communications – Techdirt

The Communication Vacuum Is Causing More Chaos As GameStop Tweets And Deletes Promo

from the literally-just-say-something! dept

The chaos for Xbox keeps on rolling, it seems. We were just talking about how years of muddled communication coming from Microsoft’s Xbox team over exclusives and game ports to other consoles is resulting in a ton of confusion and speculation among the gaming public. The responsibility for all of this lies squarely at the feet of Xbox chief Phil Spencer and his team, which have oscillated between talking out of both sides of their mouths on these exclusives, and just sitting back and not saying a single thing when the confusion shows its head. And what that also allows for is speculation and conspiracy theories when, seemingly, a 3rd party vendor simply makes an oopsie.

GameStop tweeted out a promotion the other day for an in-store demo day where the public could walk into a store and try out some games using “Game Pass,” Xbox’s game-streaming and subscription service. It’s currently called “Xbox Game Pass,” but GameStop’s tweet referred to it as “Microsoft Game Pass.” The result was immediate.

On February 7, the official GameStop Twitter/X/whatever account posted a promo image for an Xbox demo day. Seems fine enough. But when referring to Game Pass, the company used the term “Microsoft Game Pass.” This is odd. Normally, I don’t think anyone would really care. However, we ain’t in normal times right now.

A retweet from Wario64 pointing out the phrase “Microsoft Game Pass” went viral online and theories were quickly spun up, with many pointing to this as more evidence that Microsoft was planning to kill the Xbox brand or use it for hardware only. Others suggested that it was Microsoft rebranding the subscription service— which grants you access to hundreds of games for a monthly fee—so it could be used on Switch or PlayStation.

This was almost certainly a simple mistake. Microsoft has told reporters writing stories about this whole thing that it had nothing to do with the verbiage GameStop tweeted out. But this wild speculation is again the result of one thing: the vacuum the Xbox team has left in place to be filled by conspiracy theories and rumor.

And it only got worse when GameStop subsequently deleted the tweet entirely.

This, as you might expect, convinced some that it was a mistake. It also convinced some “passionate” gamers that it was actually evidence that GameStop let the cat out of the bag too early and the death of Xbox as a brand really is coming soon. The end is nigh and all that.

Anyway, the reality is that GameStop likely made a mistake. Or, someone realized that using the term “Microsoft Game Pass” right now would set off a firestorm of speculation that would lead to more coverage and online discussion of an event that, let’s be real here, would never have been covered by most places or talked about online by gamers if this whole thing hadn’t spiraled out of control.

Correct. The point isn’t that GameStop’s mistake is in and of itself a big deal. It isn’t. The point instead is that the Xbox team has completely failed to get out in front of all of this speculation, allowing everyone’s pet theories to take the place of what should have been clear and proactive communication coming out from Microsoft as to just what in the hell it has planned for the Xbox brand.

Seriously, Spencer and team: just freaking say something, for the love of god.

Filed Under: communications, game pass, phil spencer, video games, xbox
Companies: gamestop, microsoft

Phil Spencer Internal Comms Leak, In Which He Only Addresses The Most Fringey Conspiracy Theory

from the facepalm dept

And here we go again. I have spent some time pointing out that the Xbox team has demonstrated an unfortunate inability to properly communicate both internally and externally about its various plans. Whether it comes to how it’s going to handle exclusives, game ports, or just the overall direction of the division’s plans, what comes out of the team at Microsoft is often a confusing, vague, jumbled mess that serves only to free everyone to speculate away as to what is actually going to happen. This came to a head recently, with rampant speculation primarily that Microsoft was going to port a number of high profile first-party games to other consoles, and a secondary and more fringe theory that Microsoft was going to get out of the console making business entirely.

Well, Xbox chief Phil Spencer has apparently held an internal open meeting with his team to answer, well, I guess only the fringiest of the speculation. We’ll start with what was actually addressed.

A recent story from reporter Shannon Liao alleges Spencer held an internal town hall meeting with Xbox employees on February 6, following the weekend reports of Xbox porting games to PS5. In that meeting, he reportedly said the company has no plans to stop making consoles and that Xboxes would continue to be a part of the company’s strategy alongside other devices.

This part is easy. I can’t believe any serious person actually ever thought that Microsoft was going to pivot away from its console business entirely. It is true that Sony is kicking Microsoft’s butt overall in the console market. Reports have Sony moving roughly three times the units compared with the Xbox. But selling 7.6 million Xbox units is nothing to sneeze at and it would be baffling to see the company simply walk out of the market entirely.

Which is what makes it so frustrating that Spencer only addressed that rumor and completely ignored the question about game ports.

Interestingly, Liao also reported on X/Twitter that Spencer did not confirm nor deny rumors that Starfield would go to other consoles, even though this meeting took place after those reports cropped up.

Later this week, we will likely find out if any of these rumors and reports of Xbox exclusives coming to other platforms are true. On February 5, the day before the reported town hall meeting, Spencer announced that a “business update event” about the future of Xbox was coming soon and that he would be sharing more details then. Until that time, the Xbox faithful will just have to hold on a little bit longer.

They’re not going to “hold on” at all, as we’ve already seen. They’re going to speculate, theorize, and otherwise fill the information void that Xbox has left in its wake. Sure, we may have answers this week, still. Maybe. Hell, with the Xbox team, you never know.

But leaving the public to generate its own theories will also virtually guarantee that whatever the news Spencer will finally release in his event will piss off or disappoint some percentage of the public that had settled on some theory that won’t come to be.

In other words, this is just not how you handle communicating to either your internal team or your customers.

Filed Under: communications, phil spencer, rumors, starfield, xbox
Companies: microsoft

California Court: Passwords Are Communications, Protected By The Stored Communications Act

from the only-so-far-you-can-take-a-subpoena dept

The Stored Communications Act — enacted in 1986 — is not only outdated, it’s also pretty weird. An amendment to the ECPA (Electronic Communications Privacy Act), the SCA added and subtracted privacy from communications.

It’s the subtractions that are bothersome. Law enforcement wasn’t too happy a lot of electronic communications were now subject to warrant requirements. They much preferred the abundant use/misuse of subpoenas to force third-parties into handing over stuff they didn’t have the probable cause to demand directly from criminal suspects.

Private parties — especially those engaged in civil litigation — also preferred to see fewer communications protected by the ECPA. So, this law — which declared every unopened email more than 180 days old free game — was welcomed by plenty of people who didn’t have the general public’s best interests in mind.

The government tends to make the most use of the ECPA and SCA’s privacy protection limitations, using the law and legal interpretations to access communications most people logically assumed the government would need warrants to obtain.

But the SCA also factors into civil litigation. In some cases, the arguments revolve around who exactly is protected by the law when it comes to unexpected intrusion by private parties. In this case — one highlighted by FourthAmendment.com (even as the site owner notes it’s not really a Fourth Amendment case) — it involves international litigation involving US service providers. The case directly deals with the Stored Communications Act and what it does or does not protect.

This lawsuit was brought by Path, an Arizona corporation, and its subsidiary, Tempest. Central to the litigation is Canadian citizen Curtis Gervais, who apparently was hired as an independent contractor by Tempest, which promoted him to the position of CEO in February 2022. A few months later, Gervais allegedly hacked into a competitor’s (Game Server Kings [“GSK”]) computers, leading to Tempest demoting (lol) Gervais to COO (Chief Operating Officer).

This demotion apparently didn’t sit well with Gervais, who allegedly began sharing confidential Tempest information with GSK, utilizing communications platform Discord to hand over this information to GSK employees.

So, it’s three American companies and one Canadian individual wrapped up in a dispute over ex parte demands to disclose information to the plaintiffs (Path/Tempest). Discord challenged the subpoenas, which asked for — among other things — any passwords used by Gervais to log into its services.

That’s where it gets interesting. Very few courts have considered what’s explicitly covered by the SCA and/or what can be obtained with subpoenas issued under this authority.

As is implied by both laws in play here (Electronic Communications Privacy Act, Stored Communications Act), the protections (or lack thereof) apply to communications. Path argued that its subpoenas did not exceed the grasp of these laws, despite demanding Discord hand over Gervais’ passwords. According to the plaintiffs, passwords aren’t communications.

But that’s a very reductive view of passwords, something Discord pointed out in its challenge of the subpoenas:

Applicants argue passwords are not afforded protection under the SCA because passwords should not be considered “content.” Discord argues passwords are implicitly included within the SCA’s prohibitions because passwords implicate communications. In other words, Discord argues that passwords are “content” under the SCA because they are “information concerning the substance, purport, or meaning” of a communication.

The court [PDF] says Discord is correct. But only after a lot of discussion because, as the court notes, this is an issue of “first impression.” It has never been asked to make this determination prior to this unique set of circumstances. But, despite the lack of precedent, the court still delivers a ruling that sets a baseline for future cases involving SCA subpoenas.

It begins by saying that even if the language of the SCA doesn’t specifically include passwords in its definition of “content,” it’s clear Congress meant to add protections to electronic communications with this amendment, rather than lower barriers for access.

The legislative history agrees with a broad interpretation of “content.” Congress explained that the purpose of enacting the SCA was to protect individuals on the shortcomings of the Fourth Amendment. Specifically, Congress enacted the SCA due to the “tremendous advances in telecommunications and computer technologies” with the “comparable technological advances in surveillance devices and techniques.” The SCA was further meant to help “Americans [who] have lost the ability to lock away a great deal of personal and business information.”

With this analysis of the scope of the term “content” under the SCA in mind, the Court now turns to determine if passwords are afforded protection under the SCA under that understanding of the definition of the term “content.” Passwords are undoubtedly a form of “information.” And passwords broadly “relate to” (or are “concerning”) the “substance, purport, or meaning of [a] communication” even if passwords are not themselves the content of a communication. Passwords further relate to a person’s intended message to another; while a password is not the content of the intended message, a password controls a user’s access to the content or services that require the user to prove their identity. As a matter of technological access to an electronic message, a password thus “relates to” the intended message because without a password, the author cannot access their account to draft and send the message (and the user cannot access their account to receive and read the message).

When a person uses a password to access their account to draft and send a message, that author inherently communicates to the recipient at least one piece of information that is essential to complete the communication process: namely, that the author has completed the process of authentication. The password is information or knowledge which is intended to convey a person’s claim of identity not just to the messaging system but also implicitly to the recipient. As such, within the context of electronic communication systems, passwords are a critical element because they convey an “essential part” of the communication with respect to access and security protocols.

The dispute at issue here demonstrates the inherency of communicating about passwords when using a messaging platform such as Discord: when the user of the “Archetype” sent messages demanding ransom for the stolen source code, those messages conveyed to the recipients that the author is or was an authentic or authorized user of the “Archetype” account who used and had access to the password for that account. That password for that account thus is information concerning that communication, even if the password is not itself written out in the content directly.

In addition to all of that, there’s the undeniable fact that if you’re able to obtain login info (including passwords) with a subpoena, it doesn’t matter if courts limit the reach of demands for communications. If you have the keys to the accounts, you have full access to any stored communications, whether or not this access has been explicitly approved by a court.

With this password in hand, a litigant (or their ediscovery consultants) would have unfettered access to all communications within the account holder’s electronic storage, without regard to relevance, privilege, or other appropriate bounds of permissible discovery. In other words, litigants could circumvent the very purpose of the SCA by simply requesting that a service provider disclose the password for a user account, ultimately vitiating the protections of the SCA.

No court would allow the government to claim this is acceptable under the SCA and/or the Constitution. And no court should allow it just because it’s litigation involving only private parties. This particular demand cannot be honored without violating the law. And the companies behind the subpoenas know this because they obviously have zero interest in obtaining nothing more than Gervais’ login info.

The only conceivable use for the passwords here is for Applicants to access the requested accounts (such as “Archetype”) and view the contents of all electronically stored communications in those requested accounts.

That’s clearly the litigants’ intent. And it doesn’t mesh with the legislative intent, which was to create a few new protections for then-newfangled electronic communications. This particular demand is rejected. The subpoenas are still alive, but they’re no longer intact. If the suing entities want access to the defendant’s communications, they’ll have to do it the old-fashioned way: by making discovery requests that remain on the right side of the law.

Filed Under: california, communications, curtis gervais, ecpa, passwords, sca, stored communications act
Companies: discord, path, tempest

Of Course Bank Execs Communicated Via Encrypted Messaging, But That’s Not The Fault Of Encryption

from the this-is-always-going-to-happen dept

I don’t think this is a surprise to anyone, but the SEC and the CFTC combined to issue fines on a bunch of Wall Street firms for execs communicating across encrypted messaging in a manner that wasn’t recorded and preserved as required. Being in a regulated industry means having to deal with all sorts of compliance requirements, including preservation of communications. But, of course, that freaks people out, so… they do what everyone does, and figure out ways to communicate outside of “official” channels such that it’s not recorded.

This could come in the form of… talking in person. Or over the phone. Or… by using third party messaging services that are widely available. And, if you’re going to do that, it’s no surprise that you’d use end-to-end encrypted services like Signal or WhatsApp.

The Securities and Exchange Commission today announced charges against 10 firms in their capacity as broker-dealers and one dually registered broker-dealer and investment adviser for widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications. The firms admitted the facts set forth in their respective SEC orders. They acknowledged that their conduct violated recordkeeping provisions of the federal securities laws, agreed to pay combined penalties of $289 million as outlined below, and have begun implementing improvements to their compliance policies and procedures to address these violations.

That’s from the SEC side. From the CFTC we get:

The Commodity Futures Trading Commission today issued orders simultaneously filing and settling charges against swap dealer and futures commission merchant (FCM) affiliates of four financial institutions for failing to maintain, preserve, or produce records that were required to be kept under CFTC recordkeeping requirements, and failing to diligently supervise matters related to their businesses as CFTC registrants.

The settling registrants admit the facts detailed in the orders, are ordered to cease and desist from further violations of recordkeeping and supervision requirements, and are ordered to engage in specified remedial undertakings.

There’s some overlap. Wells Fargo, BNP Paribas, and SG Americas/Société Générale get hit by both agencies.

The details are pretty much exactly what you’d expect:

The SEC’s investigation uncovered pervasive and longstanding “off-channel” communications at all 11 firms. As described in the SEC’s orders, the firms admitted that from at least 2019, their employees often communicated through various messaging platforms on their personal devices, including iMessage, WhatsApp, and Signal, about the business of their employers. The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of the federal securities laws. By failing to maintain and preserve required records, certain of the firms likely deprived the Commission of these off-channel communications in various SEC investigations. The failures involved employees at multiple levels of authority, including supervisors and senior executives.

I’ve seen some people using this as yet another opening to bash encryption, but encryption is not the problem here at all. First of all, encryption did not stop these banks from getting caught and fined. Second, as noted up top, people are always going to try to figure out ways to communicate that aren’t recorded. These messaging apps were convenient.

Indeed, if anything, these fines should (hopefully?) serve to get employees at these banks to be much more careful about how they communicate to avoid future fines. I still expect there to be plenty of attempts to get around the regulatory requirements to preserve communications, and it seems likely that bankers are going to get used to making phone calls or talking in person since that can’t be preserved in the same manner.

But, really, any time you have regulations requiring such archiving of so many communications, you just know that this kind of thing is likely to happen. There’s a reason why these industries are so heavily regulated… but there’s also a reason why the people in those industries really don’t want their communications preserved for future legal enquiries. There’s no perfect answer here, but these kinds of fines (which, in total, added up to over half a billion dollars) at least suggest that there are financial penalties available for the banks that basically go “off-channel” as a standard way of communicating.

Filed Under: banks, cftc, communications, encryption, preservation, sec
Companies: bnp paribas, sg americas, wells fargo

Trust, Safety, And Communication

from the your-comms-strategy-is-your-trust-strategy dept

One thing that should be evident by now is that every online community eventually learns the need for some level of “trust & safety” or basic moderation to take place. And they quickly find that things are a lot more complex than they seem from the outside. Just try to moderate a medium sized Facebook Group if you want an example. Or play our Moderator Mayhem game.

It’s always interesting to see the points at which community organizers realize this and try to figure out how they’re going to handle this issue or that issue — and begin to realize what an impossible task it is. And while some people think that it’s now been long enough that any new community should have “the basics” figured out, it’s important to recognize that (1) there are always new problems, and (2) the “simple” problems are often a lot more complex than they seem. On top of that, there are thousands of things that any new community “should” have, and at some point the people building them need to weigh “releasing something” against “having every feature in place.” You can disagree with where the line is drawn, but everyone has to draw a line somewhere.

I was thinking about all this over the last week or so as there was some discussion when the (still invite-only beta) Bluesky ran into some issues regarding a username filter (specifically, the filter allowed users to sign up with slurs as their user names). This is, obviously, not good.

The debate on Bluesky morphed over the course of a few days from criticism regarding the pretty major omissions on the filter list, to the lack of communication from the company and its (normally communicative) employees. Basically the entire company went silent, followed eventually by some more bland “corporate” sounding responses that went against the “poasting” style the team had embraced earlier. Indeed, the sudden silence from the team stood out even more given their normal willingness to engage in all sorts of ways on just about everything else. Going from super talkative to silent at the moment of notable controversy is, perhaps, the opposite of a compelling communications strategy.

Still, it’s somewhat understandable when looked at in context. The teams have repeatedly talked about how much they need to accomplish in building both a protocol (which may change the nature of some of these issues) and their own platform as a reference app of that protocol. The service is still in beta for a reason. And when there are thousands of trust & safety things you need to set up in addition to building the platform and the service, raising money, finding a business model, and everything else, it can get a little overwhelming. And that’s especially true when the company had made earlier moves and statements suggesting that they took these issues seriously and were working on solutions. So, when things blow up because they missed some things, it can feel like an attack. The team believes their heart is in the right place, and they’re trying to balance the variety of things they need to do, and yet… they’re still getting yelled at.

But, alas, this is the general rule when you run any sort of online community: you will get yelled at, and at some point you need to decide what issues to deal with and what to focus on. Getting yelled at sucks. And often makes people clam up. Of course, the obvious (and very true!) counter to this is that having to deal with hate, abuse, and racism also sucks. And also makes people want to clam up. So if you’re taking a job to build a social network, you’re signing up for this specific kind of abuse, and you need to be ready for it in order to protect others from abuse.

Back in May, I had written a thing about social media Nazi bars, tradeoffs, and the impossibility of content moderation at scale, which I think remains quite relevant here. There are always tradeoffs, and unlike, say, Substack (which is much larger and much more well resourced), I’ve seen no indication that the Bluesky team is simply abdicating its responsibilities here, but rather prioritizing as best it can, meaning some things that everyone agrees are important won’t get put in place as quickly as some would hope.

For example, regarding the filter list, while it was an obvious failing in how the system was set up, any sort of brute filter list runs into problems over time. If you don’t want to deal with a “Scunthorpe” problem, you need a more sophisticated solution, and more sophisticated solutions require more time and thought, and we’re right back to the line-drawing exercise I mentioned above, where the long list of thousands of things you need to accomplish is at least one item longer (and more complex).

The real difference here seemed to be how much the communications problem exacerbated the more classic trust & safety failing.

And it made me start to think about how communications itself is a strategic trust & safety tool, though rarely considered as such. Some of the communications issue was, as many people noted, the failure of the company to come out and say they were sorry for the errors. And, yeah, it seems like this is a case where company leadership should have done so. But sorry only goes so far. Mark Zuckerberg has to keep going on apology tours, and it’s not clear that it’s really helpful.

Instead, I think the failure might be in the lack of clear communication on the larger roadmap from Bluesky. This applies to lots of other online communities as well, but I’m focused on Bluesky to make this point (although arguably, it applies even more to others). Many people (I think, falsely) focused on this one error regarding the username filter list, insisting that it showed the company “didn’t care.” That struck me as unlikely, given earlier statements and actions by the Bluesky team, which seemed to indicate not just that they cared about this, but they cared deeply, to the point that they wanted more thoughtful, serious, and comprehensive approaches to dealing with it, rather than slapdash duct tape fixes.

But, unless you’re paying close attention, you might miss all of that. And there’s no clearly laid out roadmap that people might have pointed to to alleviate the concerns of others.

Things might have gone a bit differently if Bluesky had a page with a roadmap regarding its plans for federation, composable moderation, trust & safety tooling, trust & safety hiring, and the like. If such a roadmap existed, that showed exactly how the team was thinking about these things, and made it clear that the team was working towards them deliberately, including at least some public explanation of the tradeoffs of various approaches, it would be more difficult for users to fill in the void with “they just don’t care.”

On top of that, it would similarly give the team breathing room to keep working on that roadmap, rather than having to respond to every emergency (some emergencies will still require emergency reactions, but not every emergency will grind everything else to a halt). This isn’t the answer to everything, of course. Nothing is.

But having clear communications, especially regarding a project that is designed to be decentralized and is being designed for the public benefit, is a key element of building trust, which I guess would be somewhere around 50% of the point of building out trust & safety.

Creating such a roadmap is quite a process in and of itself. As far as I can tell, no one else has done it either. And I’ve already been talking about how the team likely already has too much on its plate. But it does strike me that spending a bit more time on this at this early stage might help prevent some of the problems going forward, both in allowing users to point out some areas where the roadmap may need to be adjusted, or in simply having a better understanding of not just where Bluesky is today, but where it’s heading in the future.

I honestly think this understanding of the communications element of trust & safety could help many other communities as well. Many of the complaints and problems come from a mismatch between expectations and how a company actually makes decisions. And one way to deal with that is to better align the expectations. I think the last decade might have gone differently if Twitter, Facebook and others had been more public and upfront with some of their internal trust & safety discussions as well, so this is hardly unique to Bluesky.

But, at the very least, I think it’s important to start considering the role of communications as a part of a trust & safety strategy.

Filed Under: communications, content moderation, roadmap, trust and safety
Companies: bluesky

Twitch Rolls Out New Tiered Revenue Splits, Pissing Creators Off Yet Again

from the why-is-this-so-hard? dept

Amazon-owned Twitch appears to be running something of an experiment to see just how much it can piss off its creative community before a mass exodus occurs. Reading back through our posts on the platform, you will be left with the understanding that there are two types of policy rollouts when it comes to Twitch. There are the policies the company rolls out and almost immediately has to rescind after everyone gets wildly angry. And then there are the policies the company rolls out that result in just as much anger, but where the platform ignores the anger and gives its creative community the middle finger.

We’ll have to saddle up and wait to see just which version Twitch’s latest policy update is, which focuses on how some larger streamers can still earn the 70/30 revenue split despite everyone else getting moved into a 50/50 split tier.

Twitch’s mid-life platform crisis continues. After rolling out controversial new 50/50 revenue splits for top streamers last fall, the massively popular online gaming hangout is now announcing a new “Partner Plus Program” that will return certain channels to the previous 70/30 split, but with tons of caveats. It’s already not going over well.

“We want to help streamers keep doing what they love, so we can all keep loving what they do,” Twitch tweeted on June 15. “Today we’re announcing the Partner Plus program, a new program for streamers to build toward as they continue to grow their businesses,” began the blog post it linked to. From there it outlined how the new program will work when it launches in October, including a bunch of hyper-specific details.

And it’s those details that are pissing off some portion of the creative community. To qualify, streamers must have 350 recurring paid subscribers and there is something of a progressive revenue system at play, where the 70/30 split in the program only applies to the first $100k earned. After that, all money earned reverts back to the 50/50 split that pissed everyone off.

In other words, this is both aimed at placating the platform’s larger streamers while also still clawing a huge portion of the revenue back both among small and larger streamers. And for a majority of those streamers, purely from a revenue sharing standpoint, it’s difficult to see what remains attractive about streaming on Twitch versus other platforms, such as YouTube. Especially for non-established streamers looking to build themselves on the platform.

Listening and communicating: this continues to be the challenge at Twitch and it’s frankly getting very frustrating to tread this same ground over and over again. The easiest way Twitch can lose ground as a platform is by pissing off its most important asset: the creative community. The optics of Amazon’s ownership certainly don’t help matters, given the huge sums of money Amazon already generates for itself.

So come on down from the crystal tower, folks. Come talk to your community and learn what makes them tick. And maybe, just maybe, build a platform around that community rather than trying to dictate to them when they have other options in the marketplace.

Filed Under: communications, revenue split, streamers
Companies: twitch

Law Enforcement Hack Of Encrypted Chat Service Involving 30,000 Phones Being Challenged In European Courts

from the basically-an-untargeted-bulk-collection dept

For at least 3 months in early 2020, France-based EncroChat wasn’t in sole control of its communication services. Its servers had been compromised by European law enforcement — a joint effort involving law enforcement agencies located in France, the UK, and the Netherlands.

Authorized by a single court order from a French court, the Joint Investigative Team (JIT) infiltrated EncroChat servers and began intercepting text messages and recording lock screen passwords. The encryption EncroChat provided was never compromised. Instead, malware deployed via the compromised servers allowed law enforcement to extract data and communications from infected devices and, in some cases, disable remote wipe features.

The fallout from the three-month bulk harvesting of data and communications from nearly 60,000 phones was immense. More than 100 million messages were intercepted, leading to hundreds of raids, thousands of arrests, and thousands of kilograms of drugs seized.

The fallout continues, with hundreds of criminal prosecutions underway in several nations. And hundreds of cases means dozens of evidentiary challenges, especially when it appears the entire operation was authorized by a single court order issued by one judge in only one of the nations where prosecutions are currently occurring.

Matt Burgess of Wired has taken an in-depth look at the ongoing battles over the legality of this hacking and the ensuing massive data haul. Complicating matters for prosecutors is the fact that the data was harvested in France but passed on to law enforcement in other countries, possibly in violation of recipient countries’ laws.

Across Europe, legal challenges are building up. In many countries, courts have ruled that messages from EncroChat can be used as evidence. However, these decisions are now being disputed. The cases, many of which have been reported in detail by Computer Weekly, are complex: Each country has its own legal system with separate rules around the types of evidence that can be used and the processes prosecutors need to follow. For instance, the UK largely doesn’t allow “intercepted” evidence to be used in court; meanwhile, Germany has a high bar for allowing malware to be installed on a phone.

The unknown aspects of the remote access malware are one of the issues being discussed in German courts. Another concern being raised is how the data was shared by European law enforcement, including the German beneficiaries of this France-based infiltration.

There are multiple cases now headed to European Union courts, thanks to questions raised at the local level by defense lawyers. And, as Burgess points out, there’s one major case on the docket that could alter the evidentiary attack plans of others challenging this three-month, 100 million message “search” by the JIT.

In October, the French Court of Cassation questioned previous EncroChat legal decisions and said they should be re-examined. “The judge who authorized this measure was not in charge of 60,000 investigations, but only one, and therefore ordered a disproportionate act,” say lawyers Robin Binsard and Guillaume Martine, who are challenging the collection of the data. “We have to defend our clients without knowing how the investigators acted,” they say.

The issues of these cases are reminiscent of the FBI’s “Playpen” investigation. After compromising a dark web server hosting CSAM, the FBI deployed malware to users connecting to the site, allowing it to harvest device IDs, IP addresses, and other information it could use to identify investigation targets. The FBI’s search was authorized by a single court in Virginia but its malware was distributed to 8,000 computers in 120 countries.

In almost every case, the search performed by the FBI’s NIT (Network Investigative Technique) occurred outside of the jurisdiction it was supposed to be limited to. In almost every case, the FBI came away with a win, with judges deciding the extraterritorial searches violated the law but awarding good faith to the FBI because the (illegal) searches were authorized by a judge.

The same problems are evident in the EncroChat cases, only on a much more massive scale and with dozens of different countries and their laws implicated. And just like in the FBI NIT cases, prosecutors are refusing to hand over information about the malware deployed by law enforcement. We’ll have to see if they’re as willing to dump criminal cases if courts rule this information must be handed over to defendants. It’s going to take a long time to sort this all out. European law enforcement agencies are currently basking in the glow of successful, multi-national disruption of organized crime. But that glow will fade fast if courts begin ruling too much was done with too little judicial oversight — oversight that, it appears, may have been misled about the breadth and depth of the search effort it authorized.

Filed Under: communications, encryption, evidence, france, germany, hacking, privacy, surveillance, uk
Companies: encrochat

TECHLASH 2.0: The Next-Gen TECHLASH Is Bigger, Stronger & Faster

from the escalation dept

The roll-out of the “Facebook Papers” on Monday October 25 felt like drinking from a fire hose. Seventeen news organizations analyzed documents received from the Facebook whistleblower, Frances Haugen, and published numerous articles simultaneously. Most of the major news outlets have since then published their own analyses on a daily basis. With the flood of reports still coming in, “Accountable Tech” launched a helpful aggregator: facebookpapers.com.

The volume and frequency of the revelations are well-planned. All the journalists were approached by a PR firm, Bryson Gillette, that, along with prominent Big Tech critics, is supporting Haugen behind-the-scenes. “The scale of the coordinated roll-out feels commensurate with the scale of the platform it is trying to hold accountable,” wrote Charlie Warzel (Galaxy Brain).

Until the “Facebook Papers,” comparisons of Big Tech to Big Tobacco didn’t catch on. In July 2020, Mark Zuckerberg of Facebook, Sundar Pichai of Google, Jeff Bezos of Amazon, and Tim Cook of Apple were called to testify before the House Judiciary Subcommittee on Antitrust. A New York Times headline claimed the four companies prepare for their “Big Tobacco Moment.” A year later, this label is repeatedly applied to one company out of those four, and it is, unsurprisingly, a social media company.

TECHLASH 1.0 started off with headlines like Dear Silicon Valley: America’s fallen out of love with you (2017). From that point, it becomes a competition “who slams them harder?” eventually reaching: Silicon Valley’s tax-avoiding, job-killing, soul-sucking machine (2018).

In the TECHLASH 2.0 era, the antagonism has reached new heights. The “poster child” for TECHLASH 2.0 – Facebook – became a deranging brain implant for our society or an authoritarian, hostile foreign power (2021). In this escalation, virtually no claim about the malevolence of Big Tech is too outlandish to generate considerable attention.

As for the tech companies, their crisis response strategies have evolved as well. As TECHLASH 2.0 launched daily attacks on Facebook, its leadership decided to cease its apology tours. Nick Clegg, *Facebook VP of Global Affairs, provided his regular “mitigate the bad and amplify the good” commentary in numerous interviews. Inside Facebook, he told the employees to “listen and learn from criticism when it is fair, and push back strongly when it is not.”

Accordingly, the whole PR team transitioned into (what company insiders call) “wartime operation” and a full-blown battle over the narrative. Andy Stone combated journalists on Twitter. In one blog post, the WSJ articles were described as inaccurate and lacking context. A lengthy memo called the accusations “misleading” and some of the scrutiny “unfair.” Zuckerberg’s Facebook post argued that the heart of the accusations (that Facebook prioritizes profit over safety) is “just not true.”

On Twitter, Facebook’s VP of Communications referred to the embargo on the consortium of news organizations as an “orchestrated ‘gotcha’ campaign.” During Facebook’s third-quarter earnings call, Mark Zuckerberg reiterated that “what we are seeing is a coordinated effort to selectively use leaked documents to create a false picture about our company.”

Moreover, Facebook attacked the media for competing on publishing those false accusations: “This is beneath the Washington Post, which during the last five years competed ferociously with the New York Times over the number of corroborating sources its reporters could find for single anecdotes in deeply reported, intricate stories,” said a Facebook spokeswoman. “It sets a dangerous precedent to hang an entire story on a single source making a wide range of claims without any apparent corroboration.”

Facebook’s overall crisis response strategies revealed the rise of VADER:

The media critics describe the current backlash as overblown, full of hysteria, and based on arguments that don’t stand up to the research. More aggressively, a Facebook employee told me: “If in this storyline, we are Vader, then the media is BORG: Bogus, Overreaching, Reckless, and Grossly exaggerated.” Leaving aside the crime of mixing “Star Wars” and “Star Trek,” we can draw a broader generalization:

Both the tech coverage and the companies’ crisis responses have evolved in the past few weeks. We moved from a peaceful time (pre-TECHLASH) to a Cold War (TECHLASH 1.0) and now “all Hell breaks loose” (TECHLASH 2.0).

“Product Journalism” still exists around new devices/services, but the recent “firestorm” teaches us a valuable lesson. The Next-Gen of TECHLASH is bigger, stronger and faster – just like the tech companies it’s fighting against.

* In another move from the playbook, Facebook was rebranded as Meta. Since Meta means Dead in Hebrew (to the world’s amusement), I will refer to Facebook as Facebook for the time being.

Dr. Nirit Weiss-Blatt is the author of The Techlash and Tech Crisis Communication

Filed Under: communications, techlash

The Eternal October: Bringing Back Tech Optimism, Without The Naivety

from the time-for-a-rethink dept

For many reasons, it seems we’re deep in the mire of the techlash: everywhere you look, there are stories about the evils of technology. And while it is important to explore the risks and downsides of technology — especially after a few decades dominated by boosterism and PR-pretending-to-be-news — there’s a real danger of throwing out all the good (and potential good) while trying to deal with everything bad.

I think it’s time that we bring back recognition of how innovation, and technology such as the open internet, can actually do tremendous good in the world. I’m not talking about a return to unfettered boosterism and unthinking cheerleading — but a new and better-informed understanding of how innovation can create important and useful outcomes. An understanding that recognizes and aims to minimize the potential downsides, taking the lessons of the techlash and looking for ways to create a better, more innovative world.

A little over a decade ago I toyed with the idea of writing a book about the untapped power of the internet. I worked on a book proposal, found an agent, and talked with a few publishers — and what I heard was somewhat disheartening. I was told everyone was already so positive about the internet that no one thought a book about the good of technology would sell. Instead, I was told, the market was really hungering for contrarian books about how terrible the internet was. And indeed there were several such books published around that time, many of which sold quite well. Of course, over the past few years, the general good feelings about the internet have come crashing down in the public narrative, so I began thinking about finally writing a massively updated and expanded version of what I thought my original book would be about — and this time, I would be the contrarian, pointing out that maybe the techlash has gone too far in dismissing the important benefits of innovation. Again I went around and talked with a few people, and the message I got back was… “no one likes the internet any more, so such a book won’t sell.”

I’m beginning to think it might just be that book publishers don’t like the internet, and aren’t all that interested in publishing a book about its incredible potential for good.

Eternal August, September, & October

Internet old-timers probably know the phrase Eternal September, though I always heard it as “the September that never ended.” It comes from the idea that in the late 1980s and early 1990s, every September there would be an influx of newbies on the internet (mostly on Usenet) as incoming freshmen at colleges would get their very first internet access. And those newbies would blunder around, not understanding the customs and norms, and generally be bad tourists until they settled in and learned how things worked. However, in September of 1993 (incidentally my freshman year in college, and my introduction to Usenet), AOL opened its then-massive doors to Usenet as well. Prior to that, AOL had been a walled garden: a proprietary service, separate from the open internet. However, seeing the writing on the wall, AOL tore down its own walls and sent its massive userbase careening all over the open internet. And thus the bad behavior of my cohort of college freshmen was completely dwarfed by the sheer nonsense of hordes of clueless AOL users.

From then on, the internet was never the same. Hence, the Eternal September.

To some extent, what we’ve seen over the last few years was an enhanced and much more damaging version of the Eternal September. The craziness has taken over parts of the internet. A few weeks back, I was talking about this with a friend and we joked about the goal of the Eternal August — bringing back that moment of hope and potential, before all the newbies came in and ruined things. Indeed, originally this post was going to have Eternal August in the title.

But as I drafted this piece, I realized that it’s not the Eternal August we should be aiming for. Because that would ignore the very real damage and harms that have come from the abuse of technology: the fact that nation states and other actors with bad intent have often captured and abused the internet for their own ends. So instead, I think we should be aiming for a kind of Eternal October. Historically, prior to AOL’s walls coming down, the craziness caused by the September influx of newbies would gradually recede as they learned how everything worked and how to be good digital citizens. There was just a bit of a learning curve. The problem with the Eternal September was that there were just too many of these people for them to all learn how to be good digital citizens. But all these years later, perhaps that’s what we need to (and can) achieve.

That is, we should have a world in which we recognize the amazing opportunity of innovation to empower everyone and to challenge unaccountable power — but not one in which we indulge in naive utopianism or the assumption that progress towards a “good” outcome is inevitable and easy. That is the power of the Eternal October. Eternal August is fun and exciting and optimistic — but can be naive about the dangers and downsides. Eternal September is a dystopian hellhole in which you recognize that utopias don’t come about automatically. Eternal October, then, is where we take both into account, and recognize how technology and innovation have amazing potential for good without overlooking the fact that they can also be abused for nefarious purposes. It’s when we explore ways to support the good aspects of innovation, and seek to minimize the potential for and impact of abuse.

In an Eternal October, we recognize a world in which innovation does a tremendous amount of good. Millions of people — often those who were marginalized and whose views were suppressed — have been able to find likeminded connections, to organize, and to speak out. In this world, we see incredible movements like the Arab Spring, the #metoo movement, and many powerful campaigns against hatred and racism. It’s a world in which access to information and people have enabled knowledge to flow, people to become educated, and previously unheard voices to speak out against true injustice.

But in this world we also recognize how those same tools of innovation can be co-opted and put to nefarious intent. We’ve seen how they can be used for targeted harassment campaigns, and how the power of online communities can be leveraged to spread disinformation, hate, chaos, and discord. We’ve seen how the innovative new tools of communication have been put to important use for effecting change and speaking truth to power, but also how the powerful have turned those tools around to further entrench their power and attack the vulnerable.

And this doesn’t just happen on a large scale. Smaller benefits often get lost while focusing on the huge movements: the ability of marginalized and at-risk people in communities with little support to find others on the open internet and realize they are not alone; the ability of individuals in far flung places to simply find their own tribe — the people who truly understand them. But less globe-spanning downsides also can’t be ignored: the abuse can have devastating impact on a small scale as well.

The Eternal October: Focus on Empowerment

So how do we square those two sides? The power of technology to bring people together, to build movements, and to create change is undeniable. Sometimes it’s used for good and, clearly, sometimes it’s used for ill. Some people seem to believe that the fact that it can be used for bad purposes outweighs all else, and means that the technology and the power it creates should be greatly limited and scaled back. I believe otherwise.

For years, there were attempts to place all commentators on tech into one of two camps: techno utopians and techno skeptics. I’ve regularly been called a techno utopian. People can call me whatever they want, but I think the “utopian” framing is incredibly misleading. I’m reminded of Cory Doctorow’s useful response to those who called John Perry Barlow a hopeless utopian optimist:

You don’t found an organization like the Electronic Frontier Foundation because you are sanguine about the future of the internet: you do so because your hope for an amazing, open future is haunted by terror of a network suborned for the purposes of spying and control.

And I think this is also true of those of us thinking about these issues today. We don’t have the naive, blind optimism of the Eternal August, and we recognize the real issues driving this Eternal September of darkness we seem to be living through. But now we want to fight like hell to bring society around to that Eternal October: one in which we do not pull down all that makes the internet so valuable and wonderful, but view it with clear eyes that see how it has been (and will continue to be) abused and misused by some for ill-intent.

To me, the key is focusing on what the open internet has always done best: empowering individuals. It is the empowerment that underlines all of this. Empowering more people to take control over their digital lives. Empowering more people to push back on unaccountable power — including unaccountable power from large tech companies, from governments, and from a wide variety of organizations that aim to bend people to their own beliefs instead of doing what’s right. That means empowering people to fight back against those forces that want to co-opt the internet for nefarious reasons, and to respond with truth over lies, context over innuendo, and autonomy over dependence.

I don’t think any of this is easy. But, like John Perry Barlow, I still hope for an amazing, open future — even while I fear how it will be taken from us through a combination of those with ill-intent, and those who have the best of intent but don’t realize just how many babies they may toss out with the bathwater.

I don’t know where all of this is going right now, but I do know that I’ve been having conversations along these lines with a bunch of people over the last year or so, and there’s a strong feeling that it’s time for us to reclaim the open internet. To bring it back to the original vision of the earliest proponents and builders of the open web, in which it was all potential, but with the humility and knowledge of how that power can and will be abused. We can have an internet that empowers people, but not with blind optimism. We can recognize that optimism is warranted, but needs to be tempered with a healthy understanding of where things can go wrong. We can look for ways to enable more people to respond to those challenges, rather than relying on large companies and governments to step in and “solve it” for us — often with a sledgehammer directed at the foundational things that make the internet such a valuable tool in the first place.

As regular readers know, I always close my final post of the year on Techdirt with reasons for optimism, and for last year’s post I talked about the need to make the world a better place. And that began with standing up and taking on the responsibility to help do that myself. This post is another step in that direction (and I haven’t given up on my book idea, either): I’m exploring more and more ways to actually bring about the Eternal October.

Expect more to come on this…

Filed Under: communications, eternal august, eternal october, eternal september, movements, open internet, optimism

Defense Department Oversight Thwarted By Defense Department Officials Who Refused To Talk About Trump's Communications

from the cut-to-DoD-officials-tying-gags-over-their-own-mouths dept

Every presidential administration seems to make a game of thwarting oversight. The current one is no different. President Trump is setting himself apart from the pack by firing IGs at an alarming pace. Whatever’s being done in our name at various government agencies is being done in the dark. Whistleblowers and leakers are being hunted down and persecuted/prosecuted (another favorite presidential sport).

What would be considered unlawful obstruction in a criminal investigation is just business as usual at the Executive branch. The latest (but certainly not the last) obstruction was revealed in the investigation of the “JEDI” contract procedure. Amazon really wanted to be a part of American bloodsports, but was beaten out by Microsoft for lucrative Pentagon cloud storage contracts. Amazon sued, alleging it got illegally screwed by the President, claiming his frequent derogatory comments about Amazon and the Jeff Bezos-owned Washington Post pushed the Pentagon towards selecting Microsoft.

An investigation was opened by the Defense Department’s Inspector General. And we’ll never know what really happened because it appears the administration inserted itself into the investigation. Jacqueline Feldscher has more details at Politico:

The Pentagon’s inspector general “could not definitively determine” whether the White House influenced the procurement process for a major cloud computing contract because senior Defense Department officials were barred from answering questions on the subject during interviews, according to a 313-page report released on Wednesday.

Sticking it to the Deep State, I guess. So, what looks like some impropriety now officially only looks like some impropriety because the Defense Department’s general counsel told DoD officials to not answer any questions about communications between the DoD and the White House. “Presidential communications privilege” successfully asserted.

Given the lack of answers, it seems pretty ridiculous for the Pentagon to hang the “Mission Accomplished” banner and declare everything to be above-board. But that’s what has happened because that’s the kind of government we have. Here’s the Pentagon’s spokesperson pretending there’s nothing to see here.

“This report should finally close the door on the media and corporate-driven attacks on the career procurement officials who have been working tirelessly to get the much needed JEDI cloud computing environment into the hands of our frontline warfighters while continuing to protect American taxpayers.”

Everything is over except its eventual fading into obscurity, washed under the flotsam that is the day-to-day horror of living in an ongoing pandemic. The Pentagon has cleared itself of any wrongdoing by refusing to answer questions related to alleged wrongdoing. The overseers were neutralized by presidential privilege, resulting in the Inspector General drawing inconclusions the Pentagon has declared to be exculpatory with one comment to the press. The IG’s office decided to release the incomplete report anyway, stating it did not want to further delay any reporting on its non-findings since it was apparent no amount of waiting things out was going to get these officials to discuss things they didn’t want to discuss.

As for Amazon, it must be refreshing to be on the other side of impropriety accusations for once. The run-up to the awarding of the contract saw a few DoD officials becoming far too friendly with the cloud service provider.

The inspector general substantiated allegations of ethical misconduct against Deap Ubhi, a Pentagon employee who worked on the early stages of crafting the JEDI program before leaving the department to work for Amazon.

Investigators did not, however, find evidence of ethical misconduct by other senior defense officials, including former Defense Secretary Jim Mattis, who attended a dinner with Amazon officials organized by his former aide Sally Donnelly.

Ah. Well, at least the IG found out something about somebody. The President’s dislike for Amazon and Bezos remains under “presidential privilege” wraps and the swamp will continue draining at its current rate of 0 liters/flush.

Filed Under: communications, contract, dod, donald trump, inspector general, jedi, oversight, retaliation, transparency
Companies: amazon, microsoft