commerce department – Techdirt

Israel Gives Blacklisted Spyware Companies The Go-Ahead To Help It Track Israeli Hostages

from the not-just-a-tool-of-oppression! dept

Decades of somewhat-restrained conflict between Israel and Palestine erupted into war again at the beginning of the month. Islamist militant group Hamas followed rocket strikes with a physical invasion, the latter of which included the massacre of hundreds of Israeli civilians. Israeli civilians were also tortured and mutilated.

Hamas also allegedly kidnapped around 200 Israelis, including 30 children. I say “allegedly” because that’s what Hamas claims, not because I don’t believe Hamas is willing and able to kidnap 200 Israelis.

This horrific string of events has resulted in the Israeli government cautiously welcoming a couple of its most notorious resident tech companies back into the fold… at least for now. Here are more details from Gwen Ackerman and Marissa Newman for Bloomberg:

Israel’s security services are pulling in spyware companies, including the maker of the controversial Pegasus software, to help track hostages in the Gaza Strip, people familiar with the matter said.

NSO Group and Candiru, both of which are blacklisted by the US, are being asked to quickly upgrade their spyware capabilities to meet needs laid out by the country’s security forces, according to four cybersecurity industry sources and an Israeli government official. They, together with several other software firms, are collaborating on the requests and largely offering their services for free, said the people, who asked not to be identified because they weren’t authorized to comment on military operations.

The Commerce Department blacklist — which followed weeks of negative coverage stemming from the apparent leak of “targets” of NSO customers — led to the Israeli government finally placing limits on who its native malware tech firms could sell to. This reversed the longstanding partnership in which the Israeli government helped NSO and others secure contracts with a variety of known human rights abusers in the Middle East.

It was a severely dysfunctional form of diplomacy, one that blew up in NSO Group’s face. Israel’s government suffered some collateral damage, having assisted a bunch of its former employees (most spyware firms in Israel were formed by former Israeli intelligence operatives) in making the world a worse place for everyone. The leaked list showed a lot of NSO customers weren’t using its powerful Pegasus spyware to track down dangerous criminals and terrorists. Instead, they were using it to spy on critics, journalists, legal advocates, political opponents, and anyone else who might somehow inconvenience those in power.

The fallout led to the government creating some distance between itself and the companies it had indirectly helped to create and directly helped to succeed.

Though Israel has never publicly severed ties with NSO and Candiru, the Israel Defense Forces dismissed some of their employees from military reserve duty after the firms were sanctioned in the US for helping authoritarian regimes track journalists and dissidents.

That gap has been closed a bit in recent weeks. Candiru states that it is volunteering the use of its spyware to help locate and track Israeli captives. The same thing goes for NSO.

NSO has the advantage. Its Pegasus spyware is a zero-click exploit, which means it only needs to be sent to the phones of kidnapped citizens. It doesn’t require any interaction from the recipient.

While this may be capable of locating phones, it won’t necessarily locate people. No one kidnapped by Hamas would be allowed to keep their phone. However, their captors are certainly in possession of their phones and, in many cases, already have access to their contents. As long as the phones are useful to Hamas, the use of this spyware will allow the government to track the captors. If the phones have been disposed of for exactly this reason — i.e., the possibility they may be converted into Israeli government surveillance devices — this effort will go nowhere.

That doesn’t mean it’s not worth trying. And it presents a case study for actually useful, non-harmful deployments of powerful cell phone exploits. This is the sort of situation where citizens would welcome government intrusion, and that’s when governments should be prepared to do things like this.

Obviously, it’s not a great way to make money. Both companies appear to be providing their spyware for free. No local company would want to appear to be making a buck on their fellow citizens’ misery… at least not in cases like these. That they’re willing to help their own government engage in domestic surveillance for truly harmful reasons shows what they’re willing to do for a buck, but they can be altruistic when the situation calls for it.

It’s very possible malware like NSO’s Pegasus exploit has helped law enforcement locate kidnapped people before. Great! But that has been the exception, rather than the rule. And the companies pitching in here know you can’t make good money helping out worthy causes or refusing to sell to autocrats or pulling the plug on contracts the moment any questionable uses are discovered.

So, we have what we have here: a worthwhile use of powerful spyware that will always be an anomaly, no matter how often exploit suppliers like this are investigated, curtailed, or blacklisted. Hurting powerless people will always be more profitable than helping them. NSO and its competitors will live on, supplying autocrats with tools to silence criticism and stifle dissent. Because that’s where the money actually is.

Filed Under: commerce department, israel, palestine, pegasus, spyware, surveillance
Companies: candiru, nso group

Federal Agency Acquired NSO Group Malware Via Front Company After NSO Was Blacklisted By Commerce Dept.

from the hark,-a-loophole! dept

A leak of alleged customers’ targets — a list that included journalists, human rights activists, religious leaders, government critics, and political figures — turned a trickle of news about Israel-based NSO Group into a steady stream of harrowing revelations.

NSO was the best in the spyware business, offering customers a zero-click exploit that almost fully compromised targets’ phones. NSO’s “Pegasus” malware was wiretaps on steroids, a powerful tool that allowed the interception of communications, remote activation of mics and cameras, and access to content stored on targeted devices.

Power is supposed to go hand-in-hand with responsibility, but no one was acting responsibly here. NSO sold its malware to notorious human rights abusers. Unsurprisingly, the end result was plenty of abusive surveillance.

The US government reacted to this steady stream of negative revelations by slapping NSO with some sanctions. The Commerce Department put NSO Group (and another Israeli malware purveyor linked to surveillance abuse) on its blacklist, effective November 3, 2021. This blacklisting forbade the issuing of licenses for “exports, reexports, or transfers (in country) to the persons added to this Entity List.”

While this blacklisting did not specifically forbid US government agencies from acquiring NSO malware, you’d think they’d assume it would be best to steer clear of companies currently under sanctions. But common sense didn’t prevail here. According to this report from Mark Mazzetti and Ronen Bergman for the New York Times, one federal agency decided it wasn’t going to let sanctions and months of bad press separate it from its preferred spyware.

And the agency (which has yet to be identified) knew this would be a PR nightmare, so it decided to let someone else take the fall for this unwise acquisition.

The secret contract was finalized on Nov. 8, 2021, a deal between a company that has acted as a front for the United States government and the American affiliate of a notorious Israeli hacking firm.

Under the arrangement, the Israeli firm, NSO Group, gave the U.S. government access to one of its most powerful weapons — a geolocation tool that can covertly track mobile phones around the world without the phone user’s knowledge or consent.

If the veiled nature of the deal was unusual — it was signed for the front company by a businessman using a fake name — the timing was extraordinary.

The timing, indeed. This deal was signed five days after the Commerce Department sanctions went into effect. Hence the use of a front company and fake person in hopes of flying this questionable purchase under the radar.

But it didn’t work. The New York Times acquired a copy of the contract. However, it’s missing one crucial detail: the name of the agency that decided it was worth looking shady as fuck to acquire tech from a company currently occupying the spyware Pariah-in-Chief role.

On the other hand, it did work. If administration officials are to be believed, they’re unaware this purchase happened.

Asked about the contract, White House officials said it was news to them.

Obviously, someone knows something. The contract exists and appears to be real. But White House officials (speaking anonymously) claim to know nothing about this. The Director of National Intelligence has refused to provide any comment. If anyone knows anything about this, it’s probably the FBI, because it used the same front company to acquire NSO’s Pegasus malware a few years ago, long before NSO became internationally infamous.

The secret November 2021 contract used the same American company — designated as “Cleopatra Holdings” but actually a small New Jersey-based government contractor called Riva Networks — that the F.B.I. used two years earlier to purchase Pegasus. Riva’s chief executive used a fake name in signing the 2021 contract and at least one contract Riva executed on behalf of the F.B.I.

The signature on the contract says “Bill Malone,” but people familiar with the front company (and the government’s use of it) say that’s the name used by Robin Gamble, the chief executive of Riva Networks.

And what was being acquired here wasn’t NSO’s flagship malware — the zero-click exploit known as Pegasus. Instead, the unknown government agency wanted another powerful exploit. This one, called Landmark, turns phones into homing beacons, allowing governments to track people wherever they go. NSO’s Landmark has its own sordid past. It has been linked to multiple abuses by the Saudi government to track dissidents and government critics.

While I understand front companies might be needed to ensure operational security in extreme cases, this whole thing just looks extremely dirty. A federal agency used a shady company (here’s a photo of Riva’s supposed headquarters) to buy tech from another shady company, all while being fully aware the company it was buying from had been sanctioned by another federal agency. The government is acting like the Mob. And when it does that, it lays the groundwork for abuse of a product the rest of the government doesn’t even know it has.

Filed Under: commerce department, pegasus, sanctions, spyware, surveillance, us government
Companies: nso group, riva networks

The Great TikTok Moral Panic Continues As Senators Thune, Warner Attempt A More Elaborate Ban

from the performative-freak-out dept

Thu, Mar 9th 2023 05:27am - Karl Bode

We’ve noted for a while now how most of the outrage surrounding TikTok isn’t exactly based in factual reality.

There’s no real evidence of the Chinese using TikTok to befuddle American toddlers at scale, and the concerns about TikTok’s privacy issues are bizarrely narrow, with many of the folks proposing a ban seemingly oblivious to the broader problem: namely a lack of data broker oversight and our comical, corruption-fueled failure to pass even a basic U.S. privacy law for the internet era.

Undaunted, Senators Mark Warner and John Thune this week introduced the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act (summary and full bill text), legislation the duo claims will make Americans far more safe and secure by, among other things, eventually, maybe banning TikTok in the United States.

Unlike other proposals that weirdly hyperventilate exclusively about TikTok, Thune and Warner’s proposal claims it will empower the Department of Commerce to more broadly review, prevent, and mitigate “technology transactions” that “pose undue risk to our national security”:

“Today, the threat that everyone is talking about is TikTok, and how it could enable surveillance by the Chinese Communist Party, or facilitate the spread of malign influence campaigns in the U.S. Before TikTok, however, it was Huawei and ZTE, which threatened our nation’s telecommunications networks. And before that, it was Russia’s Kaspersky Lab, which threatened the security of government and corporate devices,” said Sen. Warner. “We need a comprehensive, risk-based approach that proactively tackles sources of potentially dangerous technology before they gain a foothold in America, so we aren’t playing Whac-A-Mole and scrambling to catch up once they’re already ubiquitous.”

Thune and Warner are applauded for at least proposing broader solutions instead of singularly freaking out about TikTok exclusively. Still, the bill’s a bit murky, and generally structured to avoid being vulnerable to a legal challenge as a bill of attainder, something likely to plague a recent House GOP legislative proposal focused on singularly banning TikTok.

That said, these efforts are all largely based on a lot of silly fearmongering that doesn’t have much basis in reality. Before he released the bill, Warner stated that one of his key motivations for it was to thwart TikTok from becoming a tool for Chinese propaganda. But again, there’s no evidence that’s actually happening, and Warner’s proposed theoreticals are just kind of silly:

“What worries me more with TikTok is that this could be a propaganda tool,” Warner said. “The kind of videos you see would promote ideological issues.”

Warner said the app feeds Chinese kids more videos about science and engineering than American children, suggesting the app’s content recommendation system is tuned for China’s geopolitical ambitions.

That’s to say, Warner couldn’t actually come up with any examples of TikTok being used for Chinese propaganda at scale (because there aren’t any yet), so he just effectively made up a claim that the Chinese are intentionally showing Americans fewer science videos to make us stupid, which is just… silly.

Congress’ fixation on TikTok as a theoretical propaganda weapon is amusing coming from a country that’s increasingly so buried in right wing and corporate propaganda that Americans not only routinely cheer against their own best self interests while parroting conspiracy theories, they’re increasingly likely to become radicalized and commit mass murder. Congress doesn’t seem in much of a rush, there.

The other concern about TikTok, that the Chinese will use TikTok data to spy on Americans, is obviously more valid. Yet proposals to ban TikTok — even elaborate ones like the legislation proposed by Thune and Warner — still aren’t getting at the real heart of the problem.

For decades, we’ve effectively let telecoms, app makers, OEMs, and every other company that touches the internet hoover up every last shred of consumer data. Those companies then consistently not only fail to secure this data, they sell access to it to a rotating crop of global data brokers, which in turn sell access to everything from your daily movement habits to your mental health issues.

It’s trivial for the Chinese, Russian, or American governments to purchase and abuse this data, even if you banned TikTok (and every single other Chinese app in existence) tomorrow.

But you’ll notice that the lion’s share of the Congressfolk who’ve dropped absolutely everything to hyperventilate about TikTok don’t much care about that; an attempt to regulate data brokers or implement meaningful penalties for corporations (and executives) that over-collect data and then fail to secure it might impact the revenues of U.S. companies, and you simply can’t have that.

Freaking out about TikTok is far more politically safe than addressing the bigger problem. It lets you pretend you’re being “tough on China” and genuinely care about national security and consumer privacy, even if your stubborn refusal to hold data brokers accountable or pass a privacy law undermines all the national security goals you claim to be keen on addressing.

Filed Under: chinese surveillance, commerce department, john thune, mark warner, national security, privacy, propaganda, restrict act, security, social media, tiktok ban
Companies: tiktok

Israeli Malware Merchants NSO Group, Candiru Added To Commerce Department Export Blacklist

from the unwelcome-to-the-party,-pals dept

A couple of Israeli spyware purveyors have finally gotten themselves disinvited from the good graces of the federal government of the United States. The Commerce Department’s Bureau of Industry and Security has amended its export regulations to hand NSO Group and the more mysterious Candiru a “presumption of denial,” meaning they’ll have to prove they’re trustworthy again before US entities will be able to do business with them.

The new rules also make it more difficult for NSO and Candiru to sell their products using middlemen who aren’t affected by the regulations.

In addition, the ERC [End-User Review Committee] also determined that no license exceptions should be available for exports, reexports, or transfers (in-country) to the persons being added to the Entity List in this rule.

NSO and Candiru weren’t the only ones affected by this amendment, but they’re the most notable recipients of the export controls.

The ERC determined that NSO Group and Candiru be added to the Entity List based on § 744.11(b) of the EAR: Entities for which there is reasonable cause to believe, based on specific and articulated facts, that the entity has been involved, is involved, or poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States and those acting on behalf of such entities. Specifically, investigative information has shown that the Israeli companies NSO Group and Candiru developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.

Also added to the blacklist were two other malware purveyors located in countries the United States has a much frostier relationship with.

The ERC determined that Positive Technologies, located in Russia, and Computer Security Initiative Consultancy PTE. LTD., located in Singapore, be added to the Entity List based on their engagement in activities counter to U.S. national security. Specifically, these entities traffic in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide.

US companies and agencies will now have to approach the Commerce Department and ask for permission to purchase exploits from these companies, with the presumption being that their requests will be denied. This effectively shutters a large and presumably profitable market for these companies. It also prevents US-based exploit developers from selling their discoveries to any of the affected companies. And it’s just another reputational hit for NSO Group, which has been remarkably resilient, considering it’s now fighting a PR battle on multiple fronts while being dragged down by its long, sordid past.

That hasn’t stopped it from complaining that this blacklisting is unfair. Here’s the statement it gave to The Record after the publication of the export regulation amendment.

NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.

We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based on the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products.

That is hilarious. It will be fun seeing how NSO proves it has the “world’s most rigorous compliance and human rights program” after it has been observed selling its products to countries with dismal human rights records. Combine that statement with its defense that it has no “visibility” into how its customers use its products and it’s pretty clear the “rigorous compliance program” NSO claims to have is about 50% delayed reaction and 50% bullshit.

Filed Under: commerce department, entity list, export regulations, malware, spyware
Companies: candiru, nso group

Oversight Report Says Commerce Dept. Investigative Unit Went Rogue, Engaged In Biased, Retaliatory Investigations

from the power-corrupts dept

Years after it was granted too much power, a federal internal investigations unit created during the presidency of George W. Bush is finally having its dirty laundry aired. The Senate Commerce Committee — years after the fact — is finally delivering some oversight of an entity created to root out internal threats.

The ITMS (Investigations and Threat Management Service) operated largely under the radar, thanks to its housing within the Commerce Department — an entity that very rarely raises too many eyebrows. But its reach extended far past the confines of this department. And it was given broad discretion to initiate investigations — something that led directly to the Justice Department crafting new rules for espionage investigations after a series of failed prosecutions indicated the intel coming from the ITMS was extremely questionable.

It was the ITMS that initiated the investigation of a US citizen of Chinese descent who did nothing more than share publicly-available information with a Chinese government official — an official who happened to be a friend of Department of Weather Services employee Sherry Chen. Chen’s prosecution was just a leading edge indicator of the ITMS’s lack of accountability and incredible amount of power.

The report [PDF] released by the Commerce Committee shows the ITMS wasn’t as much interested in rooting out internal threats as it was in rooting out government employees of certain nationalities.

Although many investigations targeted legitimate threats, the ITMS appears to have opened cases on a variety of employees for the purpose of exaggerating the unit’s ability to uncover security risks within the civil service. The unit targeted visible employees across the Department, including award-winning professionals whose background investigations had been successfully adjudicated by other agencies. These probes often resulted in suspended or revoked security clearances, although subsequent reviews largely determined that the unit’s allegations lacked merit. The ITMS also broadly targeted departmental divisions with comparably high proportions of Asian-American employees, ostensibly to counter attempts of espionage by individuals with Chinese ancestry. Former and current ITMS employees became subjects as well for challenging the lawfulness of the unit’s practices.

Saying the unit went rogue isn’t hyperbole. It’s a fact.

Poor management and weak oversight allowed the ITMS to operate outside the norms of the law enforcement community. Deficient policies and procedures outlining the unit’s investigative capabilities led to repeated instances of malfeasance, including the purposeful prolonging of investigations, unauthorized use of secured messaging systems, and overclassification of documents to protect the unit from external scrutiny.

The first bullet point of the report’s “Findings” spells it out explicitly.

Investigating threats against the Secretary of Commerce and the Department’s assets without a clearly defined mission ultimately led to the mutation of the ITMS into a rogue, unaccountable police force across multiple presidential administrations.

The ITMS originally had no power of its own. Its power was derived from the US Marshals Service, which provides protection to the Commerce Department and its “critical assets.” It’s the last term that caused trouble. Authority to protect “critical assets” allowed the ITMS to abuse the poorly-defined term to open investigations and engage in activities that went beyond its original purview, as well as the limits placed on the Marshals Service.

This lack of oversight, accountability, and respect for the Constitution led directly to the DOJ dismissing prosecutions originating from ITMS investigations. ITMS investigators engaged in highly-questionable activities, including concealing their identities, seizing government computers and devices to perform warrantless searches, and picking the locks of government offices and personal storage containers owned by government employees. Whenever these tactics were challenged by government employees, these employees soon found themselves subjected to additional ITMS scrutiny.

Tactics the general public never would have condoned were bought and paid for with tax dollars.

Because of inadequate oversight by the Inspector General’s office, the unit’s improper exercises of law enforcement powers likely resulted in preventable violations of civil liberties and other constitutional rights, as well as a gross abuse of taxpayer funds.

In 2005, the ITMS was limited to protecting tangible assets, like federal facilities. This began to morph as it was given discretion to look for threats to intangible “assets,” like “U.S. economic advancement” and “Departmental functions.” This then expanded to cover anything the ITMS felt was “inadequately protected.” As its purview expanded, the ITMS granted itself plenty of new law enforcement powers, despite receiving no permission or direction to do so from Congress, its apparently-absent oversight, or the US Marshals Service.

Once it had expanded its area of coverage to include whatever it wanted to throw resources and Constitutional violations at, the ITMS began doing things like this:

Without a defined meaning of what constituted a critical asset from the Marshals Service, the ITMS conducted investigations typically reserved for domestic law enforcement agencies. Many were conducted in an overzealous manner whereby agents abused steps in the investigative process. In one instance, the ITMS investigated Sherry Chen, an award-winning, Chinese-born hydrologist employed at the Department, on charges of espionage and providing false statements after she allegedly downloaded and distributed unclassified information to a foreign national. Agents reportedly interrogated her for seven hours and told her she could never discuss the interrogation with anyone, including her superiors. In a lawsuit filed against federal officials, Chen said that ITMS agents “ignored exculpatory evidence throughout the interview, reached false conclusions without even a cursory investigation of underlying facts, and reported false results reflecting their racial and ethnic bias.”

And even when the ITMS couldn’t find anything substantial to justify its investigations, it still found something to bring to federal prosecutors.

In one document, ITMS officials described to agents a broad range of offenses for which referrals to federal prosecutors could be made. Substantive offenses included racketeering, money laundering, and theft of government property, espionage, economic espionage, and computer fraud. More commonly, however, ITMS agents sought to charge targets of its criminal investigations with offenses such as obstruction, conspiracy, making false statements to federal agents, and resistance to search.

The ITMS went past believing it was a law enforcement agency with zero accountability to believing it was an intelligence agency with a similar lack of accountability. And, like other law enforcement agencies who believe themselves to be intelligence agencies, the ITMS engaged in “investigations” predicated on little more than last names or native language.

Whistleblowers claim, for example, that agents were directed to run ethnic surnames through secure databases even in the absence of evidence suggesting potential risk to national security, indicating that immutable characteristics served as a pre-text for initiating investigations. Documents show that the ITMS also ran broad keyword searches of email accounts using a broad variety of terms and phrases in Mandarin Chinese, such as “state key laboratory,” “overseas expert consultant,” “Ministry of Science and Technology,” “funding support,” “government support,” and “highly secret.” Multiple whistleblowers claimed that the unit worked with officials at the CIA and FBI to devise the list of search terms and review the results.

[…]

One former senior Commerce Department official described the indiscriminate targeting of Chinese-Americans as a “fine line between extra scrutiny and xenophobia, and one that ITMS regularly crossed.” This official also discovered a case into a Chinese-American employee at the Department left open for four years without any indication of investigative diligence to close the matter, claiming that the ITMS “targeted her purely because of her ethnic Chinese origin.” The official also believes that ITMS leaders directed agents to “launch the investigation for the purpose of raising the heat so high that she became radioactive and would have to leave the Department,” despite no indication that she presented a national security threat after her emails had been pulled and agents surveilled her on Department premises and at her home.

The ITMS also surveilled US citizens who weren’t government employees, opening investigations into people associated with foreign visitors to Commerce Department buildings. And it monitored social media accounts that raised questions about the 2020 Census’ accuracy, forwarding all flagged posts to the FBI’s Foreign Influence Task Force. Most of the accounts flagged had fewer than 100 followers. No threats were determined to be credible, and yet the investigations into these accountholders remained open all the way through the end of 2020.

Abuse of power, retaliation, unjustified investigations, violated rights, racial profiling… all of this overseen by no one and tracked solely by an Excel spreadsheet that provided no way for investigators to attach documentation or submit findings. With no internal tracking or external oversight, millions of tax dollars were misspent and resources utilized to engage in fruitless, pointless, or retaliatory investigations. In the end, the ITMS was mainly concerned about sustaining its own existence.

One former senior official even described the network as a “vanity project” designed to showcase an unusual volume of open cases rather than facilitate a user-friendly system for agents to use in processing them. The official said leadership of the ITMS is more interested in appearing productive to retain the ability to investigate a wide variety of purported threats with broad discretion––and continue receiving funding from Congress––than processing cases within an acceptable period of time.

The entire report is harrowing, showing how much damage a government entity can do when its purview is nearly unlimited and its oversight nearly nonexistent. This report will hopefully result in the ITMS being brought into check, but Commerce oversight still needs to explain why it allowed the ITMS to run rogue for more than a decade before it finally decided to step in and do something about it.

Filed Under: china, commerce department, investigations, itms, senate commerce committee

Americans For Prosperity Sue Commerce Department To Find Out Who Was Influencing NTIA's Attack On Section 230

from the interesting-list dept

This is kind of fascinating. The group Americans for Prosperity have announced they’ve filed FOIA litigation against the Commerce Department after it has refused to respond to a FOIA request seeking communications between two former top NTIA officials that we’ve discussed here recently, regarding Section 230.

As background, you’ll recall that after Twitter added two fact checks on Donald Trump’s misleading tweets about mail-in ballots, Trump issued a bizarre executive order, demanding that (among other things) NTIA ask the FCC to reinterpret Section 230. Trump needed to order NTIA to do this because the FCC is supposed to be an independent agency and the President isn’t supposed to order it to do anything. Indeed, as you’ll recall, when Barack Obama merely made a public statement about net neutrality, without directing the FCC to do anything, basically every Republican, including Donald Trump, whined that he was illegally trying to “bully” the FCC to do his bidding.

It quickly came out that two NTIA staffers were responsible for crafting the Executive Order: Adam Candeub, a long-term critic of Section 230 who had just been hired to NTIA, and Nathan Simington. Candeub was later promoted to run NTIA and just this week was given a top job in the Justice Department. Simington, despite little qualifying experience, has been made an FCC Commissioner.

This was despite a separate FOIA request that revealed that Candeub and Simington, together, had emailed with a Fox News producer, asking to get Fox News host Laura Ingraham to attack Section 230 to help move the NTIA petition forward, and noting that it was important to do so to help re-elect Trump and help with down-ballot Republicans. This, of course, should be disqualifying for either of them to hold government jobs. When you get a job in the government you represent everyone and not just your own political party. You are not supposed to be using your government job to bully the media to do things for purely political reasons.

Given that, there should be tremendous interest in just who Candeub and Simington were talking to about Section 230. And Americans for Prosperity sent a FOIA request seeking exactly that information, asking for any emails between the two of them about Section 230 with a short list of known anti-Section 230 folks, including former Fox lobbyist (and the person responsible for getting FOSTA passed), Rick Lane, anti-230 FCC Commissioner Brendan Carr, AT&T (a company protected by 230, but which has decided to attack the law because it hates Google), DCI Group (a famously sketchy lobbying organization) and a bunch of others.

The full complaint details what happened:

On October 26, 2020, NTIA transmitted its first interim production, which contained 128 records in 35 electronic files. Ex. 5. Thirty-five records were withheld “in part or in their entirety,” under Exemption 5, but without identifying any relevant privilege. Id. An additional eight records were “withheld in part under Exemption 6.”

In this production, one record revealed that Mr. Candeub sent an email from a government email address to his private, gmail.com email address.

On November 10, 2020, AFPF asked NTIA whether it could email the next production and when another interim or final production could be expected.

On November 11, 2020, AFPF raised concerns that the first interim production did not include any text messages or instant messages. Id. (“These should be included in ‘all communications’ as well as e-mail, hand-written notes, etc.”).

On November 16, 2020, NTIA responded that the second interim response was prepared, but the agency required an address clarification. Ex. 8. NTIA also claimed that AFPF’s “request only specified email, it did not specify text and IM. If [AFPF] would like to request text messages and IM, [it] will need to file another FOIA request for those records.”

AFPF immediately confirmed its mailing address and noted that its initial FOIA request contained “no reference to seeking only e-mail records,” as it instead mentioned “all communications.” Id. AFPF further noted that this “matches the same language in [NTIA’s] . . . clarification confirmation e-mail from September 18 . . . . Therefore, the request covers text messages and IMs.” Id. AFPF also asked how many records were left after the second batch and when AFPF could expect to receive them.

NTIA responded that it does “not have a final count or an estimate of how many records will be responsive to [AFPF’s] request. Nor d[id it] have an estimate of when this will be completed.” Id. Additionally, NTIA attempted to justify its refusal to include records beyond e-mails in a search for “all communications” by pointing to a footnote in AFPF’s request that defines the term “record.”

On November 18, 2020, NTIA transmitted its second interim production, which contained 153 records in 39 electronic files. Ex. 9. Fifty-nine records were withheld “in part or in their entirety,” under Exemption 5, but without identifying any relevant privilege. Id. An additional twenty-five records were “withheld in part under Exemption 6.” Id. Additionally, fourteen records were referred to the Department of Justice and three to the Department of Commerce “for a direct response[.]”

On December 14, 2020, AFPF emailed NTIA noting that both Mr. Candeub and Mr. Simington will reportedly be leaving the agency. Ex. 10. Given these reports, AFPF requested “that NTIA take affirmative steps to preserve all potentially responsive records, including text message records and any private email account that may contain government records.”

To date, NTIA has not provided a final determination on AFPF’s request, nor has it released another interim or final production of responsive records.

And thus, the lawsuit for failing to comply with FOIA’s requirements. As with most FOIA lawsuits, the main remedy sought is having NTIA actually cough up the records requested, as required by the law. It sure would be interesting to see what’s there, and why NTIA seems unwilling to obey the law and hand over those records.

Filed Under: adam candeub, brendan carr, commerce department, donald trump, executive order, fcc, foia, nathan simington, ntia, rick lane, section 230, transparency
Companies: afp, at&t, dci

Trump Appoints Unqualified Guy Who Hates Section 230 To Top Justice Department Role

from the why-is-he-in-government-at-all? dept

In 2018, we wrote about a law professor named Adam Candeub, who was one of the lawyers for white supremacist Jared Taylor, suing Twitter in a doomed lawsuit for kicking him off its platform. I had a confusing email exchange with Candeub which I wrote about in that piece, which suggested that he was either unaware of Section 230 at the time he filed the lawsuit, or simply confused about the long list of decisions around 230 that made the lawsuit an obvious loser (which is what happened). Candeub and his co-counsel were very angry about my article, and insisted that their alternative interpretation of Section 230 would win the day.

Since being proven wrong, Candeub has spent a tremendous amount of energy trying to twist and torture Section 230 interpretations into his own belief of what they should be. Back in May, Candeub was hired by the Trump administration to be deputy assistant secretary, where he helped guide Trump’s ridiculous executive order on 230 a few weeks later. It recently came out that he, and new FCC commissioner Nathan Simington, abused their government jobs to try to get Fox News to attack Section 230, telling a producer of Fox News host Laura Ingraham’s show that doing so may help get Trump and down-ballot Republicans elected in the fall.

In normal times, federal government officials are supposed to represent everyone, and not just their own political party. They are not supposed to engage in campaigning or electioneering on the public’s dime, and they certainly aren’t supposed to be working with the press to help elect their own party. Yet, that’s exactly what Candeub and Simington did. In response, Simington got his FCC commissionership (despite basically no relevant telecom law experience) and Candeub… has now been promoted to a senior level Justice Department job:

Adam Candeub, the acting head of Commerce’s National Telecommunications and Information Administration, has been named deputy associate attorney general starting Monday, according to two officials and a third person familiar with the matter, who requested anonymity to discuss the plans. The political appointment does not require congressional confirmation.

The concern, as noted in Politico, is that he’s going to use the remaining month in office to cause problems for the internet:

Candeub has played a central role in carrying out Trump’s executive order targeting social media companies like Twitter and Facebook over allegations they censor conservative viewpoints. The executive order asked federal agencies, including the Federal Communications Commission, to narrow the scope of a crucial set of liability protections that shield online companies from lawsuits over the user content they host. One of Candeub’s advisers at the NTIA, Nathan Simington, was confirmed last week to a five-year term as an FCC commissioner.

Trump has taken increasing aim at the legal shield, a 1996 law known as Section 230, in the twilight of presidency, including vowing to veto a must-pass defense spending bill that overwhelmingly sailed through both the House and Senate because it does not repeal the protections. And he’s rallied his allies across federal agencies and in Congress against the law, which has been widely credited with enabling the creation of today’s thriving online industry.

Candeub, who first joined NTIA earlier this year, has a long history of bashing the social media giants over allegations of an anti-conservative bias. In 2018, Candeub represented a white nationalist in a lawsuit against Twitter alleging the social network censored him.

The article further notes that in writing the NTIA’s petition to the FCC (in response to the executive order that he helped craft), Candeub worked closely with the DOJ, which has itself continued to attack Section 230 (despite the fact that Section 230 has an exemption for any federal criminal laws, and thus does not impact the DOJ at all):

Candeub actively consulted with the Justice Department during this summer’s efforts to draft the administration’s social media petition to the FCC. He also ran draft copy by White House adviser James Sherk, according to emails obtained by POLITICO through a Freedom of Information Act request.

“I’m feeling heavy breathing,” Candeub wrote in one July 13 email pressing DOJ counsel Lauren Willard and DOJ’s Chris Grieco for feedback on the petition, citing pressure from Sherk.

It’s not clear what Candeub can do in the month he has left, but it certainly is alarming that he’s been put in this position. He has shown over his few months in office that he has no interest in representing the American people as a public servant, but rather in trying to twist a law that stymied a high profile lawsuit he was involved in, and he’s implicated in an email to try to do that twisting to help his political allies. There is no way he should be in any government role, let alone a powerful one at the Justice Department.

Filed Under: adam candeub, commerce department, doj, ntia, section 230

DHS Cyber Warriors Issue Warning About Massive Hacking Campaign, Disclose They've Been Hacked A Day Later

from the holy-shit-this-is-bad dept

Welp. Everything is compromised. Again.

Reuters was the first to report suspected Russian hackers had gained access to hundreds of SolarWinds customers, including US government agencies.

Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments, according to people familiar with the matter, adding they feared the hacks uncovered so far may be the tip of the iceberg.

[…]

The cyber spies are believed to have gotten in by surreptitiously tampering with updates released by IT company SolarWinds, which serves government customers across the executive branch, the military, and the intelligence services, according to two people familiar with the matter. The trick – often referred to as a “supply chain attack” – works by hiding malicious code in the body of legitimate software updates provided to targets by third parties.

A full report by FireEye (which was also a victim of this hacking) details the process used to gain illicit access, which involved leveraging bogus signed components crafted by the hackers and distributed by an unaware SolarWinds. The widespread hacking campaign may have begun as early as March of this year. That it was only discovered now means the fallout from this will continue for months to come.

Here’s how the backdoor works, according to FireEye:

SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.

After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.

SolarWinds boasts over 300,000 customers, including 425 Fortune 500 companies, all ten of the top ten telcos, the Pentagon, State Department, NSA, DOJ, and the White House. Its long list of customers (which now returns a 404 error) all but ensures every passing hour will add another victim to the list.

According to SolarWinds’ post-attack-discovery SEC filing, it believes only a small percentage of its customers are affected. But even a fraction of its users is still a gobsmacking number of potential victims.

On December 13, 2020, SolarWinds delivered a communication to approximately 33,000 Orion product customers that were active maintenance customers during and after the Relevant Period. SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.

The attack is serious and widespread enough that the DHS’s cybersecurity arm has issued a warning — one that says the only proven way to mitigate damage at this point is to disconnect affected hardware from the internet and pull the plug on Orion software. The CISA (Cybersecurity and Infrastructure Security Agency) Emergency Directive says this is a persistent threat — one not easily patched away.

CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on:

CISA understands that the vendor is working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise.

The directive goes on to mandate reporting on infected systems and for affected agencies to assume the system remains compromised until CISA gives the all-clear. Unfortunately, this grave warning comes from an agency that is also compromised. CISA issued the directive on December 13. Here’s what was reported in the early hours of December 14:

US officials suspect that Russian-linked hackers were behind the recent data breach of multiple federal agencies, including the Departments of Homeland Security, Agriculture and Commerce, but are continuing to investigate the incident, multiple sources told CNN Monday.

CNN learned Monday that DHS’ cyber arm, which is tasked with helping safeguard the nation from attacks by malicious foreign actors, is among at least three US government agencies compromised in the hack.

In addition to CISA, government officials also suspect breaches at the US Postal Service and the Department of Agriculture. And the Defense Department is in the process of assessing its own exposure, if any. If any of its components have been breached, it has yet to be publicly reported.

The Russian government is denying involvement, but the evidence seems to point to “Cozy Bear,” the offensive hacking wing of Russia’s intelligence services. Unfortunately, SolarWinds’ dominance in the network management field made it that much easier for the attack to scale. And with CISA compromised, the government’s attempts to mitigate damage will be slowed as its own cybersecurity wing attempts to rid itself of a persistent threat.

Filed Under: cisa, commerce department, hacking, russia, treasury, vulnerability
Companies: fireeye, solarwinds

Commerce Department Remembers It Was Supposed To Ban TikTok; Says It Won't Enforce For Now

from the oh,-right,-that dept

Yesterday we noted that TikTok had made a filing with the government asking what the fuck was going on with the supposed ban on their application that was supposed to go into effect this week. While a court had issued an injunction saying the Commerce Department couldn’t put the ban into effect, the Trump administration basically hadn’t said anything since then, and the ban was set to go into effect yesterday.

Late yesterday, the Commerce Department put out a notice basically saying that it’s complying with the injunction issued by the court, and therefore not implementing the executive order and the ban:

However, on October 30, 2020, the District Court issued an Order granting the Plaintiffs’ renewed motion for a preliminary injunction. This Order enjoined the Department from enforcing the Identification and the prohibition on transactions identified in Paragraphs 1-6 above.

The Department is complying with the terms of this Order. Accordingly, this serves as NOTICE that the Secretary’s prohibition of identified transactions pursuant to Executive Order 13942, related to TikTok, HAS BEEN ENJOINED, and WILL NOT GO INTO EFFECT, pending further legal developments

Of course, the Commerce Department saying it won’t enforce the order doesn’t answer the larger question of whether or not the US government is still demanding that it sell off all of its US assets — or even whether or not the grifty non-sale to Oracle will suffice.

Basically, highlighting how much of a joke this whole thing was, it seems that the supposed “national security” rationale behind all of this was complete garbage, and since Trump has his hands full trying to pretend he won the election he very clearly lost, everyone’s just going to let this slide until the Biden administration comes in and likely drops the executive order altogether. But kudos to Larry Ellison for getting a lucrative hosting deal.

Filed Under: ban, china, commerce department, donald trump, executive order, injunction, wilbur ross
Companies: bytedance, oracle, tiktok

Three TikTok Influencers Influenced A Judge To Block Trump's TikTok Ban

from the now-that's-influence dept

Remember Trump’s ridiculous executive order to ban TikTok if it wasn’t sold to an American company? Then there was a grifty non-deal in which Oracle agreed to host TikTok’s new American subsidiary, though nothing about that deal appears to have been finalized, and the executive order was still somewhat in place. The first stage of the ban on the app was blocked by a judge in a lawsuit from TikTok itself. But that ruling did not (yet) block the second stage of the executive order which was set to go into effect this month.

So some good news: that too has been blocked thanks to a lawsuit from three TikTok influencers: Douglas Marland, Cosette Rinab, and Alec Chambers. The three of them filed their lawsuit in September, right after the details of the executive order came out. I don’t know much about these influencers, but I will note they had some high-powered, big time lawyers working the case for them (including the firm the judge in this very case worked at prior to being put on the bench…).

The lawsuit noted that the three influencers were a comedian, a fashion creator and a musician “each of whom has developed a significant following by creating and posting content on TikTok.” They argued that the executive order violated their 1st Amendment rights, creating prior restraint of their speech. As they correctly note, even on the flimsy “national security” basis that Trump, Wilbur Ross, and Mike Pompeo made in pushing through this executive order, you can’t just ban speech broadly like that.

The Executive Order and implementing regulations violate the First Amendment because they are unconstitutionally overbroad and an impermissible prior restraint of speech. Purportedly issued to address national security concerns, the Executive Order approaches this alleged problem with a sledgehammer, not a scalpel, as the First Amendment requires. If in fact TikTok poses national security risks, the government must identify those risks and tailor the solution narrowly to address the risks, without unnecessarily trampling on Plaintiffs’ constitutional rights. The Executive Order and regulations fail to do so.

The DOJ insisted that this was all normal national security stuff (it’s not) and that the 1st Amendment claims were “meritless.” Honestly, I hope the DOJ lawyers who had to write this feel bad. It’s such a weak argument that they have to know is utter bullshit. They claim that because they’re only banning business transactions (that will make it impossible to use TikTok) that’s not the same as actually banning TikTok. They also claim — again, laughably — that the ban is narrowly tailored to the national security interests of the government. They must have been laughing (or drinking heavily) when they wrote that.

Here, the Executive Order and Commerce Identification prohibit business-to-business economic transactions with a foreign entity and its subsidiaries based on the President’s national security determinations. The fact that those prohibitions may have adverse, downstream effects on a purported forum for Plaintiffs’ speech is legally irrelevant:

Let’s just say the judge was not impressed. The opinion cuts through the DOJ’s argument pretty thoroughly. Though Judge Wendy Beetlestone doesn’t issue a full ruling on all of the arguments brought by the influencers, she notes that they have established a likelihood of success that the Commerce Department’s planned implementation of the executive orders is beyond its legal authority (in legal talk: “ultra vires”).

The judge essentially laughs at the DOJ for arguing that courts are not allowed to review decisions made by the Executive Branch under the IEEPA (the national security law that Trump tried to stretch to justify this executive order). The court points out that, contrary to the DOJ’s beliefs, there are plenty of aspects of the IEEPA that courts absolutely can review — including in this case. And, in reviewing it, it seems that the one who has exceeded their authority here is not the court, but the Commerce Department. Specifically, as was noted in the case brought by TikTok that barred the first part of the Commerce Department plan, the IEEPA has a very clear exemption: it can’t be used to block “information or informational materials.” And thus, the implementation here would do that, which is not allowed under the IEEPA.

The next question, then, is whether or not these influencers have shown that they will face irreparable harm if the block goes into effect. And the judge decides that the answer is yes:

Plaintiffs have established themselves as significant influencers based on their ability to engage large audiences on the TikTok platform. If the Commerce Identification goes into effect, Plaintiffs will lose the ability to engage with their millions of followers on TikTok, and the related brand sponsorships. According to Plaintiffs, each has tried and failed to establish a following and work as an influencer on competitive platforms. Shuttering TikTok would in fact shut down Plaintiffs’ influencing activities. This harm is not merely possible, but certain to occur after November 12.

Finally, the court notes that an injunction makes sense from a public interest standpoint:

The Government contends that the national security interests identified in the TikTok Executive Order and the Commerce Identification outweigh the harm Plaintiffs will suffer absent injunctive relief. But Congress has already performed a balancing act, and has determined that the President’s ability to exercise his IEEPA authority to respond to a national emergency does not extend to actions that directly or indirectly regulate the importation or exportation of informational materials…. Granting an injunction to prevent a violation of IEEPA’s informational materials exception would be consistent with this congressional determination.

Moreover, the Government’s own descriptions of the national security threat posed by the TikTok app are phrased in the hypothetical. The Government notes that TikTok’s parent company “ByteDance has significant and close ties to the CCP which could potentially be leveraged to further [the CCP’s] agenda.” It states that one of the risks posed by TikTok “is the possibility that the PRC government could . . . compel TikTok to provide systemic access to U.S. user’s sensitive personal information.” The Court cannot say the risk presented by the Government outweighs the public interest in enjoining the Commerce Identification, when Plaintiffs have established a clear likelihood that the Identification’s prohibitions contravene IEEPA.

And thus, the Commerce Department is blocked from implementing its planned rules to block TikTok.

There had been some chatter a few weeks back that since Trump got all the headlines he wanted out of his TikTok ban and the Oracle deal, he no longer much cares about it. The assumption was that the administration would likely just let the issue fade away, and now the court is helping that process move along. Of course, this also demonstrates what a preposterous, vindictive, unconstitutional, garbage move this whole thing was in the first place.

Filed Under: alec chambers, authority, commerce department, cosette rinab, donald trump, douglas marland, executive order, ieepa, influencers, information service, tiktok ban
Companies: tiktok