posted 19 days ago on techdirt
For years, one of the greasier lobbying and PR tactics by the telecom industry has been the use of minority groups to parrot awful policy positions. Historically, such groups are happy to take financing from a company like Comcast, in exchange for repeating whatever talking point memos are thrust in their general direction, even if the policy being supported may dramatically hurt their constituents. This strategy has played a starring role in supporting anti-consumer mega-mergers, killing attempts to make the cable box market more competitive, and efforts to eliminate net neutrality. The goal is to provide an artificial wave of "support" for bad policies, used to then justify bad policy votes. And despite this being something the press has highlighted for the better part of several decades, the practice continues to work wonders. Hell, pretending to serve minority communities while effectively undermining them with bad internet policy is part of the reason Comcast now calls top lobbyist David Cohen the company's Chief Diversity Officer (something the folks at Comcast hate when I point it out, by the way). Last week, we noted how Congress voted to kill relatively modest but necessary FCC privacy protections. You'd be hard pressed to find a single, financially-objective group or person that supports such a move. Even Donald Trump's most obnoxious supporters were relatively disgusted by the vote. 
Yet The Intercept notes that groups like the League of United Latin American Citizens and the OCA (Asian Pacific American Advocates) breathlessly urged the FCC to kill the rules, arguing that snoopvertising and data collection would be a great boon to low income families:
"The League of United Latin American Citizens and OCA – Asian Pacific American Advocates, two self-described civil rights organizations, told the FCC that “many consumers, especially households with limited incomes, appreciate receiving relevant advertising that is keyed to their interests and provides them with discounts on the products and services they use.”"
Of course, folks like Senator Ted Cruz then used this entirely-farmed support to insist there were "strenuous objections from throughout the internet community" at the creation of the rules, which simply wasn't true. Most people understood that the rules were a direct response to some reckless and irresponsible privacy practices at major ISPs -- ranging from charging consumers more to keep their data private, or using customer credit data to provide even worse customer support than they usually do. Yes, what consumer (minority or otherwise) doesn't want to pay significantly more money for absolutely no coherent reason? It took only a little bit of digging for The Intercept to highlight what the real motivation for this support of anti-consumer policies was:
"OCA has long relied on telecom industry cash. Verizon and Comcast are listed as business advisory council members to OCA, and provide funding along with “corporate guidance to the organization.” Last year, both companies sponsored the OCA annual gala. AT&T, Comcast, Time Warner Cable, Charter Communications and Verizon serve as part of the LULAC “corporate alliance,” providing “advice and assistance” to the group. Comcast gave $240,000 to LULAC between 2004 and 2012."
When a reporter asks these groups why they're supporting internet policies that run in stark contrast to their constituents' interests, you'll usually be met with either breathless indignation at the idea that these groups are being used as marionettes, or no comment whatsoever (which was the case in the Intercept's latest report). This kind of co-opting still somehow doesn't get much attention in the technology press or policy circles, so it continues to work wonders. And it will continue to work wonders as the administration shifts its gaze from gutting privacy protections to killing net neutrality.

posted 19 days ago on techdirt
As we've discussed for many years, Homeland Security and the Justice Department have convinced too many courts that there is some sort of 4th Amendment "exception" at the border, whereby Customs and Border Patrol agents (CBP) are somehow allowed to search through your laptops, phones, tablets and more just because, fuck it, they can. Now bipartisan pairs in both the Senate and the House have introduced a new bill that would require that CBP get a warrant to search the devices of Americans at the border. On the Senate side, the bill is sponsored by Senators Ron Wyden and Rand Paul, and in the House, it's Reps. Blake Farenthold and Jared Polis. Honestly, it's absolutely ridiculous that this kind of bill is even needed in the first place, because the 4th Amendment should just take care of it. But with DHS and the courts not properly appreciating the 4th Amendment's requirement for a warrant to do a search, here we are. Here's a short summary of the bill, which notes:
The government has asserted broad authority to search or seize digital devices at the border without any level of suspicion due to legal precedent referred to as the “border search exception” to the Fourth Amendment’s requirement for probable cause or a warrant. Until 2014, the government claimed it did not need a warrant to search a device if a person had been arrested. In a landmark unanimous decision, the Supreme Court (in Riley v. California) ruled that digital data is different and that law enforcement needed a warrant to search an electronic device when a person has been arrested. This bill recognizes the principles from that decision extend to searches of digital devices at the border. In addition, this bill requires that U.S. persons are aware of their rights before they consent to giving up online account information (like social media account names or passwords) or before they consent to give law enforcement access to their devices.
That last part is especially important, given how eager Homeland Security has been to start demanding social media passwords as you deplane. Unfortunately, the bill as written only applies to "US Persons" as defined here, meaning that it may not be of much help against a new DHS proposal, also revealed this week, to more aggressively pursue phone and social media searches of foreigners. This is a bad idea for a whole host of reasons we've already discussed, but the short version is that it's bad for security, it's bad for tourism, and it's bad for Americans' safety (because other countries will reciprocate). It's just a bad, bad idea. At the very least, this new bill would block this from happening to American citizens or otherwise legal aliens, but it should go much further. And, of course, who knows if this bill will get any traction, or get signed by the President.

posted 19 days ago on techdirt
Connecticut's legislature has managed to back into legalizing law enforcement use of weaponized drones. In writing a new drone law, lawmakers banned the use of weaponized drones, but made an exception for police. It's not a case of "Hey, let's give the cops weaponized drones!" as much as it is a case of not wanting law enforcement to be unable to have that option. As for how police will or won't be able to deploy weaponized drones, that's still up in the air (I am so sorry): Details on how law enforcement could use drones with weapons would be spelled out in new rules to be developed by the state Police Officer Standards and Training Council. Officers also would have to receive training before being allowed to use drones with weapons. All well and good, but police officers also receive training in things like civil liberties and proper force deployment, and we see daily how much good that has done. The more encouraging parts of the bill -- one that would see Connecticut join North Dakota in police use of weaponized drones -- are the reporting requirements and warrant stipulation. It would require police to get a warrant before using a drone, unless there are emergency circumstances or the person who is the subject of the drone use gives permission. It also would require police to report yearly on how often they use drones and why, and create new crimes and penalties for criminal use of drones, including voyeurism. Unfortunately, Connecticut's bill isn't as limited as North Dakota's. North Dakota's forbids the use of lethal weapons, but it's easy to see some less-than-lethal rounds becoming much more lethal when fired from a few hundred feet in the air. This bill would allow lethal force to be deployed from police drones. One lawmaker sees a pretty rosy future for airborne police weaponry. "Obviously this is for very limited circumstances," said Republican state Sen. 
John Kissel, of Enfield, co-chairman of the Judiciary Committee that approved the measure Wednesday and sent it to the House of Representatives. "We can certainly envision some incident on some campus or someplace where someone is a rogue shooter or someone was kidnapped and you try to blow out a tire."
The problem with tools like these is they lend themselves to mission creep and abuse. Certainly, no law enforcement agency wants to take home the record for "First Civilian Killed by a Drone," but once the seal's broken, lethal force becomes easier and easier to deploy. And it's not as though this is a necessary step to take. Law enforcement often complains about being left behind in the tech race, but it's not as though criminals are taking to the air and endangering citizens with weaponized drones. This would put the police ahead of everybody and move them one step closer to being a military force. And there's no warrant in existence that grants police the license to kill -- only to apprehend. But that might be good enough for airborne Drug Warriors, etc., who believe many criminal acts are punishable by death, should the suspect be unwilling to immediately surrender himself into custody. We've seen plenty of senseless death and destruction stemming from overuse of vehicle pursuits. This is the next step: flying guns shooting at suspects as they flee through "civilian" traffic. Law enforcement officers aren't great shots with both feet planted on the ground. Giving them a gun in the air is a bad idea.

posted 20 days ago on techdirt
For years now, we've written about the years-long effort, led by the MPAA and others, to put DRM directly into the standard for HTML5 (via "Encrypted Media Extensions" or EME), which continues to move forward with Tim Berners-Lee acting as if there's nothing that can be done about it. It appears that not everyone agrees. Unesco, the United Nations Educational, Scientific and Cultural Organization, has come out strongly against adding DRM to HTML5 in a letter sent to Tim Berners-Lee (found via Boing Boing).
... should Internet browsers become configured to work with EME to act as a framed gateway rather than serving as intrinsically open portals, there could be risks to Rights, to Openness and Accessibility. Primarily, there is the issue of the Right to seek and receive information. To date, most filtering and blocking of content has been done at the level of the network, whereas the risk now is that this capacity could also become technically effective at the level of the browser. With standardized EME incorporated in the browser, a level of control would cascade to the user interface level. This could possibly undercut the use of circumvention tools to access content that is illegitimately restricted. While a case can be made for exceptional limitations on accessing certain content, as per international human rights standards such as the International Covenant on Civil and Political Rights, the same human rights standards are clear that this should never be a default setting. Unfortunately, many instances of limitation of access are not legitimate in international standards as they do not meet the criteria of legality, necessity and proportionality, and legitimate purpose, and it would be regrettable if standardized EME could end up reinforcing this unfortunate situation.
One would hope that when even organizations like Unesco are speaking up, the W3C would take a step back from the ledge and reconsider its position.

posted 20 days ago on techdirt
For a long time now, "use a VPN" has been the default online privacy advice -- but is it really so effective? Following the recent VPN boom that came on the tails of Congress scrapping new ISP privacy rules, a few security experts have stepped forward to explain how VPNs aren't all they're cracked up to be, and that choosing and using one isn't as easy as many articles and social media posts suggest. Among them are this week's guests, Kevin Riggle (who provided a quick and dirty primer with the key suggestion that most people are safer not using a VPN) and Kenn White (who assembled a list of VPNs he deems "terrible," and not without good reason, recommending a roll-your-own solution instead). They join us to dig deeper into the reality of VPNs and hopefully help some people make better choices. Follow the Techdirt Podcast on Soundcloud, subscribe via iTunes or Google Play, or grab the RSS feed. You can also keep up with all the latest episodes right here on Techdirt.

posted 20 days ago on techdirt
I've got a deep dive story over at The Verge, taking an in-depth look at the fight over taking the Copyright Office out of the Library of Congress. I've written some about that here, but if you want to look at the full history of what's going on, and why this seemingly simple move could be a disaster for copyright on the internet, go take a read: Supporters of this bill (and there are many) argue that the location of the Copyright Office within the Library of Congress is merely an “accident of history,” brought about by the sixth Librarian of Congress, Ainsworth Rand Spofford, who wished to turn the dilapidated and often ignored Library of Congress into a world-class institution with a comprehensive collection of all American created works. Spofford realized that by housing the copyright registration function within the Library, it would mean that everyone wishing to obtain a copyright would have to send a deposit copy, and the Library’s collection would magically grow. The Copyright Act of 1870 made this arrangement the law. But the synergies between the Library and the Copyright Office go way beyond being merely a way to trick people into building the Library. Managing copyrights — effectively a giant database of creative works — is very much a librarian-centric job. Librarians are custodians of information, helping to catalog and organize it while also helping people research and find what they’re looking for. The Copyright Office today, like many old libraries, is filled with card catalogs. It also details why this is so important: Copyright itself has become a much bigger, and more important issue in the past few decades — in large part thanks to the rise of the internet, and the conflicts that arose because of it. In 1978 the copyright law in the US changed to a mandatory system, whereby any new and creative work was given automatic copyright — whether you wanted it or not — for your life plus another 70 years. 
Prior to that, the system had been opt-in only, where you had to register and follow certain formalities to obtain a copyright, which could, at a maximum, last 56 years. This massive expansion of what creative works were covered by copyright only slightly predated the rise of the greatest tool for the creation of new content ever known: the internet. And the internet exists because of computers, which are basically giant copying machines. Every time a song or photo or video is sent across the internet, a copy is made. A copyright system built for a different time, but massively expanded, ran headlong into a world of connected, copying computers, and a lot of lawyers have made a lot of money trying to adapt our copyright law to a culture-defining copying system. [....] The internet is an astoundingly great tool for distributing content. But it does that by copying content, and often stripping out the need for gatekeeper middlemen. And that certainly upset a number of industries whose entire business model was about playing the role of the gatekeeper, and extracting massive sums of money while determining who was allowed through. The internet made at least some of that obsolete, but in a way that just didn’t easily match up with copyright. And the Copyright Office, historically, has not welcomed the rise of the internet. Much of the leadership of the Copyright Office over the past few decades has come out of legacy industries — publishing, recorded music, movies — that had viewed copyright as a tool to serve a few big industries. The office has been accused of systemic bias from the revolving door of industry executives and lawyers going into the Office, or leaving the Office to go back to those same industries.
There's a lot more in the piece as well, including some discussion on the new Librarian of Congress effectively firing the Register of Copyrights, Maria Pallante.
I wrote the piece before also finding out about the massive failed IT project under Pallante, which provided an even greater rationale for the firing... and (importantly) much, much bigger reasons for Congress to reject this plan to effectively give more autonomy to the Copyright Office and to remove the oversight of the Librarian of Congress.

posted 20 days ago on techdirt
We've talked in the past about how government FOIA officers seem to really love exemption b(5) which covers "inter-agency or intra-agency memorandum or letters which would not be available by law to a party other than an agency in litigation with the agency." But, in my experience, I've seen a ton of the next exemption: the b(6) exemption, often called the "privacy exemption." Officially, the law (5 USC 552(b)(6)), says only that "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." That seems like a perfectly reasonable exemption. Even if it is part of a government discussion, we don't want the government revealing medical files or something of a similar nature. But, over the years, this has gotten abused in weird ways, such as the time a FOIA officer used b(6) to redact Beyonce's name in a FOIA request about Beyonce. Really. However, now I think we've seen the b(6) exemption to end all b(6) exemptions. This came to investigative reporter David Sirota, who filed a FOIA request to find out about emails between Makan Delrahim and employees of the DOJ's antitrust division. This is potentially useful info, because Delrahim was just nominated to head that very division. But, more importantly, Delrahim has been a powerful lobbyist for Anthem who tried to help it get its merger with Cigna approved -- an effort that just recently failed in court, but may have another chance with Delrahim in a position of power. Thus, Sirota made a fairly standard FOIA request for communications between Delrahim and the DOJ's antitrust division during the time that he was working as a lobbyist for Anthem. 
And, stunningly, the DOJ came back with a Glomar response (you know, the infamous "we can neither confirm nor deny...."), pointing to b(6) as the reason why (along with b(7)(C) which is for records that "could reasonably be expected to constitute an unwarranted invasion of personal privacy" -- kind of a repeat of b(6), really). If you can't read that, the key paragraph notes: Please be advised that we can neither confirm nor deny the existence of records responsive to your request. If records did exist, acknowledging communications between Antitrust Division employees and private individuals without their consent would constitute a clearly unwarranted invasion of personal privacy, and could reasonably be expected to constitute an unwarranted invasion of their personal privacy. Such information is, accordingly, exempt from public discourse in accordance with 5 U.S.C. §§(b)(6) and (7)(C) This is... wrong. That's not even remotely close to how those exemptions work. Tons of FOIA requests to the government regularly turn up emails from private individuals. To say that merely confirming or denying the existence of such records would violate privacy under FOIA is laughable. The FOIA glomar rejection letter is signed by Sue Ann Slates, who is the chief of the FOIA unit at the DOJ's antitrust division, and has been for years. But it literally took me less than 5 minutes to find an example of Slates signing off on FOIA responses that include tons of personal emails from private individuals. Notice, that one (more properly) notes that some portions of the emails may be redacted under (b)(6), but certainly not any admission that such emails exist. Hell, within that very FOIA response, there's this: That's an email header revealing a bunch of emails, both of government officials and private individuals. Such revelations in FOIA responses are quite common. 
Revealing the simple fact that Delrahim -- as a lobbyist working on antitrust issues -- might have emailed the DOJ's antitrust division (where he also used to work) is in no way the kind of "privacy violation" that is intended under FOIA's exemptions against revealing "personnel and medical files." I don't know if Sirota is intending to appeal or file a lawsuit over this, but it feels like, once again, we have FOIA officials abusing their power to avoid responding to legitimate FOIA requests and hiding behind incredibly expansive interpretations of FOIA exemptions.

posted 20 days ago on techdirt
Whether you're an old pro looking to keep up to date or a newbie just starting out, the Essential JavaScript Coding Bundle has you covered. For $25, you get 15 courses spanning everything from the basics of building a simple game to more advanced subjects like data visualization. You will build professional-looking websites with Bootstrap and Angular, learn about JavaScript libraries such as D3.js, develop mobile apps using Angular and Ionic, and much more. Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

posted 20 days ago on techdirt
Canadian law enforcement brought down a massive criminal conspiracy. Now, thanks to information it doesn't want to release to the court, most of what was brought down will be re-erected by the suspects it's cutting loose. (h/t Techdirt reader Pickle Monger)
Thirty-five people accused of serious crimes like kidnapping and drug trafficking saw the cases brought against them in a major RCMP investigation into the Montreal Mafia dropped on Tuesday because the Crown no longer wants to prosecute them. The Crown’s sudden change of stance in an investigation dubbed Project Clemenza meant there are only 11 accused left with cases pending following three series of arrests made between 2014 and May last year. Federal prosecutor Sabrina Delli Fraine informed Quebec Court Judge Lori Renée Weitzman of the Crown’s position during a hearing at the Montreal courthouse.
One of the defendants released is believed to be one of the leaders of the Montreal Mafia (which sounds like a Chicago mob farm team). The suspects were snared through the interception of communications, many of which appeared to originate on BlackBerry phones. As was covered here a year ago, the RCMP used a built-in BlackBerry "feature" to intercept and decrypt over "one million messages" during its investigation of a Mafia killing. Here's the key part of the interception effort:
The RCMP maintains a server in Ottawa that "simulates a mobile device that receives a message intended for [the rightful recipient]." In an affidavit, RCMP sergeant Patrick Boismenu states that the server "performs the decryption of the message using the appropriate decryption key." The RCMP calls this the "BlackBerry interception and processing system."
This is part of the reason these Mafia defendants are seeing their charges dropped. The RCMP does not want to publicly discuss its BlackBerry interception methods. The other reason has to do with how the RCMP tracked down the phone numbers it wanted to intercept.
The RCMP used a mobile device identifier and Stober ordered that the Crown disclose information like the device’s signal strength and its potential impact on a BlackBerry's ability to make or receive phone calls while text messages are being intercepted from it.
This would likely be RCMP Stingray devices. Just like here in the US, Canadian law enforcement would rather see perps walk out of courtrooms than turn over information on interception efforts to defendants. This is the largest of the RCMP's catch-and-release efforts, but it isn't the first. The National Post points out a similar dumping of defendants occurred last year for the same reason.
The Crown apparently does not want to disclose the investigative techniques used with the device. Last year, it did an about face in a murder trial and six men who were about to go on trial for the first-degree murder of Mafioso Salvatore Montagna were able to plead guilty to the lesser charge of conspiracy to commit murder.
At least in that case, law enforcement still ended up with a few convictions -- albeit on charges lower than what it had hoped to obtain going in. Cell tower spoofers are resulting in a lot of contradictory law enforcement behavior. Cops say they don't want to turn over info on Stingrays to public records requesters for "public safety" reasons, claiming it could compromise methods and techniques and allow criminals to stay out of their reach. They make the same claims in court when refusing to turn over information to defendants, which results in freshly-caught criminals being put back on the streets -- something that certainly doesn't make the public any safer.

posted 20 days ago on techdirt
Large ISPs like AT&T, Verizon and Comcast spent a significant part of Friday trying to convince the press and public that they didn't just screw consumers over on privacy (if you've been napping: they did). With the vote on killing FCC broadband privacy protections barely in the books, ISP lobbyists and lawyers penned a number of editorials and blog posts breathlessly professing their tireless dedication to privacy, and insisting that worries about the rules' repeal are little more than "misinformation." All of these posts, in lock step, tried to effectively make three key arguments: that the FTC will rush in to protect consumers in the wake of the FCC rules being repealed (not happening), ISPs don't really collect much data on you anyway (patently untrue), and that ISPs' lengthy, existing privacy policies and history of consumer respect mean consumers have nothing to worry about (feel free to pause here and laugh). For more than a decade, large ISPs have used deep-packet inspection, search engine redirection and clickstream data collection to build detailed user profiles, and their longstanding refusal to candidly talk about many of these programs should make their actual dedication to user privacy abundantly clear. Yet over at Comcast, Deputy General Counsel & Chief Privacy Officer Gerard Lewis spent some time complaining that consumer privacy concerns are little more than "misleading talk" and "misinformation and inaccurate statements": "There has been a lot of misleading talk about how the congressional action this week to overturn the regulatory overreach of the prior FCC will now permit us to sell sensitive customer data without customers’ knowledge or consent. This is just not true. In fact, we have committed not to share our customers’ sensitive information (such as banking, children’s, and health information), unless we first obtain their affirmative, opt-in consent." 
So one, the "commitment" Comcast links to in this paragraph is little more than a cross-industry, toothless and voluntary self-regulatory regime that means just a fraction more than nothing at all. And while Comcast insists it doesn't sell its broadband customers' "individual web browsing history" (yet), they do still collect an ocean of other data for use in targeted ads, and there's really little stopping them from using your browsing history in this same way down the road -- it may not be "selling" your data, but it is using it to let advertisers target you. Comcast proceeds to say it's updating its privacy policy in the wake of the changes -- as if such an action (since these policies are drafted entirely to protect the ISP, not the consumer) means anything at all. Like Comcast, Verizon's blog post on the subject amusingly acts as if the company's privacy policy actually protects you, not Verizon: "Verizon is fully committed to the privacy of our customers. We value the trust our customers have in us so protecting the privacy of customer information is a core priority for us. Verizon’s privacy policy clearly lays out what we do and don’t do as well as the choices customers can make." Feel better? That's the same company, we'll note, that was caught covertly modifying user data packets to track users around the internet regardless of any other data collected. That program was in place for two years before security researchers even noticed it existed. It took another six months of public shaming before the company even provided the option for consumers to opt out. Verizon's own recent history makes it clear its respect for consumer privacy is skin deep. And again, there's nothing really stopping Verizon from expanding this data collection and sales down the road, and burying it on page 117 of its privacy policy. 
AT&T was a bit more verbose in a post over at the AT&T policy blog, where again it trots out this idea that existing FTC oversight is somehow good enough: "The reality is that the FCC’s new broadband privacy rules had not yet even taken effect. And no one is saying there shouldn’t be any rules. Supporters of this action all agree that the rescinded FCC rules should be replaced by a return to the long-standing Federal Trade Commission approach. But in today’s overheated political dialogue, it is not surprising that some folks are ignoring the facts." So again, the FTC doesn't really have much authority over broadband, and AT&T forgets to mention that its lawyers have found ways to wiggle around what little authority the agency does have via common carrier exemptions. And while AT&T insists that "no one is saying there shouldn't be any rules," its lobbyists are working tirelessly to accomplish precisely that by gutting both FTC and FCC oversight of the telecom sector. Not partially. Entirely. Title II, net neutrality, privacy -- AT&T wants it all gone. Its pretense to the contrary is laughable. Like the other two providers, AT&T trots out this idea that the FCC's rules weren't fair because they didn't also apply to "edge" companies like Facebook or Google (which actually are more fully regulated by the FTC). That's a flimsy point also pushed by an AT&T and US Telecom Op/Ed over at Axios, where the lobbying group's CEO Jonathan Spalter tries to argue that consumers shouldn't worry about ISPs, because their data is also being hoovered up further down the supply chain: "Your browser history is already being aggregated and sold to advertising networks—by virtually every site you visit on the internet. Consumers' browsing history is bought and sold across massive online advertising networks every day. This is the reason so many popular online destinations and services are "free." 
And, it's why the ads you see on your favorite sites—large and small—always seem so relevant to what you've recently been shopping for online. Of note, internet service providers are relative bit players in the $83 billion digital ad market, which made singling them out for heavier regulations so suspect." Again, this quite intentionally ignores the fact that whereas you can choose to not use Facebook or Gmail, a lack of competition means you're stuck with your broadband provider. As such, arguing that "everybody else is busy collecting your data" isn't much of an argument, especially when "everybody else" is having their behaviors checked by competitive pressure to offer a better product. As well-respected security expert Bruce Schneier points out in a blog post, these companies desperately want you to ignore this one, central, undeniable truth: "When markets work well, different companies compete on price and features, and society collectively rewards better products by purchasing them. This mechanism fails if there is no competition, or if rival companies choose not to compete on a particular feature. It fails when customers are unable to switch to competitors. And it fails when what companies do remains secret. Unlike service providers like Google and Facebook, telecom companies are infrastructure that requires government involvement and regulation. The practical impossibility of consumers learning the extent of surveillance by their Internet service providers, combined with the difficulty of switching them, means that the decision about whether to be spied on should be with the consumer and not a telecom giant. That this new bill reverses that is both wrong and harmful." This lack of competition didn't just magically happen. 
As in other sectors driven by legacy turf protectors, the same ISP lobbyists that just gutted the FCC's privacy rules have a long and proud history of dismantling competitive threats at every conceivable opportunity, then paying legislators to look the other way. That includes pushing for protectionist state laws preventing towns and cities from doing much of anything about it. It's not clear who these ISPs thought they were speaking to in these editorials, but it's certainly not to folks that have actually paid attention to their behavior over the last fifteen years. The EFF, meanwhile, concisely calls these ISPs' sudden and breathless dedication to privacy nonsense: "There is a lot to say about the nonsense they've produced here," said Ernesto Falcon, legislative counsel at EFF. "There is little reason to believe they will not start using personal data they've been legally barred from using and selling to bidders without our consent now. The law will soon be tilted in their favor to do it." Gosh, who to believe? Actual experts on subjects like security or privacy, or one of the more dishonest and anti-competitive business sectors in American industry? All told, you can expect these ISPs to remain on their best behavior for a short while for appearances' sake (and because AT&T wants its Time Warner merger approved) -- but it's not going to be long before they rush to abuse the lack of oversight their campaign contributions just successfully created. Anybody believing otherwise simply hasn't been paying attention to the laundry list of idiotic ISP actions that drove the FCC to try and pass the now-dismantled rules in the first place.

posted 20 days ago on techdirt
A recurrent theme here on Techdirt has been the way in which the West has ceded the moral high ground in so many areas involving the tech world. For example, in 2010, we noted that the US had really lost the right to point fingers over Internet censorship. The moral high ground on surveillance went in 2013 for people, and in 2014 for economic espionage. Meanwhile, the UK has been shown to be as bad as the most disreputable police states in its long-running blanket surveillance of all its citizens. The UK's most recent move to cast off any pretense that it is morally superior to other "lesser" nations is the Investigatory Powers Act, which formalizes all the powers its intelligence services have been secretly using for years. One of the most intrusive of those is the power to carry out what is quaintly termed "equipment interference" -- hacking -- anywhere in the world. That means it certainly won't be able to criticize some new rules in China, spotted by the Lawfare blog: The regulations seem to authorize the unilateral extraction of data concerning anyone (or any company) being investigated under Chinese criminal law from servers and hard drives located outside of China. Article 9 of the 2016 regulations provides that the police or prosecutors may extract digital data from original storage media (e.g., servers, hard drives) that are located outside of mainland China (i.e., including servers in Hong Kong, Macau, and Taiwan) "through the Internet" and may perform "remote network inspections" of such computer information systems. Remote network inspections are helpfully defined, in Article 29, as "investigation, discovery, and collection of electronic data from remote computer information systems related to crime through the Internet." The only caveat to this grant of authority is a requirement that investigations be subject to "strict standards." No guidance is provided as to what "strict" means. 
On its face, the regulation indicates that Chinese officials have authorization to remotely search or extract data anywhere in the world, subject only to the limitations of [China's] domestic law. If the idea of Chinese government agents hacking into your computer doesn't appeal, well, tough luck: the West is doing it too, so there's really nothing governments there can say that isn't deeply hypocritical. That won't stop them, of course, and it may lead to some nasty international name-calling that could escalate dangerously. The fact that pretty much all the main players are hacking everyone else like crazy is yet another argument for not weakening encryption anywhere. However much certain politicians might want magic crypto systems that only let in the good guys and always keep out the bad guys -- perhaps by invoking the necessary hashtags -- they simply don't exist. Moreover, the supposedly clear-cut distinction between good guys and bad guys has been blurred so completely by decades of the West losing the moral high ground here that it's not a very useful way of framing things anyway. Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

posted 20 days ago on techdirt
No technology is perfect and facial recognition software is obviously no exception. But whereas law enforcement groups use this flawed technology in too many instances, device manufacturers are beginning to ship out security features that rely on facial recognition software almost ubiquitously. Many might look at this modern technology and imagine defeating it and logging into another person's phone would resemble some kind of Mission Impossible style convolution. Sadly, as proven again recently with the release of Samsung's Galaxy S8, defeating the security feature is laughably simple. With the public's first exposure to the Galaxy S8 happening a few days ago, it was only a matter of time until one of these biometric solutions had some holes poked in it. One of those holes is that Galaxy S8's face recognition can be tricked with a photo. At least this is what a video from Spanish Periscope user Marcianophone purports. About 6 minutes into the 40-minute Spanish-language video, you can see the attendee take a selfie with his personal phone, then point it at the Galaxy S8, which is trained to unlock with his face. It only takes a few minutes of fiddling before the Galaxy S8 gives in and unlocks with just a picture, moving from the "secure" lock screen right to the home screen. Once the user dials in his technique, he shows the trick is easily repeatable. This trick actually goes back quite a ways to earlier versions of the Android OS. Google had attempted to defeat this workaround by requiring users to blink during the facial recognition scan. That was almost immediately defeated by phone-breakers having to have two pictures instead of one, including one with the person's eyes closed, and then switching between pictures during the scan. If you aren't laughing as you're picturing this in your head, your sense of humor is broken, because it's fairly hilarious. Less funny is the obvious question: why bother with this stuff at all if it's so easily defeated? 
Samsung, to its credit, doesn't allow facial recognition to authorize Samsung purchases. If it's not good enough for that, why should it be good enough to serve as a locking mechanism for the phone at all? The underlying problem isn't any one vendor's implementation so much as the approach: a check that has nothing to go on but the image from an ordinary camera cannot reliably tell a face from a photograph of one, and any "liveness" test layered on top of it (blink, turn your head) is just another picture the attacker can prepare in advance. Other locks, including other biometric locks, perform far better. Maybe it would be best to table this security feature until it's, you know, secure.

posted 21 days ago on techdirt
If you're of a certain age, you will remember the derision with which video games as an entertainment industry were met some time ago. While many of the claims about gaming encountered during that time, such as the impact of violent games on young minds or the assured claims that playing games would rot the brains of young people who played them, please understand how much louder that silliness was shouted years back. I can personally recall my own father insisting that if I played video games, I would end up having oatmeal for brains. Good one, Dad, except I played them anyway and now I'm a real-life grown-up with a family and two jobs and a house and all that jazz. Jazz, of course, being a previous receptacle for many of these same claims, but I digress. Less vociferous have been those on the other side of the "video games will rot your brain" position, but reverse claims do exist. Some have posited that there could actually be benefits to playing video games, from instilling in players a baseline sense of achievement, improving cognitive ability, or preparing them to be better at business than they would be otherwise. And now a recent study suggests that simple video games may in fact be useful therapeutically for those who have suffered trauma or addiction. Researchers report that Tetris—a classic game that takes hold of spatial and visual systems in the brain as players align irregular polygons—seems to jumble the mind’s ability to process and store fresh traumatic memories. Those improperly preserved memories are subsequently less likely to resurface as intrusive, distressing flashbacks, which can contribute to post-traumatic stress disorder, depression, complicated grief, and other mental health issues. For those struggling with cravings or addiction, other research has found that Tetris’ mental grasp can also diminish the intensity of hankerings and help game players fight off real-life dependencies. 
Though the conclusions are based on small studies in need of repeating and further investigation, one thing is clear: the potential video-game therapy has scant side-effects and potential harms. Twenty minutes of Tetris is just good fun, if nothing else. As the article states, more research needs to be done before the American Medical Association begins prescribing Tetris to heroin addicts and victims of car accidents, but the limited studies show rather striking results. In the UK, 71 real-world patients who had been in traumatic vehicle accidents were asked to play 20 minutes of Tetris while at the hospital, while the control group simply logged what would be their normal activity during their stay. Those who played the game reported nearly two-thirds fewer incidents of flashbacks or PTSD. The theory is that playing the game works within the brain to suppress traumatic memory of these incidents, memories that are not useful in a therapeutic sense. When the researchers checked back a month later, the experimental and control groups had similar mental health scores, once the game playing had ceased. Keep in mind we're talking about 20 minutes of play during the hospital stay. As for its impact on addiction, the results for playing Tetris were more muted, but still substantial. In late 2015, a group of English and Australian researchers reported that playing Tetris could dampen cravings for addictive substances, such as nicotine, alcohol, and drugs, as well as other vices, such as food and sex. The study, published in Addictive Behaviors, followed 31 undergraduate volunteers who carried around iPods for a week and filled out surveys seven times a day about their cravings. Fifteen of the participants also got to play three minutes of Tetris after the surveys, then report on their cravings again. When the week was up, the researchers found that playing Tetris consistently reduced craving strength by 13.9 percent—about a fifth. 
That, the authors explained, could be just enough for people to ignore those cravings and avoid their vice. The researchers again hypothesized that the game’s ability to seize visual and spatial processing in the brain is key to the health benefits. In this case, addiction and cravings are often driven by visual fantasies of having that drink, drug, or what-have-you, the authors explained. As already stated, more studies need to be done before drawing any firm conclusions, but it seems clear that despite all the shouting about the horror of playing video games and its impact on the brain, the flipside to that might actually be true. And then, finally, perhaps the world can move on to its next moral panic.

posted 21 days ago on techdirt
FOIA clearinghouse MuckRock has been on the receiving end of government antipathy before. Local government agencies aren't happy the service is able to work around location restrictions by offering proxies for out-of-state requesters. So far, this hasn't done much to slow the flow of public records to MuckRock. MuckRock users have been thwarted individually, mainly with FOIA fee requests ranging from $270,000 to $660 million. Various agencies have also cut MuckRock out of fee exemptions, claiming the service just isn't journalistic enough to avail itself of fee waivers. Dell Cameron of the Daily Dot reports a federal agency has decided to screw MuckRock users by making it more difficult to make requests. It's not one of the expected enemies of transparency, however. It's one that's been historically very easy to work with. The National Aeronautics Space Administration has begun rejecting public records requests from users of FOIA request-filing service MuckRock, which doesn’t provide what the agency calls a “personal mailing address,” even though the requirement appears to have no basis under the law. This came in response to the Daily Dot's request for documents related to President Trump's "media blackout" order, where federal agencies were told to route everything -- including social media posts -- through the administration. In its denial of the Daily Dot's request, NASA specifically called out the FOIA clearinghouse as somehow being in violation of nonexistent FOIA requirements. Last week, following nearly two months of back and forth, NASA formally denied the Daily Dot access to any records—which may or may not exist—related to White House decrees affecting its use of social media and other forms of communication. The request, filed less than a week after Trump’s inauguration, was sent using MuckRock’s online submission system and contained MuckRock’s mailing address. 
“Please be advised, that everyone submitting a FOIA Request via Muckrock, who are not a staff members [sic] must provide their personal mailing address when submitting a requests [sic],” NASA’s FOIA officer, Josephine Shibly, wrote in a letter to the Daily Dot on March 10. This rejection -- with its nod toward nonexistent policies NASA's FOIA team apparently believes exist -- followed a few rounds of discussion between the website and NASA, in which the agency criticized the scope of the original request. It claimed digging up files related to Trump's "media blackout" would force agency personnel to engage in "mindreading" and was not willing to aid journalistic agencies in "fishing expeditions." Its worst argument was that the documents weren't of sufficient public interest to expedite handling. This new antipathy towards FOIA requesters is due to administrative meddling. Any science-related agency seems to have obtained an overseer to ensure their messages align with the White House's talking points. This appears to have been extended to cover public records requests. Between the terse communications with the Daily Dot and the blanket, baseless demand for requesters' home addresses -- but only if the request is routed through MuckRock -- the federal government appears poised to top the transparency lows of the Obama era, albeit without the self-congratulatory proclamations of unprecedented openness.

posted 21 days ago on techdirt
Roughly a year ago, a Canadian court ruled that Vice Media must turn over conversations one of its journalists had with an alleged terrorist to the Royal Canadian Mounted Police. The ruling created a chilling effect, carving a hole in journalistic protections in favor of national security concerns. Not only would it deter journalists from speaking to sources who might, at some point in the future, face criminal charges, but it also would deter sources from speaking to journalists for fear their cover might be blown by law enforcement court orders. Vice appealed the decision. Unfortunately, there's no better news awaiting them at the Ontario Court of Appeals. Elizabeth Raymer of Legal Feeds reports the higher court has upheld the previous ruling. The Court of Appeal for Ontario has upheld a production order requiring a journalist to hand over all his communications with a man charged with terrorism-related offences. Journalist and civil liberties organizations have called the decision a blow to reporters' abilities to protect their sources and publish stories in the public interest. The Appeals Court weighed the competing issues -- journalistic protections vs. law enforcement needs -- and decided it was a toss-up. “A free and vigorous press is essential to the proper functioning of a democracy,” Justice David Doherty of the Ontario appellate court acknowledged at the start of his judgment. “The protection of society from serious criminal activity is equally important to the maintenance of a functioning democracy. Those fundamental societal concerns can come into conflict. When they do, it falls to the court to resolve those conflicts. In this case, claims based on the freedom of the press and those based on effective law enforcement collide at two points.” But in the event of a tie, the win goes to law enforcement apparently. From the decision [PDF]: After a careful consideration of the entirety of the record before him, the application judge concluded, at para. 
47: I am satisfied that the ITO set forth a basis upon which, after taking into account the special position of the media, the authorizing justice could have determined that the balance between the interests of law enforcement and the media’s right to freedom of expression favoured making the production order. The reasons of the application judge reveal no misapprehension of the evidence, no failure to consider factors relevant to his assessment, or any other form of extractable legal error. It was reasonable, on this record, to find the balancing of the competing interests favoured making the production order. Vice's attempt to quash the production order has been denied. Barring an appeal to the Supreme Court, the RCMP will get their man['s communications]… and encroach a bit further on press protections.

posted 21 days ago on techdirt
Previously unreleased documents acquired by Techdirt show, fairly conclusively, that Congress will be making a huge and dangerous mistake if it moves forward with changing how the head of the Copyright Office is appointed. And despite the fact that the RIAA & MPAA are eagerly supporting this change, the people it will hurt the most are content creators. Because the Copyright Office is basically incompetent when it comes to modernizing its technology. That's what was found by a thorough (but not publicly released) Inspector General's report, detailing how the Copyright Office not only threw away $11.6 million on a new computer system that it said would cost $1.1 million, but also lied to both Congress and the Library of Congress about it, pretending everything was going great. In reality the project was a complete and utter disaster. It was put together by people who seemed to have no clue how to manage a large IT project, and there was basically zero effort to fix that along the way. After literally wasting $11.6 million on nothing, the entire project was scrapped in October of last year. The timing here is important. October is when Carla Hayden reassigned Maria Pallante, effectively firing her. Pallante had led the Copyright Office since 2011 (soon after the big project began), so she was in charge through the vast majority of this disastrous project. While legacy copyright folks tried to spread evidence-free conspiracy theories about why Hayden fired Pallante, it seems a lot more likely that it was because Pallante had overseen a project that flat out wasted $11.6 million, and during the course of the project the Copyright Office repeatedly lied to the Library of Congress about its status. But here's the astounding thing. Congress is trying to reward the Copyright Office for this scandal, and give it more power and autonomy despite this absolute disaster. Perhaps because, until now, the Copyright Office has been successful in keeping this whole thing hidden. 
As we've mentioned, Congress is effectively trying to move the Copyright Office out of the Library of Congress by having the new Register of Copyright (who heads the Office) be appointed by the President and approved by the Senate (i.e., making it a political appointee), rather than be appointed by the Librarian of Congress as has been the case since the creation of the Copyright Office. One of the key arguments in favor of this is that the Copyright Office is woefully behind on technology, and needs to be modernized. Almost exactly two years ago, a fairly scathing report from the GAO came out about the lack of leadership on IT issues from then-Librarian of Congress James Billington. Thankfully, Billington is gone and Carla Hayden is in charge now -- and she actually has a history of modernizing a library. Reports from folks at the Library say that Hayden has moved quickly to establish a real modernization plan for the entire Library, including the Copyright Office, and that those efforts are already starting to move forward. And that's got to be better than giving the Copyright Office autonomy to modernize itself. As we're releasing here for the very first time publicly, an Inspector General's report looking at various IT projects related to the Library of Congress is absolutely devastating in revealing how incompetent the Copyright Office is at modernizing itself. Specifically, in 2010, the Copyright Office asked for $1.1 million it said it would need to build its Electronic Licensing System (eLi). Just about everything turned out to be a complete disaster and a waste of money. From the executive summary of the report: [The Copyright Office] did not follow sound [Systems Development Life Cycle -- SDLC] methodologies which resulted in it scrapping the eLi project development after six years and $11.6M in project expenditures. The eLi project began in 2010 with a budget approval of $1.1M, and increased to approximately $2M for full implementation in 2012. 
Ultimately Copyright spent over $11.6M through 2016 when it decided to terminate the contracts and abandon development activities. During that six-year period, Copyright continued to report in eLCplans (the Library's performance management system) that eLi development was occurring near or on schedule. Again, this is horrifying. Not only did it waste more than 5x what it had been given budget approval for, and not only did it end up with nothing to show for all this money, it also lied about how the project was going so those in the Library of Congress had no idea that the Copyright Office was basically lighting money on fire. It also appears that because of this, the Copyright Office misrepresented what was happening to Congress in its annual budget requests. From the report: Copyright executives at that time did not disclose in the Library's performance management system (eLCplans) and annual Congressional Budget Justifications the magnitude of issues and cost overruns related to the project. As a result, Congress and Library executives did not have adequate information to timely act on and address the issues. Again, forget those conspiracy theories about Pallante getting fired. Lying to your bosses in your annual budget requests about the status of a massive technology project that was way behind and way over budget certainly seems like a fireable offense. A big part of the problem? What appears to be near-total incompetence by the Copyright Office in putting together and managing the project. The USCO project management team did not demonstrate effective, proactive project cost management practices. Over the six-year development period, USCO project management expended $11.6 million in vendor costs. The USCO project management team received specific funding for approximately $1.9 million in the first two years of the project. 
USCO project management did not update project budgets for the subsequent six years of development activity, nor perform an analysis of estimated cost overruns. Subsequent development funding activities occurred, inconsistent with initial funding requests. As discussed below, the USCO had no management body to evaluate and approve additional funding requests in conjunction with experienced development delays, analyses, and recommended courses of actions. Additionally, the USCO did not have an oversight body with authority to halt project activities based on cost overruns, delivery delays, and/or lack of functionality until appropriate remediation plans or project management structure was in place. Basically, the ship was almost entirely rudderless when Pallante was in charge. Ask for $1.9 million, spend $11.6 million -- without getting a working system -- and no one seemed to check on any of it. According to the report, the most basic project management concepts were completely lacking at the Copyright Office. Pages 26 through 28 of the document embedded below should elicit gasps from anyone who's done any kind of project management. I won't detail all of it, but here are just a few highlights: No monitoring of the project schedule No project budget approval process at all No periodic reviews to see if things were on schedule and within budget No project management framework at all No comprehensive project management plan for the execution and monitoring of the project. 
No official tracking of scope and schedule changes No documentation of departures from planned schedule No plan for what staffing was needed for the project No analysis of alternatives No system requirements baseline No system development plan No requirements for best practices, customer oversight or acceptance of the vendor No technical requirements to ensure user functionality given to the vendor No details on deliverables given to the vendor (seriously -- no requirements to hand over the code or any documentation) No review criteria No defined technical framework No security testing And, again, that's just some of the problems listed in the document. There are more. Rather than admit any of that, the Copyright Office under Pallante pretended each year that everything was moving ahead without a problem. The report includes the comments that the Copyright Office gave to the Library of Congress each year for its Congressional Budget Justification regarding the system: If you can't see that, basically every year all the Copyright Office said was "licensing will continue implementing and refining the reengineered processes and system" (or, in the past two years, that "licensing will continue to work toward a fully automated system for receiving and examining Statements of Account"). This despite the fact that the project was way over budget and apparently totally non-functional. The report also includes the Copyright Office's internal reporting to the Library, in which it needed to give a status report in one of three color codings: green if the project was on-track, amber if it was behind target but adjustments could result in accomplishing the plan on time, and red if it would not meet the annual target. Given what we know now, these should have been red every year. Instead... in 2011, 2013, and 2015 the Copyright Office reported "green." In 2012 it reported "amber." 
In 2010, 2014, and 2016 the Copyright Office didn't even bother to report on this project status at all. The most amazing thing here is that Pallante wasn't fired years ago for this complete disaster of a project. But the more important question right now is why would Congress be looking to give the Copyright Office more autonomy when it's quite clear that the Office has absolutely no competency when it comes to modernizing its system, and there has been a six-year pattern of throwing away money without a properly managed plan and a longstanding practice of lying about it to Congress itself? Last week, despite all of this, nearly the entire House Judiciary Committee voted to let this happen, and all I can ask is what were they thinking? Why is Congress -- and Reps. Bob Goodlatte and John Conyers in particular -- rewarding this behavior?

posted 21 days ago on techdirt
Help to protect your privacy with an unlimited subscription to TigerVPN for only $29. You gain access to 15 VPN nodes spread across the globe, and TigerVPN gives you the freedom of protocol choice, including OpenVPN, L2TP, IPSec, and PPTP. Treat PPTP as a compatibility option only: its MS-CHAPv2 authentication has been publicly broken, so pick OpenVPN or IPsec if privacy is the point. They feature native apps for Android, iOS, and Windows, and you can have up to 2 active connections running simultaneously. Learn a bit more about TigerVPN's policies and practices in TorrentFreak's 2015 VPN review survey. Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

posted 21 days ago on techdirt
The DOJ is attempting to prosecute the creator of a remote access tool -- not because he used it for nefarious purposes -- but because it can be (and has been) used by criminals. Kevin Poulsen has the whole bizarre story at The Daily Beast -- one that involves a 26-year-old programmer and the remote administration tool (RAT) he created and sold. Taylor Huddleston, creator of NanoCore, a RAT that has been linked to intrusions in ten countries, had his home raided by FBI agents on December 6th. The 14-page indictment paints Huddleston as a willing accomplice -- someone who sold his product to bad people to do bad things. But the facts of the case -- things that can be proven with forum chat logs and Huddleston's proactive efforts to prevent his RAT from being abused -- disagree with the government's narrative. NanoCore does all the things an administrative tool is expected to do, including keylogging and granting control to remote administrators. But Huddleston claims he created the tool to be a low-cost solution for cash-strapped businesses and small government agencies. His actions appear to back up the claims that he never intended this to be a plaything for criminal hackers. While Huddleston did debut and offer his product for sale at HackForums -- hardly the best marketplace if one wants to be seen as purely innocent -- he took corrective actions and issued strict warnings about illegal deployment. [H]uddleston found himself routinely admonishing people not to use his software for crime. “NanoCore does not permit illegal use,” he wrote in one post. In another, “NanoCore is NOT malware. It is intended to be used legitimately and I don’t want to see words like ‘slave’ and ‘infect.’” Huddleston backed his words with action. Whenever he saw evidence that a particular buyer was using the product to hack, he’d log in to Net Seal and disable that user’s copy, cutting the hacker off from his infected slaves. Net Seal is another of Huddleston's creations. 
It allows users to protect their IP by allowing them to shut down questionable copies of their software -- like copies purchased with stolen credit cards. Oddly enough, this IP protection tool is also named in the indictment as more evidence of Huddleston's criminal intent. “Net Seal licensing software is licensing software for cybercriminals,” the indictment declares. For this surprising charge—remember, Huddleston use the licenses to fight crooks and pirates—the government leans on the conviction of a Virginia college student named Zachary Shames, who pleaded guilty in January to selling hackers a keystroke logging program called Limitless. Unlike Huddleston, Shames embraced malicious use of his code. And he used Net Seal to protect and distribute it. That ridiculous claim shows how far the government is willing to go to pin the bad deeds of criminals it can't catch on the creator of the software they're abusing. But the government has to show Huddleston created the software with the intent that it be used for criminal activity. That's going to be extremely tough to prove. So, it looks like the government's hoping to turn Huddleston into a cooperative witness or pressure him into a plea deal that will prevent it from having to climb this evidentiary mountain. One of the tools at the government's disposal is particularly nefarious. Huddleston wrote and sold software to get his head above water financially. The small amount of money he made from selling Net Seal and NanoCore (he fully divested his ownership of the latter late last year for a whole $5,000) allowed him to purchase a very modest $60,000 house for him and his girlfriend. The government wants to seize the house, claiming it was purchased with the proceeds of illegal activity. But it has yet to prove the sale of these two tools was a criminal act in and of itself. 
The horrible thing about forfeiture is the government can uncouple this from the prosecution and file an administrative claim which would place Huddleston's new home in its hands and shift the burden of proof to the indicted programmer. The only way this case doesn't blow up in the government's face is if it can convince Huddleston not to go to trial. This placement of secondhand guilt on the creator of a remote administration tool is idiotic and disingenuous. No one's going after Microsoft for building the same functionality into its operating system, even though it's routinely abused by criminals and scam artists. What this really boils down to is law enforcement laziness, which it commonly refers to as "efficiency." It's incredibly easy to find the creator of software abused by criminals because a creator who doesn't feel he's committed any criminal act isn't going to do much of anything to cover his tracks or get off the grid. It's punishment that only makes sense to misguided prosecutors and FBI officials who feel any successful bust is a good bust. And if they do succeed in putting Huddleston in prison, absolutely no one will be vindicated. In the meantime, Huddleston has to fight back with his hands tied. He was released on bond but forbidden to use the internet. His arraignment takes place in a city 16 hours from where he lives. His recently-purchased home may not be his for much longer. And all the criminals misusing his product -- the ones he actively fought back against -- are still out there committing criminal acts. Permalink | Comments | Email This Story

Read More...
posted 21 days ago on techdirt
Rep. Devin Nunes, who heads the House Intelligence Committee, has been all over the privacy/security map in recent weeks. He's publicly decried the supposed "illegal surveillance" of former National Security Advisor Mike Flynn while trying to avoid undercutting the NSA programs and presidential authority that make all this spying possible. His hypocrisy knows no bounds. Nunes has repeatedly suggested NSA spying activities (under Executive Order 12333) should receive even less oversight. Now he's complaining the spy infrastructure he wholeheartedly supports is too big and dangerous, now that it's resulted in Mike Flynn's departure.

But it goes even further than that. Nunes is utilizing an informal network of what he calls "whistleblowers" to leak him details of investigations. Then he immediately goes and discusses these investigations in public. Barton Gellman (who handled some of Snowden's leaks) points out just how far Nunes has gone in defending both Mike Flynn and the Trump White House.

Three named officials—two Trump appointees and arguably his leading defender on the Hill—appear to have engaged in precisely the behavior that the president describes as the true national security threat posed by the Russia debate... The offense, which in some cases can be prosecuted as a felony, would apply even if the White House officials showed Nunes only “tearsheet” summaries of the surveillance reports. Based on what Nunes has said in public, they appear to have shown him the more sensitive verbatim transcripts. Those are always classified as TS/SI (special intelligence) or TS/COMINT (communications intelligence), which means that they could reveal sources and methods if disclosed. That is the first apparent breach of secrecy rules. The second, of course, is the impromptu Nunes news conference. There is no unclassified way to speak in public about the identity of a target or an “incidentally collected” communicant in a surveillance operation.

When communications of US persons are "incidentally" collected, the information is minimized and the names redacted. Gellman points out that "customers" (other government agencies/officials) can ask for the names to be revealed. But the policies governing dissemination mean the NSA doesn't just hand out this info to anyone. The fact that Nunes knew whose communications were swept up along with the targets means the real breach of privacy isn't the NSA's incidental collection, but the unmasking of those incidentally collected. That means the same White House that's so upset about Trump being spied on is the one asking for unminimized copies of the collected communications.

The names could only have been unmasked if the customers—who seem in this case to have been Trump’s White House appointees—made that request themselves. If anyone breached the president’s privacy, the perpetrators were working down the hall from him. (Okay, probably in the Eisenhower Executive Office Building next door.) It is of course hypocritical, even deceptive, for Nunes to lay that blame at the feet of intelligence officials…

This raises an even more interesting question about what's going on at the White House. Officials are asking for unminimized reports on incidental collections. But for what reason? Gellman theorizes it may be some form of unofficial backdoor search.

There is no chance that the FBI would brief them about the substance or progress of its investigation into the Trump campaign’s connections to the Russian government. Were the president’s men using the surveillance assets of the U.S. government to track the FBI investigation from the outside?

If so, it's an interesting way to obtain information a government agency (the FBI) won't share with you: get it from the intelligence agency that's feeding it to the FBI. If this is what's happening, it's another example of the Trump White House -- and those subservient to it -- ignoring national security rules to further their own ends. This abuse likely isn't unusual, but it's definitely hypocritical for those engaging in it to make comments about the sanctity of privacy and/or national security while doing damage to both.

posted 21 days ago on techdirt
Following the Congressional vote to dismantle privacy protections for broadband subscribers, VPNs have suddenly become a very hot area, despite the complex issues surrounding them. We've reported on various instances of authorities around the world either banning VPNs or flirting with the idea of doing so. But there's no doubt that the main battleground over VPNs is in China, where the government has been clamping down on their use with ever-greater rigor. For example, back in 2012, China started blocking VPNs, but in a rather ad hoc and piecemeal way. As Karl reported in January of this year, the authorities have now taken a much harsher line, requiring all VPN providers to obtain prior government approval in order to operate. Although that still allows people to use VPNs, it places them under strict control, and means they can be turned off by ordering suppliers to shut them down. The South China Morning Post (SCMP) reveals that in the major city of Chongqing, the local authorities have taken these measures to their logical conclusion -- banning VPNs completely:

Security authorities in the Chinese city of Chongqing have expanded regulations that govern web access, in a bid to plug holes in the Great Firewall that separates mainlanders from the global internet. … They ban individuals and organisations from establishing or using channels to connect to international networks, and target businesses that help users to connect to such services.

According to the SCMP article, the rules came into force last year, but have only just been published on the local government's website. The regulations are valid until July 2021, and impose fines of up to $2000 on companies offering VPNs. Individuals caught using them are ordered to disconnect, and receive an official "warning," which is probably not something to be taken lightly. Although this seems to be a purely local initiative, the numbers affected are considerable. According to Wikipedia's entry on the metropolis:

Chongqing's population as of 2015 is just over 30 million with an urban population of 18.38 million. Of these, approximately 8.5 million people live in Chongqing city proper;

Those figures are equivalent to the population of a typical small country elsewhere. As such, the move to ban VPNs in Chongqing could act as a rather handy test run to find out what the knock-on effects are, particularly for important classes of internet users like businesses and researchers. Whether or not this latest move was ordered by the authorities in Beijing, they will doubtless be watching its roll-out with keen interest.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

posted 22 days ago on techdirt
This week, after James Comey unveiled his idea for an international encryption backdoor partnership (still impossible to do safely), DannyB racked up the votes to win most insightful comment of the week by reflecting the style of Comey's demands of technologists:

Mr. Comey, why can't you catch terrorists without breaking everyone's encryption? Don't tell me it's impossible. I reject the 'it's impossible' response. I think you just haven't actually tried it.

Meanwhile, a debate broke out this week about whether a boycott was a proper (or even feasible) response to problems with internet service providers, with some suggesting that if people don't like the privacy rules they should go without internet rather than expect to "have your cake and eat it too". Roger Strong won second place for insightful with a good summation of why this line of thinking is flawed:

In most boycotts you still have cake. You simply refuse to buy it from one baker, even if it costs a bit more elsewhere. That baker does not have a government-granted monopoly on an essential service or basic infrastructure.

For editor's choice on the insightful side, we start out with one further reply on that topic in which an anonymous commenter spotted another problem with ISP boycotts:

Who are you boycotting? Boycotting your ISP also means boycotting the sites that you rely on or desire. Such a boycott is likely to strengthen the corporate hold on the Internet, as they can withstand the storm better than all the small players that are also hurt by the lack of visitors.

Next, we head back to last week's comments post, where the conversation about good ebook publishers continued with some recommendations from an anonymous reader:

I agree with my fellow anonymous coward about Baen. They were the publisher that got me back into reading after a five-year gap, and I haven't looked back. I've bought every single monthly bundle they've ever put out. They've always been free of DRM infestation and respect their readers. Baen, Bookstrand, Weightless Books, Wildside, Manning, O'Reilly, and other publishers who don't charge eye-gouging prices and don't permit DRM infestation are on my "WILL buy/WON'T pirate" list. Other publishers are evaluated on a case by case basis. I'm also wondering when the publishers will wake up to the fact that DRM actually encourages piracy.

Over on the funny side, first place is another win for Roger Strong, who was unsurprised about the latest "reputation management" fail:

Has there ever been a reputation management firm that wasn't in dire need of a reputation management firm?

Of course, we also slipped a reference to a certain dictator into that post, and Mason Wheeler won second place for funny by calling foul:

Wow. Usually we get into the comments before someone Godwins it...

For editor's choice on the funny side, we start out on our post about the worrying findings from a review of the DEA's "oversight" of cash seizure and forfeiture, where TechDescartes noticed some appropriate ambiguity:

So when you Google "define oversight," you get two definitions:

an unintentional failure to notice or do something. "he said his failure to pay for the tickets was an oversight" synonyms: mistake, error, omission, lapse, slip, blunder

the action of overseeing something. "effective oversight of the financial reporting process"

Which one are they using in the title of this report? I can't tell.

Finally, we head to the news that farmers are using pirated firmware to get around John Deere's onerous restrictions on repair, where one anonymous commenter wondered if it'd make it into a certain meticulously detailed PC game:

I can't wait for this to be in the DLC for Farming Simulator 2018.

That's all for this week, folks!

posted 23 days ago on techdirt
Only Available Until Monday Night: Necessary Hashtags Gear

European Shipping | US Shipping

We don't do annoying April Fools posts here at Techdirt, so when I tell you that time is running out to get your Necessary Hashtags gear, you know I'm deadly serious. The gear is only available until 8pm PT on Monday night (that's 3am Tuesday in GMT). So if you want to show the UK Home Secretary that you might be the expert she's looking for, don't delay! And remember, all our gear now has European shipping options available. When you look at any of our products with an IP address from outside the US, you should be given the option to choose your fulfillment center — or you can go directly to the European shipping or US shipping page for this latest design.

Check out the Techdirt Gear store for Necessary Hashtags and more »

posted 23 days ago on techdirt
Our ongoing Reclaim Invention campaign urges universities not to sell patents to trolls. This month's stupid patent provides a good example of why. US Patent No. 8,473,532 (the '532 patent), "Method and apparatus for automatic organization for computer files," began its life with publicly-funded Louisiana Tech University. But in September last year, it was sold to a patent troll. A flurry of lawsuits quickly followed.

Louisiana Tech sold the '532 patent to Micoba LLC, a company that has all the indicia of a classic patent troll. Micoba was formed on September 8, 2016, just a few days before it purchased the patent. The patent assignment agreement lists Micoba's address as an office building located in the Eastern District of Texas where virtual office services are provided. As far as we can tell, Micoba has no purpose other than to sue with this patent.

So what does Micoba's newly acquired patent cover? Claim 13 reads:

A computer system comprising a processor, memory, and software for automatically organizing computer files into folders, said software causing said computer system to execute the steps comprising:

a. providing a directory of folders, wherein substantially each of said folders is represented by a description;
b. providing a new computer file not having a location in said directory, said computer file being represented by a description;
c. comparing said description of said computer file to descriptions of a plurality of said folders along a single path from a root folder to a leaf folder; and
d. assigning said computer file to a folder having the most similar description.

In other words, put files into folders that contain similar files. Do it on a "computer system" (in case you were worried office workers from the 1930s might have infringed this patent). For a software patent, the '532 patent is unusually free of patent jargon and pseudo-technical babble.
Its specification (this is the description of the invention that comes before the claims) does describe a method for determining when the contents of a file match a folder description. The patent proposes representing folders and files as vectors (which should reflect the frequency of particular words found within). The patent suggests assessing similarity by calculating the dot product of these vectors. But, even assuming this was a new idea when the application was filed in 2003, many of the patent's claims are not limited to this method. The patent effectively captures almost any technique for automatically sorting digital files into folders.

The '532 patent issued in June 2013, about a year before the Supreme Court's decision in Alice v. CLS Bank. In that case, the Supreme Court held that an abstract idea (like sorting files into folders) does not become patentable simply because it is implemented on a computer. The '532 patent should be found invalid under this standard. In our view, this patent has no value after Alice except as a litigation weapon.

Louisiana Tech represents that it "seeks industrial partners to commercialize the technology developed at Louisiana Tech for the benefit of society." But it completely failed to consider this public interest mission when it sold the '532 patent to Micoba. Within two months of the sale, Micoba had filed nearly a dozen cases in the Eastern District of Texas, suing companies like SpiderOak and Dropbox, alleging they infringed at least claim 13 of the '532 patent. Instead of benefiting society, Louisiana Tech unleashed a torrent of wasteful litigation.

According to RPX, Micoba is associated with IP Edge, which itself is associated with eDekka (the biggest patent troll of 2014) and Bartonfalls (the winner of our October 2016 Stupid Patent of the Month for its patent on changing the channel). Bartonfalls' trolling campaign recently collapsed when a judge ruled that its patent infringement contentions were "implausible on their face." If RPX is correct that these companies are connected, Louisiana Tech has hitched its wagon to one of the biggest trolling operations in the nation.

EFF's Reclaim Invention project was launched to stop universities from feeding patent trolls like this. The project includes a Public Interest Patent Pledge for universities to sign stating that they will not sell their patents to trolls. We also drafted a model state law to help ensure that state-funded universities don't sell their inventions to patent trolls. You can ask your university to sign the pledge.

Reposted from EFF's Stupid Patent of the Month series.
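The matching method the '532 patent's specification describes (word-frequency vectors for files and folders, compared by dot product, walked along one root-to-leaf path as claim 13 steps (c) and (d) require) is simple enough to show end to end. What follows is an added example written for this page, not code from the patent, from EFF, or from any accused product. The directory tree, its folder descriptions and the file descriptions are constructed sample data; the greedy choice of the single path (descend into the best-scoring child at each level) is an assumption, since the claim does not say how that path is selected; and the dot product is left unnormalised, as the specification's wording suggests, rather than turned into a cosine.

```python
import re
from collections import Counter


def term_vector(text):
    """Word-frequency vector for a description, as a sparse Counter."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))


def dot(u, v):
    """Dot product of two sparse vectors: the sum, over shared terms, of the
    product of their counts. Unnormalised, as the patent's text describes it."""
    if len(u) > len(v):
        u, v = v, u
    return sum(count * v.get(term, 0) for term, count in u.items())


# Constructed sample directory: folder name -> (description, child folders).
# Not taken from the patent; it exists only to exercise the walk below.
SAMPLE_TREE = {
    "root": ("documents files misc", ["finance", "photos"]),
    "finance": ("invoices receipts tax budget", ["tax"]),
    "tax": ("tax return irs w2 deduction", []),
    "photos": ("jpeg vacation camera album", ["vacation"]),
    "vacation": ("beach trip vacation hotel flight", []),
}


def assign_folder(tree, file_description, root="root"):
    """Steps (c) and (d) of claim 13: compare the file's description with the
    folders on one root-to-leaf path and return the most similar folder.

    The path is chosen greedily (an assumption, the claim does not specify
    this): at each level descend into the child whose description scores
    highest. The file is then assigned to whichever folder on that path
    scored highest, which may be an interior folder rather than the leaf.
    Ties along the path keep the shallower folder."""
    fvec = term_vector(file_description)
    path = []
    current = root
    while True:
        path.append((current, dot(fvec, term_vector(tree[current][0]))))
        children = tree[current][1]
        if not children:
            break
        current = max(children, key=lambda c: dot(fvec, term_vector(tree[c][0])))
    # max() returns the first maximal element, so shallower folders win ties.
    return max(path, key=lambda item: item[1])[0]


if __name__ == "__main__":
    for desc in ("2016 tax return w2 form",
                 "receipts budget spreadsheet",
                 "beach hotel jpeg"):
        print(f"{desc!r} -> {assign_folder(SAMPLE_TREE, desc)}")
```

Running it shows which folder each constructed description lands in. "receipts budget spreadsheet" stays in the interior `finance` folder because step (d) picks the most similar folder on the path, not necessarily the leaf, and "beach hotel jpeg" reaches `vacation` only because `jpeg` steered the path into `photos` at the first level. With every score zero the greedy walk falls back to list order, which is the sort of arbitrary behaviour any real implementation would have to paper over with its own heuristics; the claim itself covers nothing more specific than this word-count comparison.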

posted 23 days ago on techdirt
As is commonly said, mistakes happen, and it's what we do about those mistakes that is important. Too often, when the mistakes concern trademark bullying, nothing is done to acknowledge or address that bullying. The bully will simply state the oft-repeated excuse that they must bully according to trademark law, which isn't remotely the case. And, because there is no acknowledgement that anything was done wrong, the bullying then continues. Well, after a recent dust-up over trademarks between BrewDog, a self-styled "punk brewery," and a family-owned pub, it seems that the brewery is actually going all in on reforming how it approaches trademark issues, and even intellectual property more generally.

The brother-and-sister team behind the Wolf pub in Birmingham were forced to drop their original plan to name the establishment the Lone Wolf, after receiving a legal warning from BrewDog, which has launched a spirit bearing the same name. But BrewDog founder James Watt announced a change of heart on Monday after the Guardian’s report sparked a backlash that saw the firm, a vocal critic of large, faceless brewing firms, accused of acting like “just another multinational corporate machine”.

Watt had initially tweeted that the brewery's lawyers got "trigger happy" and that the bar could keep using the name. That was on March 27th, although that tweet appears, as best as I can tell, to have been deleted since. In its place were assurances to Watt's followers that all had ended well.

Earlier today we contacted Lone Wolf bar and said we would not only cover all costs, but invited them up to make their own gin with us. — James Watt (@BrewDogJames) March 27, 2017

Along with that came a blog post from BrewDog explaining that it had to enforce its trademarks, while both promising to do so more leniently and stating that the company doesn't actually take intellectual property all that seriously.

In terms of the Lone Wolf Bar in Birmingham, we paid for and trademarked Lone Wolf in 2015. The Lone Wolf Bar in Birmingham opened in January of 2017. Our wider team and legal partners, acting entirely in our best interests, informed them that we owned the name and they would have to stop using it. Just as we'd do if someone opened a bar called BrewDog. However, hands up, we made a mistake here in how we acted. Almost all companies always look to enforce trademarks, whereas at BrewDog we should take the view to only enforce if something really detrimental to our business is happening. And here, I do not think that was the case. As soon as I found out, I reversed the decision and offered to cover all of the costs of the bar. I also invited them up to Ellon to make their own gin with us. This is a mistake that hurt a lot; but like all mistakes, it made us better. This will not happen again.

Going even further than that, the brewery has taken the somewhat extraordinary step of publicly releasing its brew recipes on its own website. Were a company to want to demonstrate more perfectly its commitment to not being an overbearing bully on matters of intellectual property, I'm not sure how it could do a better job than this. Working with the former target of the company's lawyers, publicly explaining what happened to its customers and everyone else, and releasing the recipes for its brews publicly for anyone to download: this is a commitment to being open and cool to customers and businesses. Keep in mind that BrewDog could have simply shouted the mantra of having to protect its trademarks at everyone. We here wouldn't have bought that, because we know better, but that tactic must surely work to some degree given how often it is deployed. That BrewDog went another route is a good thing that should be celebrated.

posted 24 days ago on techdirt
While copyright collection societies the world over tend to be good hosts for the disease of corruption, not all corruption is equal. These collection groups often like to jack up fees when someone points out that they actually have to do their job, to threaten businesses in the most insane ways, and also to, oops, sometimes just totally forget to pay the artists they purport to benefit. Over in Kenya, however, the dominant copyright collection group, MCSK, went for and hit the corruption trifecta by engaging in all three at the same time. Not a good look for anyone who thinks these collection groups have a role to play for artists. It got so bad, in fact, that the Kenyan government has decided to pull MCSK's license to operate.

The Music Copyright Society of Kenya has lost the licence to collect music royalties. MCSK's boss Maurice Okoth was suspended in March last year over corruption claims, though he was later acquitted. The copyright board revoked MCSK's license in February after its officials failed to submit their audited financial statements and amounts paid in royalties to their members. Edward Sigei, Kenya Copyright Board executive director, said at the time that MCSK had failed to submit the financial statement despite having been given a grace period of three months to do so.

Yes, even after its boss was acquitted of corruption charges, MCSK still couldn't even feign trying to be above board with the government by producing documentation detailing how much its artist-helping organization managed to help any artists. For a group with the singular mission of collecting money in order to pay artists royalties, it's unclear to me how a failure to produce its books on that mission is not deserving of the business death penalty. I also can't imagine how anyone who had to suffer through MCSK's corrupt practices could be anything but entirely soured on the concept of collection societies generally.

The Kenyan government, it seems, has a better imagination than I do. It has elected to replace MCSK with another collection society.

This follows the decision by the board of directors of Kenya Copyright Board on Monday to approve the licensing of a new body, Music Publishers Association of Kenya Limited, to collect royalties on behalf of authors, composers and publishers from March 2017 to February 2018, effective immediately. "The decision was made after the new association satisfied the requirements of Section 46 of the Copyright Act, 2001, and Regulation 15 and 16 of the Copyright Regulations 2004," read a statement from Kecobo sent to newsrooms.

Look, to be fair, it's likely that Kenya's Copyright Board doesn't have the authority to simply state that no collection societies will be granted a license to operate, but someone in the government does. And, even if it is unwilling to go that far, I would think the government would at least want to hear from artists who had the pleasure of not being paid properly by the previously-licensed collection group. At what point do Kenyan artists, if not the Kenyan government, decide there is a better way to conduct business than making deals with the muck?
