computer crimes – Techdirt (original) (raw)
UN Delegates Cheer As They Vote To Approve Increased Surveillance Via Russia-Backed Cybercrime Treaty
from the why-are-we-even-doing-this? dept
For years now, the UN has been trying to strike a deal on a “Cybercrime Treaty.” As with nearly every attempt by the UN to craft treaties around internet regulation, it’s been a total mess. The concept, enabling countries to have agreed upon standards to fight cybercrime, may seem laudable. But when it’s driven by countries that have extremely different definitions of “crime,” it becomes problematic. Especially if part of the treaty is enabling one country to demand another reveal private information about someone they accuse of engaging in a very, very broadly defined “cybercrime.”
The UN structure means that the final decision-makers are nation-states, and other stakeholders have way less say in the process.
And, on Thursday, those nation-states unanimously approved it, ignoring the concerns of many stakeholders.
Some history: two years ago, we warned about how the proposed treaty appeared to be perfect for widespread censorship, as it included considering “hate speech” as a form of cybercrime it sought to regulate. Last year, we checked in again and found that, while updated, the proposed treaty was still a total mess and would lead to both the stifling of free expression and increased surveillance.
No wonder certain governments (Russia, China) loved it.
While the final treaty made some changes from earlier versions that definitely made it better, the end product is still incredibly dangerous in many ways. Human Rights Watch put out a detailed warning regarding the problems of the treaty, noting that Russia is the main backer of the treaty — which should already cause you to distrust it.
The treaty has three main problems: its broad scope, its lack of human-rights safeguards, and the risks it poses to children’s rights.
Instead of limiting the treaty to address crimes committed against computer systems, networks, and data—think hacking or ransomware—the treaty’s title defines cybercrime to include any crime committed by using Information and Communications Technology systems. The negotiators are also poised to agree to the immediate drafting of a protocol to the treaty to address “additional criminal offenses as appropriate.” As a result, when governments pass domestic laws that criminalize any activity that uses the Internet in any way to plan, commit, or carry out a crime, they can point to this treaty’s title and potentially its protocol to justify the enforcement of repressive laws.
In addition to the treaty’s broad definition of cybercrime, it essentially requires governments to surveil people and turn over their data to foreign law enforcement upon request if the requesting government claims they’ve committed any “serious crime” under national law, defined as a crime with a sentence of four years or more. This would include behavior that is protected under international human rights law but that some countries abusively criminalize, like same-sex conduct, criticizing one’s government, investigative reporting, participating in a protest, or being a whistleblower.
In the last year, a Saudi court sentenced a man to death and a second man to 20 years in prison, both for their peaceful expression online, in an escalation of the country’s ever-worsening crackdown on freedom of expression and other basic rights.
This treaty would compel other governments to assist in and become complicit in the prosecution of such “crimes.”
EFF also warned of how the treaty would be used for greater governmental surveillance:
If you’re an activist in Country A tweeting about human rights atrocities in Country B, and criticizing government officials or the king is considered a serious crime in both countries under vague cybercrime laws, the UN Cybercrime Treaty could allow Country A to spy on you for Country B. This means Country A could access your email or track your location without prior judicial authorization and keep this information secret, even when it no longer impacts the investigation.
Criticizing the government is a far cry from launching a phishing attack or causing a data breach. But since it involves using a computer and is a serious crime as defined by national law, it falls within the scope of the treaty’s cross-border spying powers, as currently written.
This isn’t hyperbole. In countries like Russia and China, serious “cybercrime” has become a catchall term for any activity the government disapproves of if it involves a computer. This broad and vague definition of serious crimes allows these governments to target political dissidents and suppress free speech under the guise of cybercrime enforcement.
Posting a rainbow flag on social media could be considered a serious cybercrime in countries outlawing LGBTQ+ rights. Journalists publishing articles based on leaked data about human rights atrocities and digital activists organizing protests through social media could be accused of committing cybercrimes under the draft convention.
The text’s broad scope could allow governments to misuse the convention’s cross border spying powers to gather “evidence” on political dissidents and suppress free speech and privacy under the pretext of enforcing cybercrime laws.
That seems bad!
EFF also warned how the Cybercrime Treaty could be used against journalists and security researchers. It creates a sort of international (but even more poorly worded) version of the CFAA, a law we’ve criticized many times in the past for how it is abused by law enforcement to go after anyone doing anything they dislike “on a computer.”
Instead, the draft text includes weak wording that criminalizes accessing a computer “without right.” This could allow authorities to prosecute security researchers and investigative journalists who, for example, independently find and publish information about holes in computer networks.
These vulnerabilities could be exploited to spread malware, cause data breaches, and get access to sensitive information of millions of people. This would undermine the very purpose of the draft treaty: to protect individuals and our institutions from cybercrime.
What’s more, the draft treaty’s overbroad scope, extensive secret surveillance provisions, and weak safeguards risk making the convention a tool for state abuse. Journalists reporting on government corruption, protests, public dissent, and other issues states don’t like can and do become targets for surveillance, location tracking, and private data collection.
And so, of course, the UN passed it on Thursday in a unanimous vote. Because governments love it for all the concerns discussed above, and human rights groups and other stakeholders don’t get a vote. Which seems like a problem.
The passage of the treaty is significant and establishes for the first time a global-level cybercrime and data access-enabling legal framework.
The treaty was adopted late Thursday by the body’s Ad Hoc Committee on Cybercrime and will next go to the General Assembly for a vote in the fall. It is expected to sail through the General Assembly since the same states will be voting on it there.
The agreement follows three years of negotiations capped by the final two-week session that has been underway.
And then they gave themselves a standing ovation. Because it’s not them who will get screwed over by this treaty. It’s everyone else.
cybercrime treaty adopted. diplomats give a standing ovation.adopted over objections of most human rights orgs. little good will come out of this. all risk. russians get their dream treaty.democracies will regret their spinelessness when countries demand new crimes of 'extremism' &tc.
— David Kaye (@davidkaye.bsky.social) 2024-08-08T21:07:36.751Z
For the treaty to go into force, 40 nations have to ratify it. Hopefully the US refuses to, and also pushes for other non-authoritarian countries to reject this treaty as well. It’s a really dangerous agreement, and these kinds of international agreements can cause serious problems once countries agree to them and they enter into force. Terrible treaties, once ratified, are nearly impossible to fix.
Filed Under: cfaa, computer crimes, cybercrime, cybercrime treaty, data access, russia, surveillance, un
Kansas Cops Raid Small Town Newspaper In Extremely Questionable ‘Criminal Investigation’
from the sorry-about-the-boot-prints-on-your-rights dept
The free press is supposed to be free. That’s what the First Amendment means. Journalists have a long-acknowledged, supported-by-decades-of-precedent right to publish information that may make the government uncomfortable.
When cops start raiding press outlets, everyone takes notice. This isn’t how this works — not in the United States with its long list of guaranteed rights.
But that’s what happened at a small newspaper in Kansas, for reasons local law enforcement is currently unwilling to explain.
In an unprecedented raid Friday, local law enforcement seized computers, cellphones and reporting materials from the Marion County Record office, the newspaper’s reporters, and the publisher’s home.
Eric Meyer, owner and publisher of the newspaper, said police were motivated by a confidential source who leaked sensitive documents to the newspaper, and the message was clear: “Mind your own business or we’re going to step on you.”
The city’s entire five-officer police force and two sheriff’s deputies took “everything we have,” Meyer said, and it wasn’t clear how the newspaper staff would take the weekly publication to press Tuesday night.
While there’s still some speculation about the reason for this raid, this law enforcement action has at least accelerated the demise of the paper’s owner.
Stressed beyond her limits and overwhelmed by hours of shock and grief after illegal police raids on her home and the Marion County Record newspaper office Friday, 98-year-old newspaper co-owner Joan Meyer, otherwise in good health for her age, collapsed Saturday afternoon and died at her home.
She had not been able to eat after police showed up at the door of her home Friday with a search warrant in hand. Neither was she able to sleep Friday night.
She tearfully watched during the raid as police not only carted away her computer and a router used by an Alexa smart speaker but also dug through her son Eric’s personal bank and investments statements to photograph them. Electronic cords were left in a jumbled pile on her floor.
Sure, correlation is not causation, but one can reasonably expect that a law enforcement raid on an elderly person’s home — especially one who had just found out her paper had been raided by the same officers — would not result in an extended life expectancy.
Even if you ignore the death as being nothing more than the result of being 98 years old, you have to recognize the insane overreach that saw a newspaper’s offices raided, followed by a raid of the newspaper owner’s home.
In addition to these raids, officers also raided the home of vice mayor Ruth Herbel.
All anyone knows is what’s stated in the warrant application, as well as a recent bit of friction involving the paper, some leaked DUI records, and a local business owner.
According to Meyer, a retired University of Illinois journalism professor, the raid came after a confidential source leaked sensitive documents to the newspaper about local restaurateur Kari Newell. The source, Meyer said, provided evidence that Newell has been convicted of DUI and was driving without a license—a fact that could spell trouble for her liquor license and catering business.
Meyer, however, said he ultimately did not decide to publish the story about Newell after questioning the motivations of the source. Instead, he said, he just alerted police of the information.
“We thought we were being set up,” Meyer said about the confidential information.
That’s according to the paper’s co-owner, Eric Meyer. These raids were set in motion by information the newspaper didn’t even publish and despite the fact the Marion County Record informed law enforcement about the leaked info.
That’s one theory: that Kari Newell had enough pull to put the police in motion to silence a potential publisher of leaked info that, to this point, had not made the leaked information public.
There’s also another theory, which suggests something even more horrible than a local business owner weaponizing local law enforcement to keep their own misdeeds under wraps.
An interview with Eric Meyer by Marisa Kabas suggests this might have nothing to do with a local restaurateur’s alleged drunk driving. What may actually be happening here is local law enforcement attempting to silence reporting about… well, local law enforcement.
What has remained unreported until now is that, prior to the raids, the newspaper had been actively investigating Gideon Cody, Chief of Police for the city of Marion. They’d received multiple tips alleging he’d retired from his previous job to avoid demotion and punishment over alleged sexual misconduct charges.
And that’s a new wrinkle that makes everything worse. Raiding a newspaper, a newspaper owner’s home, and the home of the vice mayor over unpublished news about a local businessperson’s DUI problems is one thing. Performing these raids to prevent a small paper from publishing what it had discovered about the chief of police is quite another. The first is a horrible infringement of First Amendment rights. The latter is a hideous abuse of law enforcement powers.
According to the warrant, the cops are investigating a couple of crimes. One seems extremely unrelated to either theory: “Identify Theft.” That crime is described as expected: the use of another person’s identity to commit fraud. Nothing in either theory suggests anything like that was committed by the paper, its owners, or the vice mayor. There has been some talk that if you squint and cheat, you could conceivably argue that a possible method of checking Newell’s driver’s license could possibly, technically, violate the state’s identity theft law, but that is an extreme stretch, and still would not justify the full raid and seizures.
The other law cited in the warrant — K.S.A. 21-5839 — is the real problem here. The state law is pretty much the CFAA: a catch-all for “computer” crimes that allows law enforcement (if so motivated) to treat almost anything that might resemble a journalistic effort to gather facts as a crime against computers.
There’s a whole lot of vague language about “authorization,” which means opportunistic cops can use this law to justify raids simply because they did not “authorize” any release of information pertaining to either (a) DUI arrests or citations, or (b) the chief of police’s past history as an alleged sex fiend.
What’s on the record (such as it is) suggests these raids are the acts of officers seeking to protect one of their own: police chief Gideon Cody. The end result of the raids was the seizing of the means of (press) production. Reporters’ computers and phones were seized, along with the small paper’s server — seizures that appear to be designed to silence this press outlet. While ongoing silence would obviously protect the police department, as well as a business owner who may not want the wrong kind of press attention, Occam’s Razor suggests cops will always be far more interested in protecting themselves than taxpayers, no matter how (comparatively) rich they might be.
The Marion, Kansas Police Department has responded to the national outrage generated by its actions. And its official statement uses a whole lot of words to say absolutely nothing.
The Marion Kansas Police Department has has several inquiries regarding an ongoing investigation.
As much as I would like to give everyone details on a criminal investigation I cannot. I believe when the rest of the story is available to the public, the judicial system that is being questioned will be vindicated.
I appreciate all the assistance from all the State and Local investigators along with the entire judicial process thus far.
Speaking in generalities, the federal Privacy Protection Act, 42 U.S.C. §§ 2000aa-2000aa-12, does protect journalists from most searches of newsrooms by federal and state law enforcement officials. It is true that in most cases, it requires police to use subpoenas, rather than search warrants, to search the premises of journalists unless they themselves are suspects in the offense that is the subject of the search.
The Act requires criminal investigators to get a subpoena instead of a search warrant when seeking “work product materials” and “documentary materials” from the press, except in circumstances, including: (1) when there is reason to believe the journalist is taking part in the underlying wrongdoing.
The Marion Kansas Police Department believes it is the fundamental duty of the police is to ensure the safety, security, and well-being of all members of the public. This commitment must remain steadfast and unbiased, unaffected by political or media influences, in order to uphold the principles of justice, equal protection, and the rule of law for everyone in the community. The victim asks that we do all the law allows to ensure justice is served. The Marion Kansas Police Department will nothing less.
First off, the judicial system isn’t what’s being “questioned.” It’s the acts of this particular cop shop, which will always be far less impartial than the judges overseeing their cases. While we would like to know why these search warrants we’re granted, we’re far more interested in why law enforcement sought them in the first place.
The rest of this non-explanation is just CYA boilerplate. We all know how cops are supposed to behave. A cop frontmouth telling us that what we’re witnessing is nothing more than cops behaving they way we expect them to — while refusing to provide any specifics — means nothing at all until the facts come out. The problem is the Marion Police Department thinks the lack of facts means it should be given the benefit of a doubt, rather than recognize this is a situation it will need to fully justify if it expects to salvage what’s left of its eroding reputation.
Either way, what local law enforcement should have immediately recognized, long before the raids were carried out, is that this would draw national attention to these unconstitutional raids as well as give the Marion County Recorder a bunch of fans capable of offsetting the damage done by these blundering officers.
This is from Meyer, the paper’s surviving co-owner:
It is kind of heartwarming: One of the things that I just noticed was we got this incredible swelling of people buying subscriptions to the paper off of our website. We got a lot of them, including some—I’m not gonna say who they’re from—but one of them is an extremely famous movie producer and screenwriter who came in and subscribed to the paper all of a sudden. I mean, it’s like, why are people from Poughkeepsie, New York and Los Angeles, California and Seattle, Washington and, you know, all these different places subscribing to the paper?
But a lot of people seem to want to help, and we’ve had people calling, asking “where can I send money to help you?” And, well, we don’t need money right now. We just are gonna have a long weekend of work to do. But we’ll catch up.
No matter the reason for the raids, the cops fucked up. But it will take a lawsuit to hold them accountable for their actions. No one outside of the participating departments believes these actions were justified. No one believes these raids weren’t carried out for the sole purpose of protecting people in power, whether it was a local business owner or the local police chief. Everything about this is wrong. Hopefully, a court will set this straight, as well as require the PD to explain the motivation for its actions in detail, putting to rest the speculation these oversteps have generated.
Filed Under: 1st amendment, 4th amendment, cfaa, computer crimes, eric meyer, free press, free speech, gideon cody, hacking, identity theft, joan meyer, journalism, kansas, kari newell, marion pd, police raid, ruth herbel
Companies: marion county record
Shocker: DOJ's Computer Crimes And Intellectual Property Section Supports Security Researchers DMCA Exemptions
from the say-what-now? dept
Well here’s a surprise for you. The DOJ’s Computer Crime and Intellectual Property Section (CCIPS) has weighed in to support DMCA 1201 exemptions proposed by computer security researchers. This is… flabbergasting.
In case you don’t know, Section 1201 of the Digital Millennium Copyright Act (DMCA) is the “anti-circumvention” part of the law. It’s the part of the law that makes it infringement to get around any “technological measure” to lock down copyright covered material, even if breaking those locks has nothing whatsoever to do with copyright infringement. It’s a horrible law that has created all sorts of negative consequences, including costly and ridiculous lawsuits about things having nothing to do with copyright — including garage door openers and printer ink cartridges. In fact, Congress knew the law was dumb from the beginning, but rather than dump it entirely as it should have done, a really silly “safety valve” was added in the form of the “triennial review” process.
The triennial review is a process that happens every three years (obviously, per the name), in which anyone can basically beg the Copyright Office and the Librarian of Congress to create exemptions for cracking DRM for the next three years (an exemption — stupidly — only lasts those three years, meaning people have to keep reapplying). Over the years, this has resulted in lots of silliness, including the famous decision by the Librarian of Congress to not renew an exemption to unlock mobile phones a few years back. Many of the exemption requests come from security researchers who want to be able to crack systems without being accused of copyright infringement — which happens more frequently than you might think.
Historically, law enforcement has often been against these exemptions, because (in general) they often appear to dislike the fact that security researchers find security flaws. This is, of course, silly, but many like to take a “blame the messenger” approach to security research. That’s why this new comment from the DOJ’s CCIPS is so… unexpected.
Many of the changes sought in the petition appear likely to promote productive cybersecurity research, and CCIPS supports them, subject to the limitations discussed below.
Incredibly, CCIPS even points out that those who are opposed to these cybersecurity research exemptions are misunderstanding the purpose of 1201, and that it should only be used to stop activity that impacts copyright directly. This is the kind of thing we’ve been arguing for years, but many companies and government agencies have argued that because 1201 helps them, no exemptions should be granted. But here, the DOJ explains that’s not how it works:
Some comments opposing removal of any existing limitation on the security research exemption suggest, implicitly or explicitly, that the DMCA?s security research exemption itself poses a danger merely because it fails to prohibit a type of research to which the commenter objects. However, the purpose of the DMCA is to provide legal protection for technological protection measures, ultimately to protect the exclusive rights protected by copyright. As critically important as the integrity of voting machines or the safety of motorized land vehicles are the American public, the DMCA was not created to protect either interest, and is ill-suited to do so. To the extent such devices now contain copyrighted works protected by technological protection measures, the DMCA serves to protect those embedded works. However, the DMCA is not the sole nor even the primary legal protection preventing malicious tampering with such devices, or otherwise defining the contours of appropriate research. The fact that malicious tampering with certain devices or works could cause serious harm is reason to maintain legal prohibitions against such tampering, but not necessarily to try to mirror all such legal prohibitions within the DMCA?s exemptions.
There’s a lot more in the comment, but… I’m actually impressed. Of course, the letter does note that part of the reason it wants this exemption is to enable security researchers to figure out how to crack into encrypted phones, but that’s actually a reasonable position for the DOJ to take. Far better than seeking to backdoor encryption. Finding flaws is fair game.
All in all, this is a welcome development, having the DOJ’s CCIPS recognize that security research is useful, and that it shouldn’t be blocked by nonsense copyright anti-circumvention rules.
Filed Under: 1201, ccips, computer crimes, copyright, dmca 1201, doj, exemptions, security research, triennial review
Hacker Lauri Love Wins Extradition Appeal; Won't Be Shipped Off To The US
from the phew dept
We’ve been writing about the saga of Lauri Love for almost four years now. If you don’t recall, he’s the British student who was accused of hacking into various US government systems, and who has been fighting a battle against being extradited to the US for all these years. For those of you old timers, the situation was quite similar to the story of Gary McKinnon, another UK citizen accused of hacking into US government computers, and who fought extradition for years. In McKinnon’s case, he lost his court appeals, but the extradition was eventually blocked by the UK’s Home Secretary… Theresa May.
In the Lauri Love case, the situation went somewhat differently. A court said Love could be extradited and current Home Secretary Amber Rudd was happy to go along with it. But, somewhat surprisingly, an appeals court has overruled the lower court and said Love should not be extradited:
Lawyers for the 32-year-old, who lives in Suffolk, had argued that he should be tried for his alleged crimes in the UK and that he would be at risk of killing himself if sent to the US.
The court accepted both of the main arguments advanced by Love?s lawyers that there was no reason he could not be tried in England and that he might suffer serious damage to his health if he were extradited.
Love may now face a trial in the UK — but that is considered a much better option than being shipped overseas. After the ruling, Love noted that this could impact future cases of individuals in similar circumstances, and the link above quotes some lawyers suggesting that it’s going to be much more difficult for the US to extradite people for computer crimes going forward. Given the ridiculousness of the CFAA and the way that the US treats computer crimes, this is clearly a good thing.
Filed Under: cfaa, computer crimes, extradition, hacking, lauri love, uk, us
Rhode Island Attorney General Pushing For A State-Level CFAA That Will Turn Researchers, Whistleblowers Into Criminals
from the 'unauthorized-access'-isn't-always-a-bad-thing... dept
We recently wrote about the Rhode Island attorney general’s “cybercrime” bill — a legislative proposal that seeks to address cyberbullying, revenge porn, etc. with a bunch of broadly — and poorly — written clauses. Two negative comments written months apart could be viewed as “cyber-harassment” under the law, separating it from the sustained pattern of abuse that one normally considers “harassment.”
In addition, the proposed law would criminalize “non-consensual communications.” If the sender does not obtain the recipient’s permission to send a message, it’s a criminal act if the recipient finds the message to be distressing — which could mean anything from emailing explicit threats to posting a negative comment on someone’s Facebook page.
But that’s not Attorney General Peter F. Kilmartin’s only bad idea. It appears he’s behind another legislative proposal — one that would amend the state’s computer crime laws into something more closely resembling the catastrophic federal equivalent: the CFAA.
Here’s the worst part of the suggested amendments:
Whoever intentionally and without authorization or in excess of one’s authorization, directly or indirectly accesses a computer, computer program, computer system, or computer network with the intent to either view, obtain, copy, print or download any confidential information contained in or stored on such computer, computer program, computer system, or computer network, shall be guilty of a felony and shall be subject to the penalties set forth in §11-52-5.
This would make the following Google search illegal:
filetype:pdf site:*.gov “law enforcement use only”
Anything deemed “confidential information” — if accessed by people not “authorized” to do so — falls under the protection of this legislation, even if it can be accessed by any member of the public without actually “breaking into” a company/government/etc. server.
The definition of “confidential information” makes the legislation even more problematic.
“Confidential Information” means data that is protected from disclosure on a computer, computer program, computer system or computer network and that the computer, computer program, computer system or computer network does not transmit or disclose unless initiated by the owner of such computer, computer program, computer system or computer network.
Something accessible by a Google search is not “protected from disclosure” by any stretch of the imagination. But this phrase, “unless initiated by the owner of such computer…,” makes it illegal to obtain documents not otherwise protected. Uploading a sensitive document to a public-facing website crawled by Google is stupid and the person doing the uploading should take any “unauthorized access” as a learning experience. But under the law, it could successfully be argued that the uploading of a document to a publicly-accessible website is not the same thing as “initiating transmission.”
The proposal makes several exemptions for service providers, software manufacturers and (no kidding) advertisers, so that their trawling of confidential information in the course of their businesses won’t be viewed as criminal acts. But what it doesn’t do is carve out an exception for security researchers, who often access confidential information during the course of their work.
In this form, the legislation is dangerous. It will criminalize security research and punish citizens for the stupidity of others. On top of that, the law would pretty much turn every whistleblower into a criminal by treating the access of confidential information as a crime, no matter what the circumstances are. Running it through an editing process involving politicians surrounded by “cyberwar” hype is unlikely to improve it.
Filed Under: cfaa, computer crimes, peter kilmartin, research, rhode island