database – Techdirt
Researcher Finds Russian Cybersecurity Far Shittier Than The Mythology Suggests
from the shoe-on-the-other-foot dept
For much of the last decade, Vladimir Putin has attempted to compensate for various shortcomings (like a less sophisticated real world military) by launching cyber and propaganda attacks on much of the world. And while this, for a while, resulted in a mythology that Russia was in a league of its own when it comes to hacking and cybersecurity, the reality isn’t nearly that exciting.
Jeremiah Fowler, co-founder of the cybersecurity company Security Discovery, spent much of the last year investigating Anonymous’ attacks on Russia as a response to the Russian invasion of Ukraine. In a random sampling of 100 Russian databases, he found 92 of them to have been compromised recently.
That’s in addition to widespread DDoS attacks, hack-and-leak attacks on numerous companies still doing business in Russia, the hacking of Russian office printers and retail receipt printers to print anti-war messages, and even the hacking of Russian streaming services to show heavily propagandized Russian citizens real-time war footage:
The hacking collective #Anonymous hacked into the Russian streaming services Wink and Ivi (like Netflix) and live TV channels Russia 24, Channel One, Moscow 24 to broadcast war footage from Ukraine [today] pic.twitter.com/hzqcXT1xRU
— Anonymous (@YourAnonNews) March 6, 2022
Fowler began his investigation rather underwhelmed by the claims being made by Anonymous and other hacking groups, noting a lack of evidence in most media reports. But when he actually began investigating, he found the attacks to be widespread and Russia’s defenses fairly pathetic:
“Anonymous has made Russia’s governmental and civilian cyber defenses appear weak,” he told CNBC. “The group has demystified Russia’s cyber capabilities and successfully embarrassed Russian companies, government agencies, energy companies and others.”
“The country may have been the ‘Iron Curtain,‘” he said, “but with the scale of these attacks by a hacker army online, it appears more to be a ‘paper curtain.’”
Russia’s great innovative contributions to the twenty-first century have so far been implementing online propaganda (“flooding the zone with shit” to destabilize truth itself, as fascists like to say) at global scale, carpet bombing children at shopping malls, and completely removing even the faintest pretense of ethical considerations from nation state hacking attacks.
Online propaganda, war crimes, and reckless global hacking obviously aren’t exclusive to Russia (or the U.S., or China, or Israel), but the idea that Russia’s pioneering efforts on this front meant it was somehow technologically exceptional in any way doesn’t appear to be based on much of anything.
Filed Under: cybersecurity, database, ddos, hacking, privacy, propaganda, russia
Journalists Publish List Of Convicted Cops The State's Attorney General Said Was Illegal For Them To Have
from the bluff-called dept
The list of convicted cops the California Attorney General tried to keep secret has just been made searchable by the Sacramento Bee. It contains hundreds of current and former police officers who’ve been convicted of criminal acts over the last ten years.
This collaboration of multiple newsrooms and journalism advocates began with an unforced error by a state agency. Taking advantage of a new state law allowing the public to access police misconduct records, journalists asked the California Commission on Peace Officer Standards and Training for relevant documents. The agency handed over a list of 12,000 former and current officers — a list that apparently was never supposed to be made public.
The state’s Attorney General claimed the journalists had broken the law simply by possessing a document the Commission never should have given them. This couldn’t be further from the truth, but AG Xavier Becerra continued to make this claim, as though it were possible to codify something just by saying it out loud often enough.
I can see why AG Becerra wants this list buried. There’s nothing on it that makes cops or their oversight (which includes Becerra) look good. While the 12,000 officers in the database are a small percentage of the total number of California law enforcement officers employed over the past ten years, this small portion includes a number of cops who were never fired from their agencies despite committing criminal acts that would have put regular people out of a job.
Reporters found at least a dozen deputies with prior convictions are still on the roster at the Los Angeles County Sheriff’s Department. And the five officers with convictions working for the Riverside police include the acting chief — Larry Gonzalez was a lieutenant in 2013 when he pleaded guilty to DUI after reportedly crashing a city-owned SUV with a blood-alcohol level nearly twice the legal limit.
There’s a Kern County Sheriff’s deputy still working despite a conviction for manslaughter after running over two people while recklessly speeding to a call. And a Santa Clara County Sheriff’s deputy is back on the force after dozing off at the wheel and killing a pair of elite cyclists on a training ride.
Sheriff’s departments are especially fond of hiring and retaining the worst people. They’re the agencies most willing to overlook long histories of misconduct and the most hesitant to hand down significant punishments when laws are broken by law enforcers on their payroll. The L.A. Sheriff’s Department is filled with suspicious individuals who hang out in a high crime area every time they show up at the office.
The list has been trimmed considerably since its surprising release to journalists. Due to the lack of cooperation from law enforcement agencies and the general sloppiness of large-scale bureaucracies, the names in the database are only those that have been verified by journalists. The original list had 12,000 names but the database only contains 630 current and former officers.
Even so, there’s plenty to be concerned about. Some officers have multiple convictions but were never fired. Officers have driven drunk, left their children in cars with their loaded guns, and engaged in fraud. There’s also lots of domestic abuse — most of which has gone unaddressed by officers’ employers.
Richard Sotelo was an Imperial County Sheriff’s Department correctional officer in February 2013 when he was charged with domestic violence for assaulting his estranged wife. He was allowed to keep working despite the pending charges. But months later he was accused of a crime again, this time sexual battery against a male co-worker. He was charged for that as well. Sotelo ultimately took plea deals and was convicted in both cases and left the force.
[…]
In one incident investigated by the Bell Police Department months before his reckless driving, [LAPD Officer David] Guerrero allegedly “threatened, assaulted and battered” a woman who was in a dispute with his girlfriend, according to court records.
“That’s how you do it, LAPD style,” Guerrero allegedly said as he drove away.
The DA’s office didn’t file charges. It also didn’t prosecute Guerrero in 2013 when he allegedly threatened to kill the mother of his child, court records show.
The recycling of California cops isn’t going to stop unless the state legislature steps up and makes it possible for officers to lose their certification following a conviction. California is one of only five states with no decertification process, so officers can avoid accountability simply by drifting from agency to agency in the (apparently unlikely) event they’ve been fired. A few more firings will probably occur as a result of increased access to misconduct records, but that’s hardly going to budge the needle when some agencies in the state have shown they don’t feel staffing their departments with known criminals is a problem.
Filed Under: california, database, journalism, police, xavier becerra
What3words Is A Clever Way Of Communicating Position Very Simply, But Do We Really Want To Create A Monopoly For Location Look-ups?
from the word-in-your-ear dept
The BBC News site has one of those heart-warming stories that crop up periodically, about how clever new technology averted a potentially dangerous situation. In this case, it describes how a group of people lost in a forest in England were located by rescue services. The happy ending was thanks to the use of the What3words (W3W) app they managed to download following a suggestion from the police when they phoned for help. W3W’s creators have divided the world up into 57 trillion virtual squares, each measuring 3m by 3m (10ft by 10ft), and then assigned each of those squares a unique “address” formed by three randomly-assigned words, such as “mile.crazy.shade“. The idea is that it’s easier to communicate three words generated by the What3words app from your position than to read out your exact GPS latitude and longitude as a string of numbers. It’s certainly a clever approach, but there are a number of problems, many of which were discussed in a fascinating post by Terence Eden from earlier this year. The most serious one is that the system is not open:
The algorithm used to generate the words is proprietary. You are not allowed to see it. You cannot find out your location without asking W3W for permission.
If you want permission, you have to agree to some pretty long terms and conditions. And understand their privacy policy. Oh, and an API agreement. And then make sure you don’t infringe their patents.
You cannot store locations. You have to let them analyse the locations you look up. Want to use more than 10,000 addresses? Contact them for prices!
It is the antithesis of open.
Another issue is the fact that the physical locations of addresses are changing in some parts of the world:
Perhaps you think this is an edge case? It isn’t. Australia is drifting so fast that GPS can’t keep up.
How does W3W deal with this? Their grid is static, so any tectonic activity means your W3W changes.
Each language has its own list of words, and there’s no simple way to convert between them for a given location. Moreover, there is no continuity in the naming between adjacent squares, so you can’t work out what nearby W3W addresses are. Fortunately, there are some open alternatives to W3W, many of them listed on a page put together by the well-known OpenStreetMap (OSM) group. OSM also points out the main danger if W3W is widely used — Mongolia has already adopted it as an official addressing system for the country:
What3words is fairly simple from a software point of view, and is really more about attempting to establish a standard for location look-ups. It will only succeed through the network effect of persuading many people to adopt and share locations. If it does succeed, then it also succeeds in “locking in” users into the system which they have an exclusive monopoly over.
Given that problem, it seems questionable that, according to the BBC story, the UK police are urging “everyone to download a smartphone app they say has already saved several lives”. Since when has it been the police’s job to do the marketing for companies? Moreover, in many emergencies W3W may not be needed. Eden mentions a situation described in a W3W press release:
1. Person dials the emergency services
2. Person doesn’t know their location
3. Emergency services sends the person a link
4. Person clicks on link, opens web page
5. Web page geolocates user and displays their W3W location
6. Person reads out their W3W phrase to the emergency services
Here’s the thing… If the person’s phone has a data connection — the web page can just send the geolocation directly back to the emergency services! No need to get a human to read it out, then another human to listen and type it in to a different system.
There is literally no need for W3W in this scenario. If you have a data connection, you can send your precise location without an intermediary.
That seems to have been the case for the people who were lost in the forest: since they were able to download the W3W app, as suggested by the police, a Web page could have sent their geolocation to the emergency services directly. Maybe that boring technical detail is something the BBC should have mentioned in its story, along with all the heart-warming stuff.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.
Filed Under: closed, database, location data, open, police
Companies: what3words
WIPO Says Websites In Its Pirate Database Don't Deserve Due Process Because 'They Know What They're Doing'
from the they-know-what-they're-doing dept
You may recall that, recently, I posted on WIPO’s bizarre decision to host a database of “pirate” sites that it would share with advertisers, encouraging them to block ads from appearing on any of the sites in the “Building Respect for Intellectual Property” (BRIP) database. As we noted in our original post, previous attempts at such databases showed how problematic they could be, as they almost always swept up perfectly legal sites, and they provided no due process, no checks and balances or anything of the like. I also had a list of questions about this for WIPO, which I noted were unanswered at the time of posting. WIPO actually did get back to me, but we’ll get to that.
First, I wanted to point to a Twitter thread by New Zealand internet lawyer Rick Shera, who, in response to the news of the BRIP database, gave a real world example of how such databases create real harms for internet services through false accusations with no due process. Here’s a lightly edited part of Shera’s tweetstorm (the full thing is longer, but you get the point). After describing how the database is set up, he tells a story relating to one of his own clients:
WIPO does not disclose who the “Authorized Contributors” are, but, according to TorrentFreak, they are expected to be a mix of law enforcement, and industry groups such as MPAA and RIAA. Which reminds me of what happened to my client Mega a few years ago. In 2014 a UK-based online brand management agency NetNames published “Behind the Cyberlocker Door: A report on how shadowy cyberlocker businesses use credit card companies to make millions” commissioned by Digital Citizens Alliance, a US rightsholder lobby group.
Mega was included in the report as a “cyberlocker”, without being given any opportunity to comment or rebut. Even by the report’s own criteria, Mega’s inclusion was patently incorrect.
But don’t take my word for it. Mega commissioned Olswang, one of the leading IP, media and IT law firms in the UK, which in turn had Grant Thornton in New Zealand analyse Mega’s systems. Olswang concluded the NetNames report was clearly false and defamatory. NetNames and Digital Citizens Alliance of course refused to withdraw the report and, at that early stage in its operation, it was uneconomic for Mega to take defamation action in the UK.
But it’s what happened next that provides a salutary lesson on the dangers of copyright guilt on accusation. The NetNames report was picked up by US Senator Patrick Leahy, who, also without the courtesy of checking with Mega, wrote to Visa and MasterCard encouraging them to cease providing payment services to anyone listed in the report. Here’s his letter to MasterCard.
pic.twitter.com/26nV1pMWgU
— Rick Shera (@lawgeeknz) July 24, 2019
Visa and MasterCard blacklisted Mega, again, without notice. That resulted in PayPal ceasing service literally overnight. This despite the fact that PayPal had itself conducted exhaustive due diligence on Mega before giving it a clean bill of health just months earlier. Mega is not a cyberlocker. It complies with NZ and with European and US copyright laws. It is one of a handful of companies in NZ that publish a transparency report. Naturally, as a privacy protective business, it has put a huge effort into GDPR compliance. It has excellent relationships with law enforcement agencies worldwide operating under its takedown guidance policy.
And yet a spurious report, commissioned by a non accountable industry backed lobby group, was able to run roughshod over all that. If Mega was not so well supported by its users and stakeholders, that false accusation would have driven it out of business. This is the danger in WIPO encouraging advertisers to cease service based on unsubstantiated allegations by non publicly accountable third parties. The allegations alone, which may be false, as they were for Mega, can kill a business.
That’s a great example of the kind of mistake that is quite often made. We highlighted some other examples in our original post. Also, it’s important to note that early innovations in new spaces often appear to be infringing. Imagine a similar rule in the time before the Supreme Court ruled that the VCR was perfectly legal. If retail shops relied on a “list” from the MPAA on what they shouldn’t stock, it certainly would have meant they never would have sold VCRs (the same VCRs that helped drive the home video market, which quickly surpassed the box office market and saved Hollywood in the 1980s).
Back to WIPO’s list, however. I had reached out to them before my story went up — and they responded saying they’d be happy to set up someone for me to talk to, though that email was sent right around the time my original story went out. I told them I was hoping to do a follow up story and would like to speak to someone there. After a number of emails back and forth, WIPO eventually told me that since this database is “under formal discussion by WIPO member states at a meeting of the Advisory Committee on Enforcement” in early September, WIPO felt that it was best not to comment until after it’s too late for it to matter and after the member states have discussed it. That strikes me as odd.
However, a WIPO employee, Jeremy Thille, decided to come into our comments and take it upon himself to give, as he called it, “WIPO’s reply.” Thille is a web developer, who notes that he helped build the database. I am quite sure that Thille thought he was being helpful here — and, he actually was being super helpful in revealing WIPO’s complete and utter disgust for basic due process on issues that impact speech and innovation. Most tellingly, he responded to my question about whether or not sites are notified that they’re being put in this database that can literally put them out of business by saying:
No. They know what they’re doing.
This isn’t a surprise. In two decades of doing work in and around the copyright space, I’ve found this attitude to be pervasive. It ignores, of course, that throughout all of this time, those in legacy industries have often been way too quick to declare something, or some tool or service, “dedicated to infringement,” when it is not. It ignores that mistakes here have massive impacts on both free expression and innovation. This is especially galling given that WIPO is a part of the UN and the UN is supposed to be bound by the principles of free expression in the Universal Declaration of Human Rights. To brush off such blatant censorship without any due process as “they know what they did” is astoundingly cavalier.
Other parts of Thille’s responses (er… “WIPO’s reply”) are equally enlightening, if not surprising. He argues that there really aren’t any problems with WIPO keeping such a censorship database, because it’s all really maintained by member countries:
The BRIP platform is merely a central repository for national authorities such as HADOPI in France, AGCOM in Italy, or Roskomnadzor in Russia.
These authorities are governmental and they declare websites as infringing, as they legally have the power to do so. We don’t have this power, so we don’t add or remove anything from the database.
He leaves out the earlier statements that industry representatives get to take part as well. He also leaves out the, uh, rather checkered history of some of the agencies he names in censoring the internet. Remember when the company that Hadopi employed to run its copyright enforcement program decided that the IP address 127.0.0.1 was a pirate site? (For the non-technically savvy, 127.0.0.1 is the loopback address, i.e. your own local machine; blocking it blocks nothing on the internet.) Or how about the time that Roskomnadzor used its copyright naughty list to shut down an entire news site? AGCOM? Remember how they ordered a user-generated-content platform blocked throughout Italy based on claims of 11 infringing works, and then ignored the fact that the site quickly removed all 11 works when informed?
Odd that the three examples of “trusted” government agencies that WIPO uses as examples for its database all have histories littered with problematic sites and censorship. Seems like, maybe, something WIPO should have considered, rather than merely assuming that if a government says “kill this site” that it must “know what they did.”
Thille also passes the buck on WIPO’s database, noting that while WIPO won’t remove stuff, it will be left up to those problematic trusted authorities to create any due process. Though, he is candid that basically, any site in the database is fucked:
If they have been flagged by their national supreme internet authority, it will be difficult to contest, but here again, this is a process we have nothing to do with. Displeased websites will have to try and contact their national authority directly, as they alone can remove a website/domain from their list in the BRIP database. Technically, we could of course remove a website from an official list, but legally we absolutely can’t.
That’s fascinating. Given just how hard all of the industry reps have been fighting over the years to argue that the maintainer of a website should have liability for what’s in it, it does seem just slightly ironic for WIPO and the industry to team up on a database while insisting they have no liability whatsoever for putting companies into it incorrectly, even if it cuts off free expression or innovation.
Thille further clarifies — as we expected — that there is literally no way for the public, or even an NGO, to check the database and review it for accuracy. So it’s a hidden, secretive database, put together by organizations that have a troubled history of censorship, that will be used to starve sites out of existence, and there is no due process, no transparency, no way to review, no way to appeal. But it’s all cool because, WIPO believes, those sites “know what they’re doing.”
Of course, as we saw with Mega, yes, those sites know that they’re complying with the law. And it didn’t matter.
I asked WIPO whether or not it would like to comment on Thille’s clarifications, suggesting that as an organization pushing such a database, it would probably be in their interest to have a better response to these questions. WIPO declined to respond and has provided no additional comment. It seems like the kind of thing that might help member states have a more informed discussion at their meeting September 2 – 4, at which there will be a discussion on “recent activities” regarding the BRIP database.
Unfortunately, responding to pesky journalists asking silly questions about censorship and due process is not on the agenda. I guess, the best you can say about WIPO and this database is… “they know what they’re doing.”
Filed Under: accusations, brip, copyright, database, due process, free speech, infringement, innovation, wipo
Companies: mega, wipo
Be Careful What You Wish For: 'Privacy Protection' Now Used As An Excuse To Cut Off Investigative Journalists From Key Database
from the tradeoffs dept
We’ve been explaining for a long time that many people don’t really understand “privacy.” Privacy is a tradeoff, not a “thing.” Assuming that privacy is a thing, and that “it” must be protected, leads to some bad results. Lexis Nexis has a tool called Trace IQ that is widely used by investigative journalists to find information about people, including their addresses and phone numbers. Some people might argue that even addresses and phone numbers should be kept private, but it really wasn’t that long ago that such information wasn’t just widely available to the public: every six months or so a giant yellow-covered book was dropped in front of our doors listing the phone number and address of everyone in the region. Remember that?
However, Lexis Nexis is now cutting investigative journalists off from this service because “privacy.”
A Cardiff-based company is banning journalists from accessing a powerful database of names, phone numbers and addresses, in a move the Centre for Investigative Journalism says is symptomatic of the way “popular anxieties about privacy” are gagging investigative reporting.
Lexis Nexis isn’t explaining exactly why it’s doing this, but various journalism organizations think that it has to do with the new focus on privacy and new laws like the GDPR:
The Director of the Centre for Investigative Journalism, James Harkin, said the industry has come under threat from legislation in recent times, pointing to the Investigatory Powers Act passed in 2016 and the proposed Espionage Act.
But Harkin said Lexis Nexis’ decision to shut out journalists from Trace IQ shows investigative journalism can also be gagged by the new “popular anxieties about privacy”.
“In many ways concerns about the Data Protection Act, and concerns about data protection more generally, are more subtle and more insidious, and more directly relevant to the day-to-day work of journalists,” Harkin told BuzzFeed News.
Now, I know that some will think that it’s not fair that journalists had access to this information in the first place, but those are likely the same people who were just recently complaining in our comments about how awful it is that some in the media publish stories without first talking to everyone involved. One way that you talk to everyone involved is getting the information necessary to reach them. And things like Trace IQ make that possible. Or did.
Meanwhile, it appears that Trace IQ will still exist for other types of users: debt collectors. Apparently, it’s fine for them to get access to this information, but it’s not okay for reporters doing their jobs. Yes, privacy is important, but we have to learn that “protecting privacy” means recognizing the appropriate situations and cases where information can be accessed and shared, and recognizing what the tradeoffs in those decisions are. It does not mean that we should cut people off entirely from accessing data. Unless they’re debt collectors.
Filed Under: database, information, journalism, privacy, trace iq
Companies: lexis-nexis
FBI Debuts 'First And Only' Police Shooting Database That Is Neither 'First' Nor 'Only'
from the now-with-70-percent-less-data! dept
The FBI — late to the party — proudly announces it’s the first guest to arrive. (via Axios)
The FBI has launched the nation’s first and only database that collects information about police-involved shootings and use-of-force incidents.
Most of this announcement is incorrect. The Washington Post has been collecting data on shootings by cops for a few years now. The Guardian put a couple of years into this project before dropping it. Fatal Encounters has been around since 2012 — the side project of former newspaper editor D. Brian Burghart… one that now requires 10 hours a day to maintain. There’s even a database of dogs killed by police officers, something no one in the government has ever offered to track.
So, the FBI is far from the first. It’s not even the “only.” But it could have been both.
The FBI had a head start. The DOJ has been charged with collecting this data for more than 20 years now. Its efforts on this front have been nonexistent. The DOJ decided the best way to obtain compliance from the nation’s law enforcement agencies was to do nothing at all. Reporting was completely voluntary, putting the FBI well behind private parties unwilling to wait for law enforcement agencies to pass along data on shootings.
After 15 years of nothing, the FBI vowed to redouble its efforts. It overhauled the voluntary reporting system in 2015 and replaced it with a brand new voluntary system. Now, after having done nearly nothing to track shootings and nudge the dial towards accountability, the FBI is announcing it has the “first and only” database of its type.
Even its own truncated (and recorded!) statement makes it clear this won’t be the most or first anything:
Halpern: The repository has the support of law enforcement agencies across the country who voluntarily submit the data.
Halvorsen: It kicked off on January 1, 2019, and as of February 2019, we already have approximately 4,600 law enforcement agencies that are participating in this collection.
4,600. Wow. Oh wait.
According to the DOJ’s 2013 statistics, there are 15,388 law enforcement agencies in the nation. The almighty FBI has managed to secure roughly 30% compliance (4,600 of 15,388) with its voluntary reporting project. Spectacular.
What this database will have that others won’t is information on use of force incidents that don’t involve an officer killing someone. That data will be useful. But it will also be woefully limited, seeing as it won’t include 70% of the nation’s law enforcement agencies.
While it is much better than the decade-plus of the nothing the FBI traded our tax dollars for, it’s simply not acceptable for the agency to believe 30% compliance is worth announcing publicly. Unfortunately, it will probably take an act of Congress to make this reporting mandatory. Until this happens, the public is being better served by journalists reporting on killings by cops, rather than waiting around for cops to tell on themselves.
Filed Under: database, doj, fbi, police shootings
Another Massive Credit Reporting Database Breached By Criminals
from the 'opting-in'-by-existing dept
Lots of companies like gathering lots of data. Many do this without explicit permission from the people they’re collecting from. They sell this info to others. They collect and collect and collect and it’s not until there’s a problem that many people seem to feel the collection itself is a problem.
The Equifax breach is a perfectly illustrative case. Lenders wanted a service that could rate borrowers quickly to determine their trustworthiness. This required a massive amount of data to be collected from numerous creditors, along with personally-identifiable information to authenticate the gathered data. The database built by Equifax was a prime target for exploitation. That this information would ultimately end up in the hands of criminals was pretty much inevitable.
But Equifax isn’t the only credit reporting service collecting massive amounts of data but failing to properly secure it. TransUnion not only collects a lot of the same information, but it sells access to cops, lenders, private investigators, landlords… whoever might want to do one-stop shopping for personal and financial data. This includes criminals, because of course it does.
From January to June 2018, seven members of [Tony] Da Boss’ gang pleaded guilty to various identity theft charges. In total they had caused about $1.2 million in damage, using stolen identities to buy luxury cars and iPhones and to lease apartments in Charlotte. Both they and their crimes would have been quickly forgotten as garden variety larceny were it not for the way they stole those identities.
Cops alleged Da Boss and his co-conspirators had access to the Holy Grail for any Internet-age scam artist: a surveillance technology that police and debt collectors use to track most of the United States’ 325 million inhabitants via their Social Security numbers, license plates, address histories, names and dates of birth. The mass-monitoring tech, called TLO, is a product of the Chicago-based credit reporting giant TransUnion, which last year had revenues of nearly $1.9 billion. One brochure for the service promises access to a startling amount of personal data drawn from myriad sources: more than 350 million Social Security numbers of dead and living Americans, 225 million employment histories and four billion address records. Add to that billions of vehicle registrations and call records and you have one of the largest commercial surveillance databases in existence.
The only thing surprising about this is that it only resulted in $1.2 million in damage. The database — originally designed to help hunt down child predators — promises users a “360-degree profile of virtually any person, business or location in the US.” In addition to the wealth of personal and financial data, the database also includes surveillance cam photos and license plate numbers, which makes it even more attractive to government agencies and the occasional criminal.
One of the charged suspects worked for a debt collection firm, selling off personal info to criminals for $100/victim. The rest of the gang’s access relied on swiped credentials. TransUnion is making millions authenticating US residents who can’t even opt out of its collection. But it’s not doing much to ensure only authorized users are accessing its system.
Live by the tech, die by the tech.
In June last year, Postal Service investigator Berkland obtained a warrant ordering Google to hand over all the data related to [the gang’s Nest] cameras. The company complied, shipping surveillance footage back, along with personal details of its owners. It’s the first known case in the United States in which a federal law enforcement agency has demanded information from a Nest provider, and it has obvious implications for anyone who has purchased a smart home appliance that contains a camera or a microphone.
Unhappily, TransUnion told Forbes this wasn’t the first time criminals have gained access to its TLO database. And it certainly won’t be the last, either. The privacy and security of Americans is in the hands of companies who collect this information without their permission and which can seldom be bothered to treat this massive stash of personal info with the respect it deserves.
Filed Under: breach, credit, database, tlo, tony da boss
Companies: transunion
Threats To Pull Database Access Increasing Misuse Reporting By Cali Law Enforcement Agencies
from the still-more-to-be-done,-unfortunately dept
Who polices the police? They can’t be trusted to do it themselves. This much has been proven time and time again as misconduct and criminal behavior is greeted with minimal discipline or graceful exits that allow bad apples to move from barrel to barrel spreading rot.
What oversight actually exists tends to be beholden to law enforcement. In a few cases, truly independent oversight boards are in place, but their efforts are blunted by agencies that rarely hand out the punishment boards recommend or otherwise do everything they can to ensure this oversight is starved for information.
In California — much like in other states — abuse of law enforcement databases remains a problem. The EFF has been focusing on this state’s efforts to curb abuse, raising it above the zero effort previously expended. This is, unfortunately, possibly one of the better years on record in California, and it still looks like this:
The records obtained by EFF show a total of 143 violations of database rules—the equivalent of an invasion of privacy every two and a half days.
These numbers represent the first comprehensive accounting of misuse of the California Law Enforcement Telecommunications System (CLETS). While the acronym is not well known by the public, everyone with a driver’s license or criminal record has information accessible through CLETS. Police and other public safety employees access this sensitive information approximately 2.8 million times a day during the regular course of business.
The EFF’s efforts led to a reform effort by the state’s Attorney General. New rules were handed down by the California DOJ mandating reporting on misuse of law enforcement databases. The AG swore to “proactively enforce this requirement,” and it appears to be having a positive effect.
In 2017, only 704 agencies disclosed these records—approximately 53% compliance. Following an overhaul of the oversight system, in 2018 the Attorney General gathered information from 1,285 agencies—98 percent compliance.
The teeth in the mandate are linked to database access. Failure to comply means revoked access department-wide. Local law enforcement officials aren’t going to want to have to hold press conferences explaining their inability to close investigations or whatever because their database access has been severed for refusing to report misuse.
But that’s not the end of the line for the state AG. Compliance is way up, but there appears to be some under-reporting occurring. The EFF reports the LAPD — which has blown off reporting for years — finally started turning in numbers, but the reporting is beyond belief. The LAPD claims it only had to investigate misuse three times in 2017. This means one of two things: the LAPD’s employees are among the finest and most honest in the United States, or lots of misuse is going un-investigated or unreported.
The AG needs to follow up with agencies to ensure the reported numbers are accurate and that investigations are prompt and thorough. Otherwise, it will be tempting for agencies to just hand in their homework every year without making any real changes to discourage misuse of law enforcement databases.
Filed Under: california, clets, database, law enforcement, privacy
Norwegian Court Orders Website Of Public Domain Court Decisions Shut Down With No Due Process
from the this-is-messed-up dept
What’s up Europe? We’ve been talking a lot about insanity around the new copyright directive, but the EU already has some pretty messed up copyright/related rights laws on the books that are creating absurd situations. The following is one of them. One area where US and EU laws differ is on the concept of the “database right.” The US does not grant a separate copyright on a collection of facts. The EU does. Studies have shown how this is horrible idea, and if you compare certain database-driven industries in the US and the EU, you discover how much damage database rights do to innovation, competition and the public. But, alas, they still exist. And they continue to be used in positively insane ways.
Enter Hakon Wium Lie. You might know him as basically the father of Cascading Style Sheets (CSS). Or the former CTO of the Opera browser. Or maybe even as the founder of the Pirate Party in Norway. Either way, he’s been around a while in this space, and knows what he’s talking about. Via Boing Boing we learn that: (1) Wium Lie has been sued for a completely absurd reason of (2) helping a site publish public domain court rulings that (3) are not even protected by a database right and (4) the judge ruled in favor of the plaintiff (5) in 24 hours (6) before Lie could respond and (7) ordered him to pay the legal fees of the other side.
I’ve numbered these because I had to break out each absurd part separately just to start to try to comprehend just how ridiculous the whole thing is. And now, let’s go through how each part is absurd in turn:
1. Wium Lie is being sued as an accomplice to the site rettspraksis.no by an operation called Lovdata. Wium Lie tells the entire history in his post, but way back in the early days of the web, while he was helping to create CSS, Wium Lie also helped put Norway’s (public domain) laws online. At the time, that same company, Lovdata, was charging people $1 per minute to access the laws. Really. Eventually, Lovdata dropped the fees and is the official free publisher of the laws in Norway. Of course, statutory law is just one part of “the law.” Case law is also quite important and (thankfully) court orders (that make up the bulk of case law) are also in the public domain in Norway. However, Lovdata charges an absurd $1,500 per year to access those decisions. And, it claims a database right* on the collection it makes available online.
2. And yet, Wium Lie is still being sued. Why? When he saw that the website rettspraksis.no was trying to collect and publish these decisions, he borrowed Lovdata CD-ROMs from the National Library in Oslo. He borrowed the 2002 version of the CD-ROM. This date is important, because the EU’s database rights last for… 15 years. 2002 databases (and, yes, Wium Lie points out that it’s odd to call a stack of documents a database…) are no longer protected by the database rights.
3. So, yeah, the data is clearly in the public domain, and Wium Lie didn’t violate anyone’s copyright or database rights. Wium Lie notes that Lovdata didn’t even try to contact him or rettspraksis.no before suing, but just told the court that they must be scraping the expensive online database:
I’m very surprised that Lovdata didn’t contact us to ask us where we had copied the court decisions from. In the lawsuit, they speculate that we have siphoned their servers by using automated “crawlers”. And, since their surveillance systems for detecting siphoning were not triggered, our crawlers must have been running for a very long time, in breach of the database directive. The correct answer is that we copied the court decisions from the old discs I found in the National Library. We would have told them this immediately if they had simply asked.
4. This is the most perplexing to me in all of this. I can’t read the Norwegian verdict (which, for Lovdata’s lawyers, I did not get from scraping your site!), and don’t know enough about Norwegian law, but this seems positively bizarre to me. It seems to go against fundamental concepts of basic due process, but how could a judge come out with a verdict like this?
5. ?!?>#$@!%#!%!@!%!#%!!
6. Again: is this how due process works in Norway? In the US, of course, there are things like preliminary injunctions that might be granted pretty quickly, but even then — especially when it comes to gagging speech, there is supposed to be at least some element of due process. Here there appears to have been something close to none. Furthermore, in the US, this kind of thing would only be allowed if one side could show irreversible harm from leaving the site up. It is difficult to see how anyone could legitimately argue irreversible harm for publishing the country’s own (public domain) court rulings.
I find it shocking that the judge ordered the take down of our website, rettspraksis.no, within 24 hours of the lawsuit being filed and WITHOUT HEARING ARGUMENTS FROM US. (Sorry for switching to CAPS, but this is really important.) We were ready and available to bring forth our arguments but were never given the chance. Furthermore, upon learning of the lawsuit, we, as a precaution, had voluntarily removed our site. If the judge had bothered to check he would have seen that what he was ordering was already done. There should be a much higher threshold for judges to close websites at just the request of some organization.
7. And, even if this was the equivalent of an injunction, to also tell Wium Lie and rettspraksis.no that they need to pay Lovdata’s legal fees is just perplexing.
the two of us, the volunteers, were slapped with a $12,000 fee to cover the fees of Lovdata’s own lawyer, Jon Wessel-Aas. So, the judge actually ordered that we had to pay the lawyer from the opposite side, WITHOUT HAVING BEEN GIVEN A CHANCE TO ARGUE OUR CASE.
This whole situation is infuriating. Being sued is a horrible experience in the first place. But the details here pile absurd upon preposterous upon infuriating. The whole database rights concept is already a troublesome thing, but this application of it is positively monstrous. Wium Lie now has some good lawyers working for him, and hopefully this whole travesty will get overturned, but what a clusterfuck.
* A separate tangent that I’ll just note here rather than cluttering up all of the above. I was a bit confused to read references to the EU’s database directive/database rights, because Norway is not part of the EU. However, since it is a part of the European Economic Area (yes — this can all get confusing), it has apparently agreed to enact legislation that complies with certain EU Directives, including the Copyright and Database Directives.
Filed Under: caselaw, copyright, court rulings, css, database, database rights, due process, hakon wium lie, norway, public domain
Companies: lovdata, rettspraksis.no
Mozilla's Open Letter To Expert Committee Drafting India's First Data Protection Law Slams Aadhaar Biometric Identity System
from the the-lizard-wrangler-speaks dept
Techdirt has been covering India’s monster biometric database, Aadhaar, since 2015. Media in India, naturally, have been on the story longer, and continue to provide detailed coverage of its roll-out and application. But wider knowledge of the trailblazing identity project remains limited. One international organization that has been working to raise awareness is Mozilla, home of the Firefox browser and Thunderbird email client.
Last May, an opinion piece entitled “Aadhaar isn’t progress — it’s dystopian and dangerous”, by Mozilla Executive Chairwoman and Lizard Wrangler Mitchell Baker and Mozilla community member Ankit Gadgil, appeared in India’s Business Standard newspaper. In July 2017, Mozilla released a statement on the Indian Supreme Court hearings on Aadhaar. A blog post in November pointed out that the Aadhaar system is increasingly being used by private companies for their services, something Techdirt covered earlier. Similarly, after it was revealed that anybody’s Aadhaar details could be bought for around $8 each, Mozilla issued a statement saying “this latest, egregious breach should be a giant red flag to all companies as well as to the UIDAI [Unique Identification Authority of India] and the [Indian] Government.”
Following the creation of a committee to draft India’s first comprehensive data protection law, Mozilla has now paid for an open letter to appear in The Hindustan Times. It was written by Baker, and co-signed by 1,447 Mozilla India community members. Although the letter welcomes the work being carried out by the committee of experts, it criticizes Aadhaar for its many failings, and points out some serious omissions in the committee’s report on data protection:
The current proposal exempts biometric info from the definition of sensitive personal information that must be especially protected. This is backwards, biometric info is some of the most personal info, and can’t be “reset” like a password.
The design of Aadhaar fails to provide meaningful consent to users. This is seen, for example, by the ever increasing number of public and private services that are linked to Aadhaar without users being given a meaningful choice in the matter. This can and should be remedied by stronger consent, data minimization, collection limitation, and purpose limitation obligations.
Instead of crafting narrow exemptions for the legitimate needs of law enforcement, you propose to exempt entire agencies from accountability and legal restrictions on how user data may be accessed and processed.
Your report also casts doubt on whether individuals should be allowed a right to object over how their data is processed; this is a core pillar of data protection, without a right to object, consent is not meaningful and individual liberty is curtailed.
On a Web page called “Key challenges and the way forward”, Mozilla calls on the Indian government to “pause further roll out of Aadhaar until the major problems with Aadhaar have been addressed.” It also has a further suggestion:
The Indian government must release Aadhaar as true open source software rather than use language of open source, and encourage the use, development, and adoption of open source as a pillar of the Aadhaar system
Of course, you might expect an open source foundation like Mozilla to say that, but nonetheless it’s good to see what is at heart a software organization engaging with global problems that affect huge numbers of people in this way. Others should do the same.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: aadhaar, biometrics, database, india, privacy
Companies: mozilla