obstruction of justice – Techdirt

Former Uber Security Officer Won’t Go To Prison For Covering Up A 2016 Data Breach

from the not-sure-what-this-is-meant-to-deter dept

A rather strange prosecution of a former Uber executive finally comes to an end. And the first tech company executive to be convicted of criminal acts related to a data breach won’t be going to prison, as Joseph Menn reports for the Washington Post.

Former Uber chief security officer Joe Sullivan avoided prison Thursday as he was sentenced for covering up the 2016 theft of company data on 50 million Uber customers while the company was being investigated by the Federal Trade Commission over a previous breach.

Sullivan had been convicted in October of obstruction of justice and hiding a felony, making him the first corporate executive to be found guilty of crimes related to a data breach by outsiders.

To be sure, some poor decisions were made by Sullivan. But this wasn’t a case where a company carelessly exposed user data and then made moves to ensure its users never found out about it. This was extortion by cyber-criminals, an act aided by the accidental exposure of a digital key, which the extortionists used to obtain data on 600,000 drivers and 50 million passengers.

Sullivan’s team tried to satisfy the extortionists with a $10,000 payment under the company’s bounty program but the hackers insisted on a six-figure payout. Sullivan agreed to pay the amount, provided the hackers destroyed the data and never disclosed the breach. These were the acts federal prosecutors claimed amounted to obstruction of justice and hiding a felony.

According to Sullivan, this was done to ensure the data never leaked while also utilizing the back-and-forth with the extortionist to seek clues to their identity. The pair of extortionists was eventually arrested, with one of the two testifying on behalf of the prosecution(!).

With more and more companies paying ransoms to recover data/prevent data distribution, it seems extremely odd the government would go after someone who appeared to be doing what he could to protect drivers and passengers from having their personal data exposed or sold to other criminals.

And it’s not as though Sullivan had a track record of being careless with sensitive data collected by the companies he worked for. That’s the message that came through in the letters of support delivered to the court by more than 180 colleagues and security professionals.

The conviction shocked many security professionals, many of whom saw Sullivan, a onetime federal cybercrime prosecutor, as an industry leader who continued to work in the public interest as the top security executive at Facebook, Uber and Cloudflare.

They also criticized the government for criminalizing questionable judgment in paying off extortionists when the practice has become a regular occurrence at U.S. companies hit by ransomware.

What has now become an acceptable, if a bit unsavory, “solution” to ransom demands was treated as a criminal act in this case. This successful prosecution suggests the feds might go after more big tech targets if they find out those targets have been secretly negotiating with criminals.

The only assurance we have from the government that it won’t start prosecuting security professionals for paying off crooks isn’t all that assuring:

The FBI has said it will not pursue charges against those who approve payouts that do not go to gangs sanctioned for working in concert with Russian authorities or targeting critical infrastructure.

All well and good, but it’s not like malicious hackers provide targets with business cards and employment history (such as it were…) when trying to extort cash from their victims. Attribution is difficult. With the proper operational security in place, it can be almost impossible. Unless hackers affirmatively declare their affiliation with the Russian government, victims of ransomware attacks won’t actually know where the money is going. And with time being of the essence, sometimes the payment has to be made far ahead of the due diligence.

And it’s not as though the federal government is willing to prosecute its own for careless handling of breaches and lax security practices that invite hackers to partake of massive, government-mandated data collections. This seems like a very selective prosecution meant to show the government won’t let the private sector get away with mishandling their users’ data.

It’s unclear what deterrent effect this is supposed to create. If anything, it encourages companies to take a hands-off approach when dealing with extortionists, increasing the risk exfiltrated data will be publicized or sold to other criminals. That can’t be what the federal government actually wants. But it seems like that’s what it’s going to get.

Filed Under: computer security, doj, extortion, joe sullivan, obstruction of justice, ransomware
Companies: uber

from the good-luck-with-that dept

Thu, Sep 2nd 2021 05:32am - Karl Bode

If you’ve spent any real time digging into Trump GOP era tech policies, you’ve probably noticed they’re a jumbled mess of contradictions and inconsistencies, cloaked in a lot of performative propaganda. The same party that thought net neutrality (the FCC holding telecom giants vaguely accountable) was a government hellscape, pivoted on a dime to try and force the FCC into regulating social media companies. The same GOP that whines incessantly about “big tech” via performative populism, routinely runs for the hills any time somebody actually tries to rein in corporate power or implement genuine antitrust reform.

Of course in the mainstream press (in this context usually The New York Times, Axios, The Washington Post, Politico, and friends), the inconsistency of the GOP’s policy platforms is never really explained. It’s part of the “view from nowhere” disease that has infected mainstream U.S. political coverage, where everything is portrayed in a “he said, she said” frame of perfect symmetry, leaving your readers completely uncertain where the truth actually lies. It’s driven by a fear of upsetting sources and advertisers, and results in a media that simply refuses to call a duck a duck (or bullshit bullshit) when urgently required.

That bubbled up again this week as the GOP bristled at the fact the committee investigating the January 6 attack on the Capitol by a pro-Trump mob has been asking telecom and tech companies to retain relevant communications between lawmakers and organizers. Facebook, Google, Microsoft, Twitter, Signal, Verizon, AT&T, and T-Mobile have all received requests. As Mike has noted, there are concerns that the requests are worryingly broad, including troves of internal communications at the companies themselves.

At the same time, many of the requests (especially those looking at the text message and call logs from telecom companies) are perfectly legitimate, and if investigators can find text messages showing coordination between the violent Capitol-assaulting mob, its organizers, and the GOP, that kind of seems arguably important in terms of a functioning democracy and avoiding even worse scenarios down the road. After all, guys like Jim Jordan are nervously babbling in interviews like this one for a reason:

Ohio's @Jim_Jordan confirms to me:

“I spoke with [Trump] on Jan. 6th.”

Before, during or after attack?

“I spoke with him that day, after? I think after. I don't know if I spoke with him in the morning or not. I just don't know…I don't know when those conversations happened.” pic.twitter.com/h4fbuMYtk0

— Taylor Popielarz (@TaylorPopielarz) July 28, 2021

Several GOP members seem particularly nervous about text messages and phone logs, and are now taking to television threatening to “shut down” telecom companies if they cooperate with the probe in any way whatsoever:

This is, of course, utterly nonsensical, zero calorie, idiot theater. Congress as a whole worships the ground companies like AT&T walk on, and the GOP in particular has never stood up to AT&T on any issue of substance. Ever. Why? Because AT&T’s extremely politically powerful (thanks in large part to its cozy relationship with the NSA), and a major GOP campaign contributor. There’s legitimately a 0.0% chance that AT&T or Verizon see any meaningful penalties for cooperating with legal requests, especially from a party with a thirty year track record of mindlessly kissing telecom’s ass.

The GOP for years has opposed privacy protections and embraced expansive government surveillance. And its entire brand has been built on the worship of purportedly “free markets” without the imposition of government intervention. And the entire Trump GOP approach has been to take “political norms” in the alleyway and beat the ever loving piss out of them, repeatedly. Yet this morning we saw the Rupert Murdoch editorial pages pretending to care about both telecom privacy and (gasp!) “political norms”:

House Minority Leader Kevin McCarthy also took to Twitter to threaten to shut down private companies for complying with legal information requests (you know, “free markets!” and all that):

Nobody’s violating federal law. It’s a valid inquiry into an extremely dangerous, precedent setting event. And “federal law” on privacy is weak in the first place largely courtesy of forty years of DC policy choices. There’s just layers of gibberish here, particularly the pretense that the GOP gives two flying shits about rampant government surveillance or “political norms.” If Congress is doing something illegal that violates privacy, anyone can sue to stop them. Instead, the GOP is having yet another toddler moment, engaging in hollow bullying to shut down private businesses they know they’ll never actually follow through on.

As Ken White notes, one could argue that this kind of behavior, while likely not prosecutable, qualifies as corruption and obstruction of justice:

Granted, this most likely ends (like the mythical GOP support for “antitrust reform”) with zero penalties for telecom companies, because there’s nothing to penalize. Still, letting a bunch of mindlessly ambitious authoritarians try to overthrow elections with zero meaningful penalty sets a clearly dangerous precedent. As does threatening companies for complying with perfectly valid legal requests.

Shutting down AT&T is a non-starter, so what is the GOP going to do to “punish” telecom companies? Re-establish the FCC’s ability to hold telecom monopolies accountable? Stop blocking efforts to impose broadband privacy rules? Finally start holding them accountable for fraud? Rein in their overly enthusiastic participation in our domestic surveillance program? Force AT&T and Verizon to close up shop and go home? Give me a break.

It’s just empty-headed bullying by GOP lawmakers clearly nervous about what these requests could reveal about one of the dumbest yet most dangerous days in recent U.S. history. And yet courtesy of DC beltway press’ “he said, she said” framing of the situation, a reader walks away from most terrible coverage of this dispute with the impression that the GOP’s position here could be perfectly reasonable. (“Bob the authoritarian says a valid investigation into him is illegal, but his colleague Jane says that’s not true. Who’s right? Who knows?” ¯\_(ツ)_/¯).

U.S. press outlets need to dramatically improve their ability to call out bullshit or this stuff is all going to get significantly worse. Bad faith bullshit only works when you refuse to identify it as clearly bad faith bullshit. Corruption thrives when your press is too timid to clearly call it corruption when required. And by and large the nation’s biggest media outlets continue to fail painfully at the task of highlighting the GOP’s hard right authoritarian swerve, or the bullshit faux-populist propaganda they’re using to make it happen.

Filed Under: due process, empty threats, evidence, gop, investigation, january 6th, jawboning, kevin mccarthy, marjorie taylor greene, obstruction of justice, subpoena, telcos
Companies: at&t, verizon

Police, Yet Again, Arrest Someone For Filming Them, Saying It's Obstruction Of Justice

from the sad dept

These stories are becoming all too common. The police in Suffolk County, New York (where I grew up, actually), arrested a freelance news photographer who was videotaping the conclusion of a police chase. The police told him to “go away,” while letting others stay. The guy, Phil Datz, moved further away, and started filming again… at which point he was arrested and charged with obstruction. After realizing that they had no case (and after the story got some press attention), it was announced that charges would be dropped and that “officers will undergo media relations training.” But it’s pretty ridiculous that such training is needed in this day and age. There’s simply no way that police should be on the street if they believe it’s illegal to film them in public.

Filed Under: arrests, chilling effects, filming, obstruction of justice, police