identity theft – Techdirt

FCC Reveals Some Vague Rules That Pretend To Tackle SIM Hijacking Fraud

from the words-are-but-wind dept

For years we’ve talked about the growing threat of SIM hijacking, which involves a criminal covertly porting out your phone number from right underneath your nose (quite often with the help of bribed or conned wireless carrier employees).

Once they have your phone identity, they have access to most of your personal accounts secured by two-factor SMS authentication, opening the door to the theft of social media accounts or the draining of your cryptocurrency account. If you’re really unlucky, the hackers will harass the hell out of you in a bid to extort you even further.

It’s a huge mess, and both the criminal complaints — and lawsuits against wireless carriers for not doing more to protect their users — have been piling up for several years. For just as long, Senators like Ron Wyden have been sending letters to the FCC asking the nation’s top telecom regulator to, you know, do its job.

After years of inaction the agency appears to have gotten the message, announcing in 2021 a plan to consider some new rules to make SIM hijacking more difficult. Several years later, the FCC has only just voted to approve new rules. Since a lot of SIM hijacking occurs with help from wireless employees getting bribed by criminals, the rules primarily focus on trying to ensure that consumers are consistently updated:

The rules “require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. The new rules require wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers’ accounts and take additional steps to protect customers from SIM swap and port-out fraud.”

But as with so much the FCC does, the rules are rather vague in a bid to try and avoid upsetting politically powerful wireless carriers. Like the FCC’s “broadband nutrition labels” (which urge ISPs to be transparent in how they’re ripping you off, but do nothing about the fact that ISPs routinely rip you off), the focus is transparency. Like the FCC’s digital discrimination order, there’s no punishment — or even overt criticism — of companies that have routinely failed to protect private consumer information.

As a result, industry watchers aren’t really sure they’ll actually do all that much, given they’re rather vague on what “secure authentication methods” carriers are supposed to adopt, or what penalties carriers will see if they don’t clean up their security practices. This all assumes that the FCC will actually enforce the rules in the first place, which, as we’ve seen with robocall, privacy, and broadband competition issues, is a fairly major and unreliable assumption.

Filed Under: fcc, fraud, identity theft, number porting, sim hijacking

Kansas Cops Raid Small Town Newspaper In Extremely Questionable ‘Criminal Investigation’

from the sorry-about-the-boot-prints-on-your-rights dept

The free press is supposed to be free. That’s what the First Amendment means. Journalists have a long-acknowledged, supported-by-decades-of-precedent right to publish information that may make the government uncomfortable.

When cops start raiding press outlets, everyone takes notice. This isn’t how this works — not in the United States with its long list of guaranteed rights.

But that’s what happened at a small newspaper in Kansas, for reasons local law enforcement is currently unwilling to explain.

In an unprecedented raid Friday, local law enforcement seized computers, cellphones and reporting materials from the Marion County Record office, the newspaper’s reporters, and the publisher’s home.

Eric Meyer, owner and publisher of the newspaper, said police were motivated by a confidential source who leaked sensitive documents to the newspaper, and the message was clear: “Mind your own business or we’re going to step on you.”

The city’s entire five-officer police force and two sheriff’s deputies took “everything we have,” Meyer said, and it wasn’t clear how the newspaper staff would take the weekly publication to press Tuesday night.

While there’s still some speculation about the reason for this raid, this law enforcement action has at least accelerated the demise of the paper’s owner.

Stressed beyond her limits and overwhelmed by hours of shock and grief after illegal police raids on her home and the Marion County Record newspaper office Friday, 98-year-old newspaper co-owner Joan Meyer, otherwise in good health for her age, collapsed Saturday afternoon and died at her home.

She had not been able to eat after police showed up at the door of her home Friday with a search warrant in hand. Neither was she able to sleep Friday night.

She tearfully watched during the raid as police not only carted away her computer and a router used by an Alexa smart speaker but also dug through her son Eric’s personal bank and investments statements to photograph them. Electronic cords were left in a jumbled pile on her floor.

Sure, correlation is not causation, but one can reasonably expect that a law enforcement raid on an elderly person’s home — especially one who had just found out her paper had been raided by the same officers — would not result in an extended life expectancy.

Even if you ignore the death as being nothing more than the result of being 98 years old, you have to recognize the insane overreach that saw a newspaper’s offices raided, followed by a raid of the newspaper owner’s home.

In addition to these raids, officers also raided the home of vice mayor Ruth Herbel.

All anyone knows is what’s stated in the warrant application, as well as a recent bit of friction involving the paper, some leaked DUI records, and a local business owner.

According to Meyer, a retired University of Illinois journalism professor, the raid came after a confidential source leaked sensitive documents to the newspaper about local restaurateur Kari Newell. The source, Meyer said, provided evidence that Newell has been convicted of DUI and was driving without a license—a fact that could spell trouble for her liquor license and catering business.

Meyer, however, said he ultimately did not decide to publish the story about Newell after questioning the motivations of the source. Instead, he said, he just alerted police of the information.

“We thought we were being set up,” Meyer said about the confidential information.

That’s according to the paper’s co-owner, Eric Meyer. These raids were set in motion by information the newspaper didn’t even publish and despite the fact the Marion County Record informed law enforcement about the leaked info.

That’s one theory: that Kari Newell had enough pull to put the police in motion to silence a potential publisher of leaked info that, to this point, had not made the leaked information public.

There’s also another theory, which suggests something even more horrible than a local business owner weaponizing local law enforcement to keep their own misdeeds under wraps.

An interview with Eric Meyer by Marisa Kabas suggests this might have nothing to do with a local restaurateur’s alleged drunk driving. What may actually be happening here is local law enforcement attempting to silence reporting about… well, local law enforcement.

What has remained unreported until now is that, prior to the raids, the newspaper had been actively investigating Gideon Cody, Chief of Police for the city of Marion. They’d received multiple tips alleging he’d retired from his previous job to avoid demotion and punishment over alleged sexual misconduct charges.

And that’s a new wrinkle that makes everything worse. Raiding a newspaper, a newspaper owner’s home, and the home of the vice mayor over unpublished news about a local businessperson’s DUI problems is one thing. Performing these raids to prevent a small paper from publishing what it had discovered about the chief of police is quite another. The first is a horrible infringement of First Amendment rights. The latter is a hideous abuse of law enforcement powers.

According to the warrant, the cops are investigating a couple of crimes. One seems extremely unrelated to either theory: “Identity Theft.” That crime is described as expected: the use of another person’s identity to commit fraud. Nothing in either theory suggests anything like that was committed by the paper, its owners, or the vice mayor. There has been some talk that if you squint and cheat, you could conceivably argue that a possible method of checking Newell’s driver’s license could possibly, technically, violate the state’s identity theft law, but that is an extreme stretch, and still would not justify the full raid and seizures.

The other law cited in the warrant — K.S.A. 21-5839 — is the real problem here. The state law is pretty much the CFAA: a catch-all for “computer” crimes that allows law enforcement (if so motivated) to treat almost anything that might resemble a journalistic effort to gather facts as a crime against computers.

There’s a whole lot of vague language about “authorization,” which means opportunistic cops can use this law to justify raids simply because they did not “authorize” any release of information pertaining to either (a) DUI arrests or citations, or (b) the chief of police’s past history as an alleged sex fiend.

What’s on the record (such as it is) suggests these raids are the acts of officers seeking to protect one of their own: police chief Gideon Cody. The end result of the raids was the seizing of the means of (press) production. Reporters’ computers and phones were seized, along with the small paper’s server — seizures that appear to be designed to silence this press outlet. While ongoing silence would obviously protect the police department, as well as a business owner who may not want the wrong kind of press attention, Occam’s Razor suggests cops will always be far more interested in protecting themselves than taxpayers, no matter how (comparatively) rich they might be.

The Marion, Kansas Police Department has responded to the national outrage generated by its actions. And its official statement uses a whole lot of words to say absolutely nothing.

The Marion Kansas Police Department has had several inquiries regarding an ongoing investigation.

As much as I would like to give everyone details on a criminal investigation I cannot. I believe when the rest of the story is available to the public, the judicial system that is being questioned will be vindicated.

I appreciate all the assistance from all the State and Local investigators along with the entire judicial process thus far.

Speaking in generalities, the federal Privacy Protection Act, 42 U.S.C. §§ 2000aa-2000aa-12, does protect journalists from most searches of newsrooms by federal and state law enforcement officials. It is true that in most cases, it requires police to use subpoenas, rather than search warrants, to search the premises of journalists unless they themselves are suspects in the offense that is the subject of the search.

The Act requires criminal investigators to get a subpoena instead of a search warrant when seeking “work product materials” and “documentary materials” from the press, except in circumstances, including: (1) when there is reason to believe the journalist is taking part in the underlying wrongdoing.

The Marion Kansas Police Department believes it is the fundamental duty of the police to ensure the safety, security, and well-being of all members of the public. This commitment must remain steadfast and unbiased, unaffected by political or media influences, in order to uphold the principles of justice, equal protection, and the rule of law for everyone in the community. The victim asks that we do all the law allows to ensure justice is served. The Marion Kansas Police Department will do nothing less.

First off, the judicial system isn’t what’s being “questioned.” It’s the acts of this particular cop shop, which will always be far less impartial than the judges overseeing their cases. While we would like to know why these search warrants were granted, we’re far more interested in why law enforcement sought them in the first place.

The rest of this non-explanation is just CYA boilerplate. We all know how cops are supposed to behave. A cop frontmouth telling us that what we’re witnessing is nothing more than cops behaving the way we expect them to — while refusing to provide any specifics — means nothing at all until the facts come out. The problem is the Marion Police Department thinks the lack of facts means it should be given the benefit of a doubt, rather than recognize this is a situation it will need to fully justify if it expects to salvage what’s left of its eroding reputation.

Either way, what local law enforcement should have immediately recognized, long before the raids were carried out, is that this would draw national attention to these unconstitutional raids as well as give the Marion County Record a bunch of fans capable of offsetting the damage done by these blundering officers.

This is from Meyer, the paper’s surviving co-owner:

It is kind of heartwarming: One of the things that I just noticed was we got this incredible swelling of people buying subscriptions to the paper off of our website. We got a lot of them, including some—I’m not gonna say who they’re from—but one of them is an extremely famous movie producer and screenwriter who came in and subscribed to the paper all of a sudden. I mean, it’s like, why are people from Poughkeepsie, New York and Los Angeles, California and Seattle, Washington and, you know, all these different places subscribing to the paper?

But a lot of people seem to want to help, and we’ve had people calling, asking “where can I send money to help you?” And, well, we don’t need money right now. We just are gonna have a long weekend of work to do. But we’ll catch up.

No matter the reason for the raids, the cops fucked up. But it will take a lawsuit to hold them accountable for their actions. No one outside of the participating departments believes these actions were justified. No one believes these raids weren’t carried out for the sole purpose of protecting people in power, whether it was a local business owner or the local police chief. Everything about this is wrong. Hopefully, a court will set this straight, as well as require the PD to explain the motivation for its actions in detail, putting to rest the speculation these oversteps have generated.

Filed Under: 1st amendment, 4th amendment, cfaa, computer crimes, eric meyer, free press, free speech, gideon cody, hacking, identity theft, joan meyer, journalism, kansas, kari newell, marion pd, police raid, ruth herbel
Companies: marion county record

How California's Identity Fraud Law Has Been Interpreted To Criminalize Defamation, Publicity Rights Violations And More

from the yikes dept

Eugene Volokh has a somewhat terrifying look at how California’s identity fraud law, California Penal Code § 530.5(a), has been so broadly interpreted by the courts that it, in effect, creates a crime out of things that were normally considered, at best, civil offenses. This includes defamation, publicity rights infringements and disclosure of private facts. He discusses a few cases, but focuses on a key one that we’ve mentioned: the state of California’s recent legal win over Kevin Bollaert, a revenge porn creep. In our writeup, we were mainly concerned with how the ruling seemed to run against Section 230’s protections, but as Volokh makes clear, it’s much, much worse than that.

As Volokh notes, among the charges that Bollaert was found guilty of was the § 530.5(a) claim of identity theft. And, he points out, nothing in the ruling limited it to revenge porn or extortion. It was just “identifying information” for the purpose of committing a tort, which suddenly becomes a criminal offense:

But nothing in Bollaert’s § 530.5 discussion was limited to revenge porn, or to extortion.

Say, for instance, that Kendra Schmollaert, Kevin Bollaert’s second cousin, has a blog with a couple of thousand readers. She publishes a blog post that mentioned an acquaintance’s formerly private sex scandal (or medical problem) and gives the acquaintance’s name. That may well constitute the tort of disclosure of private facts, and maybe Schmollaert should be liable for that. (I think the tort is too broad and vague to be constitutional, but most courts disagree with me on that.) But, to her surprise — and, I suspect, to the surprise of most media lawyers — a prosecutor decides to charge Schmollaert criminally. Guilty!

1. Schmollaert willfully published the acquaintance’s “identifying information” — the full name, and possibly some indication of location (e.g., if Schmollaert says the acquaintance is Schmollaert’s neighbor).

2. Schmollaert did so with the purpose of committing a tort, namely the disclosure of private facts. (True, Schmollaert wasn’t doing this just for the sake of committing a tort, but neither was Bollaert — Schmollaert wanted to tell an interesting story, or maybe expose an acquaintance whom Schmollaert disliked, while Bollaert wanted to make money, and both purposefully used people’s identifying information as a means of accomplishing that goal.)

3. Schmollaert didn’t reveal any nude photographs — but nothing in § 530.5(a) says anything whatever about nudity, or about photographs; as the courts have interpreted the statute, tortious disclosure of private facts is enough.

4. Schmollaert also wasn’t impersonating anyone — but neither was Bollaert.

Or say that Schmollaert instead starts selling T-shirts that depict photographs of celebrities, with captions that give the celebrities’ names. Under California law, that’s a tort, both statutory and common-law, and might lead to liability. But again Schmollaert also turns out to be guilty of a crime:

1. She willfully published the celebrities’ “personal identifying information” (“full names, … as well as the … photographs themselves.”)

2. She did so with the purpose of infringing the celebrities’ right of publicity.

That’s… crazy. Criminalizing defamation and publicity rights infringement by broadly interpreting an identity fraud law seems very, very problematic. As Volokh notes again, it seems extra troubling that this seems to have happened without any real legislative discussion or deliberation. Again, these things may be civil offenses, but to turn them into criminal offenses is a situation that can and will be abused. Not many people will cry for Kevin Bollaert, but the precedent this sets is potentially terrifying:

I don’t think the California Legislature was trying, with § 530.5, to so broadly criminalize tortious speech. But that’s how California courts have interpreted the statute.

And this also helps show why many commentators — myself included — criticize proposed statutes based on the possible scope of their broad and vague language, rather than just focusing on the particular problem that led to the proposal. Once a statute is enacted, prosecutors will often push them to the limits of the language, especially when the defendants are bad people doing bad things (e.g., Bollaert’s revenge porn blackmail racket). And courts will often (not always, but often) read the language broadly. The story of § 530.5 is a classic example.

It remains to be seen how widely this gets abused, but it is certainly a big concern.

Filed Under: cda 230, criminal defamation, defamation, extortion, identity fraud, identity theft, kevin bollaert, publicity rights, section 230

Revenge Porn Creep Kevin Bollaert's Appeal Underway… And Actually Raises Some Important Issues

from the but-he's-still-a-creep dept

Let’s start with the basics: Kevin Bollaert is a creep who did some really horrible and shady stuff. He was something of a latecomer to the revenge porn space, basically copying a few of the more popular revenge porn sites that came before him in creating “YouGotPosted.” He also copied at least some of the “business model” of Craig Brittain’s “IsAnybodyDown” website, which purported to work with a third party (the fictitious “lawyer” “David Blade III”) who you could pay to take down those naked pictures someone leaked to the site. In the case of YouGotPosted, Bollaert set up a companion website, called ChangeMyReputation, where you could pay and that site would magically get images taken down off YouGotPosted (there is some dispute over how clear it was that the two sites were connected). There’s a decent argument that this is a form of extortion, posting naked photos of someone and then demanding cash to get them taken down — but there are also cases in slightly different realms (such as online review sites) that suggest such activity is actually protected by Section 230. Bollaert, about as unsympathetic a defendant as you can possibly imagine, was convicted of a variety of things, including not just extortion, but also identity theft, which raises some serious questions, given that Bollaert was only posting info given to him by others.

So when Bollaert got an 18-year sentence over all of this, many felt the sentence to be fairly extreme — even among those who felt that Bollaert is a creep who deserves jail time for what he did. As we expected, Bollaert has appealed and is raising some key defenses, mostly based around Section 230 of the CDA. In short, what he did may have been awful, but you still can’t blame the site operator for content uploaded by users. That’s the whole crux of CDA 230. If the uploader broke the law in posting content, go after them, not the platform on which the content was uploaded.

In this case, the People seek to chip away at the clear protections provided by the Communications Decency Act. The People claim the statute’s protection did not apply to Yougotposted because Yougotposted administered the website and possessed the authority to pick and choose which information was posted. Here the People’s reliance on speculation and conjecture fails to strip appellant of the statute’s immunity. If the People’s arguments are accepted, the approach would provide an avenue for other litigants to end-run the bright-line protections provided by the statute, jeopardizing service providers and undermining speech in the process. This amounts to bad policy.

Bollaert’s lawyers argue, fairly reasonably, that YouGotPosted qualifies for the CDA 230’s safe harbors as a service provider. The state argues that he’s the content provider, who can be liable, rather than just a platform. Bollaert’s lawyer cites all the standard Section 230 cases that establish the fairly broad immunity provided to internet platforms.

Bollaert also argues that what was on YouGotPosted wasn’t identity theft at all because any “unlawful purpose” associated with collection of identifying information was done by third parties, rather than Bollaert, and thus, once again, he’s protected by Section 230.

In its reply brief, the State of California hits back at all of this with what seems like an incredibly weak argument. Basically it argues that because Bollaert required submitters to post personal information, that makes him a content provider, rather than a platform:

By requiring users to post personal identifying information, appellant became an “information content provider” because he was responsible as a developer and provider of the content he required; thus, he was no longer a mere “interactive service provider” or “access software provider”. In any event, because he intended to defraud victims by concealing his true identity as the operator of both websites, the exception appellant relies on would not apply.

Not surprisingly, California relies heavily on the infamous Roommates.com ruling, a rare case where a service provider lost its safe harbors by having a drop down menu that was seen as asking a discriminatory question about roommate preferences, violating fair housing laws. California is arguing that, by requiring uploaders to post user information, YouGotPosted is similar to Roommates.

Here, similar to the situation in Roommate, appellant willfully obtained individuals’ personal identifying information by soliciting it from submitters, who were required to include the victims’ full name, location (“city, state, country”), age, and a link to the victims’ Facebook profile page in order to submit photographs. As in Roommate, appellant became responsible for the illegal content of the postings because the illegal content (i.e., the non-consensual use of someone’s personal identifying information, including their private photos) was a condition of use. Appellant then used that information to harass and annoy victims because he knew—with absolute certainty—that by posting the information, the victims would be contacted by numerous strangers whom the victims would find threatening. Appellant also used the information for the unlawful purpose of unlawfully obtaining money from them by demanding payment in exchange for removing his posts. This conduct does not magically become lawful because appellant did it online, or because he recruited third parties to help him inflict harm on a mass scale.

Except California is playing a little loose with the facts here and mixing and matching things to make its argument look stronger. The key difference was that the roommate preference question was, by itself, discriminatory and against the law. YouGotPosted asking people for identifying information is not. Again, this is not in any way to defend Bollaert or his site. But Section 230 matters quite a lot, and government attempts to limit those protections will have a serious impact on internet platforms and their willingness to allow freedom of expression.

California’s lawyers spend a lot of words trying to argue that requesting identifying information with photos magically makes the whole thing illegal, including claiming that because Bollaert knew that his users would then likely harass the people shown in those photos, he is liable as the content creator. But that still seems to be a fairly blatant misreading of the law as written and the case law itself.

California also insists that it is identity theft, because of the “fraud” of pushing people to another site to pay to have the photos removed:

Here, the evidence amply demonstrated appellant’s intent to defraud. When victims asked to have the offending photos removed, they were either referred to the website “ChangeMyReputation.com,” or they followed the link to that site…. This extra step was wholly unnecessary. Appellant could have removed the photos by demanding the money directly from the victims as part of the UGotPosted website. But appellant presumably realized that the victims would be less inclined to pay money to the very person responsible for posting their pictures. By creating a separate website, appellant hoped to deceive the victims into believing that they were receiving the legitimate services of a neutral third party who would restore their reputation, and that they were not simply paying blackmail to an extortionist who was the source of their misery.

Responding to California’s attempt to get around Section 230, Bollaert’s lawyers basically just repeat “it’s a platform and the government hasn’t shown any reason it’s not.”

Here, the People claimed the statute’s protection did not apply to appellant because he administered the “Yougotposted” website and retained the authority to pick and choose which information was posted. This does not make him a content provider. Those actions of appellant are no different than those found by the courts to be protected under the statute…. The People’s argument must fail because accepting their arguments would eviscerate protections provided by the statute, jeopardizing service providers and undermining free speech in the process.

Bollaert also says the whole claim that having two sites suddenly makes it fraud makes no sense at all:

Here, the People produced no evidence in support of their belated claim that appellant possessed personal identification information with the intent to commit fraud. CALCRIM 2401 describes fraud as having deceived another person in order to cause a loss of money or something of value or damage to a legal, financial or property right. The People belatedly raised the claim that payments made through “changemyreputation.com” were obtained by fraud because the victims were not aware that appellant managed both websites. Problems arise with the argument. First, the link to “changemyreputation.com” was visible on “Yougotposted.com.” There was no evidence suggesting appellant was trying to hide the fact that the sites were connected. A number of the victims stated it was “obvious” that the same person was behind both sites. (4RT pp. 305-306.) Additionally, the People’s argument must fail because the victims clearly believe the payment was to have the photos removed, not because they were “deceived”.

Separate from all of this, both sides also are arguing about the extortion question, noting that a business model that offers to remove content is just a “standard business practice,” and not extortion. Part of this argument is, again, buttressed by CDA 230, because the uploaded content was not uploaded by Bollaert himself, so (his lawyers argue) you can’t claim that he both uploaded the content and then pushed people to pay him to take it down. It’s that “other people uploaded it and thus, 230” claim that Bollaert argues makes this not extortion:

The People argued that appellant used the posting of the photographs on the website to illegally obtain money from those whose photos were posted and to have the photos removed from the “Yougotposted” website. The People argued that appellant threatened to injure the victims or “expose their secrets” by publishing the images on the website. As the CDA provides, interactive computer service providers and access software providers are under no legal obligation to remove postings submitted to their website by third parties, even those postings that are negative in nature. Appellant was simply under no obligation to remove the negative content from his website. He merely offered a service to remove the photos and, by offering such a service, he is engaging in standard business practice and not extortion.

They also argue — and I will admit that this is a morally horrifying argument, if potentially legally sound — that by simply posting the images first, without contacting individuals and asking for money to stop the posting, it’s completely different than posting first and then offering a way to pay to take the content down.

In this case the People proceeded on the theory that the third-party postings constituted exposure of a secret affecting the persons portrayed in the photos. The initial reaction is that appellant’s operation of the website and posting information provided solely by third parties simply does not constitute a threat to expose any secret as to the other persons because the alleged secret (photos) was already in the public domain and had been provided by third parties unaccompanied by any demand for payment. In this case there is absolutely no evidence any request was made through either “Yougotposted” or “changemyreputation.com” before the photos had been submitted by the third parties. In this case appellant merely provided a means whereby, for a fee, information already legally posted could be removed.

Bollaert’s lawyers also point to the recent lawsuit against Yelp, where some businesses claimed that Yelp would ask them to pay for advertising with a promise of more favorable reviews (and with some arguing that a failure to pay resulted in negative reviews). In that case (Levitt v. Yelp), the court found that even if that was what Yelp was doing (which Yelp denies), it’s not extortion:

The court found the plaintiffs had no pre-existing right to a positive review and that Yelp! was in no way obligated to refrain from manipulating reviews or creating negative ones. Yelp! was simply offering a service when it offered to remove negative reviews from its web page and that the offering of that service in exchange for money amounted to a legitimate business practice.

And, of course, Bollaert argues that his situation was similar to Yelp’s:

In the present case, appellant, as an interactive computer service provider was under no legal obligation to remove the postings submitted to the website by third parties, even when those postings are negative in nature. As in the above cited cases, Yelp!, Yahoo!, AOL and the dating website in the Carofano case, as well as “TheDirty.com” case, appellant could legally decline to remove any offending content from his website. Offering a fast, efficient removal service through the site “changemyreputation.com” amounted to a legal practice, akin to the practices approved in Yelp!. No crime of extortion occurred. Yelp! offered to remove negative content for money. They were under no obligation to remove those negative reviews and they offered the additional service in exchange for a fee. This is a business practice, not extortion.

The lawyers for the state of California, as you might imagine, don’t like this argument very much.

This case, however, is not about incidental harms caused by a free market economy run amok. Appellant is a criminal who intentionally harmed thousands of people, not a legitimate businessman. While many people knew the victims’ secrets (only because appellant had exposed them on his website), many others had not yet seen the photos and it was that threat of continued exposure that appellant used to extort money from the victims. Further, because the website contained the victims’ PII, and because appellant’s website required posters to provide that PII, appellant was obligated to remove the content and he was not simply providing a service that he otherwise had a legal right to perform.

Basically they try to distinguish Bollaert’s site from Yelp in a variety of ways. They also note that somewhat different laws apply (federal vs. state) and that posting personal naked photos along with identifying information is very, very, very different from posting negative reviews of a business. Frankly, this argument was the one that I expected to be most convincing, but which California’s lawyers breeze through without much detail.

Obviously, it will be interesting to see where the California state appeals court comes down on all of this. I do think that the identity theft claims are incredibly weak, and that the extortion claims look a lot weaker than I first expected. I really expected stronger arguments from California. And, it’s pretty clear that Bollaert’s site was something pretty horrible all around. But does that automatically make it illegal? As with many cases targeting the safe harbors of Section 230, there are important issues being raised about what constitutes an internet platform vs. who is responsible for actual content or behavior.

Remember, with the nearly identical site that Bollaert basically copied, the operator there, Craig Brittain, merely got a slap on the wrist from the FTC for misleading people. It also dragged his name through the mud. Bollaert, at the very least, deserves that level of treatment. But does running a creepy website that enabled harassment create criminal liability that deserves 18 years in jail? That feels like a dangerous stretch of the law to punish a creep for being a creep. And when we start doing that, we create dangerous precedents for other platforms in situations that maybe aren’t so creepy.

Filed Under: appeal, california, extortion, identity theft, kevin bollaert, revenge porn, section 230

IRS Tool Designed To Protect Identity Theft Victims — Exposes Users To Identity Theft

from the bang-up-job dept

Thu, Mar 3rd 2016 03:25pm - Karl Bode

Last year, the personal records of 100,000 taxpayers wound up in the hands of criminals, thanks to a flimsy authentication process in the agency’s “Get Transcript” application. In short, the IRS used all-too-common static identifiers to verify taxpayer identity (information that could be found anywhere), allowing criminals to use the system to then obtain notably more sensitive taxpayer information and ultimately steal finances. At the time, the IRS breathlessly insisted it would be shoring up its security standards, though it failed to really detail how it would accomplish this.

Tax return fraud has since become a burgeoning industry unto itself, with crooks consistently gaming IRS systems to fool the IRS into sending your money to a criminal’s account, something victims only discover when they find their own, legitimate tax returns rejected. To protect these compromised users, the IRS has employed a system wherein it mails these victims a six-digit “Identity Protection (IP) PIN.” That pin has been mailed to some 2.7 million victims, and must be entered into the following year’s tax return. But not-too-surprisingly, this pin system is also notably easy to game, relying heavily on commonly available user data:

…The trouble with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax. These so-called knowledge-based authentication (KBA) or “out-of-wallet” questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

So yes, that’s an agency already hit several times by fraud and internal scandals providing an identity theft tool — that can be used to help steal your identity. A CPA by the name of Becky Wittrock, who had fallen victim to identity theft in 2014, notes she’s now been a repeat victim after thieves impersonated her, then used the IRS’s crappy pin system to impersonate her again:

Becky Wittrock, a certified public accountant (CPA) from Sioux Falls, S.D., said she received an IP PIN in 2014 after crooks tried to impersonate her to the IRS. Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016. “So, last year I was devastated by this,” Wittrock said, “But this year I’m just pissed.”

After spending more time trying to prove her identity to the IRS than the thief apparently did, Wittrock was told that next year the IRS will be ditching the pin system for a murky system that may rely on users’ driver’s licenses. Granted, we do seem to enjoy gutting IRS funding, staffing, authority and overall resources, only to complain that the agency sucks at doing its job. Still, that’s no excuse for not implementing some fundamental authentication common sense. Meanwhile, the IRS’s repeated failures are troubling for a government that’s intent on viewing itself as the foremost expert in cyber-warfare and security, yet still can’t manage to keep wolves out of its own henhouse.

Filed Under: hack, identity theft, irs

IRS Identity Fraud Prevention Specialist Arrested For Identity Fraud, Filing Fraudulent Tax Returns

from the multiple-layers-of-thievery dept

In late spring of last year, more than 100,000 taxpayers had their personally-identifiable information accessed by criminals. It wasn’t a security breach, nor was it accomplished by “hacking.” Instead, it was the result of the IRS using common static identifiers to verify accounts — information that could easily be found elsewhere. These were deployed to access transcripts of taxpayers’ filing histories. The transcripts gave criminals the information they were actually seeking: Social Security numbers, birth dates and current addresses.

The IRS promised to be less easily “hacked” going forward. It didn’t mention any specific steps it would take. “Protocols” would be “strengthened” and taxpayers known to be compromised (likely a smaller number than those actually compromised) were given the consolation prize of free credit monitoring and a “Sorry about that” letter from the IRS.

In addition, efforts were mounted to further protect taxpayers from identity fraud, which, to date, has produced a study, a “working group” and a press release. This may prove fruitful in the future (actual implementation date still TBA…), but it’s too bad the agency couldn’t be bothered to escalate its defensive efforts until after catastrophe had already struck. And it does nothing at all for past hurtful efforts made by “helpful” government employees. (via Overlawyered)

Federal officials today announced arrests and charges in a stolen identity tax-refund scheme believed to involve more than $1 million in false claims and run by an IRS employee who was supposed to be assisting taxpayers experiencing problems resulting from identity theft.

A federal grand jury earlier this month indicted NAKEISHA HALL, JIMMIE GOODMAN and ABDULLA COLEMAN for their involvement in a 2008 to 2011 scheme operated out of Birmingham that involved stealing personal identity information from the Internal Revenue Service to create fraudulent tax returns and collecting the stolen refunds…

Hall, having access to taxpayer information as an IRS employee, apparently orchestrated the scheme. Fraudulent tax refunds were routed to prepaid debit cards. These cards were then sent to a variety of fake home addresses set up by the three conspirators — one of which is already doing time on an unrelated charge.

There you have it. The IRS is unable to protect you from outside threats or inside threats. It’s still generally satisfactory when it comes to closing doors on empty barns, though. And, Nakeisha Hall — tasked with preventing ID theft but instead engaging in it — transfers to the US Dept. of Irony, joining such luminaries as Air Force chief of Sexual Assault Prevention (arrested for sexual assault) and the Obama administration (whose open government workshop was closed to the public).

Filed Under: identity fraud, identity theft, irs, nakeisha hall, scams

Scumbag Revenge Porn Site Operator Arrested… But Many Of The Charges Are Very Problematic

from the bad-cases-make-bad-laws dept

A fair amount of attention has been paid to the announcement from Kamala Harris, the attorney general for California, that Kevin Bollaert, the operator of a revenge porn site, and corresponding “pay me to take down the revenge porn” site, has been arrested and charged with a variety of crimes, including extortion. Make no mistake about it: Bollaert is a scumbag and these revenge porn sites — especially those with the extortionate concept of “pay us to take down those nude photos you never wanted posted in the first place” — are highly problematic. But… as with all kinds of “highly problematic” activities, it all too often happens that law enforcement’s zeal to take down the bad guy means they twist laws in dangerous ways that could have significant consequences for plenty of good sites. That appears to be the case here.

Again, Bollaert is a despicable person. A year ago, Adam Steinbaugh was one of the first to detail the nasty practices of “YouGotPosted” (or “UGotPosted”) and the companion site “ChangeMyReputation.” However, as Eric Goldman details, there are a bunch of dangerous problems with the charges that Harris filed against Bollaert, mainly in that many of them seem to blame him for the way users use the site — something that the site is protected from under Section 230:

The other two asserted unlawful purposes are (1) online harassment per Penal Code 653m(b) (criminalizing “repeated contact by means of an electronic communication device”), and (2) the civil tort of public disclosure of private facts (citing a troubling precedent, In Re Rolando S.). Unlike the extortion claim, both allegations depend on the behavior of the website’s users. The complaint doesn’t allege that Bollaert himself made repeated contacts with victims using an electronic communication device, or that Bollaert himself disclosed anyone’s private facts. Instead, the complaint alleges that Bollaert ran a UGC website where users performed unlawful activities. But that’s exactly what UGC websites do: they let users publish content online for both good and evil. If we hold UGC website operators responsible for the fact that their users sometimes commit crimes, then all UGC website operators are criminals.

Fortunately, that’s not the law. In 1996, in 47 USC 230 (Section 230), Congress said that websites aren’t liable for third party content, even if the third party violates state criminal law. From my perspective, based on the allegations in the complaint and arrest warrant, the identity theft charges predicated on harassment and privacy violations appear to be preempted by Section 230

It’s no secret that the various state attorneys general, including Harris, would love to wipe out Section 230. So perhaps she sees this as a chance to take a case so emotionally charged that she can get a favorable ruling. That’s dangerous, since as Goldman notes, this would effectively wipe out Section 230 for many, many sites that allow user contributed content.

A second problem with the complaint is that it relies on an identity theft law used against Bollaert. But anyone looking at the situation would know right away that this isn’t any kind of identity theft. Again, Goldman explains:

The crime asserted here, Penal Code 530.5(a), has two elements. First, the defendant must willfully obtain personal identifying information. Second, the defendant must use that information for an unlawful purpose.

When applied to actual identity theft, these elements make sense. If I steal your social security number and use it to obtain a credit card that I use to run up fraudulent charges, the two elements are clearly satisfied.

As applied to Bollaert, in contrast, the elements are confusing. (The criminal complaint, as typical for the genre, doesn’t explain how the law applies to the facts). How did Bollaert willfully obtain personal identifying information? He allegedly ran a UGC website where users could submit photos and personal information structured into standardized categories. It seems like this allegation would equally describe how all UGC websites “willfully” obtain content from their users.

The one area where the claim may actually make some sense is the extortion claim — as that definitely seems questionable. However, once again, this can run into some problems. For example, you can see a perfectly legitimate service that charges some sort of processing fee to take down content that had been previously posted. Merely charging to remove content, by itself, shouldn’t be seen as extortion. Hell, we’ve recently had comment spammers who apparently got punished by Google’s search rankings email us about removing the comment spam they were able to sneak through our spam filters. When I mentioned how silly this was on Twitter, many people suggested that we should charge the spammers to remove their spam comments. That actually seems like a reasonable (if amusing) idea. But would that be extortion? Under the claims against Bollaert, it’s possible that such an action would be considered the same thing — but I doubt most people would think the request to spammers would be extortion (not that we’ve done it either way).

And that leaves this whole case in a tricky spot. Bollaert’s site was a problem. What he was doing was despicable in so many ways it’s almost difficult to keep track of them all. But, if the case is allowed against him, it’s quite possible that very bad precedents will be set that lead to significant problems for tons of legitimate sites. As Goldman notes, however, there’s a good chance it will never get this far. Bollaert almost certainly will take a plea deal, and Harris will get yet another headline about how she’s protecting the citizens of California, even if her legal theories might undermine its economy — and many of the sites that people around the globe enjoy.

Filed Under: california, extortion, identity theft, kamala harris, kevin bollaert, liability, revenge porn, section 230
Companies: changemyreputation, yougotposted

from the prenda-law-comedy dept

Remember the comedy routine that really was a copyright troll court hearing involving notorious copyright troll lawyer John Steele and a bunch of lawyers who all denied representing the plaintiff? We hoped that people would take that transcript and turn it into a movie, and now, apparently, we may have Act II. Ars Technica and Fight Copyright Trolls both have the odd story of a man named Alan Cooper, who just happens to be employed by John Steele… but as a “caretaker” for some property Steele owns in Minnesota. And, well, I’ll let his lawyer explain the details:

My client had for several years acted as a caretaker for a Minnesota property owned by an attorney by the name of John Steele. When visiting his property, Steele had on numerous occasions bragged to my client about a plan involving massive copyright legislation in multiple jurisdictions. He also specifically instructed my client to contact him if anyone asked about various corporations, that Cooper was to call him. When Cooper confronted Steele about that, Steele told him not to worry about it. Needless to say, my client was suspicious, but did not know what to make of this situation. Upon learning about the many lawsuits filed by AF Holdings and learning that AF Holdings has a CEO with an identical name he began to investigate further, eventually prompting him to retain counsel.

[…] When investigating this matter and calling the number listed on the wefightpiracy.com website, I confirmed that Steele is currently “of counsel” with Prenda Law. I called and emailed local counsel, Michael Dugas to give notice of representation and find out if there was in fact a different Alan Cooper with AF Holdings. Within an hour of giving notice to Prenda Law and local counsel of my representation, Steele himself called my client several times in a row and asked if he had been talking to attorneys in Minnesota. Because I had not yet heard from attorneys Dugas or Steele, I looked for an alternative phone number for attorney Dugas and found a different number than the one that appears on the pleading…. Calling that number, I heard a voicemail message which said “Prenda Law.” I again left a message, but have received no response. Because I have no response from Dugas or Steele, and because Steele has contacted my client, my suspicions are now increased.

Today, I received an email from another attorney at Prenda Law, Paul Duffy, suggesting that their client, AF Holdings, probably would not volunteer information. I reasserted my request to confirm that there was another Alan Cooper at AF Holdings. Shortly before sending this letter, Duffy emailed me again and said that I should not contact his office again.

My client would like certainty that his identity is not being used without his knowledge and against his will as the would be CEO of AF Holdings, LLC or as a manager of Ingenuity13, LLC….

This letter was sent to the court on a few different cases involving these companies. In at least one, the judge apparently didn’t think this mattered. After saying that it was “reviewed by the court,” the judge also said “the court will take no action on this request.” In the other cases, the lawyer for AF Holdings, Michael Dugas wrote a response which does not attempt to clarify the situation, but instead basically tells the judge it’s false and not to worry about it:

I write to respond to the November 29, 2012 letter filed with the Court by Attorney Paul Godfread. In his letter, Attorney Godfread accuses AF Holdings LLC of being a sham corporation and fraudulently holding his client out as its CEO. Both of these accusations are categorically false.

Attorney Paul Godfread filed an identical letter in a similar case currently pending before the Honorable Judge Joan N. Erickson. In a text entry, the Court indicated it reviewed the letter and “will take no action on [Attorney Godfread’s] request.” Plaintiff respectfully requests that the Court reach similar decision. By way of separate action, Plaintiff will address Attorney Godfread’s egregious behavior.

Note that the letter leaves out the important part. You know, the part where they say that the “Alan Cooper” on these documents is a different Alan Cooper. It seems like that would help settle matters, especially if the initial claims were false.

Filed Under: alan cooper, copyright trolls, identity theft, john steele
Companies: af holdings, ingenuity13, prenda law

Columnist Accuses EA Of 'Identity Theft' For Using Player Likenesses

from the doesn't-pass-the-laugh-test dept

Reader LCD points us to a piece in the New York Daily News that is so utterly stupid I don’t want to spend much time on it—but it deserves (nay, requires) a brief pause for ridicule. According to the column by Andrea Tantaros, who almost exclusively covers politics and should probably stick to that, EA’s use of football players’ likenesses in video games (a topic we’ve covered before) is akin to identity theft:

Identity theft is a huge problem that affects millions of Americans each year. If a crook stole your most personal information and used it to make a buck, you’d be furious.

And, of course, that’s illegal. But if you are a corporation, you can steal all the identities you want for profit.

That’s what video game company Electronic Arts is doing when it deliberately exploits the likeness of the players it uses in popular video games. And it doesn’t pay them a cent.

Uh-huh. Identity theft is about serious criminal fraud, not the violation of publicity rights that may or may not actually exist. To accuse EA of identity theft is hyperbole in the extreme, and makes it hard to take the remainder of the column seriously.

As for that remainder, it makes a little bit of effort to address the real issue, but Tantaros simply takes it for granted that everyone has some sort of innate human right to control any and all usages of their likeness. That’s not at all the case, and while there is room for some reasonable debate on the merits of publicity rights, it isn’t going to stem from frivolous accusations of identity theft.

Filed Under: identity theft, likeness, video games
Companies: ea

Call Ralph Nader: Companies Don't Care About Identity Theft Because It's Cheaper To Just Clean Up The Mess If It Happens

from the class-action,-the-movie dept

Willton writes “Daniel Solove highlights a paper written by Chris Hoofnagle about how one of the reasons identity theft happens is because companies have made the economic decision to let it happen.

In the post, Solove compares the identity theft situation to the famous case involving an accident due to a defect in a Ford Pinto, in which it came to light that Ford knew about the design defect in the car but ignored it because it calculated that paying damages in lawsuits would be less than fixing the design flaw.”

Of course, in the case of the Pinto, the scandalous cost-benefit analysis in question led to 27 deaths, whereas identity theft, at least, hasn’t resulted in anyone’s death (hopefully). However, there is a significant cost to the victim in time, mental anguish, and inconvenience, none of which ever really hits the bottom line of the company involved. That said, since the Identity Theft Enforcement and Restitution Act was passed in 2007, it is now possible to sue scammers for the time and effort spent to repair one’s life after identity theft. If there is gross negligence on the part of a company that contributes to identity theft, perhaps a future class action lawsuit over this issue is not too far off.

Filed Under: identity theft