Saturday, July 9, 2016

This Week In Techdirt History: July 3rd - 9th


Five Years Ago



The fight over PROTECT IP was heating up this week in 2011, with law professors joining the ranks of those opposed to the bill while Hollywood ramped up its smear campaign against Senator Ron Wyden, and Senator Jerry Moran removed himself as a co-sponsor of the bill. Of course, this wasn't the only bad bill being considered - there was also the anti-streaming bill, which caught the attention of video game streamers and was met with a mass of YouTube video protests. Meanwhile, the entertainment industry was busy moving ahead of the law by signing the major US ISPs onto a "five strikes" plan for copyright infringement. Those who received strikes would have to pay to contest them, and it looked like the industry had backdoored in the disconnection powers it so desired.



But the most memorable thing to happen this week in 2011 was, of course, the unveiling of the famous (and fascinating/contentious from a copyright perspective) monkey selfie.



Ten Years Ago



This week in 2006, the RIAA was busy suing sites around the globe, with the latest target being Allofmp3.com in the UK. We were skeptical of this approach, but the Associated Press certainly seemed to have bought the scare stories about global piracy in full. The RIAA was also failing on the home front, with university students seeing right through its terrible "free" music service. Hollywood was busy taking down the free promotion it got from its fans, and after a German magazine noted that you can technically pirate a movie by simply screencapping every frame, we wondered how long it would take for the MPAA to try to ban the Print Screen button.



There was a big, memorable moment this week in 2006 too: Senator Ted Stevens offered his infamous "series of tubes" explanation for the nature of the internet.



Fifteen Years Ago



Last week, we noted that Amazon introduced a free shipping program for the first time. This week in 2001, Barnes & Noble followed suit, and managed to do so without raising any prices on Monday. But then, on Friday... Amazon ended its free shipping program, calling it an experiment. Such was the dance of the early online retailers.



We saw the early rumblings of a legal response to the problems of cyber-bullying, and early takes on how to deal with (or possibly flat-out ban) the use of cellphones while driving. We even saw the earliest of baby steps down the long road to Uber with Ireland experimenting with the ability to get cabs by texting. And in a move that may not have seemed revolutionary at the time, but was actually a first step towards opening up lots of enlightening data, Google unveiled its "Zeitgeist" product for exploring the most popular searches and trends.



Twenty-Six Years Ago



Techdirt has been around for a long time, but the folks at the EFF still have a few years on us: it was on July 6th, 1990 that the EFF was founded by John Perry Barlow and Mitch Kapor after both faced inquiries by law enforcement agents who were clueless about technology. Happy birthday, EFF!





Tuesday, July 5, 2016

2015 Wiretap Report Doesn't Have Much To Say About Encryption, But Does Show Feds Run Into Zero Judicial Opposition

The US Courts' 2015 "Wiretap Report" is out and it seems to show that fears of "going dark" are largely overstated. Here's Alex Emmons of The Intercept:



Despite a 21 percent increase in wiretaps authorized by state courts overall between 2014 and 2015, the number of cases where law enforcement encountered encryption decreased from 22 to seven.


And out of 1,403 wiretaps authorized by federal judges, only six encountered encrypted communication. Two of those were decrypted by law enforcement, leaving only four that could not be deciphered.


[...]


That means that in 2015, out of 4,148 total wiretaps, only 11 encountered a form of encryption law enforcement could not break. That's about one quarter of one percent.



Not so fast. The lack of issues in this report doesn't necessarily mean law enforcement agencies aren't encountering encryption. It simply means they're not running into it while utilizing wiretaps. There's a lot this report doesn't cover and there are many instances where the chance of running into encryption that renders wiretaps useless is simply being avoided. Why do the paperwork if there's nothing to be acquired?


This is basically what the FBI told Motherboard in response to questions about the lack of encryption roadblocks shown in the report.



After this story was published, an FBI spokesperson echoed the arguments of Comey and Yates, saying the Wiretap Report numbers “should not be surprising: agents now recognize when they are likely to encounter encryption and do not waste their time on fruitless endeavors.”



The FBI pointed to other reports more closely aligned with Comey's anti-encryption proselytizing.



The spokesperson added that “a better representation” of the going dark problem is the number of devices that the Computer Analysis Response Team (CART) and Regional Computer Forensic Laboratory (RCFL), the FBI teams that help state and local police with technical requests, have been unable to unlock due to being encrypted.


“Over the 6-month period from October 1, 2015 – March 31, 2016, approximately 4,000 devices were submitted for digital forensic analysis. About 500 of those could not be unlocked,” FBI spokesperson Christopher Allen said.



Apples and oranges. But that's to be expected. One report deals with wiretap warrants obtained under one legal authority. The other deals with search warrants obtained under another. Wiretaps will rarely run into encryption because there is a wealth of options available to obtain communications that don't involve intercepting them... or more closely reflect the current reality of communications -- which isn't tied to plain old telephone service.


Whatever the government is doing with these other options can't easily be examined by the general public because there are no reporting requirements tied to these, unlike wiretap warrants. So, the number of times where encrypted communications (not contained in locked phones) are holding up law enforcement cannot be nailed down with any certainty. The DOJ could collect and disseminate this data, but it would certainly prefer to keep its reporting requirements to a minimum, even if this data would back up Comey's encryption histrionics.


What hasn't changed, however, is what wiretaps are used for: drugs. 3,367 of the 4,148 issued in 2015 were for narcotics investigations. And for those of you who have followed the explosion of possibly illegal wiretaps originating from a single county courthouse in California, it's no surprise the state issuing the most federal wiretap orders is that particular coastal "drug corridor."





And, if law enforcement only ran into encryption in ¼ of 1% of wiretap orders, it ran into adversarial judges even less: every single one of the 4,148 federal wiretap requests was granted in 2015.





Taking James Comey at his word that encryption is a huge problem, it would appear the DOJ would rather withhold any data that supports this assertion than develop a precedent it doesn't like: additional reporting requirements on the ECPA orders, NSLs, and regular old search warrants it uses to obtain digital communications. Almost everything in this report deals with old-fashioned landlines, so its depiction of federal surveillance is woefully incomplete.





Friday, June 24, 2016

How to delete your OK Google Now audio search history

If you're a Google Now power user, you might want to know that Google saves all of your audio searches. You might also want to know how to delete those searches from your account. Jack Wallen shows you how.

Wednesday, June 15, 2016

WWDC 2016: Apple to require HTTPS encryption on all iOS apps by 2017

At a session at the 2016 WWDC, Apple revealed that it would be requiring all iOS apps to use HTTPS connections through an existing feature called App Transport Security by the end of the year.

Tuesday, May 31, 2016

Anonymized Data Really Isn't Anonymous: Vehicle Data Can Easily Be Used To Identify You

Companies increasingly hoover up larger and larger oceans of consumer data, promising that security and privacy aren't much of a worry because data is "anonymized." But as research has shown time and time again, anonymous data isn't all that anonymous -- since it takes only a modicum of effort to either analyze the data -- or cross reference it with other data -- to ferret out personal identities. It doesn't really matter whether we're talking about NSA surveillance troves or social networking data: anonymous data just isn't anonymous.



As yet another example of this, researchers from the University of Washington and the University of California at San Diego have found that the data collected by a car's onboard computer can be surprisingly personal. In fact it's so personal, the researchers found that they could identify a driver -- from a possible list of fifteen drivers -- just by looking at data collected from the brake pedal alone:
"The research team found that 15 minutes' worth of data from the brake pedal - and only the brake pedal - could lead them to choose the right driver, out of 15 options, 90% of the time. Again, with just the brake pedal data, upping that collected data to 90 minutes' worth, allowed them to pick the correct driver 100% of the time. For a 100% hit rate with 15 minutes' worth of data, they just had to collect records from more than one car part."
By itself, especially with the fifteen person pool, this isn't really all that alarming. But as we shift toward self-driving automobiles or just highly connected vehicles, this data is going to increasingly find its way into the hands of insurance companies and others. Verizon, for example, is making a significant push toward selling a $15 per month subscription "Hum" service -- comprised of a device that plugs into the vehicle's OBD port and a Bluetooth-enabled device that is clipped to the vehicle visor. The service not only makes a dumb car smart by providing emergency and other services, it gives Verizon -- a company already awash in consumer cellular location and other behavior data -- a huge amount of additional data to ferret through and monetize.



Especially when cross-referenced with other datasets already in government or corporate collection piles, researchers warn that this opens up the door to allowing insurance companies to dictate rates based on everything from emerging medical problems to when you let your kid drive the car (warning: Wired's ad block blocker still doesn't work properly and may block all users):
"...the fingerprinting study, Enev argues, should serve as a more general warning to car owners about the sensitivity of the data that travels across their vehicles' internal networks. The same data that tells their insurance company when they've let their 16-year-old kid take their car to prom might just as easily be used to identify drunk driving or a medical condition that's altered someone's driving ability, tests Enev claims would actually be simpler than trying to distinguish a driver's identity."
Those examples are likely just the tip of the iceberg, as companies cooperate to use that data to their collective, coordinated advantage in ways we haven't even thought of yet -- while consumers are increasingly treated like criminals should they want to control or access much of this data. And given that the "internet of things" continues to have embedded security that's about as good as no security at all, it's inevitable that this collected data will increasingly find its way into the public domain.



Friday, May 27, 2016

Lawmakers From The Great Theocracy Of Utah Looking To Block Porn On Cell Phones


When we've talked in the past about government attempting to outright block pornography sites, those efforts have typically been aimed at sites hosting child pornography. Blocking child porn is a goal that's impossible to rebel against, though the methods for achieving it are another matter entirely. Too often, these attempts task ISPs and mobile operators with the job of keeping this material out of the public eye, which is equal parts burdensome, difficult to do, and rife with collateral damage. Other nations, on the other hand, have gone to some lengths to outright block pornography in general, such as in Pakistan for religious reasons, or in the UK for save-the-children reasons. If the attempts to block child porn resulted in some collateral damage, the attempts to outright censor porn from the internet resulted in a deluge of such collateral damage. For this reason, and because we have that pesky First Amendment in America, these kinds of efforts attempted by the states have run into the problem of being unconstitutional in the past.



But, as they say, if at first you don't succeed, just try it in an even more conservatively prudish state again. Which brings us to Utah, where state Senator Todd Weiler is leading the effort to purge his state of any access to porn on mobile devices.




Utah Senator Todd Weiler has proposed a bill to rid the state of porn by adding Internet filters and anti-porn software on all cell phones and requiring citizens to opt-in before viewing porn online. It's to save the children, he says. Weiler successfully pushed an anti-porn resolution through the state Senate earlier this year, declaring porn a "public health crisis." He now hopes to take his movement a step further by making it harder for Utah citizens to have access to digital porn.



"A cell phone is basically a vending machine for pornography," Weiler told TechCrunch, using the example of cigarettes sold in vending machines and easily accessed by children decades ago.




This is where we'd usually talk about how this sort of thing is almost certainly unconstitutional, not to mention how easily circumvented the attempt would be. And both of those remain true for this case. But I would like to instead focus on the lazy analogies Weiler chooses to make and let them serve as an example of how easily twisted people's opinions can become if you simply add "saving the children" to the goals of a particular piece of legislation.



Let's start with the quote above, although I promise you there is more from Senator Weiler that we'll discuss. He claims that a cell phone is basically a porno vending machine, like a cigarette vending machine. The only problem with his analogy is how wildly untrue it is. A cigarette vending machine has no other purpose than, you know, vending smokes. A cell phone, on the other hand, has a few other purposes. Like playing video games, for instance. Or serving as a music device. Or making god damned phone calls. A claim that a phone is simply a vending machine for porn shows either a tragic misunderstanding of basic technology or, more likely, is simply a veiled hate-bomb at the internet itself. Regardless, it is not upon government to decide how our property is used lawfully. And it isn't on government to parent children. We have people for that. They're called parents.



But Weiler wasn't done.




The senator says England was successful in blocking porn on the Internet. Prime Minister David Cameron pushed legislation through in 2013 requiring U.K. Internet service providers to give citizens the option to filter out porn.




The good Senator must have a strange definition for success, because the UK law is easily circumvented, has managed to censor all kinds of educational and informational non-pornography sites and material, and was created by a lovely chap who was later arrested on charges of child pornography himself. If one wishes to draw upon the success of something in order to push his own interests, that something probably shouldn't be a complete dumpster fire.



Local Utah ISPs are already calling the plan unrealistic and comparing it to censorious governments that I am certain Senator Weiler would recoil from. Not that this matters, I guess, since Senator Weiler fantastically admits that he has no idea how this will all work under his law.




Weiler says he doesn't know how it would work but just wants to put the idea out there and that his main concern is kids looking at porn.



"The average age of first exposure to hard-core pornography for boys is eleven years old," he said. "I'm not talking about seeing a naked woman. I'm talking about three men gang-raping a woman and pulling her hair and spitting on her face. I don't think that's the type of sex ed we want our kids to have."




Look, I usually like to back up my rebuttals to these types of things with facts and figures, but I just don't have them in this case. That isn't going to stop me from declaring that the average first exposure to pornography is an eleven-year-old boy seeing exactly three men gang-raping a woman is a line of bullshit so deep that the Utah Senate certainly must provision knee-high boots to its membership for such a thing to even be suggested. And this should tell you everything you need to know about Senator Weiler's plans: he doesn't know how successful it's been elsewhere, he doesn't know how it works, and he's willing to sell it to the public on the basis of a scary lie.



Oh, and it's unconstitutional, so screw your law altogether.





Friday, May 13, 2016

FBI Questions Veracity Of Emails It Released To FOIA Requester While Defending Refusal To Discuss Hacking Efforts


The FBI has entered its explanation for its declaration that it won't discuss the NIT (Network Investigative Technique) in open court or with the defense -- no matter what. Its decision to run a child porn website for two weeks while it deployed the NIT has backfired immensely, resulting in successful challenges of the warrant and the evidence obtained. For the most part, the NIT warrant used by the FBI has been declared invalid because it violates Rule 41's limitations on deployment: a warrant obtained in Virginia can't be used to search computers located in other jurisdictions.



The FBI says it will only discuss the NIT with the judge in an ex parte in camera proceeding, cutting the defense entirely out of the loop. It also argues against the defendant's portrayal of the agency as inherently untrustworthy, what with its long history of hiding information from the courts, starting with its Stingray NDAs.



While not directly related to the subject matter at hand, Jay Michaud's lawyer is buttressing his arguments against the agency's trustworthiness with a wealth of released documents showing the FBI routinely demanded law enforcement agencies hide Stingray-related information from defendants, judges -- even other prosecutors.



Michaud's defense also submitted emails obtained with a FOIA request that showed the agency even hid information on surveillance tech from other FBI agents and federal prosecutors. The choice to cut the latter out of the chain of evidence was based on a supposed trend of prosecutors examining FBI surveillance technology/methods before retiring to work as defense lawyers.



What's most hilarious about the FBI's arguments is the fact that it openly questions the legitimacy of documents it released to Brad Heath and USA Today.


The actual emails (assuming they are genuine) show no improper concealment.

This is an awfully strange thing to say about documents originating from its own offices and released, presumably after a review, to a FOIA requester. If the FBI is forced to assume the emails it released are genuine, it argues that they don't actually say what they appear to say -- which is that information about FBI surveillance techniques must be hidden from damn near everybody but especially those who might be called to testify in court.

Nothing in the email suggests that anyone should be deceived or misled. Rather, the email merely urges the common-sense practice of not disseminating sensitive information unless there is a reason to do so. This concept is called “need to know.” It is familiar to anyone who has worked in the military or law enforcement, and it is an entirely proper way to protect sensitive information.

The government says this shows the FBI does disseminate this info, but only on a "need to know" basis. But it says nothing as to why the "need to know" list doesn't include judges, defendants or prosecutors involved in these cases.



And its other arguments are just as terrible, but at least they don't include the FBI raising doubts as to the legitimacy of documents it generated itself. It claims -- as it has in the past -- that the restrictive NDAs it forces law enforcement to sign before using Stingray equipment aren't restrictive and don't heavily hint (if not state outright) that agencies are to let perps walk rather than introduce Stingray-related evidence in court.

[A] careful reading of this material shows no evidence that the FBI has deceived or misled courts or prosecutors.

Technically true. But plenty of law enforcement agencies have. And when these omissions are challenged, they tend to excuse them by citing the FBI's NDA. So, the FBI ties up agencies with NDAs in hopes of limiting disclosures. Then it throws them under the bus when disclosures aren't made.

[T]he FBI made no false or misleading statements to courts, prosecutors, or anybody else in the Andrews investigation. The pen/trap application and related statements in Andrews were made by local law enforcement and local prosecutors.

Yes, but only because they felt they needed to do so, or because they may have been explicitly told to do so after asking the FBI. The FBI cites only this case because Michaud's defense only cites this case. There are countless others where it's been made apparent evidence of Stingray use has been hidden from everyone but the agency deploying the device.



We don't know what the outcome will be yet, but it's apparent the FBI will not be discussing the details of its NIT in court -- even as it tries to make itself out as a paragon of transparency in this filing. It even says it would prefer to handle this in an adversarial fashion (in the "allow the defense to participate" sense of the word) but simply cannot because it would presumably allow any number of criminals to escape its NIT tentacles in the future.


