posted 12 days ago on techdirt
The legacy copyright industries keep insisting that it's "easy" to recognize when something is infringing and thus it's "easy" to stop copyright infringement. They're very, very wrong on both counts for a variety of reasons. We could go into the details for why, but it's easier to just let them show us themselves. Not too long ago we wrote about Warner Bros. issuing DMCA takedown notices on its own sites (and also Amazon and IMDB links for its movies), and now TorrentFreak alerts us to Paramount issuing a DMCA takedown on a torrent of Ubuntu, the popular version of Linux that many people use all the time. It's kind of a weird request, and it's not at all clear why it's included in this takedown notice, which is for a variety of movies. In the section on the movie Transformers: Age of Extinction, the notice from Paramount (filed by notoriously clueless IP Echelon) includes a link to a torrent of an Ubuntu ISO. So, once again, we have a major Hollywood entertainment entity -- which has been insisting for years that Google and others should "just know" when something is infringing and take it down and block all future infringements -- who can't even properly identify the content that it's claiming to hold the copyright over. And, again, copyright is context specific, meaning that the absolute best party to understand if there's infringement is the copyright holder, rather than some random third party. But in just a week or so, we've seen examples of how two of the biggest studios in Hollywood can't even figure out their own takedown notices properly. How can they possibly expect others to do so for them -- and why should we trust them when they ask for a "notice and staydown" system that will inevitably take down (and keep down) tons of non-infringing material?

posted 12 days ago on techdirt
Riley Roberts, speechwriter for former attorney general Eric Holder, has a fascinating examination of James Comey's first four years as the head of the FBI. It details his frequently-antagonistic relationship with, well, nearly everyone, as well as his long history of going head-to-head with high-ranking government officials. Roberts says no FBI director since J. Edgar Hoover has acted with such autonomy. The unprecedented public discussion of the agency's Clinton email investigation is just one such example. While Comey was undoubtedly correct that there was significant public interest in not just the outcome, but the inner workings of the investigation, his decision to hold a press conference and release investigative documents came as a surprise to his closest colleagues. By and large, Justice Department lawyers have declined to criticize Comey in public, for fear of angering the FBI director. But in personal conversations and expletive-laden email threads, many were apoplectic at his handling of the Clinton case. One aide described senior officials who should have been involved in the announcement scrambling to watch it on television. Some were particularly incensed by the editorial commentary sprinkled throughout Comey’s statement. While there is some begrudging respect for Comey's refusal to adhere to protocol or outside political forces, there are just as many that feel Comey's actions aren't prompted by a desire to make the FBI look better, but rather to make Comey look better. Comey serves Comey first, something that has led to him touting the heavily-debunked "Ferguson Effect," arguing against long-overdue federal sentencing reform, and fiercely advocating for encryption backdoors when even the Obama administration won't back him up. Comey appears to be the worst kind of idealist: one that clings to his beliefs, but only when they serve his purpose. 
Comey was a key figure in a highly-publicized fight against NSA overreach back in 2004 -- one that culminated in a bedside visit to a hospitalized John Ashcroft in order to block the Stellar Wind domestic surveillance program. But Comey was only very temporarily a champion of the public's privacy and civil liberties. Senior White House officials descended upon the intensive care unit where Ashcroft was convalescing after emergency surgery, hoping to bully the ailing attorney general into approving the surveillance program. Comey raced to the hospital to head them off, enlisting then-FBI Director Robert Mueller III to accompany him. With backup from Comey and Mueller, the bedridden Ashcroft held firm, the White House was forced to retreat, and the courageous deputy attorney general was hailed—almost universally—as a hero. This is where the story customarily ends: with Comey, who would sooner have resigned (and taken Mueller with him) than violate his principles, riding into the sunset. But like so much of the mythmaking that goes on in Washington, this heroic picture—like Comey’s victory—is incomplete. The truth is that Stellar Wind did not meet an ignominious end in Ashcroft’s hospital room in 2004. It continued through late 2011; some elements remain in place even today. And the program was reauthorized, with slight modifications, not in defiance of Comey’s categorical denunciations, but on his signature—less than a month after this high drama took place. The problem with Comey's willingness to push his own agenda, rather than one that more closely adheres to his agency's, is that his office is pretty much a law unto itself. The agency has no clearly defined mandate that governs its actions, and the director's office isn't overseen directly, but rather grouped into other Congressional and administration oversight efforts -- none of which have been consistently effective in curbing agency misconduct or abuse of its powers. 
Roberts notes that there could be more trouble ahead. Comey has only served four years of his 10-year appointment, meaning he'll soon be interacting with a new Commander-in-Chief. If it's Hillary Clinton, it's safe to assume the antagonism and resistance to White House instruction and intervention will only become more aggressive. If it's Trump, the end result could be much more unpredictable -- and not in a way that will generate any positive side effects. A Donald Trump presidency, on the other hand, would pit the headstrong FBI director against a know-nothing strongman—a “law and order” president with little regard for the law. Dramatic and likely escalating, clashes would be virtually inevitable. And the potential for lasting damage would be immense. One thing is guaranteed: Comey has cared little for official administration stances on issues like encryption, and installing a new person in the Oval Office isn't going to change that. The question is how long he lasts when faced with an administration -- Trump's or Clinton's -- that might start pushing for an early retirement.

posted 12 days ago on techdirt
We've long pointed out how broadband usage caps (especially on fixed-line networks) are arbitrary, punitive and confusing. In addition to being totally unnecessary, broadband caps open the door to anti-competitive behavior (like zero rating a company's own content but not a competitor's). The idea that caps are necessary to manage the network has long been debunked, and even the ISPs themselves have admitted that caps have nothing to do with congestion. Broadband caps are little more than glorified price hikes on captive markets, useful to protect legacy TV revenues from streaming video. Despite the profoundly negative impact of usage caps, most Silicon Valley companies remain mute on the subject. One of the few exceptions is Netflix, which not only has been a vocal opponent of caps, but has often taken steps to try and help consumers navigate them. Now the company is once again pushing the FCC to take action in a new filing (pdf), urging the agency to use its authority under Section 706 of the Communications Act to crack down on caps and overage fees: "Data caps (especially low data caps) and usage based pricing ("UBP") discourage a consumer's consumption of broadband, and may impede the ability of some households to watch Internet television in a manner and amount that they would like. For this reason, the Commission should hold that data caps on fixed line networks and low data caps on mobile networks may unreasonably limit television viewing and are inconsistent with Section 706." From there, Netflix is quick to reiterate that even ISPs have admitted that caps have no actual technical purpose when it comes to managing the network: "Data caps on fixed line networks do not appear to serve a legitimate purpose: they are an ineffective network management tool. Fixed line BIAS providers have stated that data caps on fixed line networks do not serve a traffic management function. 
They have been described alternatively as a way to align customers' use of the network with what they pay. As a method of price discrimination however, data caps and UBP are redundant to the speed tiers that consumers are used to. Data caps and UBP raise the cost of using the connections that consumers have paid for, making it more expensive to watch Internet television. The Commission should recognize that data caps and UBP on fixed line networks are an unnecessary constraint on advanced telecommunications capability." Netflix (now technically the world's biggest pay TV company) notes that in addition to being unnecessary, punitive, and potentially anti-competitive, usage caps are simply confusing. The majority of consumers don't know what a gigabyte even is, and by nature will tend to pay for higher tiers of service they don't need just to avoid being penalized (something that's quite easy by ISP design). Netflix is also quick to note that even higher caps may not be sufficient as consumers slowly shift to 4K streaming (not to mention other bandwidth-intensive applications we haven't even invented yet). The problem for Netflix (and any consumer who cares about usage caps) is that the FCC's enforcement or interest in this subject has historically been inconsistent at best. While the agency did manage to prevent Charter from imposing caps for seven years as a recent merger condition, the agency has consistently turned a blind eye while companies like AT&T and Comcast expand their own usage restrictions and overage fees. And while Comcast and AT&T may have recently raised their own caps to 1 terabyte to fend off possible regulatory action, there's no real indication that any broader FCC action is forthcoming. While the FCC has hinted that it may include usage caps as part of a voluntary push for broadband "nutrition labels", it's not likely the commission will do much more than that (even though nobody is confirming meter accuracy). 
Whether it's the FCC's $300 million broadband availability map that intentionally omits price data, or the agency's failure to even mention the ISP practice of using bogus fees to covertly jack up advertised broadband rates, punishing or even highlighting the price gouging that goes on in the broadband industry on a daily basis has never been the FCC's strong suit.

posted 12 days ago on techdirt
Last week one of the big stories of the week was Facebook blocking people from posting an iconic photo from the Vietnam War because it showed a young girl, naked, running from an attack. After lots of press and lots of public outcry, Facebook relented and claimed that it would be adjusting its policies. And yet... another week, another set of stories of problems on Facebook. It's unclear how widespread this is, but on Monday there were suddenly reports (on Twitter, of course) of Facebook randomly blocking perfectly reasonable links. The first example I saw of this was reports that Facebook was blocking this story from The Intercept about Rep. Barbara Lee's lone vote against the PATRIOT Act (the only member of the House to vote against it) a few days after September 11th. Seems like the kind of story Facebook would appreciate, but: @ggreenwald @theintercept FYI @facebook blocked my posting the Barbara Lee story direct from the site. https://t.co/0fnFuzuYIu — Leslie Sharr (@LeslieSharr) September 12, 2016 Then I saw famed writer John Scalzi running into similar issues over his blog post mocking some racists on Twitter: People saying this entry of mine is blocked by Facebook: https://t.co/4i9NYPY4vD but I can access it just fine on my devices. So, maybe? — John Scalzi (@scalzi) September 12, 2016 And then there were reports (sure to kick up the conspiracy theories!) that Facebook had blocked a story about Hillary Clinton's health: I just tried to post a political article to Facebook about Sec. Clinton's health and why they lied. Facebook blocked it. — Trey Walpole (@Walpole_III) September 12, 2016 But, on the flip side, someone also reported that trying to post the NY Times job opening for a climate change editor... was also blocked: .@tan123 Tried to share this Briggs' article on Facebook, got this. @mattstat pic.twitter.com/075Yl1k2jQ — Rodger L Nelson (@rln_nelson) September 12, 2016 I could go digging for more -- and there are likely many more examples. 
This is almost certainly some sort of technical glitch that will be sorted out quickly, if it hasn't been already. But it still should serve as a reminder to be wary of putting our faith entirely in third-party platforms for our media access, when they have the ability to block at will (or even somewhat arbitrarily when the bots go crazy).

posted 13 days ago on techdirt
The ACLU has been hinting at this for the past few months, but with the end of President Obama's term in office coming up and coinciding with the launch of Oliver Stone's feature film about Ed Snowden, the ACLU, along with Amnesty International, is launching an official campaign to ask the President to issue a pardon for Ed Snowden. They'll be hosting a press conference Wednesday morning, where Snowden will show up via video (perhaps using Robot Snowden?) to discuss. Not surprisingly, the ACLU says they've lined up a bunch of "legal scholars, policy experts, human rights leaders, technologists and former government officials," who will all be supporting a pardon for Snowden. There will also apparently be a sign-on form on the site PardonSnowden.org, which is currently locked up behind a password (get busy cracking that, NSA). Not surprisingly, I think the president absolutely should pardon Snowden. I also think there's very, very, very little chance that he actually will. I wouldn't put the chance at 0% -- because it's possible. But I'd still put the likelihood in the single digits. I hope I'm wrong -- and I hope that the President recognizes why pardoning Snowden would be such a good thing, and an important part of his legacy. And I hope that the movie (which I have not seen) properly puts Snowden's actions in context (though I'm not entirely convinced Oliver Stone will do so). So, perhaps I'm wrong. But I just find it super unlikely that President Obama would stick his neck out and take a stand like that.

posted 13 days ago on techdirt
We keep getting back to the whole "nerd harder" aspect of those who don't understand technology insisting that technology can accomplish just about anything, if those darn techies would just put their minds to it. We've seen it a lot in the encryption fight, but it's also been a big part of the copyright fights as well -- with Hollywood in particular repeatedly insisting that if these darn techies are so bright, why can't they just create technology that stops infringement. Of course, it doesn't work that way, but the industry still never seems to get it. A good reminder that technology isn't easy should come from this TorrentFreak story, noting that the "secure" system that Hollywood now uses to send out "screener" copies of movies had some pretty serious vulnerabilities, as found by Chris Vickery. Late August, TorrentFreak was contacted by security researcher Chris Vickery of MacKeeper.com who told us that while conducting tests, he’d discovered an exposed MongoDB database that appeared to be an integral part of Awards-Screeners.com. “The database was running with no authentication required for access. No username. No password. Just entirely exposed to the open internet,” Vickery told TF. The researcher’s discovery was significant as the database contained more than 1,200 user logins. Vickery did not share the full database with TF but he did provide details of a handful of the accounts it contained. Embarrassingly, many belong to senior executives. While some will just look at this and mock Hollywood for bad security practices, it does raise more serious questions: if Hollywood can't figure out its own (basic) technology issues, why does it think that the tech industry should solve all its problems for it? If it doesn't even understand the basics, how can it insist that those in Silicon Valley can fix the things that it doesn't understand itself? 
We're already seeing this with the MPAA's ridiculous and misguided freakout over the FCC's plan to have cable companies offer up app versions so that authorized subscribers can access authorized, licensed content. The MPAA and its think tank friends keep falsely insisting that the FCC's recommendation requires the cable companies to ship the actual content to third parties. But the plan has never said that. It only required that third-party devices be able to access the content -- such as by passing through credentials so that the content could flow from the (licensed) cable service to the end user. The fact that these guys don't seem to understand the basics of how the technology works comes through not just in the fact that they failed to secure their screener system, but also in the policy proposals that they keep making. It's becoming increasingly difficult to take those policies seriously when they seem to be based on a fundamental ignorance of how technology actually works.

posted 13 days ago on techdirt
The twice-hacked Office of Personnel Management has had little to offer but promises of "taking security seriously" and free identity theft protection for the thousands of government employees whose personal information was pried loose by hackers. Twice-hacked, because there was one breach the OPM did discover, and one it didn't. While it spent time walling off the breach it had detected, another went unnoticed, leaking enough info on government employees that the CIA began worrying about the safety of agents located abroad. A new report [PDF] by the Committee on Oversight and Government Reform (which AP refers to but, oddly, does not feel compelled to LINK to, despite it being a completely PUBLIC document) details where the OPM initially went wrong. The government discovered the first hacking in March 2014. A Homeland Security Department team noticed suspicious streams of data leaving its network between 10 p.m. and 10 a.m. — the online equivalent of moving trucks hauling away filing cabinets containing confidential papers in the middle of the night. The government's Einstein intrusion warning system detected the theft. [...] For the next few months, the personnel office worked with the FBI, National Security Agency and others to monitor the hacker to better understand his movements. Officials developed a plan to expel the hacker in May 2014. That effort included resetting administrative accounts, building new accounts for users who had been compromised and taking offline compromised systems. Good moves in the wake of a breach, although I'm sure the thousands affected would have preferred a more proactive approach -- like using available cybersecurity tools to help prevent breaches from occurring in the first place. Those tools are what detected the second, still-ongoing breach that the OPM failed to notice when patching up the first hole. 
[F]our people familiar with the investigation said the breach was actually discovered during a mid-April sales demonstration at OPM by a Virginia company called CyTech Services, which has a networks forensics platform called CyFIR. CyTech, trying to show OPM how its cybersecurity product worked, ran a diagnostics study on OPM’s network and discovered malware was embedded on the network. Investigators believe the hackers had been in the network for a year or more. Or, as the report puts it, the malicious code-detecting tool "lit up like a Christmas tree" when deployed. Despite this tool finding malicious code in about one out of every five OPM devices, the report notes the OPM didn't think it was worth paying for. It allowed the trial period to expire before deciding the toolset that found the second breach might be a valuable security asset. Despite housing the personal information of thousands of government employees -- including those with high-level security clearances -- the OPM didn't take security quite as seriously as it claimed to while handing out free credit reporting, post-breach. Jenna McLaughlin of The Intercept points out that the OPM spent less money -- quite a bit less -- than many other government agencies on network security. The personnel agency spent just $2 million in 2015 to prevent malicious cyber activity, while the Department of Agriculture doled out $39 million. The departments of Commerce, Education, and Labor also spent more in this area. Among the categories of cybersecurity spending delineated by the committee — preventing malicious cyber activity, detecting, analyzing, and mitigating intrusions, and shaping the cybersecurity environment — only the Small Business Administration spent as little as OPM (although Small Business Administration spent more overall on cybersecurity). The OPM has responded to the report by stating it fails to account for the agency's post-double-breach cybersecurity awesomeness. 
And one contributor to the Committee feels there's just not enough buck-passing in the report. OPM responded by saying the report does not actively reflect the progress the agency has made since the hack, and Rep. Elijah Cummings, D-Md., the ranking Democrat on the House Oversight Committee, insisted the report was flawed, in part because it failed to place blame on or otherwise account for the contractors involved in the agency’s cybersecurity. That the OPM would want the report to focus on its barn door-closing efforts, rather than its eminent hackability, is understandable. But it's also stupid to insist a report detailing past mistakes not spend more time speculating on the agency's presumably glowing cybersecurity future. The report's title is uncharacteristically (for a Congressional report) brutal and does nothing to spare the feelings of an agency that didn't appear to care until it was too late: The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation But there's nothing to be gained by complaining that no one cares about the stuff you're doing correctly now -- not when it's been revealed that an agency that should have known it was, and will always be, a prime target for malicious hackers spent very little on cybersecurity and didn't deploy even the most basic security tools until well after the fact.

posted 13 days ago on techdirt
More evidence has surfaced that the online reputation management business is shady as all hell. Previously, we've covered the use of fake websites used to generate bogus DMCA takedowns by copy-pasting negative reviews in full and claiming these were the original works of bogus contributors by backdating the posts. We've also covered the even shadier and more legally-dubious tactic of filing bogus lawsuits -- using both fake plaintiffs and fake defendants -- to obtain court orders to delist negative reviews, bypassing the site where they're actually hosted in attempts to force Google, Yahoo, Bing, et al. to make them vanish from search results. Paul Alan Levy of Public Citizen -- thanks to the investigative skills of FIRE employee/Popehat contributor Adam Steinbaugh -- has uncovered another bogus libel lawsuit targeting negative reviews and comments. The standard M.O. is in effect. "Plaintiff" magically locates person behind anonymous review and gets them to sign a retraction. This legal paperwork never makes its way to the site where the review is actually hosted, however. The court order obtained through bogus means is instead served to search engines, resulting in the desired effect: the vanishing of negative content. This follows closely on the heels of a bogus lawsuit in which the person whose name appears as a plaintiff claimed to have no input in the legal proceedings. While the jury (not the courtroom one) is still out on those claims, in this case it's been confirmed that the supposed plaintiff had nothing to do with the lawsuit containing his apparently forged signature. 
After I wrote about the Patel case, I heard privately from Adam Steinbaugh, who sent me copies of some papers he had located on the ECF site of the US District Court for the District of Rhode Island – a complaint along with a “consent motion” and a proposed “consent order,” also signed by a pro se plaintiff and defendant, that contained some awkward phrasings that are suspiciously similar to the language in the Patel v. Chan papers. This time, though, instead of directing that the order be sent to the site hosting the comments – this time, the "Get Out of Debt Guy" web site, a blog about the debt relief industry which has a policy of not removing comments, preferring that the poster make a public retraction — the “consent order” provided that it was to be provided to Google and other search engines so that the entire article (which was not alleged to have anything tortious) could be removed from search engine databases. Levy happens to know the owner of the site indirectly targeted by the bogus lawsuit. Steve "Get Out of Debt Guy" Rhodes reached out to the supposed plaintiff in the lawsuit, Bradley Smith. Smith claims the signature on the lawsuit is not his own. In addition, the defendant -- located mysteriously swiftly by the apparently fake "Bradley Smith" -- is also a fraud. There's no indication the person named in the lawsuit -- "Deborah Garcia" -- had anything to do with the negative comments targeted. Somehow, "Bradley Smith," acting on his own without the benefit of compelled discovery, managed to locate the person behind the comments and obtain her signature on a proposed consent order. Even more magically, the supposed commenter resides in a state with a very long statute of limitations. Among other things, anonymous comments said nothing about Bradley Smith, although the blog article to which they were posted criticized Smith's company. 
Another oddity – neither of the URL’s that the “consent order” called on Google to delist was the article to which the comments were posted, although one of them featured comments supposedly received from “Bradley Smith” (whose authenticity Rhode had contested in these comments). And then there was the name of the defendant – the articles were posted using generic pseudonyms, yet plaintiff had apparently managed to identify the commenter by some mysterious means, and by some coincidence both comments had the same author, and she happened to be located in Rhode Island, where the statute of limitations for defamation is three years! Unfortunately for whoever's behind this bogus lawsuit, Steve Rhodes was able to determine the information claimed in the filing was bogus. Garcia’s supposed residence also justified claiming diversity jurisdiction, yet the blog host could tell that the IP addresses for both comments were in California; and the address listed on the documents for Garcia does not exist. Even more unfortunately for the entity behind the bogus, apparently forged filing, Public Citizen has chosen to pick up the case. It's attempting to intervene on behalf of Steve Rhodes -- not just because the filing is clearly bogus, but also because the plaintiff (whoever that actually is) may have taken advantage of an extra-long statute of limitations, but overlooked a more critical factor. As it turns out, assuming that the choice of Rhode Island as the venue may well have been motivated by its unusually long limitations period for defamation claims, choosing to sue there was a colossal blunder in a different respect: like California, where Bradley Smith lives and whose anti-SLAPP statute is well-known, Rhode Island has a tough anti-SLAPP statute. Today we have entered the Rhode Island case to help the Get Out of Debt Guy retain its access to search engine listings as a way of telling consumers about useful information on its web site. 
Thus, in addition to moving for leave to intervene and to vacate the judgment, we have moved to dismiss the complaint citing the anti-SLAPP provisions, which include an award of attorney fees. It seems to me that the facts here are sufficiently egregious that sanctions may be warranted on an inherent power or bad faith litigation theory. The upshot -- so far -- is that Google is taking a bit more skeptical look at court orders telling it to delist content even though it's not named as a defendant in the lawsuit. The other upshot is that Levy and others are getting closer to identifying the entities behind this extremely shady misuse of the court system to clean up online reputations.

posted 13 days ago on techdirt
The woefully out-of-date CFAA -- the product of panicked early-80s legislating in response to underdeveloped hacker fears -- continues to hold back research (both of the security and non-security kind) when not being wielded like the prehistoric weapon it is by the DOJ and multiple entities who prefer bludgeoning the messenger to fixing their broken systems. Because of the ongoing misuse and abuse of a badly-written law (aided and abetted by some terrible court decisions), a group of academic researchers has decided to proactively sue the government over its terrible legislation, rather than wait around to get sued/indicted for attempting to determine if individual websites exhibit bias against certain users. They've enlisted the help of the ACLU, which filed its suit against Attorney General Loretta Lynch back in June. The DOJ has responded with a motion to dismiss [PDF] that claims everything is wrong with the lawsuit, from the issue of standing to multiple failures to state a claim under the First and Fifth Amendments. Plaintiffs fail to allege an injury in fact sufficient to meet the constitutional minimum of standing. Standing to assert pre-enforcement statutory challenges under the First and Fifth Amendments may exist where the statute in question regulates constitutionally protected conduct and a credible fear of prosecution exists. The challenged provision of the CFAA, however, does not facially regulate protected conduct, and the conduct in which plaintiffs intend to engage—deploying information-gathering software on the websites of non-consenting private entities—is not activity that the First Amendment protects. 
Moreover, plaintiffs fail to provide any facts indicating a credible threat that the challenged provision will be enforced against them: plaintiffs do not allege to have been investigated by law enforcement or threatened with an enforcement action; plaintiffs do not identify any cases in which the government has sought to enforce the CFAA for harmless terms of use violations that were not in furtherance another crime or tort; and the government has affirmatively stated that it has no intention to enforce the CFAA under the circumstances alleged here. Accordingly, plaintiffs are unable to assert an objectively credible threat of prosecution and, as a result, their complaint must be dismissed on standing grounds. It is indeed difficult to sue to prevent things from happening, rather than suing to seek recourse after damage has been done. Speculating about future Constitutional violations is even less likely to succeed, as many courts tend to avoid tangling with any civil liberties questions not directly implicated by the case at hand. These two issues alone may find the court agreeing with the DOJ's assertions. However, other assertions made by the government aren't as solid. While it is true the DOJ tends not to prosecute simple CFAA violations without a connection to other criminal activity, when it does choose to do so, it tends to respond with zealous, fear-based prosecution and incredibly severe sentence recommendations. That the DOJ has magnanimously offered to not enforce the CFAA against the researchers at this point is heartening, as far as that promise goes. The DOJ may have no intention of doing so now, but if the researchers roll up on the wrong website and set some influential wheels to squeaking, that could change. The DOJ is on less solid ground when it argues the CFAA does not create a chilling effect. It may be that the research effort (deploying bots to simulate job seekers, home buyers, etc.) 
is not a form of protected speech, but that doesn't mean speech -- and research efforts -- aren't being deterred by the badly-written and vaguely-interpreted law. The government doesn't contend, however, that the results of the research won't be protected under the First Amendment -- just that the method of gathering the data isn't. Here, plaintiffs allege that the challenged provision of the CFAA has chilled their desire to deploy software technology designed to gather information from the websites of private corporations without the permission of those corporations and in a manner that the relevant website terms of use expressly prohibit. The systemic collection of information from the websites of non-consenting private entities is not conduct the First Amendment protects, and thus plaintiffs are unable to assert a reasonable First Amendment chill with respect to that conduct. [...] Thus, just as there is no First Amendment right to gather information by personally travelling to a sanctioned country, and no First Amendment right to gather information by visiting a jail without the permission of the warden, and no First Amendment right to access information in electronic form rather than paper form, there is likewise no First Amendment right to gather information controlled by private entities by deploying a data-scraping computer program on the websites of those entities without their permission and in a manner that the entities explicitly prohibit. And there's the chicken-egg problem with the First Amendment, which follows after the other chicken-egg dilemma of having to wait to be prosecuted (or threatened with prosecution) before being granted standing to challenge the government's enforcement efforts. To use the DOJ's cited equivalents, delivering the news is protected under the First Amendment. Gathering it, however, may not be. 
What the DOJ doesn't spend any time explaining is why researchers might get the idea the government would come after them for performing this research. The DOJ has explicitly stated in the past that violating a website's terms of use violates the CFAA, making criminals of millions of pre-teens with Facebook or Twitter accounts. And the DOJ's own suggested rewriting of the CFAA looks to turn previous misdemeanors into felonies, including the sort of activity the researchers are proposing. ...knowingly and willfully traffics... in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section… The rewrite removes a key phrase: "with intent to defraud." This excision turns the researchers' plan to search for bias in websites into an admission of felonious intent. That being said, there's a good chance this lawsuit will be tossed quickly. The route to CFAA reform still flows (slowly and sometimes, stupidly) through Congress. Unfortunately, the stakeholders with the loudest voices are those who prosecute under the law, rather than those punished by it. Because of that barrier to true reform, efforts to attack the law from oblique angles are likely to appear periodically until the law is overhauled… or replaced with something worse.

posted 13 days ago on techdirt
Briefly noted in an earlier article about the FBI's investigation into Hillary Clinton's personal email server was the existence of communications that pointed towards FOIA-dodging as a possible factor in her decision to set this up. Emails released earlier had hinted at this. The FBI's investigation documents contained part of an email from Colin Powell warning her that if it became public Clinton was using a personal BlackBerry, any communications on that device could become subject to FOIA requests. Powell also pointed out that he had routed around this during his years at the State Department by "not saying much" and "not using systems that captured the data." So, it's not as though government officials need much help from people like Matt Yglesias in keeping more communications related to government work hidden from the public. They've always had plenty of options and appear to be keenly aware of which systems feed into FOIA-able areas. The full email has now been released (h/t Rebecca Shabad and Steve Ragan) and the contents make it clear Powell had ways of routing around FOIA requirements while heading up the State Department. This appears to be the information Clinton was seeking -- how to avoid having to use the systems the State Department already had or being blocked from using her personal BlackBerry while in office. Clinton had noticed Powell used a personal BlackBerry and wanted to know what restrictions he ran into and whether he was allowed to use it while "on site" during his tenure as Secretary of State. She added that she was trying to "bring along" the State Department, presumably towards the private email server/personal device future Clinton envisioned. Powell's response begins with him pointing out he didn't use a BlackBerry for stuff he wanted to keep off the FOIA radar. He used his own computer. I didn't have a BlackBerry. What I did do was have a personal computer that was hooked up to a private phone line (sounds ancient.)
So I could communicate with a wide range of friends directly without it going through the State Department servers. I even used it to do business with some foreign leaders and some of the senior folks in the Department on their personal email accounts. On one hand, Powell wanted to keep some communications (those with "friends") private, which is understandable. On the other, he clearly states he conducted official business with his private device -- including communications with other State Department officials, who were using their own personal email accounts. It's not just a Powell thing or a Clinton thing. It's a government thing. Many government officials utilize personal devices and accounts. Many of them get away with it. Many government officials say nice things about transparency, too -- all the while creating a stockpile of "public" documents the public never gets a chance to see, much less know exists. The full statement -- which was partially quoted in the FBI investigation documents -- shows routing around FOIA requirements, record preservation policies, and government accountability ideals comes as naturally to government officials as board of directors' positions at favored corporations following retirement from the public sector. After discussing the issues he had with State Department security, the NSA, CIA, etc. about the supposed threat personal devices posed to government security, Powell notes the real threat is… the public. However, there is a real danger. If it is public that you have a BlackBerry and it it government and you are using it, government or not, to do business, it may become an official record and subject to the law. Reading about the President's BB rules this morning, it sounds like it won't be as useful as it used to be. Be very careful. I got around it all by not saying much and not using systems that captured the data. 
Powell has since defended this email by saying he wasn't attempting to influence her on how to handle potentially FOIA-able communications while running the State Department. Powell backs up this assertion by pointing out Hillary Clinton said his email didn't influence her decision to use private email accounts, private devices, and a private server to handle State Department communications. So, I guess that's all wrapped up and nothing more to see here. [eyeroll] It's impossible to tell if this conversation was supposed to evade FOIA requirements as well. Powell's email address is redacted, but Clinton's is still exposed. As of the date this was sent (February 2009), Clinton had been a Senator for nearly a decade. The email account used, however, was an AT&T address linked to her personal BlackBerry -- which would suggest personal devices/email accounts had been standard operating procedure for quite some time. Also of note is this fact -- pointed out by one-man FOIA wrecking crew Jason Leopold: this "new" revelation of Powell's "How To Beat the State Department and the Public at Their Own Transparency Game" advice is actually about three years old. Apparently, Powell detailed his accountability-skirting measures in his 2012 book titled (no shit) "It Worked for Me."

posted 13 days ago on techdirt
Four and a half years ago, we wrote about our serious concerns about the conviction of Dharun Ravi, a Rutgers student who surreptitiously filmed his roommate engaged in a sexual encounter. The roommate, Tyler Clementi, later killed himself, after finding out that he had been filmed. That part was a big story, and kicked off a variety of discussions, some of which were more reasonable than others. But as we noted back then, what was most troubling about the legal case and conviction of Ravi was that he was really being prosecuted for what Clementi did, rather than what Ravi did. As we noted, Ravi filming Clementi was definitely creepy, immature and dumb. But criminal? If Ravi had just filmed Clementi and nothing happened, there never would have been a prosecution. Ravi was really being prosecuted because Clementi killed himself -- and that's problematic. As we've explained a few times, while there's an obvious emotional reaction to someone killing themselves, no one fully knows why they did it other than the individuals themselves. And, blaming others for mean things they may have done after someone commits suicide is a really dangerous place to go. It actually encourages suicide by letting people think that killing themselves will "punish" those who are tormenting them. But the biggest thing is that we shouldn't blame one person based on the actions of another. It only took four and a half years, but Ravi's conviction has now been overturned by an appeals court. You can read the full opinion here. After Ravi's conviction in 2012, the state Supreme Court in a separate case struck down part of the state's bias crime statute that focused on the victim's state of mind. According to that case, it is the defendant's state of mind and intent that is important, not the victim's. 
The appellate court said the prosecution conceded in its oral arguments four of Ravi's bias convictions should "be void as a matter of law," and, accordingly, dismissed those charges with prejudice. The court also dismissed Ravi's conviction on hindering his own apprehension and tampering with witnesses. Of course, this isn't over yet. The court ordered a new trial, claiming that the original one was biased -- and there's still a chance that prosecutors may appeal this ruling to the New Jersey Supreme Court. As for the reasoning of the court, it pointed out that prosecutors basically focused on Clementi's actions, rather than the defendant's (Ravi's), and presented an unfair and biased picture to the jury: After carefully reviewing the record developed at trial, it is clear that the evidence the State presented to prove the bias intimidation charges under N.J.S.A. 2C:16-1(a)(3) permeated the entire case against defendant, rendering any attempt to salvage the convictions under the remaining charges futile. The State used evidence revealing the victim's reserved demeanor and expressions of shame and humiliation as a counterweight to defendant's cavalier indifference and unabashed insensitivity to his roommate's right to privacy and dignity. The prosecutor aggressively pressed this point to the jury in her eloquent closing argument. It is unreasonable to expect a rational juror to remain unaffected by this evidence. In light of the Court's ruling in Pomianek, admission of T.C.'s state of mind evidence constituted an error "of such a nature to have been clearly capable of producing an unjust result." In other words, exactly as we've talked about for years: when you go after someone because someone else committed suicide, the emotional aspects of the case are likely to completely steamroll the legal issues. Thankfully, the court has finally recognized that, even if only four years too late. 
None of that is to suggest that what Ravi did was right, or that Clementi's suicide wasn't tragic. Ravi did something really stupid and immature. But stupid and immature doesn't mean criminal. Hopefully the prosecutors just decide to cut their losses and drop the case altogether.

posted 13 days ago on techdirt
People celebrating the "demise" of Gawker in being forced into bankruptcy by a questionable lawsuit and ruling from Hulk Hogan, financed by Peter Thiel, keep insisting that it has no real impact on the freedom of the press. And yet... things keep showing that's wrong. Gawker filed for bankruptcy and sold off its assets to media giant Univision, who agreed to close down the flagship Gawker site, and redistribute some of the reporters to other sites. But late Friday, Univision management made another decision, and this one is horrific: they agreed to delete six stories on the site (with a seventh one being considered) because those stories were the subject of lawsuits against Gawker. The reasoning given by Univision is that it only agreed to buy the assets of Gawker, not the liabilities, and keeping those stories posted gave it liability. First of all, this is wrong on the legal side of things. As Gawker's executive editor, John Cook (who fought this decision) notes, Univision doesn't take on the liability here: Though the posts were published by Gawker Media, and therefore under the so-called “first publication rule” should only be the legal responsibility of the Gawker Media estate being left behind in the transaction, Unimoda’s legal analysis was that the continued publication of the posts under the new entity would constitute the adoption of liability, and that Unimoda is therefore obligated to delete them. But that's not the most disturbing thing here. The really problematic issue is that the stories being removed are ones where the lawsuits are almost entirely bogus SLAPP suits designed to annoy Gawker, rather than suits with any serious legal basis. So, for example, there are the two stories that Gawker published about Shiva Ayyadurai, the guy who keeps trying to convince the world that he invented email when he didn't. We've discussed Ayyadurai and his bogus claims many times, and also covered the lawsuit.
There is no legitimate reason to take down those posts. Perhaps even more incredible is that Univision also agreed to take down the story that nutty troll Chuck C. Johnson had filed a lawsuit against Gawker over. That's a lawsuit that is so ridiculous it was laughed out of court in Missouri. And while Johnson filed a nearly identical lawsuit (including references to Missouri) in California, it was similarly going nowhere, and Johnson recently said that he'd dropped the case. And yet Univision voted to delete the story anyway. This is... bad. It's one thing to make a decision to pull a story once you've analyzed the situation and decided that the story has problems and should be pulled. But that's not what happened here. Univision execs flat out told Cook that this was solely about not taking on the liability. In other words, Univision has absolutely zero backbone to stand up for its journalists. That's shameful. This move basically immediately does two things. First, it alerts anyone who wants a heckler's veto to threaten Univision with a lawsuit. Second, it should immediately cause any good journalist working for Univision or its properties (including Gawker and Fusion) to start looking for a new job elsewhere. If you can't have your publisher back you up on things like this, that's a dangerous place for a reporter to work. Kudos to Cook for trying to stand up to Univision, but if those execs wouldn't listen to him, the company's got really big problems. I communicated to Felipe and Jay in the strongest terms that deleting these posts is a mistake, and that disappearing true posts about public figures simply because they have been targeted by a lawyer who conspired with a vindictive billionaire to destroy this company is an affront to the very editorial ethos that has made us successful enough to be worth acquiring.
I told them that I am proud that this company refused to delete its accurate posts about Shiva Ayyadurai’s false claim to have invented the email system of communication, and that I am proud that our decision not to take down accurate posts about Mitch Williams’ meltdown at a children’s baseball game was vindicated by a federal judge, who ruled in our favor in his case against us. I am mortified to see them taken down now. We are at the center of an unprecedented assault on the ability of reporters and editors to challenge and critique public figures. While I believe that Univision is a company that values and defends aggressive, independent reporting, the decision to remove these posts is, in my view, at odds with its tradition of confronting bullies with honesty. Univision just did a big thing badly. And it sullies the company's reputation and brand and it makes all of the company's remaining journalistic staff look bad. And, of course, this is the internet, where trying to make stuff disappear never works. I went over to archive.is soon after the announcement came out (and before the stories had been taken down) and every single one had been re-archived (many had been previously archived) within the previous hour. So if you're curious what was in the stories too hot for Univision's backboneless execs, here they are:
The Inventor of Email Did Not Invent Email?
Corruption, Lies, and Death Threats: The Crazy Story of the Man Who Pretended to Invent Email
Man Acquitted Of Sexual Assault Sues Blog For Calling Him Serial Rapist
Wait, Did Clowntroll Blogger Chuck Johnson Shit On The Floor One Time?
Uber Driver in California Will Be Considered Employee, Not Contractor
Mitch Williams Ejected From Child's Baseball Game For Arguing, Cursing
Witnesses: Mitch Williams Called Child "A Pussy," Ordered Beanball
This is why we need publications that don't back down in the face of SLAPP suits. This is why we need stronger anti-SLAPP laws (and a federal anti-SLAPP law). This is why we express concerns about billionaires ganging up to sue publications out of existence in a vengeance play. Publications are vulnerable, but they're supposed to stand up to bogus threats, not cave in out of fear.

posted 13 days ago on techdirt
When we talk password security here at Techdirt, those conversations tend to revolve around stories a bit above and beyond the old "people don't use strong enough passwords" trope. While that certainly is the case, we tend to talk more about how major corporations aren't able to learn their lessons about storing customer passwords in plain text, or about how major media outlets are occasionally dumb enough to ask readers to submit their own passwords in an unsecure fashion. But for the truly silly, we obviously need to travel away from the world of private corporations and directly into the world of politicians, who oftentimes are tasked with legislating on matters of data security and privacy, but who cannot help but show their own ineptness on the matter themselves. Take Owen Smith, for example. Smith is currently attempting to become the head of the UK's Labour Party, with his campaign working the phones as one would expect. And, because this is the age of social media engagement, one of his campaign staffers tweeted out the following photo of the crew hard at work. The image is such that the problem may not jump out at you. Hopefully one of the many internet-ers that tweeted a response to the campaign will help. Owen Smith's team have the absolute cheek to accuse @jeremycorbyn of "incompetence" the day after this! pic.twitter.com/ZUydXlLdxr — Another Angry Voice (@Angry_Voice) September 5, 2016 Yes, a staffer for the campaign managed to tweet out the full login and password to the phone banks for the campaign's phone jam. That password was also declared weak by the same internet that had managed to suss it out from the photo, leading some to complain that politicians that cannot bother to run organizations that adhere to basic security practices shouldn't be trusted to legislate on those matters in government.
The tweet has since been deleted and the credentials altered, but password security practices probably start with a first step of: don't send out your l/p to the entire known internet-connected world.

posted 14 days ago on techdirt
The FBI has been having a real tough time recruiting young tech savants to its cause, and this week our first place winner for insightful is an anonymous comment with some clear and simple thoughts on why that is: He's hoping to attract patriots, except the real patriots are the ones unwilling to help the FBI violate the Constitution and civil liberties at every opportunity. But the agency might not need that expertise — after all, Hillary Clinton thinks the military might be the best response to hacking attacks like the one that targeted the DNC — which gave Wargazm a thought that won second most insightful comment of the week: Are we just going to gloss over the idea that she thinks a *hack of the DNC* is grounds for introducing a new doctrine for dealing with cyber attacks?! Last I heard the DNC is NOT a government agency. What exactly does she propose we defend here? If Russian hackers go after a grandmother's bank account, are we going to put boots on the ground? Or is the goal just to prevent Democrats from being embarrassed during an election year? One more thing: How the hell does she look at the DNC hack and not immediately change her position on encryption? If we had strong, encrypted email services readily available and easily used by anyone...bam, no DNC hack. Instead, she talks about using the military to respond. Christ. For editor's choice on the insightful side, we've got a pair of responses to the astonishing scandal in which Wells Fargo has fired 5,300 employees for fraudulent billing practices. 
First, That One Guy questioned the idea that this could be any kind of 'mistake' or accidental product of bad incentives: Which might make sense if we were talking about a few, or even a few dozen people doing it across the entire company, but when we're talking about literally thousands of employees the idea that no-one in management had so much as a hunch that something fishy might be going on before the investigation pointed it out to them goes right out the window. As the article and the first AC noted, either upper management knew and looked the other way or they were so grossly incompetent that they never caught on, either way they need to be fired at best given the idea that they really had no clue is minuscule when you consider how many people we're talking about here. Next, we've got a response to that comment from MadAsASnake, who explained how it could be both — a broken incentive system coupled with managerial negligence: This happened a lot in the UK as well. The incentives given to floor staff are usually in terms of "conversion rates". The targets are based on the "best" staff calculated on those conversion rates. The "best" are invariably those that are cheating. In one case I am aware of, one staff member "upgraded" the accounts of all 13 customers she saw that day. In return, she was: - rewarded with a commission for each sale - rewarded with a bonus for being a top op - given recognition throughout the company When her manager reviewed those upgrades, it was plain that the customers had not agreed to them. So what happened? The manager had to contact all 13, explain the "mistake" and put it right. This member of staff: - kept the commission, bonus and recognition - was not reprimanded (how could you having so publicly congratulated her) The new targets the following week were increased in proportion to this record achievement. 
The reason this gets really out of hand is that those staff not making the targets face criticism and sometimes even dismissal for poor performance. My wife was a co-worker in this branch. As she said, you could do your job with integrity, or you could hit your targets which were spectacularly unattainable. My guess is that stupid incentives structures combined with a refusal to reprimand dishonest behaviour is behind this too. The management need to be sacked whether they knew or not. Over on the funny side, our top comment is one that pops up frequently whenever we level criticisms at Google (this time, over the Feedburner/Goo.gl link shortening fiasco). JD offered up the classic ironic-faux-troll: Clearly this is just more proof that Mike Masnick is a Google shill. Next, we have a quip on a thread about Comcast's broken broadband meters which seemed to be vastly overcharging people. One commenter asked if it would be called fraud to sell 10,000 tickets for a show with a 3,000 seat capacity — and Michael had an answer: No. That would be called an airline. For editor's choice on the funny side, we follow up on that with a good ol' crossover comment from DannyB in response to Trump's lack of a cyber policy against ISIS: Dear Mr. Trump, Here is a simple cyber policy for ISIS. Make them have to use Comcast. Finally, we've got one more response to our problems with Google's link shortener — an anonymous commenter who found the silver lining: And the good news is that you probably won't be charged with a CFAA violation! That's all for this week, folks!

posted 15 days ago on techdirt
Five Years Ago
This week in 2011, copyright was going crazy in Europe. Even though a smart review of the copyright system there suggested that its purpose was to send as much money as possible to US companies, Europe announced plans to extend copyright terms retroactively and wasted no time making them official. Meanwhile, the leaked State Dept. cables were revealing just how big a role US diplomats play in copyright around the world: guiding the dismantling of online civil rights in Sweden, pressuring Canada to enact draconian copyright law (sometimes even at the behest of Canadian politicians), and acting as Microsoft sales staff in Bosnia.
Ten Years Ago
This week in 2006, HP was embroiled in a massive scandal when it was revealed that Patricia Dunn, the chairperson of the board, was spying on other board members and, it soon turned out, members of the media as well, all over some leaked information a few years earlier. Eventually she spoke out publicly, admitting only that it was embarrassing (though really that's just the getting caught part, I suspect). Before that, HP's spokesperson addressed the whole mess by claiming the fraud and identity theft had something to do with "personal integrity".
Fifteen Years Ago
Five years before that in 2001, HP was in the news for the rosier reason of its purchase of Compaq in a $25-billion deal. Meanwhile, there was lots of speculation over who might buy Yahoo! (and as we recently found out, that speculation would have to wait another fifteen years to be resolved), and some back-and-forth on the question of whether Apple should buy Palm, or try to make its own way into the handheld market (and I think we all know how that worked out). Also this week in 2001: the Justice Department backed down from seeking a breakup of Microsoft, a critical ruling found eBay not liable for pirated goods sold on the site, and despite the death of Napster more people were trading music online than ever before.
Fifty Years Ago
I'm sure I'm not the first to tell you that this week was the 50th anniversary of Star Trek, one of the greatest television franchises of all time. But as a Canadian I might be the first to tell you/brag about one lesser-known fact: though September 8th is when the first episode first aired on NBC, up here north of the border we actually got it before you — the very first airing of The Man Trap was two days earlier on CTV.

posted 16 days ago on techdirt
Back in May we noted that the ridiculous and terrible anti-encryption bill from Senators Richard Burr and Dianne Feinstein was dead in the water. The bill had all sorts of problems with incredibly broad and vague requirements, but the quick summary was that tech companies would have to figure out a way to backdoor all encryption, because if they received a warrant, they'd be required to decrypt any communication.

Rather than get the message that this was a really, really bad idea, it appears that Burr and Feinstein have just gone back to the drawing board, trying to recraft the bill. Julian Sanchez got his hands on one of a few prospective new drafts that are being floated around and has an analysis of the update. The draft that Sanchez has seen tries to fix some of the problems, but doesn't really fix the main problems of the bill. As Sanchez points out, he sees four major changes in the draft:

(1) Narrower scope

The original discussion draft required a “covered entity” to render encrypted data “intelligible” to government agents bearing a court order if the data had been rendered unintelligible “by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.” This revision would delete “owned,” “created,” and “provided”—so the primary mandate now applies only to a person or company that “controls” the encryption process.

(2) Limitation to law enforcement

A second change would eliminate section (B) under the bill’s definition of “court order,” which obligated recipients to comply with decryption orders issued for investigations related to “foreign intelligence, espionage, and terrorism.” The bill would then be strictly about law enforcement investigations into a variety of serious crimes, including federal drug crimes and their state equivalents.

(3) Exclusion of critical infrastructure

A new subsection in the definition of the “covered entities” to whom the bill applies would specifically exclude “critical infrastructure,” adopting the definition of that term from 42 USC §5195c.

(4) Limitation on “technical assistance” obligations

The phrase “reasonable efforts” would be added to the definition of the “technical assistance” recipients can be required to provide. The original draft’s obligation to provide whatever technical assistance is needed to isolate requested data, decrypt it, and deliver it to law enforcement would be replaced by an obligation to make “reasonable efforts” to do these things.

The first change seems like a big deal, but it also is hard to parse out and seems rather meaningless. Changing the requirement from covered entities to those who "control" the encryption? So what. That basically still means backdooring encryption, it just might mean going up a step or two in the ladder. Sanchez reads this as possibly being an attempt to effectively backdoor future types of encryption, less so than what we have today. I won't repeat his whole argument here -- go read it yourself -- but as he notes, this might be a way to calm people down to pass this bill:

If this interpretation of the idea behind the proposed narrowing is right, it’s particularly politically canny. You declare you’re going to saddle every developer with a backdoor mandate, or break the mechanism everyone’s Web browser uses to make a secure connection, and you can expect a whole lot of pushback from both the tech community and the Internet citizenry. Tell people you’re going to mess with technology their security already depends upon—take away something they have now—and folks get upset. But, thanks to a well-known form of cognitive bias called “loss aversion,” they get a whole lot less upset if you prevent them from getting a benefit (here, a security improvement) most aren’t yet using. And that will be true even if, in the neverending cybersecurity arms race, it’s an improvement that’s going to be necessary over the long run even to preserve current levels of overall security against increasingly sophisticated attacks.

As for the other changes, saying that this can't be used for intelligence purposes, but just law enforcement, is also kind of meaningless. The intel community has actually been somewhat opposed to the Burr Feinstein bill anyway -- in part because they can already break into lots of encryption. And if this new backdoor is required, then they'll be able to break into more. The warrants are meaningless to the intel community for the most part, so this "limitation" is no limitation at all.

The final change about "reasonable efforts" is clearly an attempt to appease the tech companies that spoke out loudly against the bill. It's definitely better than the "you must decrypt" kind of language in the original, but it's hardly comforting. Remember, the FBI/DOJ insisted that what it was asking of Apple in the San Bernardino iPhone case was a perfectly "reasonable" effort as well.

Either way, this shouldn't be much of a surprise, but it's clear that the whole push to outlaw real encryption may have had a setback, but is far from dead.

posted 16 days ago on techdirt
Lies, damned lies, and the DOJ's FOIA fulfillment rate.

Tom Susman, a member of the FOIA Advisory Committee, emailed the heads of the Justice Department’s Office of Information Policy (OIP) and Office of Government Information Services (OGIS) on the discrepancy between the misleading 91 percent FOIA release rate commonly cited by OIP – and repeated by the rest of the government – and the more accurate release rate calculated by the Archive and others of between 50 and 60 percent.

The only entity that believes the DOJ has fulfilled 9 out of 10 FOIA requests is the DOJ. Anyone on the receiving end of its "responses" finds this number laughable. First off, the DOJ's apparently including the thousands of requests it fulfills years after they've been requested. It's also including partial responses. And its hit rate is greatly padded by "releases" in which nothing was actually released.

[M]y experience has been that including released in part in the overall “disclosure rate” is likely to be very deceptive. In one recent example from the Department of Education, the agency “released” 200 pages of documents to a FOIA requester, only two of which were not totally redacted, and those two were correspondence from the requester. This, of course, would be counted as “released” under the 91 percent tally, but not in my universe.

Also likely included in the DOJ's inflated sense of self-worth:

- Fulfillments where "no responsive documents can be found," even when it's clear there are documents to be found
- Responses where the DOJ has claimed it can't find documents it has already released publicly
- Responses where the DOJ has been forced to turn over documents by court decisions

The number released by the DOJ is just plain dishonest. It gives the "most transparent administration" a win it clearly hasn't earned and misrepresents the FOIA experience to the general public. It gives the DOJ something to further ward off FOIA reform attempts and implies that those who do complain about its general unresponsiveness are probably blowing things out of proportion.

As Lauren Harper of Unredacted points out, the touting of this bogus success rate only makes it less likely the federal government will seriously address its constant FOIA shortcomings.

When the White House, DOJ, or others cite a 91 percent “success statistic” their aim is to present a view to the public that FOIA is working 91 percent of the time. Anyone that has looked at the stats – including the blanket denials, redactions, decades long waits – or has filed a FOIA request, knows that this “statistic” is far from the truth. A better track for the administration would be to candidly acknowledge the problems facing FOIA and work openly to fix them.

Let's face it: the DOJ isn't going to change until forced to -- "presumption of disclosure" or not. This administration has done almost nothing to push for greater transparency and neither of the incoming presidential candidates -- Hillary "Homebrew" Clinton or Donald "I Can Make My Own Laws, Right?" Trump -- are likely to have a positive effect on government accountability going forward.

Certainly, there are still legislators who are pushing for better transparency, but they're stymied by powerful agencies like the DOJ -- and, often, the administration itself. The DOJ presides over agencies which have done everything but order a hit on prolific FOIA requesters like Jason Leopold. And, while the move towards a "release to one, release to all" policy on FOIA responses is better for the public in general, it's also likely intended to discourage journalists from chasing down obscure government secrets by removing the possibility of "scooping" competitors.

The worst part is the DOJ likely doesn't care whether the general public believes its inflated response numbers. Like far too many federal agencies, it has long since shrugged off any pretense of acting in the public's interest. Its "91%" whitewash of its FOIA responsiveness covers up a 50-60% response rate -- one that's likely good enough for government work. Especially the sort of work few in the government show any interest in performing.

posted 16 days ago on techdirt
For years, we've pointed out the ridiculousness of "the view from nowhere" reporting (a phrase coined by journalism professor Jay Rosen). This is the ridiculous belief that being an "objective" journalist means never challenging what someone says to you, but rather just showing "both sides of the story" and not "taking" any side. But, that's ridiculous. If someone claims that the earth is flat, and you do a story showing the person claiming that, alongside someone else saying it's not, but never point out that the person saying the earth is flat is crazy, then you're not doing your job as a journalist. A journalist should be focusing on getting to the truth, and that means calling bullshit when warranted.

This issue has come up again this week, thanks to NBC talking head Matt Lauer's inability to challenge Donald Trump's blatantly false statement that he was against the war in Iraq. Trump has been saying this throughout the campaign, and it's simply not true. What's more, plenty of journalists have pointed out that it's not true, and any journalist interviewing the candidate, as Matt Lauer did, should have known that and should have pushed back. But Lauer did not, leading to widespread criticism.

What's perhaps even more astounding, however, is that some TV journalists jumped in to defend Lauer, insisting that doing actual fact checking on lies is showing bias:

Political talk-show host Chris Matthews, for example, said after the event that if Lauer had called Trump out for lying, that would be equivalent to expressing an opinion, and moderators are supposed to be neutral. Fox News anchor Chris Wallace, who is going to be moderating one of the debates between Trump and Clinton, said something similar in an interview. Wallace said it’s not his job to question the factual accuracy of a candidate’s statement during such an event. “I do not believe it’s my job to be a truth squad,” Wallace said. “It’s up to the other person to catch them on that.”

If that's what they think, then they should all find new jobs. Because they're not journalists. The finding of truth is important, and calling out a candidate (or others in power) for false statements when they make them is part of that important role. It's not "biased" to seek the truth. It's not "biased" to call a false statement a false statement. It's the job of a journalist.

posted 16 days ago on techdirt
Last month, we wrote about a blog post by Public Knowledge questioning why the Copyright Office kept acting like a lobbying firm for Hollywood, often stepping into issues where it has no business and almost always pushing the Hollywood viewpoint. It turns out that was just a sneak peek of a much larger report that PK has now released on The Consequences of Regulatory Capture at the Copyright Office. The full 50-page report is worth a thorough read. It details the obvious bits concerning the revolving door between copyright maximalists and the Copyright Office, with much of top management coming from jobs in the entertainment industries, and then many former top Copyright Office folks going right back into that industry upon leaving.

But the more interesting part of the report is looking at how frequently the Copyright Office appears to blatantly misinterpret copyright law in an attempt to expand what the law actually covers.

From safe harbor provisions to statutory licenses, the Copyright Office has, for decades, misapplied, ignored, or “creatively interpreted” statutory and common law. It assumed a strained and flatly unfeasible reading of safe harbor provisions in order to strip websites of statutory legal protections when they are sued by certain sound recording rightsholders; concluded against the force of common and statutory law that a broad “making available” right existed where it does not; and mischaracterized key aspects of copyright law with regard to proceedings at the Federal Communications Commission, all in support of the position of rightsholders against other industries and the public.

That seems like it should be a pretty big concern, no? There are some eye-opening examples of problems as well. For example, the time when the Copyright Office provided a memo in a lawsuit the record labels had filed against Launch Media. It originally included a footnote saying that Launch Media was likely a "non-interactive service" (which has many, many fewer restrictions than an interactive one). Magically, the footnote was then updated to say it wasn't a non-interactive service, but an interactive one. What changed?

In a memorandum from Kenneth L. Steinthal, attorney for Launch, admitted into evidence at trial, Steinthal stated that he spoke with the individual in the Copyright Office who drafted the footnote. Steinthal stated that according to that individual, someone from the RIAA had called the Copyright Office and as a result, the substance of the footnote was changed.

Yup. Apparently the RIAA can just make a phone call, and the Copyright Office is willing to switch positions overnight.

The report also notes how the Copyright Office keeps expanding its own mandate, and keeps getting smacked around for it. The examples of courts looking skeptically at the Copyright Office are fairly telling:

Courts have repeatedly taken a dim view of the Copyright Office’s analysis of larger questions—and, on occasion, even of their judgment in their core function of issuing registrations. The Second Circuit in Vimeo took the Office to task, slamming its analysis of safe harbors in the Pre-1972 Sound Recordings report as “arbitrary and without legal foundation,” “incompatible with a literal and natural reading of the text,” and “based in major part on a misreading of the statute.” The Court also commented that the Office’s position was “[a]t the very least, a strained interpretation—one that could be justified only by concluding that Congress must have meant something different from what it said.”

The conclusion is that we need to rethink the Copyright Office and how it's set up:

The Copyright Office, isolated from effective mechanisms of governmental accountability, has become deeply and troublingly captured by major entertainment industries and other rightsholder interests. As a result, it has regularly disregarded the concerns of other stakeholders, such as libraries, archives, and the public at large. It has frequently aligned itself with the agendas of industry trade groups, pushed for expansion of copyright at the expense of consumers’ established rights, and published reports that embrace extreme interpretations that rise above and beyond the scope of settled law.

Of course, it's not too difficult to see how this came about. If you're not deep in the weeds of copyright issues, it's actually fairly natural to assume that the people who best understand copyright law are those in companies who use copyright law to their own advantage. Of course, that ignores that the very purpose of copyright law is not to benefit copyright holders, but the public (this is also something that the Copyright Office has, consistently, gotten wrong). But, that's like saying that the best banking regulators should be former bankers (oh wait...) and the best FCC commissioners should be ex-telco lawyers (oops).

In the end, what we're seeing is pure regulatory capture, but it's especially troubling in the copyright context, given that copyright is explicitly designed with the benefits of the public in mind, and it's only over time (thanks to this kind of regulatory capture) that the mission has been warped and twisted to the false belief that maximizing copyright is important, rather than maximizing the public's benefit.

posted 16 days ago on techdirt
Just a few months ago, we wrote up a decently long post explaining why the upcoming "transition" of a piece of internet governance away from the US government was both a good thing and not a big deal. You can read those two posts on it, but the really short version is twofold: (1) the Commerce Department's "control" over ICANN's IANA (Internet Assigned Numbers Authority) was always pretty much non-existent in the first place; and (2) even having that little connection to the US government, though, only provided tremendous fodder for foreign governments (mainly: Russia & China) to push to take control of the internet themselves. That's what that whole disastrous UN/ITU/WCIT mess was a few years back.

Relinquishing the (non-existent) control, with clear parameters that internet governance wouldn't then be allowed to jump into the ITU's lap, helps on basically every point. It takes away a key reason that other countries have used to claim they need more control, and it makes it clear that internet governance needs to remain out of any particular government's control. As we noted, this is all a good thing.

But for unclear reasons, Senator Ted Cruz keeps insisting that this "transfer" is about the US giving control over the internet to the UN. He's ramped up this rhetoric lately as the transition gets closer:

"Today our country faces a threat to the internet as we know it. In 22 short days, if Congress fails to act, the Obama administration intends to give away the internet to an international body akin to the United Nations," Cruz said in a speech on the Senate floor Thursday. "I rise today to discuss the significant, irreparable damage this proposed internet giveaway could wreak not only on our nation but on free speech across the world."

Except that's hogwash. The plan does exactly the opposite. We've made this point over and over again, and thankfully others are doing so as well. Fusion has a long and detailed article that highlights that Cruz's claims are a fantasy and have no basis in reality. It goes through the whole history of IANA (if you don't know the story of Jon Postel and Joyce Reynolds, and how the two of them basically kept the internet running in their spare time for a few decades, you should...), but then points out that Cruz is just wrong:

To be clear: ICANN has about as much control over the internet as Ted Cruz has a grasp on how DNS actually works–which is to say, very little. But the perpetuation of the fiction that ICANN controls the internet is representative of the completely understandable human impulse to try and assign control of the internet to someone or something, particularly in a time where the systems that shape most users’ experience of the internet are increasingly opaque and unaccountable to users. Saying any one group controls the internet is as absurd as saying who “controls” capitalism or globalization itself. But everyone has their version of control. Silicon Valley billionaires may insist we surrender to the invisible hand of the network, which simply chooses disruption and convenience over accountability and ethics. For the federal government, it’s far easier to accuse the private sector of being in control and thwarting national security than admit that mass surveillance is an expensive and incompetent tactic. For critics (or those who’d prefer that control be in their hands), it would be far simpler to point at a single oligarch or Bohemian Club or ICANN that needs to be overthrown; it might redeem what today at times seems like a fractal trainwreck of an internet, and somehow bring us back to John Perry Barlow’s never-realized promise of an independent cyberspace.

And it also points out that the biggest "threat" to how internet governance is handled is if Cruz actually succeeds in blocking the transition:

Mostly, when I asked people at ICANN about worst-case scenarios with the transition, they pointed to Ted Cruz’s efforts. The transition not going through–either through a blocking action from this current Congress through some legislative action or Congress just delaying until the next president comes into office–would not only undermine the work that a lot of people have already put into the transition plan, it also would create even further mistrust and frustration among countries like Brazil that continue to be frustrated by US control. Maybe that would be enough to justify a fragmentation of the root zone. Or it could just make it harder for the multistakeholder model to function by undermining trust in the community as a whole, making consensus harder to achieve. Which is kind of to say it could start to look a lot more like the US Congress.

In other words, as we've explained before, Ted Cruz's concerns over the internet here are completely backwards. Up is down, black is white, night is day kind of stuff. Keeping the IANA connection to the US government is the kind of thing that opens up the possibility for Russia/China to exert more control over internet governance by routing around ICANN and its flawed, but better than the alternative, "multistakeholder" setup. Moving ICANN away from the US government, with strict rules in place that basically keep it operating as is, takes away one of the key arguments that foreign countries have been using to try to seize control over key governance aspects of the internet.

If Cruz fears foreign governments taking control of internet governance, he should do the exact opposite of what he's doing now. Let the Commerce Dept. sever the almost entirely imaginary leash it has on ICANN. Otherwise, other countries' frustration with the US's roles is a much bigger actual threat to how the internet is managed.

posted 16 days ago on techdirt
For years, we've pointed to seemingly ridiculous and/or arbitrary examples of Facebook's content moderation team blocking or banning perfectly reasonable content as offensive, often in a manner where it apparently can't distinguish nudity that is art or newsworthy from that which is just titillating. The latest example is getting a ton of attention as Facebook deleted an iconic Vietnam War photo of a young girl, Kim Phuc, fleeing a napalm attack. It's one of the most famous war photos ever, and the Norwegian newspaper Aftenposten included it in a story of "seven photographs that changed the history of warfare." The writer of the piece, Tom Egeland, posted it to Facebook as well, and Facebook not only took the post down, but suspended Egeland.

This resulted in a front page story at Aftenposten, in which the site's editor published an open letter to Mark Zuckerberg. The conceit there is a little silly -- it's not Mark Zuckerberg specifically banning this. It's a poorly paid team of content moderators who have some basic guidelines and are told to do their best. And a few points are necessary here: (1) the argument that some make that there should be zero moderation at all isn't particularly sustainable. Such sites automatically get overrun by spam. If you agree that spam should be removed, then you accept moderation -- and then the question is how much. (2) Moderating content at scale is more difficult than you think. Yes, we make fun of Facebook for these kinds of things too, but that doesn't mean it's an easy problem to solve. This is one of the reasons why we keep arguing that social media sites should look more towards being protocols instead of platforms and then to provide end user tools that allow individuals to create their own moderated experiences, rather than having a centralized team do the work (which they'll never do well enough).

But, in this case, there does seem to be a bigger problem. And it's a problem that we see all too often with larger companies like Facebook. Which is that when alerted to such a problem, rather than recognizing the obvious problem, they double down. Here's the response Facebook originally sent Aftenposten:

If you can't read that, it says:

We place limitations on the display of nudity to limit the exposure of different people using our platform to sensitive content. Any photographs of people displaying fully nude genitalia or buttocks, or fully nude female breasts, will be removed. Photos of women actively engaged in breast feeding or exposing reconstructed nipples for awareness are allowed. We also make allowances for digitally produced content posted for educational, humorous or satirical purposes, and for photographs of real world art. We understand that these limitations will sometimes affect content shared for legitimate reasons, including awareness campaigns or artistic projects, and we apologize for the inconvenience. Therefore I ask you to either remove or pixelize this picture.

What's funny is that many of the "exceptions" listed above are actually examples that Facebook has been mocked in the past for banning, and thus the list looks like it's been amended each time the company gets embarrassed. So, I would imagine that eventually that paragraph is likely to include an exception for "historic photos" or something of that nature. But, in the meantime, Aftenposten has mockingly put up this image:

The full letter from Aftenposten's Espen Egil Hansen is worth a read, but I'll leave you with this part:

The least Facebook should do in order to be in harmony with its time is introduce geographically differentiated guidelines and rules for publication. Furthermore, Facebook should distinguish between editors and other Facebook-users. Editors cannot live with you, Mark, as a master editor. These measures would still only soften the problems. If Facebook has other objectives than just being as big as possible and earn as much money as possible – and this I am still convinced that you have, Mark – you should undertake a comprehensive review of the way you operate. You are a nice channel for persons who wish to share music videos, family dinners and other experiences. On this level you are bringing people closer to each other. But if you wish to increase the real understanding between human beings, you have to offer more liberty in order to meet the entire width of cultural expressions and discuss substantial matters. And then you have to be more accessible. Today, if it is possible at all to get in touch with a Facebook representative, the best one may hope for are brief, formalistic answers, with rigid references to universal rules and guidelines. If you take the liberty to challenge Facebook’s rules, you will be met – as we have seen – with censorship. And if someone will protest against the censorship, he will be punished, as Tom Egeland was.

It's easy for some people to just say "Well, don't use Facebook," but for many people that's not really an option these days. You may have that luxury, but many people do not. Facebook has become a key way to stay in touch with family. It's an important part of many people's jobs as well. And, yes, Facebook has every right to moderate the content on the site, but it seems worth calling out when that moderation comes across as silly and counterproductive, as it does in this case.

posted 16 days ago on techdirt
It feels like every day now you hear news of another major hacking attack. The fact is, however, that most attacks occur without the user even knowing. The $49 Ethical Hacking, Cyber Security and Forensics Bundle can help you protect your systems from attack. You will learn the mechanisms of spam, phishing, spear-phishing, malware, and social engineering. And you will learn how to structure preventative measures through penetration testing and network vulnerability assessments.

Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

posted 16 days ago on techdirt
So Karl has already pointed out the ridiculousness of Comcast complaining about the new FCC set top box proposal -- a proposal that is basically identical to the one that Comcast itself had proposed in response to the FCC's original, more comprehensive set top box proposal. And a bunch of other organizations have rushed out statements slamming the FCC proposal as well, despite their previous support for an "app-based" solution. And now the MPAA has stepped into this mess with a hilariously misleading, to downright false, claim that this revised proposal still violates copyright law:

If Chairman Wheeler's revised proposal is as it has been described to MPAA members and others in meetings, it still amounts to a compulsory copyright license that the FCC does not have authority to grant. The MPAA does not support compulsory licenses, has never supported compulsory licenses, and we cannot do so here. Whether through a licensing body subject to FCC review or otherwise, the FCC must not encroach upon copyright holders' discretion in how they exercise or license the exclusive rights Congress granted them in section 106 of the Copyright Act, or jeopardize the security of their content, as the Copyright Office explained in its expert analysis."

Except, of course, there's nothing in there that's a copyright issue at all (just as there was nothing in the original proposal). The new proposal doesn't impact copyright licensing at all. Just read it. It only requires that TV providers offer apps that are fully controlled by the provider, enabling subscribers to then access licensed content. There is no infringement here. There is no compulsory license. The TV providers still have the same license they've always had with the content providers. The end users still have the same contract they've always had with the TV providers. The only difference is that end users might not have to rent expensive boxes any more, and now the TV providers will make apps available to those subscribers, which can work on various boxes to access the same licensed content.

The complaint here is really about the loss of control for the cable providers and the ability to shake down the public in renting boxes. The MPAA's ridiculous complaint seems to be that it doesn't like the content being made available on new devices without some sort of additional payment. But that's not the law, and it's certainly not copyright law. For years, we've known that it's legal to use other devices to access content -- the VCR and DVRs have both been declared legal. The MPAA's complaint here is basically that it doesn't like the fact that those court cases have gone against it, and it's trying to pretend they did not. There is no additional licensing that needs to be done to record TV or movies via a VCR or DVR, just as there is no additional licensing necessary here to make apps available on other devices. The licensed providers aren't doing anything different -- and the content is not going to any unauthorized party.

This is just the MPAA (and others) flipping out because they hate the idea that they're losing any amount of control.
