devices is treated like cash, for users who prefer privacy to the convenience of having named accounts. A driver, in other words, should be able to buy a transponder for cash, and use cash to store and re-load value on it. The Washington DC Metro system, for example, offers this option for users of its contactless transit passes.

Obviously, whatever protections the state of New Jersey affords these data are inadequate. Sure, driving in public isn't necessarily private, but the use of travel data to attack political opponents is still an abuse of state-collected data. Supposedly, the data is exempt from public record laws, which locks citizens out of acquiring the data without a subpoena. But nothing's stopping the Port Authority from using it for its own political ends and passing it on to the governor to do the same. Driving on public roads may not be private, but there's a lot that can be ascertained about a person simply by looking at this data -- information that could only otherwise be acquired by nonstop physical "tailing." When collected and stored, it runs the risk of being abused.
The Port Authority already grants police open access to the records (limited only to "purposes of discharging their duties," whatever that actually means in practice) and has shown its willingness to put its self-interest ahead of state law when it comes to disseminating this information. Better policies and practices are in order, and Governor Chris Christie should be waist deep in investigators (a belated call for a DOJ investigation of Christie and Baroni has been issued by NJ Congressman Frank Pallone) rather than considering a 2016 presidential run.

posted 11 days ago on techdirt
Australia's Defence Trade Control Act is meant to stop sensitive military research falling into the "wrong hands". Fair enough -- nobody wants potentially dangerous technology being mis-used. But according to this report on Defence News, it seems that rushed drafting and limited scrutiny have led to some serious unintended consequences (via The Register):

this new set of guidelines can also make something as seemingly innocent as a university academic sharing an unrelated email with a fellow academic, who happens to be overseas, punishable by ten years in prison or a AUD 425,000 (GBP 221,700) fine and forfeiture of work.

The key problem seems to be that there is no exception for academics, as is the case for similar laws in the US and UK. Here's what that is likely to mean in practice:

university researchers would need prior permission from a Minister at the Department of Defence (DoD) to communicate new research to foreign nationals or to publish in any research journals. The logistics, not to mention the time, needed to obtain such permissions without any guarantee they might be granted will probably mean a very large number of students and professors choosing not to undertake research projects.

The article details other problems with the Act, including its very broad nature, and the fact that you need to be a lawyer to understand its details. It notes one all-too-predictable consequence of this over-cautious approach:

Many will realise the opportunities abroad and take their innovative research elsewhere.

Maybe skimping on the legislation's scrutiny was not such a good idea after all.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

posted 11 days ago on techdirt
This is Copyright Week, in which various people supporting more reasonable copyright laws highlight some of the problems with existing laws and important concepts that should be in copyright reform efforts. Today's topic is "you bought it, you own it" -- a concept that is often held back due to bad copyright laws.

A few months ago, a bill was introduced in Congress called YODA -- the You Own Devices Act -- which would allow the owner of computer hardware to sell the devices with the software on it without creating a copyright mess. It was a small attempt to take back basic property rights from copyright law, which often stamps out property rights. Hopefully, a similar bill will show up in the new Congress, and become law. Even better would be for copyright law to actually recognize true property rights, rather than limiting them at nearly every turn.

One of the biggest attacks on property rights and ownership is Section 1201 of the DMCA, better known as the Anti-Circumvention clause, that says it's against the law to circumvent any "technological measures" that were designed to block copying -- even if the underlying use is non-infringing. That is, if you break technological measures to access content that is not covered by copyright at all, you're still violating the law. This is the law that has made DRM so powerful, and which regularly removes your right to own what you bought. It's a blatant attack on basic property rights, and (even worse) has copyright maximalists pretending that their removal of property rights is actually a move in favor of property rights.

Thus, it's great to see the announcement today that Cory Doctorow is returning to EFF to help with its new Apollo 1201 Project, a plan to eradicate DRM in our lifetime.

"Apollo was a decade-long plan to do something widely viewed as impossible: go to the moon. Lots of folks think it's impossible to get rid of DRM. But it needs to be done," said Doctorow.
"Unless we can be sure that our computers do what we tell them, and don't have sneaky programs designed to take orders from some distant corporation, we can never trust them. It's the difference between 'Yes, master' and 'I CAN'T LET YOU DO THAT DAVE.'"

Doctorow has been speaking out on this issue for years. If you haven't watched his 2012 talk at the Chaos Communication Congress on the "war on general purpose computing," it's well worth your time. It's a discussion I've gone back to many times in the two and a half years since he first gave that talk. It highlights not only the absurdity of DRM in general, but why this is an issue that goes well beyond just the idea of locking down some content to protect an obsolete business model. As his speech noted, this is a battle over the right to actually own your computer and not to open it up to censorship and surveillance. The fight over DRM on content was just the beginning:

And personally, I can see that there will be programs that run on general purpose computers and peripherals that will even freak me out. So I can believe that people who advocate for limiting general purpose computers will find a receptive audience for their positions. But just as we saw with the copyright wars, banning certain instructions, or protocols, or messages, will be wholly ineffective as a means of prevention and remedy; and as we saw in the copyright wars, all attempts at controlling PCs will converge on rootkits; all attempts at controlling the Internet will converge on surveillance and censorship, which is why all this stuff matters. Because we've spent the last 10+ years as a body sending our best players out to fight what we thought was the final boss at the end of the game, but it turns out it's just been the mini-boss at the end of the level, and the stakes are only going to get higher.
