Tim Cushing’s Techdirt Profile


About Tim Cushing Techdirt Insider

Posted on Techdirt - 15 December 2020 @ 12:04pm

Huawei Is Crafting Facial Recognition Tech That Will Make It Easier For The Chinese Government To Target Citizens It Doesn't Like

from the be-as-evil-as-possible dept

The Chinese government's war against its own citizens continues. The repression and persecution of China's Uighur population has been well-documented. The Chinese government is fighting a surveillance war on multiple fronts, beginning with its own citizens, who must maintain a positive "citizen score" to live life without too much government harassment. Its attempt to hold Hong Kong to the same oppressive standard has been met with significant resistance. But, in the end, China will consummate its takeover of Hong Kong with a removal of its independence.

Uighur Muslims have been the focus of the government's unmitigated wrath for years. China wants these residents either locked up or living in another country entirely. And it's pressuring tech companies to assist in their oppression. Far too many have complied. Documents seen by the Washington Post show Huawei has decided to be the Chinese government's posse, helping the government locate and target Uighur residents.

The Chinese tech giant Huawei has tested facial recognition software that could send automated “Uighur alarms” to government authorities when its camera systems identify members of the oppressed minority group, according to an internal document that provides further details about China’s artificial-intelligence surveillance regime.

The tech Huawei is developing attempts to determine a person's age, sex, and ethnicity using only facial shots. Given that this tech hasn't proven itself able to reliably recognize faces, it seems unlikely it will perform these extra tasks with better accuracy. False positives are guaranteed. And a false Uighur positive in China means citizens will be detained and subjected to a lifetime of brutal punishment just because they happened to trigger a Huawei "alarm."

According to Huawei, this proposed system has not gone live.

Both companies have acknowledged the document is real. Shortly after this story published Tuesday morning, Huawei spokesman Glenn Schloss said the report “is simply a test and it has not seen real-world application. Huawei only supplies general-purpose products for this kind of testing. We do not provide custom algorithms or applications.”

Maybe this is true. But it's also the sort of statement a company would release when being pressured by a government to avoid revealing ongoing surveillance programs.

Even if the system isn't live at the moment, that doesn't change the fact that it will be live at some point in the future. And the Chinese government will have a tool it can use to target a small percentage of its population -- a tool whose ability to recognize faces alone is already questionable. Adding in other factors only increases the possibility of false positives.

Then there's the mission creep. If it "works" for China, other countries looking to target people for their sex, race, or age will have a tool that's been field-tested and ready for deployment. China's not the only authoritarian regime looking for exciting new ways to persecute certain citizens. Following through with development of this tech means Huawei will be the go-to source for countries looking to add to their human rights violation rap sheets.

14 Comments | Leave a Comment..

Posted on Techdirt - 15 December 2020 @ 10:44am

DHS Cyber Warriors Issue Warning About Massive Hacking Campaign, Disclose They've Been Hacked A Day Later

from the holy-shit-this-is-bad dept

Welp. Everything is compromised. Again.

Reuters was the first to report suspected Russian hackers had gained access to hundreds of SolarWinds customers, including US government agencies.

Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments, according to people familiar with the matter, adding they feared the hacks uncovered so far may be the tip of the iceberg.


The cyber spies are believed to have gotten in by surreptitiously tampering with updates released by IT company SolarWinds, which serves government customers across the executive branch, the military, and the intelligence services, according to two people familiar with the matter. The trick - often referred to as a “supply chain attack” - works by hiding malicious code in the body of legitimate software updates provided to targets by third parties.

A full report by FireEye (which was also a victim of this hacking) details the process used to gain illicit access, which involved leveraging bogus signed components crafted by the hackers and distributed by an unaware SolarWinds. The widespread hacking campaign may have begun as early as March of this year. That it was only discovered now means the fallout from this will continue for months to come.

Here's how the backdoor works, according to FireEye:

SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.

After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.

SolarWinds boasts over 300,000 customers, including 425 Fortune 500 companies, all ten of the top ten telcos, the Pentagon, State Department, NSA, DOJ, and the White House. Its long list of customers (which now returns a 404 error) all but ensures every passing hour will add another victim to the list.

According to SolarWinds' post-attack-discovery SEC filing, it believes only a small percentage of its customers are affected. But even a fraction of its users is still a gobsmacking number of potential victims.

On December 13, 2020, SolarWinds delivered a communication to approximately 33,000 Orion product customers that were active maintenance customers during and after the Relevant Period. SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.

The attack is serious and widespread enough that the DHS's cybersecurity arm has issued a warning -- one that says the only proven way to mitigate damage at this point is to disconnect affected hardware from the internet and pull the plug on Orion software. The CISA (Cybersecurity and Infrastructure Security Agency) Emergency Directive says this is a persistent threat -- one not easily patched away.

CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on:

  • Current exploitation of affected products and their widespread use to monitor traffic on major federal network systems;

  • High potential for a compromise of agency information systems;

  • Grave impact of a successful compromise.

CISA understands that the vendor is working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise.

The directive goes on to mandate reporting on infected systems and for affected agencies to assume the system remains compromised until CISA gives the all-clear. Unfortunately, this grave warning comes from an agency that is also compromised. CISA issued the directive on December 13. Here's what was reported in the early hours of December 14:

US officials suspect that Russian-linked hackers were behind the recent data breach of multiple federal agencies, including the Departments of Homeland Security, Agriculture and Commerce, but are continuing to investigate the incident, multiple sources told CNN Monday.

CNN learned Monday that DHS' cyber arm, which is tasked with helping safeguard the nation from attacks by malicious foreign actors, is among at least three US government agencies compromised in the hack.

In addition to CISA, government officials also suspect breaches at the US Postal Service and the Department of Agriculture. And the Defense Department is in the process of assessing its own exposure, if any. If any of its components have been breached, it has yet to be publicly reported.

The Russian government is denying involvement, but the evidence seems to point to "Cozy Bear," the offensive hacking wing of Russia's intelligence services. Unfortunately, SolarWinds' dominance in the network management field made it that much easier for the attack to scale. And with CISA compromised, the government's attempts to mitigate damage will be slowed as its own cybersecurity wing attempts to rid itself of a persistent threat.

11 Comments | Leave a Comment..

Posted on Techdirt - 15 December 2020 @ 3:26am

Eighteen Sheriff's Deputies Waited 500 Yards Away While A Burglar Terrorized A 70-Year-Old Disabled Man

from the you-get-what-you-pay-for?? dept

I will faithfully serve and protect my community…

- A Hippocratic Oath for Policing, the National Police Foundation

To Protect and To Serve

- The Los Angeles Police Department motto, adopted in 1955

[N]othing in the language of the Due Process Clause itself requires the State to protect the life, liberty, and property of its citizens against invasion by private actors…

- US Supreme Court, DeShaney v. Winnebago County, 1989

There is no legal obligation for police officers to protect citizens. There may be a moral obligation. And there may be the obligation thrust on certain departments who've adopted mottos or decorated their badges with "protection" niceties, but that obligation only goes as far as the courts demand… which is nowhere.

That's why we end up with this sort of protection/service far too often. (h/t WarOnPrivacy)

Seventy-year-old Bill Norkunas, a childhood polio survivor, headed over to the light and flicked it on hoping to scare away whoever was there. Instead, the light was a beacon drawing a young man to his front door, a door made of glass.

And then for the next 15 minutes, Norkunas stood there, barefoot and unclothed, with his crutches, on one side of the glass pane trying to steady a gun in his trembling hand while the stranger stood on the other side, pounding on the door, banging it with his hip or gnawing at the thick hurricane-grade glass with a garden paver.


And as bewildering, and just as terrifying to him, is the knowledge that a squad of Broward sheriff’s deputies responded to his Tamarac neighborhood, but none came close to his home to stop the man. Instead, they waited down the street until he walked over to them and surrendered, witnesses told the South Florida Sun Sentinel.

It wasn't just Norkunas involved in this. The man trying to break into his home had attempted to do the same thing at other houses in the neighborhood. 911 was besieged by calls from Norkunas' neighbors. But apparently nothing they said made the Broward County Sheriff's Department any more willing to confront the reported burglar. For this entire ordeal, deputies waited hundreds of feet away, apparently waiting for the problem to solve itself.

Instead of stopping the would-be-intruder at Norkunas’ door, witnesses said, the deputies stayed down the street and around a corner, some 500 yards away while Norkunas and his neighbors flooded the 911 emergency communications system begging for help for almost 15 minutes.

This was an actual emergency. The 70-year-old man asked 911 operators if it was OK for him to shoot the intruder if he managed to make his way into his house. Neighbors calling the dispatchers expressed similar concerns for the man's safety. Meanwhile, 18 deputies stood by while this information was relayed, never moving for the fifteen minutes it took for the burglar to give up and surrender to law enforcement.

And the Broward County Sheriff's Department -- the same department that received deserved heat for its inadequate response to the Parkland school shooting in 2019 -- has offered no satisfactory explanation for this lack of effort when citizens' lives were on the line.

Norkunas said a sergeant explained procedures for setting up a perimeter so that Johnson could not escape, but also admitted they could have done better.

That's a problem. There were 18 deputies at the scene. It only would have taken a handful to approach Norkunas' house and attempt to apprehend the suspect. Not a single officer did. Instead, the amassed group of useless deputies lucked into an arrest when the suspect found them and turned himself in.

Because of this inaction, the relationship between the neighborhood and their alleged "protectors" has been irreparably damaged. One neighbor installed security cameras. Another stated she no longer "counts on police" to handle dangerous situations. And Nakounas has taken to carrying his gun with him at all times, even when taking his dog for a walk.

When the Supreme Court said police have no obligation to protect citizens, they took this to heart. The end result has been a stream of horrendous and horrifying incidents where police are willing cast aside their moral obligations just because they couldn't be held legally liable for failing to "do better." Not giving a shit still pays off, ensuring officers return home safely every night, even if those paying their salaries end up dead.

32 Comments | Leave a Comment..

Posted on Techdirt - 14 December 2020 @ 1:39pm

Two Studies Show Giving Military Gear To Cops Doesn't Result In Lower Crime Rates

from the law-enforcement:-we-would-like-to-continue-to-define-insanity-tyvm dept

One of President Trump's main goals while in office was to roll back anything his predecessor had put in place. One of his earliest executive orders removed the (minimal) restrictions Barack Obama had placed on the Defense Department's 1033 program. This program allowed local law enforcement agencies to acquire military gear at almost zero cost -- something that had been used and abused for years until the sight of an armored vehicle rolling up on protesters in Ferguson, Missouri proved to be a bit too much for Americans and their Congressional representatives.

Trump's reopening of the 1033 program was based on a couple of factors: his all-encompassing love of all things law enforcement and some dubious research that claimed giving cops access to war gear actually reduced crime.

That was the point made by then-Attorney General Jeff Sessions ahead of the rollback.

President Trump is serious about this mission. He is doing all he can to restore law and order and support our police across America. And that is why, today, I am here to announce that President Trump is issuing an executive order that will make it easier to protect yourselves and your communities. He is rescinding restrictions from the prior administration that limited your agencies' ability to get equipment through federal programs, including life saving gear like Kevlar vests and helmets and first responder and rescue equipment like what they’re using in Texas right now.


Those restrictions went too far. We will not put superficial concerns above public safety.

Those "superficial concerns" included genuine concerns that deploying war gear against US citizens tends to make officers think they're soldiers in a war zone, rather than public servants who need a solid relationship with those they serve to make meaningful changes that reduce crime and increase public safety.

The push for more distribution of military gear was backed by a study by the American Economic Association, which claimed law enforcement agencies that utilized the 1033 program were more effective at lowering crime rates. That data has now been examined by two other sets of researchers, and the conclusions they've reached contradict the AEA's findings.

When Emory scholars read the studies, they noticed statistical flaws in the analysis. They set out to rigorously test those two previous studies’ claims by replicating them. They utilized the same 2014 NPR data and applied the studies’ same methods of analysis.

What immediately got the attention of the Emory scholars was that the studies were doing analysis at the county level, not the municipal level (i.e., the individual jurisdictions of cities). So, there wasn’t a way to directly compare which local agencies received SME and their specific crime rates. That’s because the federal government only reported the 1033 Program data at the county level.

Fortunately, there was more data available now to double-check the claims made by these earlier studies. Obama's 1033 program reforms mandated more reporting on acquisition, which gave these researchers more to work with. The granular detail missing from the first studies was included in the second examination.

It was only after Emory used the new, agency-level data in analysis that they determined the SME didn’t reduce crime.

“It crystalizes so many of the concerns and claims both pro and con about policing in the U.S. It raises the matter of funding the police and how do we provide resources to the police — through money or giving them equipment. It raises the matter of police militarization — that the police look and act like they are soldiers at war against citizens,” [Associate Professor Michael] Owens says. “And it raises questions about efficiency — costs and benefits."

It's not just Emory researchers arriving at this conclusion. A simultaneously-released study by the University of Michigan professor Kenneth Lowande says the same thing:

I use 3.8 million archived inventory records to estimate the magnitude of sources of bias in existing studies of the 1033 Program. I show that most variation in militarization comes from previously unobserved sources, which implies that studies that show crime-reduction benefits are unreliable. I then leverage recent policy changes to evaluate the effect of military equipment: the Obama Administration recalled property under Executive Order 13688, which resulted in a forced demilitarization of several hundred departments. Difference-in-difference estimates of agencies that retained similar equipment show negligible or undetectable impacts on violent crime or officer safety.

Of course, these studies have drawn some criticism. Law enforcement officials -- who've performed no research of their own -- dispute these findings.

"This is just a symptom of the larger defund the police movement and this has turned political," retired police Sgt. Betsy Brantner Smith, a spokesperson for the nonprofit National Police Association, which educates the public on policing in America, told ABC News. "Obama took it away, Trump gave it back, and now we’ll probably see Biden take it away again so that they can say, ‘I took this away from the big bad police.'"

Wow. What a thoughtful counterpoint. On one hand, we have data showing handing cops military hand-me-downs doesn't reduce crime. On the other hand, we have a police union rep claiming math is politicized. At least the other police union rep quoted in piece makes a better point while still disputing the findings.

Patrick Yoes, national president of the Fraternal Order of Police, the world's largest organization of sworn law enforcement officers, also slammed the two studies as "convoluted logic."

"It has never been the contention of the FOP that surplus military equipment prevents crime, but rather that such equipment plays a critical role in protecting police officers and citizens in life-threatening situations such as active shooters at large, civil disturbances, and natural disasters."

But do cops really need war gear to make them safer? Crime rates in most of the country are still at historic lows. Officer safety remains at an all-time high. This last decade has been the safest time in history to be a cop and yet complaints like these are always offered up anytime someone points out the flaws in their logic.

So, military gear given to cops doesn't reduce crime. And it likely doesn't make officers much safer than they are already. What it does do is cultivate a warrior mindset that harms law enforcement's relationship with the public. And maybe that's all law enforcement really wants: more distance between them and those they've declared war on.

17 Comments | Leave a Comment..

Posted on Techdirt - 11 December 2020 @ 10:48am

House Passes PACER Bill As Budget Office Says It Will Cost Less Than $1 Million A Year To Provide Free Access To Court Documents

from the court-system-seems-to-have-embraced-Hollywood-accounting dept

We're one step closer to free access to federal court documents. The House has passed the Open Courts Act of 2020, moving it on to the Senate, which will decide whether the bill lands on the president's desk.

Yes, this sort of thing has happened before. And previous efforts have always died on their way to the Oval Office. But this one might be different. A growing collection of case law says the US Courts system has been overcharging users and illegally spending funds meant to improve the PACER system and, yes, lower the cost for users.

This latest effort has a bit more momentum than its predecessors. And that seems to worrying the US Courts, which has fought back with dubious assertions and even more dubious budget estimates. The court system claims it will cost at least $2 billion over the next several years to overhaul PACER and provide free access to documents. Experts say it will cost far less.

A group of former government technologists and IT experts dispute that figure. In a letter sent last week to the Judicial Conference of the United States, the group estimated the cost of a new system would be $10 million to $20 million over 36 months to build the system and between $3 million and $5 million annually to maintain and develop.

Even more damning is the Congressional Budget Office's estimate. According to its report, fixing the system and providing free access to most users would cost less than $1 million a year.

On net, CBO estimates that enacting H.R 8235 would increase the deficit by $9 million over the 2021-2030 period.

The report says overhauling the system will cost around $46 million. But that will be offset by fees the court system will be able to collect from "high-volume, for-profit users," which the CBO estimates to be about $47 million over the same period. After subtracting some expected revenue declines and indirect tax effects, the court system should net about $37 million over the next decade.

That should end the debate over cost but it probably won't. For whatever reason, the court system continues to insist giving citizens free access to court documents would bankrupt the system. If it can find allies receptive to its bad math in the Senate, it could end this bill's run.

But no one but the court system agrees with the court system's math. It's not just potential beneficiaries of free access providing much lower cost estimates. The government itself disagrees with this branch's budgetary suppositions. Hopefully, the CBO and the tireless work of transparency advocates will finally push free PACER past the Senate and onto the president's desk.

23 Comments | Leave a Comment..

Posted on Techdirt - 11 December 2020 @ 9:34am

Supreme Court Says Muslim Men Can Sue The FBI For Placing Them On The No-Fly List For Refusing To Become Informants

from the faith-based-harassment dept

The FBI really enjoys its take on the War on Terror. Starting with the hassling of Muslims at airports and border entries, the FBI cultivates a large collection of confidential informants. These informants then find pliable individuals to target with extra attention, pushing them towards threatening to engage in violence. Then the FBI swoops in to arrest these supposed "terrorists" -- ones that often seem unable to stay gainfully employed, much less capable of carrying out terrorist attacks. The FBI's favorite targets are impressionable Muslim men with mental health issues -- ones its agents and informants radicalize right into jail cells.

It all starts at our nation's airports. If Muslims want to travel in and out of the United States (or just travel within the US), federal agents are always on hand to pressure them into becoming informants. Veiled threats are made and these targets are subjected to invasive searches and other harassment every time they set foot in an airport.

In some cases, Muslim men were placed on the "no fly" list simply for refusing to become government informants. A lawsuit filed in 2014 accused the FBI of retaliating against several Muslims who resisted the FBI's overtures. The district court ruled against the plaintiffs but the Second Circuit Court of Appeals revived the lawsuit in 2018, saying the men had sufficiently alleged violations of the Religious Freedom Restoration Act (RFRA). The government can't target people simply because of their chosen religion, but that's exactly what appears to be happening.

The case made its way to the Supreme Court and the nation's top court has sided [PDF] with the plaintiffs. The lawsuit can proceed and the FBI agents can be held accountable for violating the RFRA.

The government tried to argue the statute does not provide for lawsuits against federal officers in the personal capacity. Wrong, says the Supreme Court. The statute clearly states lawsuits can be brought against individuals, rather than their agency or the federal government as a whole.

We first have to determine if injured parties can sue Government officials in their personal capacities. RFRA’s text provides a clear answer: They can. Persons may sue and obtain relief “against a government,” §2000bb–1(c), which is defined to include “a branch, department, agency, instrumentality, and official (or other person acting under color of law) of the United States.” §2000bb–2(1) (emphasis added).

The Government urges us to limit lawsuits against officials to suits against them in their official, not personal, capacities. A lawsuit seeking damages from employees in their individual capacities, the Government argues, is not really “against a government” because relief “can be executed only against the official’s personal assets.” Kentucky v. Graham, 473 U. S. 159, 166 (1985).

The problem with this otherwise plausible argument is that Congress supplanted the ordinary meaning of “government” with a different, express definition. [...] A “government,” under RFRA, extends beyond the term’s plain meaning to include officials. And the term “official” does not refer solely to an office, but rather to the actual person “who is invested with an office.”

The Court then looks at whether or not damages can be pursued. This isn't a normal case alleging First or Fourth Amendment violations. The government argued this means damages can't be awarded. Again, the Supreme Court says the government is wrong.

A damages remedy is not just “appropriate” relief as viewed through the lens of suits against Government employees. It is also the only form of relief that can remedy some RFRA violations. For certain injuries, such as respondents’ wasted plane tickets, effective relief consists of damages, not an injunction. [...] it would be odd to construe RFRA in a manner that prevents courts from awarding such relief. Had Congress wished to limit the remedy to that degree, it knew how to do so.

If federal agencies want the law changed to shield them from accountability, they'll have to ask Congress to "fix" this perceived "wrong." The Court isn't going to get into the business of legislating from the bench (at least not in this case).

To be sure, there may be policy reasons why Congress may wish to shield Government employees from personal liability, and Congress is free to do so. But there are no constitutional reasons why we must do so in its stead.

It's an 8-0 shutout in favor of the plaintiffs who are now allowed -- six years after they filed their lawsuit -- to start holding the FBI accountable for its violation of their religious rights.

Read More | 14 Comments | Leave a Comment..

Posted on Techdirt - 11 December 2020 @ 3:16am

ICE Withdraws Demand For Journalists' Sources After Having Its Unconstitutional Demand Outed By BuzzFeed

from the government-is-kindly-invited-to-go-fuck-itself dept

They say "sunshine is the best disinfectant." Sometimes, though, sunshine is the best RAID. When you've got government cockroaches (feel free to pronounce it like Tony Montana) trying to crawl all over your stuff, the best thing you can do is point all the wattage/candlepower you can on its indiscretions.

Earlier this month, ICE tried to pull some fucked up shit. It sent a subpoena -- one issued by its office, not a judge -- to BuzzFeed. It asked the journalists there to turn over information on their sources, apparently in hopes of closing the loop on internal investigations into leaked documents.

BuzzFeed refused. Even better, BuzzFeed posted the bullshit "request" ICE made -- one that asked the site's journalists to remain silent in the face of government overreach. The subpoena came with this request appended;

“You are requested not to disclose the existence of this summons for an indefinite period of time. Any such disclosure will impede this investigation and thereby interfere with the enforcement of federal law.”

BuzzFeed ignored this, along with the rest of the subpoena. Which it should. This was just internal paperwork masquerading as a government-sanctioned order. ICE has no legal right to demand information on BuzzFeed's sources. It seems highly unlikely any court would allow this incursion on First Amendment protections. Bypassing the court by issuing its own paperwork shouldn't be allowed. But somehow it is. Journalistic concerns know these requests are worth less than the paper they're printed on. The problem is that not everyone knows that and degenerates like ICE are counting on people being ignorant of their Constitutional rights and protections.

BuzzFeed knows what the government can and can't do without judicial blessing. So it published its refusal along with ICE's faux "demand" it remain silent about the agency's attempted Constitutional bypass. In response to its garbage being made public domain, ICE has rescinded its attempt to turn confidential sources into government witnesses/prosecution targets.

Immigration and Customs Enforcement officials said Wednesday that it would not enforce a subpoena issued last week demanding BuzzFeed News identify its sources, a retreat from its earlier, stunning attempt to interfere with a news outlet operating under the protections of the First Amendment.

By "won't," ICE means "can't." It would be the rare judge that would approve of ICE violating long-held First Amendment protections for journalists and their sources. Even if they found a compliant judicial pawn, any challenge by BuzzFeed would see this bogus subpoena tossed onto the trash heap of ICE's trash history by the next judge down the line.

The government cannot do this. And the government knows this. That ICE even tried indicates it's been huffing whatever the Trump administration has been shoving into its paper bags. Just because the outgoing Prez has a hard-on for booting brown people out of the country doesn't change the Constitutional calculus.

15 Comments | Leave a Comment..

Posted on Techdirt - 10 December 2020 @ 10:50am

New Report Shows Cellphone Encryption Isn't Really Stopping Cops From Searching Phones

from the complaining-that-99%-access-isn't-100%-access dept

We're still hearing quite a bit about law enforcement's supposedly endless string of losses to criminals and their device encryption. Citing facts not in evidence, consecutive FBI directors -- along with outgoing Attorney General Bill Barr -- have claimed the implementation of encryption has pretty much made it impossible to successfully prosecute criminals.

We know this isn't true for several reasons. But let's begin with the FBI, which has relied on overstated numbers to press the "going dark" theory for a few dozen months at this point. After admitting it couldn't do math -- even when aided by a spreadsheet -- the FBI has refused to update its overblown number of locked devices in its possession. The FBI has not corrected its math for 931 days at this point.

Criminal prosecutions haven't slowed down either. When almost every prosecution ends in a plea deal, it's pretty rich for prosecutors and law enforcement to complain they're being beaten by criminals. And a bunch of federal agencies pad their own numbers, engaging in borderline entrapment to ensure a steady stream of prosecutorial wins.

A new report shows just how little of an effect device encryption has had on law enforcement efforts. Some of the report's highlights are touched on by Lawfare's Susan Landau. We've heard the complaints encryption is keeping law enforcement out of seized cellphones. The reality is much more worrying. Not only is encryption not much of a barrier, but law enforcement tech allows investigators to access pretty much everything before trimming it down to what's been asked for in warrant affidavits.

These forensic tools are quite sophisticated. FBI Director Christopher Wray once complained that “warrant-proof encryption,” like that used on iPhones, prevents law enforcement access to crucial evidence. But Upturn found that the forensic tools copy all the data found on a cellphone. The tools then sort the data so that law enforcement can easily search through it. And MDFTs include some features that make law enforcement’s job even easier. For example, Cellebrite, perhaps the most sophisticated MDFT, can compare a facial image, such as from a police database, to any of the faces in photos stored on the phone. Others MDFTs classify text conversations by topic, such as drugs, money or family.

The MDFTs work on a variety of sophisticated phones. Cellebrite says it can extract data from “all iPhone devices from iPhone 4S to the latest iPhone 11 / 11 Pro / Max running the latest iOS versions up to the latest 13.4.1.” The company claims to be able to handle even locked iPhones and Android devices.

"Going dark" is nothing more than rhetoric. The reality is encryption isn't much of a roadblock. The report by DC think tank Upturn shows there's little standing in the way of law enforcement forensic extractions, no matter how much federal officials claim otherwise. The business of cracking/scraping phones is largely automated -- plug-and-play invasive searches that pretty much ignore efforts owners might make to secure their devices against government intrusion.

Mobile device forensic tools (MDFTs) are so powerful, Upturn recommends the ban on consensual searches of cellphones, given what investigators can access when they're deployed. This makes some sense, given the specious reasons given for some cellphone searches. But that's going to be a really difficult thing to sell to legislators when one of the most recognized exceptions to the Fourth Amendment is the voluntary waiver. (Counterpoint: the definition of "voluntary" could use more examination by courts, which have decided the third-party doctrine applies even when voluntary consent isn't obvious, but still side with law enforcement agencies who have coerced confessions and "consent.")

People may think these powerful tools will only be aimed at the worst criminals -- drug kingpins, child molesters, financial services firms, etc. But they're not. They're used for everything because they're cheap, easy, and convenient.

Law enforcement use these tools to investigate not only cases involving major harm, but also for graffiti, shoplifting, marijuana possession, prostitution, vandalism, car crashes, parole violations, petty theft, public intoxication, and the full gamut of drug-related offenses.

Anti-encryption enthusiasts like FBI directors Chris Wray and James Comey have somewhat acknowledged some powerful tools render device encryption moot. But even while (sort of) admitting their "going dark" claims were overblown, proponents of encryption backdoors claim success rates are too low, tools are too expensive, and solutions provided by government contractors won't scale. Upturn's report says otherwise.

Our records show that at least 2,000 agencies have purchased a range of products and services offered by mobile device forensic tool vendors. Law enforcement agencies in all 50 states and the District of Columbia have these tools. Each of the largest 50 police departments have purchased or have easy access to mobile device forensic tools. Dozens of district attorneys’ and sheriff’s offices have also purchased them. Many have done so through a variety of federal grant programs. Even if a department hasn’t purchased the technology itself, most, if not all, have easy access thanks to partnerships, kiosk programs, and sharing agreements with larger law enforcement agencies, including the FBI.

So, there's plenty of access. Funding isn't a problem. Vendors have solutions that scale because there's plenty of access and plenty of funding. But the complaints continue. And the complaints continue despite how much is being extracted with each deployment.

MDFTs pull every photo on the device, extracting metadata that shows when and where photos were taken. It pulls data from every app that generates it, including location data, which allows law enforcement to track movement without a warrant. The extraction tools can also pull deleted data, allowing investigators to perform digital trash pulls for additional evidence.

Then there's the third parties themselves. While the FBI and others complain about a lack of access, any data/communications stored by cloud services can be recovered without having to deal with device encryption.

The wealth of data available to law enforcement allows them to engage in fishing expeditions for evidence of other crimes. The only thing stopping them is the courts, so it's worth their while to dig through everything, considering the worst case scenario is a dismissed case, rather than fines, fees, sanctions, or anything else that might hurt them more directly.

A city or state might ban facial recognition searches, but cops can still do this without violating the specifics of the ban, thanks to built-in tools.

Cellebrite offers a “search by face” function, whereby law enforcement can compare an image of a face to all other images of faces found on the phone.

They can also look for anything else conceivably incriminating (or titillating) without having to screw with their tools' default settings.

Cellebrite also allows law enforcement to define new image categories by feeding its software a small set of example images to search for (for example, searching for hotel rooms by giving the software a set of five images of hotel rooms that were taken from Google images). As another example, Magnet Forensics’ AXIOM can employ text classification models in attempts to detect “sexual conversations,” or to filter conversations by topics ranging from family, drugs, money, and police.

Even if encryption is the default option, a variety of software and hardware exploits renders this useless in most cases. Patches from developers and manufacturers make this somewhat of an arms race, but this race remains a tie, at worst. Law enforcement isn't losing. And if it's losing access, it's only temporary.

There's another "war" at play here -- one that's rarely referenced by law enforcement officials. Every vendor wants more customers, so they're always improving their tech. The healthy competition makes tools more powerful while dropping their price, ensuring equal access for law enforcement agencies across the nation. The public records obtained by Upturn show there's not a single state in the Union that doesn't have access to forensic tools capable of cracking or bypassing encryption. Funding isn't an issue, given the federal government's interest in making encryption a non-issue.

That means there's thousands of extractions a year -- something that undercuts the FBI's "warrant-proof encryption" narrative at least as much as its inability to count physical items accurately.

The records of use we’ve assembled from 44 law enforcement agencies represent at least 50,000 extractions of cellphones between 2015 and 2019.

There is no going dark. If legislators want to believe there is, they're going to have to do so by ignoring all the evidence to the contrary. What law enforcement wants is convenience -- the ability to crack open phones without having to hook them up to a machine or beat the submission out of an arrestee. The options are there and agencies are obviously using them. Every argument that says encryption is locking law enforcement out is not just disingenuous -- it's dishonest.

9 Comments | Leave a Comment..

Posted on Techdirt - 10 December 2020 @ 3:14am

TSA Oversight Says Agency's Suspicionless Surveillance Program Is Worthless And The TSA Can't Prove It Isn't

from the it-works-in-the-sense-that-it-employs-people dept

The TSA's "Quiet Skies" program continues to suffer under scrutiny. When details first leaked out about the TSA's suspicionless surveillance program, even the air marshals tasked with tailing non-terrorists all over the nation seemed concerned. Marshals questioned the "legality and validity" of the program that sent them after people no government agency had conclusively tied to terrorist organizations or activities. Simply changing flights in the wrong country was enough to initiate the process.

First, the TSA lost the support of the marshals. Then it lost itself. The TSA admitted during a Congressional hearing that it had trailed over 5,000 travelers (in less than four months!) but had yet to turn up even a single terrorist. Nonetheless, it stated it would continue to trail thousands of people a year, presumably in hopes of preventing another zero terrorist attacks.

Then it lost the Government Accountability Office. The GAO's investigation of the program contained more investigative activity than the program itself. According to its report, the TSA felt surveillance was good but measuring the outcome was bad. When you're trailing 5,000 people and stopping zero terrorists, the less you know, the better. Not being able to track effectiveness appeared to be a feature of "Quiet Skies," rather than a bug.

Now it's lost the TSA's Inspector General. The title of the report [PDF] underplays the findings, stating the obvious while also understating the obvious: TSA Needs to Improve Management of the Quiet Skies Program. A good alternative title would be "TSA Needs to Scrap the Quiet Skies Program Until it Can Come Up with Something that Might Actually Stop Terrorists."

I mean…

TSA did not properly plan, implement, and manage the Quiet Skies program to meet the program’s mission of mitigating the threat to commercial aviation posed by higher risk passengers.

In slightly more detail, the TSA did nothing to set up the program correctly or ensure it actually worked. The IG says the TSA never developed performance goals or other metrics to gauge the effectiveness of the suspicionless surveillance. It also ignored its internal guidance to more effectively deploy its ineffective program.

Here's why:

This occurred because TSA lacked sufficient, centralized oversight to ensure the Quiet Skies program operated as intended.

There were some positives, but they were limited. The DHS and TSA set up information sharing programs, and performed quarterly reviews to remove passengers from the Quiet Skies watchlist. But that's about it. And, as the IG points out, these steps don't add up to anything that might quantify its success rate or justify its existence.

The failure had a trickle down effect, showering the air marshals who thought the program was useless (if not illegal) with second-hand shame.

After almost two years of flight coverage, FAMS [federal air marshals] could not provide outcome-based performance measures to show that its surveillance of Quiet Skies passengers who had already received enhanced screening at checkpoints was the most efficient use of its limited resources.

As for the good news about the periodic removal of people from the TSA's suspicionless surveillance, it's not without its bad news. The IG says the TSA didn't do it in a timely fashion or, you know, correctly.

The Implementation Plan requires TSA and DHS to conduct quarterly oversight reviews of Quiet Skies’ risk-based, intelligence-driven rules created and updated by I&A. However, in 2017 and 2018 TSA identified software algorithm and system malfunctions that resulted in passengers not being removed from the Quiet Skies List after [redacted].

And the TSA had problems with the people it had added to this watchlist, failing to ensure they got all the surveillance and checkpoint friskings they apparently deserved.

As currently designed, TSA cannot ensure all Quiet Skies passengers receive enhanced screening at checkpoints in accordance with its Implementation Plan.


We reviewed results from TSA inspections conducted from October 2015 through February 2019, in which inspectors found incidents related to the Boarding Pass Printing Result requirement. From our review of 16 incident reports, we identified [redacted] in which the boarding passes either were not designated as needing enhanced screening or the aircraft operator did not ensure the passenger received enhanced screening at the checkpoint.

Unfortunately, the number of failures is redacted. But given the TSA's track record elsewhere, it's probably safe to assume the failure rate was above 50%.

The IG recommends the TSA fix everything that's broken. That's most of the program, it appears. The TSA agrees… to a point. The TSA disagrees that it did not "properly plan or manage" the program, including its lack of metrics. According to the TSA's response, the fact that a few dozen targets (out of the thousands trailed by the TSA) showed up on other watchlists is an indication the program is a success.

In October 2020, TSA's I&A reviewed Quiet Skies encounters between 2014 and 2019, and found that 58 individuals designated for additional scrutiny by Quiet Skies are now "watchlisted" in the Terrorist Screening Database as a KST [known suspected terrorist]. This data indicates that Quiet Skies are approximately 30 times more likely to pose an actual high risk than a randomly selected passenger, validating Quiet Skies' value in identifying higher-risk travel.

Nice try. But TSA already threw all plausibility out the window back in 2018 with this testimony before Congress.

The officials said about 5,000 US citizens had been closely monitored since March and none of them were deemed suspicious or merited further scrutiny, according to people with direct knowledge of the Thursday meeting.

Tell me again how 58 watchlist hits is a satisfactory metric. Cherry-picking numbers doesn't change the facts already on the record. When you go 0-for-5,000, managing to cross-reference 10-12 targets a year with another highly-questionable database isn't a win.

Read More | 8 Comments | Leave a Comment..

Posted on Techdirt - 9 December 2020 @ 3:23am

DHS Inspector General Is Going To Take A Look At The DHS's Purchase Of Cell Location Data From Data Brokers

from the it's-about-time-someone-other-than-Ron-Wyden-looked-into-this dept

DHS components are buying up cell location data from third parties to track down undocumented immigrants and whoever else ICE and CBP might be interested in. The IRS is doing the same thing. So is the Department of Defense.

The location data is harvested from dozens of phone apps. This data makes its way to a variety of data brokers -- often without the explicit knowledge of app users or developers -- who then sell access to government agencies. This access seems to violate the spirit of the Supreme Court's Carpenter decision (which erected a warrant requirement for cell site location info), if not the actual letter of ruling.

This has drawn the attention of a number of Senators, including Ron Wyden. In response to Senate questions, the Inspector General for the IRS has opened an investigation into the agency's practice of buying location data from private companies.

The DHS is now undergoing the same scrutiny.

The department’s inspector general told five Democratic senators that his office would initiate an audit “to determine if the Department of Homeland Security (DHS) and its components have developed, updated, and adhered to policies related to cell-phone surveillance devices,” according to a letter sent last week to Capitol Hill and shared with The Wall Street Journal.

The letter came in response to a request in October from Sens. Ron Wyden (D., Ore.), Elizabeth Warren (D., Mass.), Sherrod Brown (D., Ohio), Ed Markey (D., Mass.) and Brian Schatz (D., Hawaii) to probe whether the purchase of commercial cellphone data on Americans for law-enforcement purposes was lawful.

This is welcome news, considering no agency has offered up a legal rationale for dodging apparent warrant requirements by purchasing data from third party brokers -- brokers who are an additional hop away from the third parties who collected the data in the first place. When even app developers aren't sure whose buying their data, it's pretty difficult to argue anyone tracked via this method knowingly and voluntarily "shared" their location with the data brokers selling access to the government.

This won't be the only investigation either. The DHS IG is also looking into other "open source" intel gathering performed by DHS agencies. The guidelines for gathering intel from social media accounts and other publicly accessible internet services hasn't been explained sufficiently and/or examined by the DHS's Congressional oversight.

Unfortunately, this investigation may not lead to the termination of this data collection. The DHS's general counsel has already declared this to be legal -- something revealed by BuzzFeed earlier this year.

In an internal memo obtained by BuzzFeed News, the DHS's top attorney, Chad Mizelle, outlined how ICE officials can look up locations and track cellphone data activity to make decisions on enforcement.

Mizelle also believes the agency can use the data without obtaining a warrant or violating the Fourth Amendment, which protects the public against unreasonable searches and seizures.

That's the pitch the DHS is making. It hasn't made that pitch publicly, however. BuzzFeed's reporting covered a leaked memo. This claim hasn't been made on the record and, given the flexible contours of the Supreme Court's Carpenter decision, there's a good chance it won't hold up in court, much less under Congressional scrutiny. But, as it stands now, these agencies are still in the location data buying business until further notice.

6 Comments | Leave a Comment..

Posted on Techdirt - 8 December 2020 @ 11:59am

ICE Sends Subpoena To BuzzFeed, Hoping To Force It To Turn Over Its Sources

from the going-nowhere-with-this-but-still-a-problem dept

Four years of Trump was more than enough time to weaponize federal agencies against journalists. The administration has routinely condemned critical press outlets as "fake news" and Trump's fervent embrace of border patrolling made it easier for the DHS and its agencies to abuse their power.

The Constitution doesn't seem to matter much to those "securing" the nation. The CBP put a bunch of journalists, activists, and immigration lawyers on a watchlist, subjecting them to additional intrusive searches at border crossings and airports. The DHS tried to top this by compiling dossiers on journalists who covered anti-police brutality protests in Oregon, as well as journalists who had published leaked DHS documents.

The assault on the Constitution continues, with another DHS component deciding the protections given to journalists aren't nearly as important as figuring out who's leaking government documents.

Immigration and Customs Enforcement investigators issued a subpoena this week demanding BuzzFeed News identify its sources — an extraordinary attempt by the government to interfere with a news outlet acting under the protections of the First Amendment, and a move that the agency’s former chief lambasted as “embarrassing.”


The subpoena, issued on Dec. 1 by an agent with the ICE Office of Professional Responsibility, concerns emails sent to ICE attorneys on a fast-track deportation program and plans to fine certain undocumented immigrants. It demands that BuzzFeed News “provide all documentation including, but not limited to: (1) date of receipt, (2) method of receipt, (3) source of document, and (4) contact information for the source of the document.”

BuzzFeed has refused to comply with this subpoena. It has also apparently ignored the gag order ICE attached to its demand for info. Not that it was much of a gag order. It "requested" BuzzFeed not disclose the contents of the subpoena but, like the subpoena itself, it's pretty much unenforceable.

A court didn't issue this request. ICE did. It can write its own subpoenas but it really can't make anyone comply without getting a court involved. And it seems unlikely ICE will get a court involved because very few courts are going to sign off on obvious First Amendment violations.

But even if it's useless, it's still a problem. ICE could try to get courts involved and turn journalists into extensions of internal investigations. It could mass mail subpoenas to as many press outlets as it can, hoping for a hit. The problematic part isn't how badly it's being done, but that it's being done at all.

17 Comments | Leave a Comment..

Posted on Techdirt - 8 December 2020 @ 10:47am

Patriot Act Used By The FBI To Collect Internet Browsing Data, Contradicting Claims Made To Oversight

from the oh-no-this-must-be-the-first-time-the-IC-has-lied-to-its-oversight-[faints] dept

The NSA shut down its bulk phone records collection -- authorized under Section 215 -- after it became apparent it wasn't worth the effort. Reforms put in place by the USA Freedom Act prevented the agency from collecting it all and sorting it out later. Instead, it had to approach telcos with actual targeted requests and only haul away responsive records. The NSA somehow still managed to overcollect records, putting it in violation of the law. The NSA hinted the program had outlived its usefulness anyway, suggesting it had far better collections available under other authorities that it would rather not subject to greater scrutiny.

But this didn't end the government's bulk records collections. It just ended the phone metadata program. The NSA still collects other records in bulk, including banking records and, oddly, books checked out by library patrons. The broad authority of Section 215 could be read to allow the government collect other records, like email metadata and internet activity. Reasoning that people voluntarily create records of their internet use by using third-party services to surf the web, the government hinted it could sweep these up just as easily as it had swept up call records.

The government's attempt to collect internet history under this authority ran into some friction earlier this year when the Senate voted to block this collection. Senator Ron Wyden directly asked the director of national intelligence (DNI) to inform the Senate whether or not agencies under its purview had gathered internet use records under this authority. He received this answer.

In a Nov. 6 letter to Mr. Wyden, John Ratcliffe, the intelligence director, wrote that Section 215 was not used to gather internet search terms, and that none of the 61 orders issued last year under that law by the Foreign Intelligence Surveillance Court involved collection of “web browsing” records.

Wyden took this response to mean that implementing a ban on collection of internet history records could be put into place without negatively affecting any intelligence gathering activities. But when the New York Times pressed DNI John Ratcliffe on specifics, a new party inserted itself into the conversation: the DOJ. According to its response, the FBI had already done the thing the DNI had just told Sen. Wyden it hadn't.

In fact, “one of those 61 orders resulted in the production of information that could be characterized as information regarding browsing,” Mr. Ratcliffe wrote in the second letter. Specifically, one order had approved collection of logs revealing which computers “in a specified foreign country” had visited “a single, identified U.S. web page.”

So, the FBI was collecting internet browsing records, albeit with an order that only targeted foreign users visiting one US web page. Still, this wasn't what the DNI originally said to Sen. Wyden. This set Wyden off. Again. The supposedly honest answer he received in response to his questions wasn't actually all that honest. As he pointed out in his statement, the belated admission raised questions about domestic surveillance and potential abuse of Section 215 authority to collect something the DNI said no one was collecting. And, if nothing changed, there was no guarantee the Intelligence Community wouldn't talk itself into believing a collection of internet browsing data would be cool and legal.

“More generally,” Mr. Wyden continued, “the D.N.I. has provided no guarantee that the government wouldn’t use the Patriot Act to intentionally collect Americans’ web browsing information in the future, which is why Congress must pass the warrant requirement that has already received support from a bipartisan majority in the Senate.”

Previous attempts to erect a warrant requirement for the collection of internet data or search histories have failed to reach the president's desk. This latest admission has refueled the fire to protect Americans (or visitors to American websites) from government overreach. Even if such a collection targets only foreign internet users, there's no guarantee it won't sweep up US citizens -- like pretty much every other bulk collection has.

At this point, everything is up in the air. There's a new president headed into office who might be more receptive to reform efforts, but he's also the man who served the Obama Administration -- one that wasn't all that concerned about domestic surveillance until it became impossible to ignore the documents leaked by Ed Snowden. Even then, its response was tepid at best and it still allowed IC surveillance business to continue pretty much uninterrupted -- something it used to justify extrajudicial killings based on little more than metadata. This needs to be fixed, but surveillance reform advocates still lack majority support. And the guy headed to the White House has never seemed all that concerned about surveillance abuses.

8 Comments | Leave a Comment..

Posted on Free Speech - 8 December 2020 @ 3:24am

Federal Court Says Sanctions Are On The Way For Portland PD Over Violations Of Protest Restraining Orders

from the rule-of-law-is-cool-until-it-applies-to-you,-I-guess dept

Police forces -- both local and federal -- greeted Portland protests with violence. To be sure, there were some violent protests. But officers of both varieties felt they should be able to target journalists and legal observers with the same force they were deploying against rioters.

Once the feds rolled into town, things got worse. This was met with litigation, with journalists and observers asking the court to make the cops play by the normal rules of engagement. If journalists and observers weren't committing any crimes, they should be free to report and observe without fear of being beaten, shot at, or gassed.

The court agreed. So did the court above it, albeit belatedly. Injunctions were granted, prohibiting the use of force against the plaintiffs. These injunctions were immediately violated, resulting in more litigation.

It wasn't just the feds, although the feds were the most immediately noticeable violators of this court-ordered relief. The local police were having problems keeping themselves from greeting non-violent protesters with violence. A federal judge has just ruled that the Portland Police Department (PPD) violated his instructions and his restraining order on multiple occasions. (via Courthouse News Service)

Back in June. Judge Marco Hernandez banned the use of tear gas by cops except in life threatening situations. Another modification to his order banned the use of rubber bullets and pepper balls against "people engaged in passive resistance." According to Hernadez's latest ruling [PDF], the Portland Police have continued to violate his orders.

The court cites several instances detailed by protesters. In at least three cases, PPD officers violated the court's instructions on force deployment during a protest on June 30 -- less than a month after Hernandez issued his first order.

As described above, FN303s and 40mm less-lethal launchers must be used “as outlined in PPB Use of Force Directive 1010” and “shall not be used where people engaged in passive resistance are likely to be subjected to the use of force.” FN303s and 40mm less-lethal launchers are impact munitions governed by ¶ 6.4.2 of Use of Force Directive…

The Court finds that three of the eight incidents involving the use of impact munitions violated the Order. These three incidents include: (1) two deployments of fifteen rounds from an FN303 against individuals carrying a banner (Incidents 2 and 3) and (2) the deployment of a few rounds from an FN303 against an individual picking up an unknown object between the protest line and the police line (Incident 9). The remaining incidents did not violate the Order.

In one instance, the PPD tried to justify its excessive force by claiming a banner held by retreating protesters could have injured officers.

Officer Taylor testified that he deployed his FN303 against an individual holding onto a banner because he believed the banner would later be used as a weapon. Specifically, he cited the following circumstances in support of his belief that the banner may be dangerous: (1) the atmosphere of the protest that day; (2) the movement of protestors behind the sign as though it was a shield; (3) the slow pace of the protestors holding the banner, causing interference with the police formation; (4) the protestor’s refusal to let go of the banner; and (5) the use of PVC pipe as the banner’s frame, which he testified can be reinforced with cement or nails.

We're going to need a lot more than pure speculation, says the court.

But none of the circumstances cited by Officer Taylor suggested that this banner was a weapon or would be imminently used by protestors as a weapon.

And it's not like the protesters were operating under the cover of darkness to manufacture a PVC-and-cloth weapon of mass police destruction.

Police officers had ample opportunity to observe the banner before Officer Taylor deployed his munitions. The incident occurred while it was still light out, and video shows that the long PVC banner was flimsy.

Unjustified. And a violation of the judge's order.

And—most importantly—nothing suggested that the individual Officer Taylor targeted was engaged in “[a] threat or overt act of an assault, . . . which reasonably indicate[d] that an assault or injury to any person was about to happen, unless intervention occur[ed].” Use of Force Directive 1010 (Definitions). At most, the record shows that the individual who was refusing to let go of their sign was engaged in passive resistance.

While the PPD has mostly complied with the orders, it has not always complied with all the orders. Being mostly compliant simply isn't good enough. The court says sanctions are incoming.

Defendant has failed to demonstrate that it took all reasonable steps to comply with the Order. The Court acknowledges that Defendant took some steps to ensure compliance on June 30. Captain Passadore, for example, read the requirements of the Order over the radio after calling for attention from all officers involved in crowd control on the evening of June 30. There is also evidence in the record that Captain Passadore directed all supervisors to ensure that all officers were informed of the requirements of the Order. And the Court is cognizant that PPB has been stretched thin over the past few months with the same RRT officers working endless hours in response to ongoing protests. It is also aware of the effect the pandemic has had on PPD's ability to conduct additional trainings. Nevertheless, the Court cannot conclude that a single radio transmission and a discussion with RRT officers and supervisors on June 30, 2020, constitutes “all reasonable steps” Defendant could have taken to ensure compliance with the Order that evening. Accordingly, the Court finds Defendant City of Portland in contempt.

Unfortunately, if this comes down to fines, the City of Portland will just dig into its bag of "Other People's Money" and pay them. But it could result in further restrictions, which isn't going to work out well for an agency that's already demonstrated it can't follow printed instructions.

Read More | 9 Comments | Leave a Comment..

Posted on Techdirt - 7 December 2020 @ 7:37pm

Massachusetts Poised To Become The Next State To (Temporarily) Ban Facial Recognition Tech

from the but-there-are-lots-of-exceptions dept

Another state is looking to join California in banning facial recognition tech by law enforcement. Massachusetts legislators have just passed a bill that would outlaw facial recognition use in the state, following up on similar bans passed by cities within the state.

Massachusetts lawmakers have voted to pass a new police reform bill that will ban police departments and public agencies from using facial recognition technology across the state.

The bill was passed by both the state’s House and Senate on Tuesday, a day after senior lawmakers announced an agreement that ended months of deadlock.

At this point, it's not a full-on ban. But it does prevent law enforcement agencies from acquiring the tech until the end of 2021, at which point legislators will discuss a complete ban or the institution of other restrictions on its use. This moratorium is part of a bigger police reform bill, one that bans chokeholds and rubber bullets while pushing for intervention by police officers if they observe another officer violating rights. Ending qualified immunity in the state is no longer on the table, though, shouted down by the state's police unions.

That being said, this temporary ban is bigger than California's. California's moratorium (effective until 2022) only prevents the use of facial recognition tech in police body cameras. Everything else is still allowed for the time being. The moratorium in Massachusetts would prevent law enforcement agencies from acquiring any version of this tech.

But it would allow law enforcement to run searches through the state's motor vehicle database. The state DMV will still be allowed to use biometrics to verify individuals seeking vehicle licenses and other permits. However, if a law enforcement agency utilizes this option (which is limited to warrant execution and other "immediate danger of death or serious injury" situations), an affidavit justifying the search must be filed with the court and the person targeted by the search notified within 72 hours. The DMV is also obligated to publish periodic reports on searches run by law enforcement agencies.

But there may be some opposition ahead. Even though this has passed both legislative branches, it still needs the governor's signature. Last year, Governor Charlie Baker stated he wasn't interested in regulating this tech at the state level, giving this bizarre response to journalists.

My understanding is most of that’s regulated at this point at the federal level,” Baker told reporters Monday, following a Herald report on the spread of the technology and lack of controls. “Whether or not it should be regulated at the state level is something we’ve had conversations about, but they’re not to the point where we’d be ready to file legislation.”

The tech is very definitely not regulated at the federal level. The only legislation targeting this tech has been passed by cities and states. Congress may have expressed an interest in taking on the tech, but nothing has made its way to the president's desk, much less made it out of committee. Federal agencies -- especially those operating under the DHS's unwatchful eye -- are big fans of biometric surveillance and very few federal legislators seem interested in tempering their acquisition and deployment of the tech.

The tech remains highly problematic and under-regulated. If this bill becomes law, it will at least force the state of Massachusetts to confront these issues before moving forward with tech acquisitions. A little more scrutiny might go a long way.

4 Comments | Leave a Comment..

Posted on Techdirt - 7 December 2020 @ 1:48pm

Provision Added To Defense Bill That Would Make Federal Officers Policing Protests Identify Themselves

from the accountability-increases! dept

We've heard a lot about the latest defense authorization bill in recent days, thanks mainly to President Trump's (empty) threats to withhold funding for the military (the guys he says he loves!) if it doesn't include a Section 230-stripping poison pill (aimed at the guys he hates!). Congress has belatedly developed a backbone and is threatening to override the President's promised veto -- something Trump is promising to do because, apparently, funding the military is less important than making sure people on Twitter don't treat him like the idiot he is.

Trump's tantrum notwithstanding, the bill will pass with or without his support. No other mildly rational legislator actually believes preventing social media platforms from being sued over third-party content is a "national security" issue. Plus, the sitting president will soon be forced to stand, pack his shit into file boxes, and make his way towards the exit.

There's some good stuff in the NDAA (National Defense Authorization Act), even if you believe America isn't obligated to protect the world from everyone. Yes, America's war machine is a trillion dollar industry that shows little sign of slowing down. Its excesses allow cops to avail themselves of war gear and the nastiest end of its spectrum sends legislator-blessed death from above to perform extrajudicial killings.

But, as Dan Friedman reports for Mother Jones, there's an addition to the latest NDAA that would prevent Gestapo-esque bullshit from being carried out by federal agents sent to quell anti-government protests in American cities. If this bill passes as written, there will be no more disappearing of protesters by unidentified federal cops. Going forward in 2021, federal law enforcement agents will have to be clearly identified while tossing protesters into unmarked vehicles.

Congress is set to approve a defense policy bill that bars unidentified federal law enforcement officers from policing protests. The bill responds to a phenomenon that Mother Jones flagged in June: Unidentified federal law enforcement officers with no identifying insignia joined in the Trump administration’s coordinated crackdown on protests against police violence in several cities earlier this summer.

This would also allow people whose rights have been violated to figure out who they need to sue. Officers who fail to identify themselves make it difficult to name defendants. A lack of identifiable defendants allows the government to sidestep a lot of litigation and prevents plaintiffs from shoring up their allegations. This NDAA provision makes it easier for citizens to hold the government accountable for its abuses and rights violations.

On top of that, it makes it easier for citizens everywhere to see who's doing what in their name. Taxpayers are paying for this "protection." The least the government can do is make it clear to everyone who's providing this "protection" and which officers are overstepping their bounds.

51 Comments | Leave a Comment..

Posted on Techdirt - 7 December 2020 @ 9:35am

Federal Court System Pushes Back Against Free Access To Court Documents

from the your-tax-dollars-hard-at-work-demanding-more-tax-dollars dept

Never underestimate the desperation of a government entity being asked to manage its money better. After years of mismanaging the millions of dollars the court system rakes in every year, the federal judiciary has believed for years that "free and open access" to court documents should be way less than free. The court's PACER system puts a paywall between citizens and court documents. On top of this, it places an antiquated front end that further separates citizens from court documents, charging them per page of useless search results.

The PACER system has been a frequent target of litigation and legislation. Unfortunately, these efforts haven't resulted in an overhaul of the system. The system continues to treat infinite goods as paper documents, charging users per page of downloaded PDFs or docket listings. It also charges per search, allowing the system's far-from-useful search functions to generate revenue for the courts. The money from PACER was supposed to make PACER better and lower the cost of usage. Instead, it has been used to buy furniture and flat screen TVs for those fortunate enough to live within walking/driving distance of a federal courthouse. As for everyone else, the government collects up front and provides very little in the way of improvements for telecommunicators.

Legislators are once again pushing for the system to be free for most citizens. And the courts are pushing back, claiming being unable to charge per page fees would irreparably harm the recipients of these fees.

Leaders of the federal judiciary are working to block bipartisan legislation designed to create a national database of court records that would provide free access to case documents.


James C. Duff, director of the Administrative Office of the Courts, has asked House leaders not to schedule a vote on the bill that he said would require a hefty increase in court filing fees to pay for a “massive, untested, disruptive, and costly overhaul.”

“The idea of making it free for everyone is certainly attractive, but it’s not free,” Duff said in an interview.

Duff is right. It isn't free. Taxpayers pay judges and clerks to generate documents. Taxpayers front every civil and criminal action the federal government gets involved with. Citizens also pay filing fees when they engage in private litigation. So there's plenty of money flowing into the system. But the system seems to believe this should be a one-way stream of revenue that provides almost no benefits to those funding it.

James Duff seems to believe the "costs" of providing PDF downloads for free should be "offset." And he's asking taxpayers to continue offsetting the costs of documents they've already paid for. Somehow Duff has talked himself into believing filing fees would skyrocket, preventing people the court system is already screwing with PACER fees from utilizing this avenue of redress.

Duff said higher fees for litigants in civil and bankruptcy cases could represent an “outright barrier to seeking relief in the federal courts.”

LOL but no. Plaintiffs who can't pay the fees can ask the court to waive their fees. It's not impossible for poorer plaintiffs to file lawsuits. This disingenuous complaint misrepresents the fact that most plaintiffs do not ask for waivers and are willing to pay fees to litigate in federal courts. The litigants who most often seek fee waivers are federal prisoners, a taxpayer burden few government officials ever find time to complain about.

Duff also sees himself as the great equalizer, even if protecting the PACER status quo will continue to negatively affect our nation's poorest citizens. According to Duff, free access to all will make corporate fat cats even fatter.

A free database, he added, would be a “financial windfall” for the large banks, legal-database companies and research institutions that currently fund 87 percent of the costs of the online court records service.

First off, it seems like the judiciary could continue to collect fees from PACER "whales," much in the way many free internet services do. Second, this refusal to allow free access to millions doesn't suddenly make things "fairer" for them just because the judiciary isn't willing to engage in corporate welfare.

Not only is the judiciary wrong about the pros and cons of free access, it's also wrong about how much free access would actually "cost." The judiciary says it will cost at least $2 billion over the next five years to give citizens free PACER access. Legislators and researchers say it will cost far less: ~$2 million/year. That's an unnoticeable drop in the federal judiciary budget bucket. The judiciary wants $7.65 billion to cover its costs next year. It seems unlikely anyone would miss a 0.026% budget shortfall.

That makes this statement from Judge Reggie Walton (formerly of the FISA Court) unintentionally hilarious.

U.S. District Judge Reggie Walton in Washington said court proceedings and documents should be transparent and accessible. But if Congress mandates the creation of a new, free database of records, lawmakers have to provide the funding. He is concerned about the financial impact on the court’s day-to-day operations.

Whew. Can you imagine trying to do without 0.02% of your yearly budget? You might have to use a coupon on something a few times a year.

This pushback against free access is nothing more than the government feeling it should be able to maintain a wall between what it does and the people that pay for it. The federal judiciary is showing its entire entitled ass. Citizens should have free access to court documents. They've already paid for them once. There's no reason the government should continue to pretend it's the petty librarian manning the Xerox and charging visitors $0.10/page for photocopies. All we're asking is for the judiciary to recognize it shouldn't place a paywall between taxpayers and infinite goods. But, according to courts, this is something we don't deserve and aren't entitled to ask for.

10 Comments | Leave a Comment..

Posted on Free Speech - 4 December 2020 @ 3:28am

French Legislators Outlaw Discriminating Against People Because Of Their 'Regional Accents'

from the most-French-legislation-ever-passed dept

France's relationship with free speech is strange. On one hand, no one protests like the French protest. Given the nation's predilection for targeted vandalism and guillotine construction, it would seem the government would have taken notice of citizens' right to engage in speech that's right on the edge of targeted violence… all without losing sight of the importance of that speech.

But for every bit of slack cut to protesters, the government still targets the people's freedom to express themselves. This results in more protests and more backtracking, but the country's government is surprisingly resilient. It just shrugs off the latest protests and tries again.

The government has passed laws that allow the literal police to literally police the internet for speech the government doesn't like. This law was struck down by the courts but there can be little doubt a replacement is in the works. The government has also sided with extremists by engaging in speech-related prosecutions that target citizens who've criticized extremists. The firebombing of a French satirical newspaper by Islamic extremists hasn't nudged the dial towards freer speech, unfortunately. The government has also made insulting certain politicians a crime and has given itself broad powers to take down internet speech.

So, it's unsurprising the government has gotten itself into the business of regulating ridicule. A new law forbids citizens from denying services to other citizens who may be sporting the "wrong" accents, targeting a cornerstone of French culture: disparaging of people who "aren't from around here."

The Assemblée Nationale of France made discrimination based on regional accents an actionable offense Friday, adopting a bill proposed by deputy Chrisophe Euzet by a vote of 98 to 3. The new law punishes accent discrimination in the same manner as discrimination based on ethnicity, gender or disability. Those who violate the law may face up to three years in prison along with a 45,000 euro fine.

I can't even imagine how this will be enforced, other than "arbitrarily" and "badly." There's some basis for the law, I guess. A report by the Committee on Constitutional Laws claims 27% of respondents have been "mocked" for their accents and 16% have been discriminated against because their accent wasn't considered acceptable.

The Committee -- and the legislators approving this bill -- are hoping to create a cultural shift toward acceptance and tolerance. This shift will be encouraged with a legislative hammer, as the Committee's report insinuates.

The present bill aims to promote the diversity of pronunciation of the French language by prohibiting “discrimination by accent” that we see factually in functions involving, in particular, public expression: the test intends to change attitudes overtime by initiating the modification of the law in force.

"Cultural shifts over time" are possible. Not all of them require new laws and fines. I don't condone discrimination but a new law that hinges on characteristics that are far from immutable opens the door for the government to regulate any number of interactions between private companies and their customers based on little more than the sort of claims that surface in questionable Yelp reviews.

I'm of two minds about this. I don't care for baseless discrimination over something as insignificant as regional dialects. But I also recognize the regional dialect thing can go both ways, allowing those with "wrong" accents to be just as discriminatory against those they think are high-class assholes who deserve to be given a ride just because they happen to come from the "right" places. (See also: Deliverance, Southern small town speed traps, etc.) This is a uniquely French way of dealing with a deep-seated problem, even if evidence of the problem and/or its deep-seatedness doesn't necessarily appear to be on the record.

13 Comments | Leave a Comment..

Posted on Techdirt - 3 December 2020 @ 2:51pm

After Being Notified Of Info It Should Have Already Been Aware Of, LAPD Bans Clearview Use By Investigators

from the ohhhhhhh-those-unauthorized-uses dept

The Los Angeles Police Department is shutting down a very small percentage of its facial recognition searches. Last month, public records exposed the fact that the LAPD had been lying about its facial recognition use for years. Up until 2019, the department maintained it did not use the tech. Records obtained by the Los Angeles Times showed it had actually used it 30,000 times over the past decade.

The most recent development in the LAPD's mostly dishonest use of this tech is that it will not allow personnel to mess around with certain third-party offerings. As Buzzfeed reports, the LAPD has forbidden the use of Clearview by officers following the release of information the department already should have already been aware of.

Documents reviewed by BuzzFeed News showed that more than 25 LAPD employees ran nearly 475 searches with Clearview AI over a three-month period beginning at the end of 2019.


LAPD officials confirmed that investigators were using Clearview AI but declined to say which officers and which specific cases it was used for. They also refused to say whether the facial recognition software has led to arrests of any suspects.

Now that the public knows what the LAPD already should have known, the department is changing its policy to exclude Clearview… and probably not much else.

The Los Angeles Police Department has banned the use of commercial facial recognition systems, following inquiries from BuzzFeed News about its officers' use of a controversial software known as Clearview AI.

Have to love the fact that the LAPD needed to be apprised of what its own investigators were doing by journalists. That's the level of internal oversight we've come to expect from the nation's law enforcement agencies. If you don't look for anything, it's almost impossible to find misconduct and abuses of power. No news is the best news. And it can easily be achieved by doing nothing at all.

This ban only affects "commercial" software which means investigators will still be able to use (and misuse) more official products, like the facial recognition system owned by the county -- the same one the LAPD spent years denying it used.

And, although it's an incremental change that seems to only forbid the use of one particular facial recognition product, it's still good to see another law enforcement agency kick Clearview to the curb. Clearview's unproven AI trawls a database of photos scraped from the internet, making it a highly questionable addition to any government agency's surveillance repertoire. And Clearview has been highly irresponsible in its marketing and distribution of its tech, making unverified claims about law enforcement successes while encouraging government employees to test drive the software by feeding it faces of friends, family members, celebrities, etc.

If more agencies uninvite this third-party interloper, law enforcement critical mass will make Clearview's business plan untenable. It's already ditched most of its private customers in response to lawsuits. If the potential customers it has left refuse to do business with it, it will soon become little more than a horrible memory.

7 Comments | Leave a Comment..

Posted on Techdirt - 3 December 2020 @ 9:30am

New York Schools Putting Students In The Crosshairs Of Tech That Targets Minorities, Thinks Broom Handles Are Guns

from the if-at-first-you-don't-succeed,-victimize-minors-again dept

We're turning over discipline of school kids to cops and their tech and it's just making existing problems even worse. We've seen the problems inherent in facial recognition tech. And it's not just us -- this so-called leftist rag (according to our anonymous critics). It's also the National Institute of Standards and Technology (NIST). Its study of 189 facial recognition algorithms uncovered why most legislators seem unworried about the surveillance creep:

Middle-aged white men generally benefited from the highest accuracy rates.

When systems pose no risk to you personally, it's unlikely you'll object to rollouts of unproven AI and questionable tech. If it only hurts people who aren't you or your voter base, any incremental increase in law enforcement "effectiveness" is viewed as an acceptable tradeoff.

Destroying the lives of minorities has never been a major legislative concern. But if we all agree children are our future, it seems insanely destructive to turn a blind eye to the havoc this tech can create. Unless, of course, legislators believe only white children can secure the future (give or take 14 words). Then it's OK, even when it definitely isn't.

Documents obtained by Motherboard show few people care about minorities, no matter what government position they hold. Vetting contractors should be the first check against abuses. But it appears no one involved with regulating the lives of students (who are legally obligated to attend schools that view them as criminals) cares what happens to the minors they subject to the racist tendencies of law enforcement agencies and the tech they deploy.

Ever since they learned that Lockport City School District intended to install a network of facial recognition cameras in its buildings, parents in the upstate New York community—particularly families of color—have worried that the new system will lead to tragic and potentially fatal interactions between their children and police.

Now, documents newly obtained by Motherboard accentuate those fears. They show that SN Technologies, the Canadian company contracted to install Lockport’s facial recognition system, misled the district about the accuracy of the algorithm it uses and downplayed how often it misidentifies Black faces. The records, comprising hundreds of pages of emails between the district and the company, also detail numerous technical issues with SN Technologies’ AEGIS face and weapons detection system, including its propensity for misidentifying objects like broom handles as guns.

Wonderful. The collective shrug of legislators is feeding kids to racist tech with a proven track record of being unable to identify criminal suspects. This one goes a step further. It's unable to detect weapons accurately, which is probably why cops think it works great. Cops can't seem tell a cellphone or a Wii controller from a gun, so whatever justifies the use of force is an acceptable tradeoff for… um… not deploying force, I guess. So, when lives are actually on the line, cops will be chasing down broom handles being held by minorities, rather than weapons held by white people, who are far more likely to engage in school shootings.

The New York State Education Department (NYSED) stands by its approval of this questionable tech… sort of. Lockport officials have refused to comment. So has the police department making use of it. And so has their chosen facial recognition vendor, SN Technologies, which provides the AEGIS tech.

It's not like they didn't have any warning that the tech was faulty. Lockport officials received an email that discusses AEGIS's accuracy and propensity for aggravating racial biases. The AI finished 49 out of 139 respondents in the NIST's test for racial bias. But even that weak finish was overstated. As the NIST pointed out, the algorithm submitted by SN Technologies (which licenses its algorithm from French firm id3 Technologies) wasn't the same one that's being deployed in New York schools.

[A]ccording to Patrick Grother, the NIST scientist who oversaw the testing, the agency never tested an id3 Technologies algorithm that matches the description Flynn gave Lockport officials. “Those numbers don’t tally with our numbers. They’re not even close. What id3 sent to NIST is not what these people are talking about,” Grother told Motherboard.

The documents obtained by Motherboard show something even more nefarious than the submission of an algorithm that didn't actually represent what the company sold to clients. It appears SN Technology lied to school officials about the NIST's test results, claiming the algorithm was nearly twice as accurate as NIST testing actually showed.

But that hasn't stopped the rollout of facial recognition tech that disproportionately misidentifies minorities and/or their non-weapons. Other schools -- some in other states -- seem to believe faulty tech is better than no tech at all, especially if there's a chance the next false positive could prevent a school brooming.

At least 11 other districts in the state have since applied for Smart Schools money to purchase facial recognition systems, according to a NYCLU analysis of the applications. Schools in other states, such as South Carolina, have also deployed similar systems which claim the ability to detect weapons and stop school shootings.

We'll see if the spread of terrible tech slows in the future. Facial recognition is currently the target of lawsuits and legislation in New York. But if past performance is any indicator of future results, the tech isn't going to go away, no matter how poorly facial recognition tech, you know, recognizes faces.

4 Comments | Leave a Comment..

Posted on Techdirt - 2 December 2020 @ 1:27pm

Australian Cops Are Pre-Criming Students Too, Setting Minors Up For A Lifetime Of Harassment

from the procedural-crime-generation dept

It's not just American law enforcement agencies turning kids into criminals. They're doing it in Australia too. In Florida, the Pasco County Sheriff's Office uses software to mark kids as budding criminals, using questionable markers like D-grades, witnessing domestic violence, or being the victim of a crime. The spreadsheet adds it all up and gives deputies a thumbs up to start treating students like criminals, even if they've never committed a criminal act.

Over in Australia, the process seems to be a bit more rigorous, but the outcome is the same: non-criminals marked (possibly for life) as potential criminals who should be targeted with more law enforcement intervention.

Victorian police say a secretive data tool that tracked youths and predicted the risk they would commit crime is not being widely used, amid fears it leads to young people from culturally diverse backgrounds being disproportionately targeted.

The tool, which had been used in Dandenong and surrounding suburbs, was only revealed in interviews with police officers published earlier this year.

Between 2016 and 2018, police categorised young people as “youth network offenders” or “core youth network offenders”.

It takes a bit more to be added to this secret list -- one police have managed to keep hidden from the general public. Even the program's name remains a secret. This means parents are never informed when cops decide their kids are criminals-in-development. It also possibly means schools aren't aware the data they're feeding the police is being used this way.

According to the research paper detailing the program, Victoria police have classified 40-60 students as "core youth network offenders." Another 240 students were classified as "youth network offenders." To get placed on these exclusive lists, students must be charged dozens of times with "offenses," running from 20 for the 10-14-year-old group to over 60 for 18-year-olds. It's unclear from the context of the report whether this means criminal offenses or in-school discipline "offenses," but the latter seems more likely. Someone criminally charged over 60 times before they reached the age of 18 wouldn't need to be on a secret youth offender list to be on law enforcement's radar.

The Victoria police appear to believe the tech is actually magic.

“We can run that tool now and it will tell us – like the kid might be 15 – it tells how many crimes he is going to commit before he is 21 based on that, and it is a 95% accuracy,” one senior officer told [researchers]. “It has been tested.

Actual pre-crime, stripped of all the obfuscating language that normally surrounds statements on profiling/predictive policing programs. This program can actually predict criminal acts… at least according to its proponents and users. Presumably the police aren't locking up listed students ahead of any wrongdoing, but they're certainly increasing their interactions and surveillance of students the tool said will commit [x] crimes over the next few years.

And, like every goddamn predictive policing program that exists anywhere, it focuses on minorities and other disadvantaged residents.

In Dandenong, 67% of households spoke a language other than English at home, more than three times the national average, according to the 2016 census. Almost 80% of all residents had parents who were both born overseas, more than double the national average.

The weekly household income was $412 less than the Australian median, and the unemployment rate of 13% was almost double the national figure.

Cheer up. The cops are here to take everything that sucks about life and make it worse. Rather than address the underlying problems, law enforcement appears content to throw a spreadsheet over it and divert resources towards subjecting certain people to a lifetime of harassment. Then, when things inevitably get worse, they can ask for more money to buy more "smart" policing tech garbage that ensures this hideous, regressive loop remains unbroken.

22 Comments | Leave a Comment..

More posts from Tim Cushing >>


This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it