secrecy – Techdirt

We Shouldn’t Allow A New Super Secret Surveillance Court Cover Up The Civil Liberties Problems Of The Old Super Secret Surveillance Court

from the not-fixing-the-problem dept

For years now we’ve been covering the big ongoing fights between the US and the EU regarding the transfer of user data across the Atlantic. The main issue is that, because the EU and the US have somewhat different data protection/privacy laws, the two keep trying to work out a “deal” that allows (mostly) US companies to store data from EU users on servers in the US. This transatlantic data flow agreement is important. It would be difficult for many US companies to offer services to EU citizens without it.

But it’s been a fucking mess for over a decade. Almost entirely because of US surveillance programs.

The agreements to handle this have gone by various names, starting with the EU/US Privacy “safe harbor,” and then later the “Privacy Shield.” In both cases, those agreements were eventually rejected by the EU Court of Justice, almost entirely because of the very big problem of the US’s surveillance activities, mostly overseen by the secretive FISA Court. (As a side note, EU government surveillance is in many ways worse than the US’s similar surveillance efforts, but somehow that never comes up in any of these discussions… but, I digress…).

Back in the fall of 2022, the EU and the US excitedly announced a new agreement to replace the old rejected agreements. Yet, as we pointed out at the time, unless they agreed to stop NSA surveillance on basically all electronic communications outside of the US, it wasn’t clear how it would actually fix the underlying reason these agreements keep getting thrown out.

As Politico recently detailed, the way the US has “fixed” this in the new privacy agreement… is to set up an entirely new, entirely secretive surveillance court. What could go wrong?

Officially known as the Data Protection Review Court, it was authorized in an October 2022 executive order to fix a collision of European and American law that had been blocking the lucrative flow of consumer data between American and European companies for three years.

The court’s eight judges were named last November, including former U.S. Attorney General Eric Holder. Its existence has allowed companies to resume the lucrative transatlantic data trade with the blessing of EU officials.

The details get blurry after that.

The court’s location is a secret, and the Department of Justice will not say if it has taken a case yet, or when it will. Though the court has a clear mandate — ensuring Europeans their privacy rights under U.S. law — its decisions will also be kept a secret, from both the EU residents petitioning the court and the federal agencies tasked with following the law. Plaintiffs are not allowed to appear in person and are represented by a special advocate, appointed by the U.S. attorney general.

That doesn’t seem that great.

Also, this new quasi-court has some other oddities, including that it is open to Europeans, but not Americans.

U.S. residents who suspect they are under improper surveillance cannot go to the Data Protection Review Court. Under U.S. law, they can go to a federal court — but only if they can show a concrete wrong or harm that gives them legal standing, which presents a Catch-22, since they can’t prove what they don’t know.

Adam Klein, former chair of the Privacy and Civil Liberties Oversight Board, an independent agency within the Executive Branch, pointed to former Trump campaign adviser Carter Page as the type of individual who could have benefited from a mechanism like the DPRC. Page was surveilled by the FBI during the 2016 presidential election as part of a probe into Russian influence in U.S. politics — and a Justice Department inspector general investigation later found a swath of errors and material omissions in the documents used to seek the surveillance warrant. An FBI lawyer ultimately pleaded guilty to altering a document used for that warrant.

But Page himself had little recourse. He filed a lawsuit in 2020 seeking $75 million from the government and several current and former FBI and DOJ officials for violating his constitutional rights. A federal judge called the FBI’s conduct “troubling,” but ultimately found the law bars Page from pursuing a civil lawsuit. An appeal is pending.

Now, with the DPRC in place, “We’re in an odd place when non-residents have easier access to a place to raise their concerns about U.S. government surveillance than Americans do,” said Klein.

But even Europeans have no clear path to using this court that is so secretive no one’s even entirely sure if it’s actually opened for business.

According to the executive order, getting before the DPRC starts with a long preliminary process: a citizen complaint first has to shuttle between an EU data protection official and the U.S.’ Office of the Director of National Intelligence, which decides whether there was a civil rights violation from the data collection.

Regardless of the results, the response to the initial complaint will neither confirm nor deny that the EU resident was under U.S. surveillance. The response will say there either was no violation found, or that there was a violation found and that the U.S. government took appropriate steps to resolve it. It won’t specify which one.

The EU resident can then appeal directly to the DPRC in America — with the assistance of a court-appointed special advocate. That advocate will have the details from the underlying ODNI decision — although that decision remains off-limits to the person making the appeal.

“What are you going to write in the appeal? Nothing, because you don’t know what the answer is,” Schrems said. “As a lawyer, it’s really hard that you’ll ever win a case by saying ‘I appeal’ without saying what your problem is with the decision.”

While this seems to be a setup designed to make bureaucrats on either side of the Atlantic pretend they’re doing something useful, it’s hard to see how it will actually solve the underlying problems. Which, again, are because of NSA surveillance rubber stamped by the other secretive court, the FISA Court.

Stacking up more secretive courts does not seem like a real solution. Fixing overly broad, mass surveillance is.

But apparently that’s off the table.

Filed Under: data protection review court, eu, nsa, privacy shield, secrecy, surveillance, transatlantic data flows

The First Rule Of Owning A Toyota Tundra In Australia Is You’re Not Allowed To Talk About Your Toyota Tundra

from the shhhhhhh dept

Here are two things that cannot simultaneously be true: a company is very confident in the product it produces, and that same company is very afraid of public discussion of its product on social media. This is generally true of pretty much every product in every category, but it gets a little more serious when we’re talking about a two-and-a-half ton hunk of metal on wheels that has to be retrofitted for driving in a new country.

Which brings us to the introduction of the Toyota Tundra in Australia. The automaker has decided to enter that particular market with the Tundra through its Toyota Insider Program. The wrinkle in this is that Tundras are made primarily in Texas for the American market, and Australian streets are flipped. This means that the trucks need to be converted from left-hand drive to right-hand drive. Toyota has partnered with a local automotive company to do this conversion and will be piloting the program with a few hundred Tundras.

No big deal, right? Well, if Toyota were all that confident in its plans for all of this, why is part of the Insider Program an agreement that you won’t talk about your Tundra on social media, or talk about or provide the vehicle to any local press?

A letter from Toyota to prospective participants in the Tundra Insider Program advises customers will need to make their vehicles available for frequent detailed technical inspections, and to not share their experiences on social media or with motoring media outlets.

While the more frequent technical inspections are understandable – given the program was established to detect early any rectification work that may be required before ramping up production – the ban on social media activity is unusual given the vehicles will be in the public domain and on public roads.

Toyota Tundra customers who take part in the ‘Insider Program’ must agree to “avoid any comment about the Tundra on social media, and refrain from mentioning or discussing the lease agreement, or the Tundra itself, with any media outlets.”

I’d love to know how this is going to be enforced. Is the company going to monitor the social media feeds and activities of everyone in the Insider Program? Creepy! Does Toyota somehow think that these people can’t figure out a way to anonymously speak with the press if they want? Silly!

And here’s the thing: it’s very clear that Toyota has, in the words of the source post, turned “people into beta testers.” And, yeah, beta testers often have to sign NDAs or otherwise agree to keep quiet about the product they’re testing. But they also don’t typically pay for the privilege of being a beta tester, whereas the Insider Program costs over $1,000 a month for a year.

Keep in mind these are going to be vehicles on the public roadways. If Toyota really thinks it can keep everyone silent about these trucks, best of luck to them. And if the Australian press doesn’t have its alarm bells going off as a result of all this attempted secrecy, shame on them as well.

Filed Under: australia, secrecy, toyota insider program, toyota tundra
Companies: toyota

The FBI Is Still Pretending Stingrays Are Super Secret Cop Spy Tech That Shouldn’t Be Discussed In Court

from the WHAT_YEAR_IS_IT.wav dept

When I was but a wee Techdirt boy, the FBI was telling cop shops that had borrowed or obtained Stingray devices they’d best not talk about it in court or it would be their NDA’ed ass on the line. In 2015, documents the FBI hoped no one would see (and actually told local cops they couldn’t release) showed the FBI was forcing Stingray users to drop cases, rather than discuss this repurposed war gear in court.

That was 2015. That was roughly four years after criminal defendant Daniel Rigmaiden managed to sniff out the devices through internet research and public records requests while trying to suppress the evidence that had gotten him arrested three years earlier. In other words, what’s known about Stingray devices traces back to 2008, when Rigmaiden made a concerted effort to discover how the feds had tracked his AirCard, the only thing linking him to where he actually was physically when he was arrested.

A few years after the 2011 article based on Rigmaiden’s findings, Stingrays weren’t really a secret. People generally knew what they were capable of. Still, both the FBI and Harris Corporation swore users to secrecy. If it appeared evidence derived from surreptitious deployment of cell site simulators might be discussed in open court, prosecutors and law enforcement agencies were pressured to drop cases. Or, if the case seemed promising, the FBI encouraged them to engage in “parallel construction,” i.e. finding some other way of duplicating the results obtained from Stingray devices so courts wouldn’t be aware of how this evidence was actually obtained.

We are now eight years past that inflection point. And little has changed, at least in terms of the FBI. The general public is now fully aware law enforcement possesses devices capable of spoofing cell towers to locate phones and their owners. It’s so common it’s now just a consumer commodity, as Dell Cameron reports for Wired:

The controversy around “stingrays” is so old that the tactical advantage they once offered exclusively to military spies works far more efficiently today as a commercial capability. To wit, finding a phone is now a standard feature on nearly all phones.

That’s just one of several points Cameron makes in his article discussing FBI Stingray records obtained by the ACLU. The FBI is still applying pressure, trying to maintain secrecy about a law enforcement product everyone already knows pretty much everything about at this point in time.

Documents obtained by the ACLU show, for example, that police requested technical assistance from the FBI in May 2020 during a manhunt for a gang-affiliated suspect wanted for multiple murders. “This is a serious crime and a good use of our assistance abilities,” an FBI official wrote in response to the request. Though redacted to protect the privacy of the individuals involved, the document indicates the suspect had recently attacked a female victim, leaving her greatly injured.

The arguments compelling all this secrecy are difficult to square with the reality that, in the year 2023, both innocent people and criminals alike are far from naïve about how much like a tracking device cell phones actually are.

This apparent effort to terminate a criminal case occurred the same year Harris Technology ditched Stingray development because it considered the product obsolete.

How the FBI managed to justify these ongoing demands for secrecy (if they indeed ended in 2020) remains a mystery. The known ability of phones to act as tracking devices (even if users take general precautions) had long since passed the point of general knowledge. It had seeped into pop culture and from there entered the weird realm of people just trying to get paid for not working. Back to Dell Cameron:

Whether everyday people comprehend that their phones are constantly broadcasting their locations is a question best answered by the man who was caught stowing his phone in a potato chip bag so he could play golf instead of work—a trick so effective (or possibly unnecessary) that, in the end, it took an office snitch to bring him down. It’s hard to imagine the crime spree the man might’ve pulled off had he only applied this advanced telecommunications mastery toward some more felonious endeavor.

While the golfer was hailed widely as a “MacGyver” in the press, the trick he used to deceive his employer was first popularized in the 1998 thriller Enemy of the State. Early in the film, Gene Hackman’s character grabs and stuffs Will Smith’s phone into a potato chip bag (screaming at him, meanwhile, that the NSA can “read the time off your fucking watch.”)

As Cameron points out, if people know the office vending machine is stocked with ad hoc Faraday bags, there’s very little chance criminals — sophisticated or not — realize the entity most likely to rat them out has a 6.3″ screen, multiple cameras, and generates a shitload of data cops can mine without a warrant, much less a [whispers furtively] Stingray.

Give it up, g-men. We all know what you know. Stop pretending Stingrays are anything more secret than dusting for fingerprints or beating suspects with a large [tries to pronounce this correctly] foʊn ˈbʊk (???). It’s a spy tool that spies can’t even use because those being spied upon already know what it is. That it can still be used to capture the careless doesn’t mean it’s too sensitive for public consumption.

Filed Under: 4th amendment, fbi, nda, secrecy, stingrays, surveillance, transparency
Companies: harris corp.

Stupid Patent Of The Month: Clocking In To Work—On An App

from the are-the-owners-of-this-patent-clocking-in? dept

What if we told you the Stupid Patent of the Month has a sponsor, but we don’t know who it is? That would seem shady, wouldn’t it?

This month’s stupid patent, U.S. Patent No. 9,986,435, was brought to you—to all of us, really—from the murky depths of the litigation finance industry. Originally assigned to a shell company linked to giant patent troll Intellectual Ventures, this patent was sold off and is now in the hands of Mellaconic IP LLC, a recently-created Texas shell company. Mellaconic has sued more than 40 companies over claims that a vast array of HR software infringes their patent.

Here is Mellaconic’s key patent claim:

1. A method to perform an action, comprising:

receiving, by a first device located at a first geographical location, one or more messages that indicate geographical location information of a second device located at a second geographical location, and

include a request for a first action to be performed by the first device, wherein the one or more messages are received from the second device, and wherein the geographical location information of the second device acts as authentication to allow the first action to be performed by the first device; and

autonomously performing, based at least on the received one or more messages, by the first device, the authenticated first action.

In other words: A device receives a request from a second device to take action. That action may or may not be performed, depending on the location of the second device.

Mellaconic’s lawyers say this applies to something hourly workers do every week: clock in and clock out of their jobs. Even though their patent doesn’t even discuss clocking in—and despite the fact that clocking in has happened since, well, clocks—they’ve sued a huge swathe of U.S.-based companies that market human resources and payroll software.

For instance, they sued Paychex, saying that the Paychex server is the first device, and the second device is a mobile user with the Paychex Flex app, which, like many HR apps, allows for clocking in and out of a job. Same thing for Hi Bob, a smaller HR company that Mellaconic sued in August. They’ve repeated this allegation—that clocking in (but with an app!) equals infringement of their patent, which means the companies owe money to the people behind Mellaconic.

Who’s Making Money From This Patent?

Mellaconic, like so many patent trolls, has been able to hide its true beneficiaries. Most of the 40 companies that Mellaconic sued have likely paid to settle, because their cases ended within a few months, before any significant hearings. That suggests many defendants settled for less than the hundreds of thousands (potentially even millions) of dollars that it would have cost to fight off this stupid patent.

Unusually in this case, a Delaware federal judge overseeing some of Mellaconic’s cases has insisted that the supposed owner come to testify in court. That’s what led Hau Bui, a Texas restaurateur and food-truck owner who says he owns Mellaconic, to travel to Delaware in November and testify under oath in federal court.

But Hau Bui has now said under oath (see transcript p. 87) that he hasn’t paid anything for Mellaconic’s patent, nor the other patents it hasn’t yet sued over. He hasn’t paid anything to Mellaconic’s lawyers (p. 96), or any other litigation expenses. And Bui said he only collects 5 percent of Mellaconic’s settlement money (p. 91), which has amounted to about $11,000 (p. 98).

Bui was promised this “passive income” stream by Linh Dietz, a person whose name has come up at every stage of the Delaware investigation, and is linked to IP Edge, a large-scale patent troll. Every supposed “owner” of the patent troll entities who have testified in Delaware acquired their patents, for free, by talking to Dietz and signing paperwork she provided.

Patent Trolls Have A Growing Network of Secret Funders

IP Edge is far from the only player in the vast world of patent trolling, which continues to account for the great majority of patent lawsuits against tech companies—more than 88% in 2022. Why do these lawsuits keep coming even while overall patent litigation is going down?

In part, it’s because there is nothing stopping aggressive litigation finance from paying out money to fund patent lawsuits, in the hopes that “investing” in a broad campaign of patent lawsuits will pay off a big return. Unified Patents, a company that sells patent defense services, recently estimated that about 30% of all patent lawsuits are now backed by third-party financing.

That’s one reason why EFF, along with other public interest groups, filed a brief stating that the Delaware investigation must be allowed to continue. The lawyers working for Mellaconic and related shell companies are doing everything they can to shut it down. They appealed to the Federal Circuit, twice, and were rejected both times.

The public deserves to know more about patent trolls that are using our public courts to seek rents for innovations they had nothing to do with. That’s especially true as litigation finance helps spread lawsuits over patented “inventions” like clocking in on an app.

Reposted from the EFF’s Stupid Patent of the Month series.

Filed Under: hau bui, linh dietz, litigation finance, patent finance, patent trolls, patents, secrecy, shakedown, transparency
Companies: hi bob, ip edge, mellaconic, paychex

Congress’ Kids Online Safety Act Puts Kids At Risk Through Fuzzy Language

from the will-this-protect-or-harm-children? dept

The Kids Online Safety Act (KOSA) was voted out of committee with a long list of amendments. Advocates had been warning about some severe unintended consequences that could arise out of this bill, the most concerning of which was forcing tech companies to out LGBTQ+ minors to their parents — potentially against their wishes. The amendments were supposed to fix these issues and more. But did they?

The short answer is there was an honest attempt but I believe it falls short, and I think it falls short for a specific reason.

The background of the bill

In order to understand why this bill has significant problems, we first have to cover some basics and separate the intended and unintended harms from the bill.

Let’s start with what the bill wants to do, which is set a floor of protections for minors. It does that by creating a duty of care to act in the best interest of the minor. The bill then goes on to loosely define what that means and what categories of harm online platforms need to shield minors against, requiring the creation of certain tools parents can use to monitor their kids, etc. It also gives platforms plenty of homework, like creating an annual report identifying the risks they think minors will encounter on their platform and what they are doing to mitigate those harms.

So why did I say this bill has intended harms? Well, drafting a bill is hard: you have to describe what you mean when you say a company “shall act in the best interests of a minor” to “take reasonable measures” to “prevent and mitigate mental health disorders” or “addiction”. The more granular you get, the more confusing it gets; the more broadly it’s stated, the harder it is to apply to specific facts.

Let’s say I’m playing a game with VOIP and someone calls me a slur. Was that because the game company failed to take reasonable measures? If I want to play a game during all my free time, is it because the game is really good or because it was intentionally made to provoke “compulsive usage”? What even are “reasonable measures”? Especially when many of the things the bill describes impact people differently.

KOSA’s intentional fuzzy language

KOSA’s authors are basically outsourcing to courts how to apply the bill’s fuzzy language to actual facts. Practically, this means that if the bill is passed all platforms will attempt to comply with what they think the text means. Then at least one of the platforms will almost certainly get sued for falling short. Those companies will then have to go through a lot of discovery and judges will just muddle through it.

This will be a lengthy, painful, expensive, and time consuming process. But I think it’s intentional. Many in Congress think that platforms are not doing enough to protect kids, even though they should have the resources to do so. They either don’t see, or don’t care about, the large amount of resources already going into trust and safety divisions to protect all users, including minors. They see a problem that needs to be immediately solved, and believe a strong regulatory response will give platforms enough of a kick in the pants to figure it out. This is the famous “nerd harder” complaint that often gets leveled at Silicon Valley.

If you look at KOSA through this lens, everything kind of makes sense. It doesn’t matter that it sets up a bunch of expensive new compliance efforts that may or may not be productive. It doesn’t matter that it may kill off some companies or force consolidation. It doesn’t even matter that some platforms will try to bar minors from their platform completely (of course we all know that kids will figure out how to get on the platforms anyway). It’s a big extrinsic shock that they hope will shake things up enough so that platforms will finally nerd hard enough.

After all, the enforcement of KOSA is limited to the FTC and state AGs. We can trust them to only bring cases that will advance the welfare of children, right?

KOSA’s extremely bad unintended harms

In Normal Times™, this is how the debate on whether to pass KOSA would go: this bill is a mess and will be too painful (and expensive) to sort out — vs. — we really don’t care, the platforms can afford it, and we think it will do something to at least make the world slightly better.

But these aren’t normal times, and advocates have been warning that not only will this bill be painful to sort out, it provides an avenue of attack from ideologues using the legal system to go after marginalized communities. This is a real threat that no lawmaker (especially Democrats) should be complicit in, especially considering that the overturning of Roe has become a starter pistol for using the legal system towards culture wars and extreme ideological ends.

The main avenue of attack built into the original KOSA was towards the LGBTQ community, and the feedback given at the time was that it will out kids to parents that might not be tolerant and could result in things like minors being thrown out of homes or sent to conversion therapy. This is what advocates warned the drafters of, and what new language sought to fix.

So was this fixed? Sort of. They added a provision saying that the bill shouldn’t be interpreted to require the disclosure to parents of things like browsing behavior, search history, messages, or the content of communications. The tools that platforms are required to provide to parents now seem solely directed at high-level things like time used, purchases, etc. But there is a sort of dangling requirement that there are “control options that allow parents to address the harms described in” the big section describing the harms they want to stop. What option stops bullying? I’d like to know (maybe it will allow me to stop being T-bagged in multiplayer games).

Sorting that out may or may not sweep some sensitive data back in and expose kids. Sometimes kids keep secrets to protect themselves from their parents. This makes sense to me, I had a friend growing up sent to one of the reform schools Paris Hilton warned us about. However, I’m overall less concerned about forced outing than I was before the amendments.

I’m now more concerned this bill invites a broad attack against platforms allowing a kid to see any pro-LGBTQ content. The culture wars’ Eye of Sauron has turned to harassment and vile behavior towards this community, especially trans persons, and they are doing so under the banner of protecting children.

Unfortunately, the language these people are using to vilify the LGBTQ community is everywhere in the bill. Being trans has been called a mental health disorder, and this bill says platforms are required to protect minors from that. Seeing a drag queen, period, has also been described as sexual exploitation, grooming, and sexual abuse. Again, barred in KOSA. Gender affirming care has been referred to as self-harm, which again platforms are required to protect against under KOSA.

The bill’s fuzzy language, which may have been seen by the drafters as an asset, is now a huge liability. And it’s not just limited to anti-LGBTQ content. For example, a minor seeking information about how to receive a safe abortion could also be described as self-harm.

The bill’s authors might think that they are safe from their bill being used in these culture wars because enforcement is limited to the FTC and State Attorneys General. While I worry less about the FTC (now), it’s easy to imagine certain state AGs getting before the right judge and successfully barring minors from access to basic information they need to understand what they are going through and how to receive help, if they need it. Just look to Florida, where governor DeSantis has filed a complaint against a restaurant and bar that allowed kids at a drag brunch and said that parents that allow their children to see a drag performance could be targeted by child protective services.

This bill is throwing a hand grenade into the middle of a particularly dark moment of our legal system. I don’t think that’s wise, or very smart politically when the odds are actually quite high someone decides to take this bill up on its offer.

Matthew Lane is a Senior Director at InSight Public Affairs.

Filed Under: congress, fuzzy language, kosa, lgbtq, nerd harder, parents, protect the children, secrecy, trust and safety

Stingray Manufacturer L3Harris Seeking To Acquire NSO Group

from the oh-no-no-no-dear-god-no dept

Well, this is an unwelcome development.

The US defence contractor L3Harris is in talks to take over NSO Group’s surveillance technology, in a possible deal that would give an American company control over one of the world’s most sophisticated and controversial hacking tools.

Multiple sources confirmed that discussions were centred on a sale of the Israeli company’s core technology – or code – as well as a possible transfer of NSO personnel to L3Harris.

If anyone has any objections, speak now or forever… well, actually there are already objections. The US federal government has some, namely the sanctions it placed on NSO Group (and competitor Candiru) last November.

In a statement, a senior White House official said: “Such a transaction, if it were to take place, raises serious counterintelligence and security concerns for the US government.”

Those are still in place and that would seem to suggest L3Harris (the company resulting from the merger of Stingray manufacturer Harris Corporation and defense contractor L3 Technologies) can’t actually make this purchase. Unfortunately, the statement given to the Guardian suggests the White House may not actually be able to stop the purchase from taking place.

This statement, given to Lucas Ropek of Gizmodo, strays even further from a flat statement saying the acquisition would violate the Commerce Department’s sanctions.

In an email to Gizmodo, a senior White House official said that the government “opposes” the circumvention of U.S. sanctions. “The U.S. Government, and the White House specifically, has not been involved in any way in this reported potential transaction,” said the official. “While we can’t speak to this particular report, the U.S. Government opposes efforts by foreign companies to circumvent U.S. export control measures or sanctions, including placement on the U.S. Department of Commerce’s Entity List for malicious cyber activity.”

The White House will oppose this acquisition but there might be an exploitable loophole in the sanctions. Being acquired by an American company won’t remove NSO from the sanctions list, but it would force the federal government to jump through a bunch of hoops (and, presumably, face litigation) to ensure its sanctions are valid and address actual threats to US entities, including other defense contractors whose offerings might be targeted by foreign purchasers of NSO malware.

What might make it less objectionable (and more likely to result in lifted sanctions) is L3Harris’s customer list, which is largely composed of countries and government entities the US government likes, rather than the sprawling list of human rights violators NSO sold to. That could be something that allows the acquisition to take place with the federal government’s tentative blessing, if the company agrees to trim its customer list down to the US government’s preferred customer list.

Even if it may somewhat whitewash NSO’s reputation, this merger shouldn’t be welcomed by anyone. It adds the abuses of cell tower simulator technology to the abuses of powerful cell phone-compromising exploits. When a single product can force phones to connect with it in order to deploy malware, the abuses observed to date are going to look pretty mild.

Beyond the theoretical combinations of phone-targeting tech, there’s no reason an American company should willingly get in bed with a company currently facing sanctions from the US government. But NSO’s powerful malware may be too tempting to ignore, especially when Harris has played fast and loose with export regulations in the past. Hopefully, this acquisition will remain what it is now: merely one of several possible outcomes.

Filed Under: malware, secrecy, stingray, surveillance
Companies: harris corporation, l3, l3harris, nso group

(Corporate) Information Wants To Be Free

from the let's-give-it-what-it-wants dept

Private companies have a lot of people to answer to. When you ask them, they’ll claim it’s either shareholders or customers that they owe their ultimate duty to. Ask them a couple more times and they may admit they’re only accountable to their shareholders.

But there’s more to it than this. The term “private” may suggest the only true accountability is to the market, however it presents itself. But this willfully ignores the reality of the situation. Many industries are heavily regulated, which requires frequent interactions with government agencies. Thousands, if not millions, of private companies secure government contracts, making them de facto extensions of government agencies.

Despite this, the average American citizen cannot approach private companies and demand access to communications, contracts, or regulatory compliance activities. Instead, they have to approach the issue obliquely, asking government agencies for permission to view (some) of this (secondhand) information. This is rarely successful. Corporations love tax dollars but they have almost zero interest in being honest with taxpayers. Private companies have inserted themselves into court proceedings to prevent people accused of crimes from examining the (private company-supplied) evidence used against them. And when FOIA requesters come knocking on federal or local government doors, corporations swear on all that is profitably unholy that any information leak might destroy their competitive advantage.

That shouldn’t stop us from demanding answers from corporations closely entwined with government interests — whether it’s via regulation or lucrative contracts laden with NDAs.

A recently published research paper [PDF] by Christopher Morten for the University of Pennsylvania Law Review argues the public has a right to this information. Corporations are the biggest beneficiaries of FOIA laws. Why, then, is it assumed the street doesn’t run both ways?

Federal regulatory agencies in the United States hold a treasure trove of valuable information essential to a functional society. Yet little of this immense and nominally “public” resource is accessible to the public. That worrying phenomenon is particularly true for the valuable information that agencies hold on powerful private actors. Corporations regularly shield vast swaths of the information they share with federal regulatory agencies from public view, claiming that the information contains legally protected trade secrets (or other proprietary “confidential commercial information”). Federal agencies themselves have largely acceded to these claims and even fueled them, by construing restrictively various doctrines of law, including trade secrecy law, freedom of information law, and constitutional law. Today, these laws—and fear of these laws—have reduced to a trickle the flow of information that the public can access. This should not and need not be the case.

Corporations that have secured government contracts shouldn’t be allowed to act like private parties while spending tax dollars. Industries subject to regulation should not be allowed to pretend their interactions with federal and local agencies are “trade secrets” too valuable to be shared with the public that is asked to support their ongoing existence with their tax dollars.

That’s the thrust of this paper, which argues much of what’s shared with public agencies is public. That much would seem obvious, but the government (at all levels) has chosen, far too often, to defer to the interests of the private companies they do business with.

It wasn’t always this way. The paper opens with a couple of anecdotes showing that regulators and government agencies doing business with private companies used to consider the public their most important stakeholder.

In 1941, a drug manufacturer (Winthrop Chemical Company) was harming users by cutting corners in its manufacturing process, streamlining packaging in a way that made cross-contamination possible and leading directly to the deaths of unsuspecting customers. The FDA stepped in and, rather than shield the proprietary packaging process from the public, chose to make its findings public.

After the inspection, Winthrop assured FDA that it could eliminate contamination quietly and resisted publicity of the problem. Despite Winthrop’s efforts to keep its manufacturing processes and problems secret, FDA elected to publicize them. Through a press release widely covered by the news media, the agency informed the public of Winthrop’s deadly contamination and disclosed specific details of Winthrop’s manufacturing processes that had encouraged the accidental contamination (including the inadvisably placed tableting machines). The resulting scandal prompted Winthrop to reform its manufacturing processes (and to replace many executives).

This was an indisputable public good. But, as the years went on, the government increasingly decided it was subservient to companies, rather than the public, resulting in the problems we see today: increasing government and corporate secrecy and private companies repeatedly escaping accountability for their actions.

Here’s how things went down in 2019:

In 2018 and 2019, hundreds of people died, tragically, in two separate crashes of Boeing’s 737 MAX passenger jet. After the first crash but before the second, regulators at the Federal Aviation Administration (FAA) determined that the cause of the crash was the 737 MAX’s flight control system, the Maneuvering Characteristics Augmentation System (MCAS), a combination of hardware and software designed to correct, automatically, the plane’s trajectory when the plane was at risk of stalling.

After the first crash, the president of a major commercial pilots’ union stated, “what we need now is to make sure there is nothing else Boeing has not told the companies or the pilots” about the 737 MAX. Yet Boeing and FAA withheld documentation of MCAS from pilots’ unions, independent experts, watchdog groups, the public at large, and even Congress—and continue to withhold that documentation as of writing—on the theory that those details contain protected trade secrets.

A Congressional investigation showed the second crash could have been prevented if the results of the first FAA investigation had been publicized and disseminated to all affected parties. Instead, regulators chose death over transparency.

“But if we’re open and transparent, we’ll no longer be competitive,” I hear companies complain. That may be true in an incredibly small percentage of cases. If you can’t be honest with the public, you shouldn’t have access to the public’s money. The same goes for regulators who choose to cover up problems rather than address or publicize them, in response to baseless conjecture about theoretical harm to a company’s bottom line. Regulation and government contracts mean your ultimate obligation is to the public. Arguments that “trade secrets” supersede obligations to the public are, in a word, horseshit. There is no legal basis for these assertions.

It is simply untrue, as a matter of law, that trade secrecy law must prevent the sovereign U.S. government from communicating urgent information to its citizens. For an agency to choose to “break” a private trade secret and share it with the public is no more shocking and no less legal than agencies’ well-established powers to exercise eminent domain over real property, or to use privately patented inventions on the public’s behalf.

There is no blanket exemption for so-called “trade secrets,” not when the safety and security of the public is on the line. To be sure, there are limitations to the federal government’s power, as the paper points out, but much of what has been assumed to be applicable in recent years simply isn’t an honest or accurate reading of the law. Instead, government agencies have been deferring to private companies when it comes to information releases instead of making their case and expecting companies to justify their opposition to transparency.

Morten’s paper doesn’t irresponsibly suggest government agencies blow the doors off corporate secrecy in all cases. Instead, it notes the status quo is unacceptable. The government does have the power to lift the lid off of corporate secrecy to ensure the public is not only safe, but fully informed. That it has chosen to side with corporate interests far too often is symptomatic of a problem, but one that can be reversed by regulators and government agencies. All it would take is a more thorough examination of private companies’ secrecy claims and the willingness to weigh those assertions against the interests of the public. The latter party is the one the government is supposed to serve and those interests should be given greater weight than they have been in recent years. The government owes us, not the companies it oversees or does business with. It’s long past time to change the calculus on corporate transparency when corporations do business with public servants.

Filed Under: christopher morten, foia, governments, secrecy, transparency

Even Officials In The Intelligence Community Are Recognizing The Dangers Of Over-Classification

from the apparently-we-can't-trust-the-people-that-have-granted-the-government-this-p dept

The federal government has a problem with secrecy. Well, actually it doesn’t have a problem with secrecy, per se. That’s often considered a feature, not a bug. But federal law says the government shouldn’t have so much secrecy, what with the FOIA being in operation. And yet, the government feels compelled to keep secrets from its biggest employer: the US taxpayers.

Over-classification remains a problem. It was a problem long before a government contractor went rogue with a massive stash of NSA documents, showing that many of the government’s secrets should have been shared or, at the very least, more widely discussed as the government turned 9/11 into a constitutional bypass on the information superhighway.

Since then, efforts have been made to dial back the government’s proclivity for classifying documents that pose no threat to government operations and/or government security. In fact, the argument has been made (rather convincingly) that over-classification is counterproductive. It’s more likely to result in the exposure of so-called secrets rather than secure the blanket-exemption-formality that keeps secrets from the general public.

Efforts have been made to counteract this overwhelming desire to keep the public locked out of discussions about government activities. These efforts have mostly failed. And that has mainly been due to vague and frequent invocations of national security concerns, which allow legislators and federal judges to shut off their brains and hammer the [REDACT] button repeatedly.

But ignoring the problem hasn’t made the problem go away, no matter how many billions the federal government refuses to throw at the problem. Over-classification still stands between the public and information it should have access to. And it stands between federal agencies and efficient use of tax dollars. The federal government generates petabytes of data every month. And far too often, the agencies generating the data decide it’s no one’s business but their own.

It’s not just legislators noting the widening gap between the government’s massive stockpiles of data and the public’s ability to access them. It’s also those generating the most massive stashes of bits and bytes, as the Washington Post points out, using the words of an Intelligence Community official.

The U.S. government is drowning in its own secrets. Avril Haines, the director of national intelligence, recently wrote to Sens. Ron Wyden (D-Ore.) and Jerry Moran (R-Kan.) that “deficiencies in the current classification system undermine our national security, as well as critical democratic objectives, by impeding our ability to share information in a timely manner.” The same conclusions have been drawn by the senators and many others for a long time.

As this letter hints at, over-classification doesn’t just affect the great unwashed whose power is generally considered to be far too limited to change things. It also affects agencies and the entities that oversee the agencies — the latter of which are asked to engage in oversight while being locked out of the information they need to perform this task.

If there’s any good news here, it’s that the Intelligence Community recognizes it’s part of the problem. But this is just one person in the IC. It’s unlikely every official feels this way.

The government is working towards a solution, but its work is being performed at the speed of government — something further hampered by the back-and-forth of periodic regime changes and their alternating ideas about how much transparency the government owes to its patrons.

The IC letter writer almost sees a silver lining in the nearly opaque cloud enveloping agencies involved in national security efforts.

So far, Ms. Haines said, current priorities and resources for fixing the classification systems “are simply not sufficient.” The National Security Council is working on a revised presidential executive order governing classified information, and we hope the White House will come up with an ambitious blueprint for modernization.

The silver lining is “so far,” and the efforts being made elsewhere to change things. The rest of the non-lining is far less silver: the resources aren’t sufficient and the National Security Council is grinding bureaucratic gears by working with the administration to change things. If it doesn’t happen soon, changes will be at the discretion of the next administration. And the next administration may no longer feel streamlining declassification is a priority, putting projects that have been in the on-again, off-again works since Snowden’s exposés on the back burner yet again.

Our government will never likely feel Americans can be trusted with information about the programs their tax dollars pay for. But perhaps a little more momentum — this time propelled by something within the Intelligence Community — will prompt some incremental changes that may eventually snowball into actual transparency and accountability.

Filed Under: avril haines, classification, foia, jerry moran, over classification, ron wyden, secrecy, transparency

The Governor Who Thinks Examining HTML Is Criminal Hacking Is Now Working To Make Missouri's Public Records Laws Worse

from the thank-you-for-your-self-serving dept

Missouri Governor Mike Parson is perhaps best known these days for trying to convert a right-click menu option into criminal hacking with his relentless (and relentlessly uninformed) desire to turn the people who exposed a security flaw in the state’s Department of Education website into nefarious criminals.

Governor Parson seems to believe intimidation is better than accountability. Whatever can be used to deter normal people from exposing the shortcomings of better people (i.e., government employees) is fair game. For years, the state’s public records laws have served this same purpose: increasing the distance between the state’s government and the lowly people who have the misfortune of living in this state.

In 2016, the state’s laws were used to justify something that looked a whole lot like extortion. Non-profit group Reclaim the Records asked the state for birth and death records dating back to 1910. To be sure, this was a big ask. But it wasn’t nearly as big as the state agency portrayed it. According to the state’s Department of Health and Senior Services, compiling these records for release would involve more than 23,000 hours of labor at $42.50 an hour, resulting in a $1.5 million bill for services rendered.

This wasn’t acceptable to Reclaim the Records, which chose to hire a lawyer rather than issue a $1.5 million check to the Missouri government. Once the group lawyered up, the DHSS changed tack, informing Reclaim the Records it simply wouldn’t be releasing the data at all. It became apparent the agency was only interested in profiting from information it was required to collect and compile. Any third party with enough money could buy this data from the DHSS. But public records requesters were being asked to pay full retail plus a sizable markup for information the agency was obligated to turn over to them.

A few years later, the transparency rating of the state and its “sunshine law” took another hit when the state’s attorney general arrived in court to argue the government had a First Amendment right to withhold records. The AG deliberately conflated rights afforded to residents (the protection that allows them to make complaints about government officials without fear of retaliation) with the state government’s nonexistent right to withhold records under the First Amendment.

With the state governor and his office undoubtedly facing hundreds of public records requests related to his inexplicable decision to treat responsible reporting of security flaws as criminal hacking, the governor’s office is backing (and directing) efforts that will make it more difficult for public records requesters to obtain documents and data from government agencies.

Amending Missouri’s open records law to permit government agencies to withhold more information from the public — and charge more for any records that are turned over — is among Gov. Mike Parson’s priorities for the 2022 legislative session.

The changes, which were outlined in a presentation to Parson’s cabinet that was obtained by The Independent through an open records request, include a proposal to allow government agencies to charge fees for the time attorneys spend reviewing records requested by the public.

Such a change would reverse a recent Missouri Supreme Court ruling against Parson’s office that found attorney review time was not “research time” under the Sunshine Law and thus could not be charged.

Governor Parson wants to deter requests, which lends itself to the operation of a more opaque government. Fees are a big part of the amendment. But it also increases the number of records state agencies can withhold. State Rep. Bruce DeGroot is running interference for the governor, admitting in earlier statements that the governor directly approached him with suggestions on how to amend the law.

If the law passes, requests will become more expensive. They will also be less likely to be fulfilled.

DeGroot’s bill also redefines what is considered a meeting and makes it easier for agencies to destroy public records.

“It actually makes the Sunshine Law significantly more complex. It creates a lot more reasons that an attorney might find to treat records as closed,” said Dave Roland, director of litigation for the Freedom Center of Missouri, a libertarian nonprofit that promotes government transparency. And that, in turn, could increase the number of hours government attorneys spend reviewing records, driving up the cost.

The governor and his supporters want to make public records a pay-to-play game. Adding fee increases to release restrictions shifts a lot of power back to the state government, diminishing the power of residents to inform themselves about their government’s activities or to attempt to hold it accountable for misdeeds by using its own words and actions against it. The state government has no reason to do this other than the obvious one: to insulate itself from the limited power of the governed. But the government gets to make the rules and, without the presence of enough legislators who still feel obliged to serve the public, the government will probably get its way.

Filed Under: foia, freedom of information, mike parson, missouri, secrecy, transparency

There's a Growing Backlash Against Tech's Infamous Secrecy. Why Now?

from the the-time-has-come dept

“How Silicon Valley’s Tech Giants Use NDAs to Create a Culture of Silence,” stated a Business Insider piece on July 27, 2021. “To understand how Non-Disclosure Agreements (NDAs) have come to form the backbone of Silicon Valley’s culture of secrecy,” explained Matt Drange, “Insider reviewed 36 agreements shared by tech workers.” It showed how management mistakes and misconduct hide in the silence of those NDAs. “The secrecy is by design … leaving the true extent of wrongdoing in the workplace a mystery.”

“The use of NDAs, including in trivial or routine circumstances like visiting a tech office, is ironic in an industry that praises openness and transparency,” elaborated Shira Ovide in her New York Times newsletter. She called it an unnecessary “exercise of power.”

Yael Eisenstat, a former Facebook employee, criticized this power in a Washington Post OpEd on August 3, 2021. “A handful of technology companies have unprecedented – and unchecked – power over our daily interactions and lives. Their ability to silence employees exacerbates that problem, depriving the public and regulators of a means to analyze actions that affect our public health, our public square, and our democracy.”

This recent backlash against tech’s infamous secrecy is long overdue. It became possible as a result of a broader uprising against Big Tech, AKA the Techlash (tech-backlash). But for decades, it wasn’t the case. In the power relations between the tech giants and the media, journalists’ access to sources within those companies was tightly controlled, and “access has always been a bargaining chip.”

The Roots of Tech’s Secrecy Culture

In the mid-1990s, when the dot-com boom started to gather steam, Silicon Valley went from semiconductor fab plants in South San Jose to an industry of hot technologies. The tech coverage focused on the brilliance of the tech CEOs who were daring to take on established industries and old hierarchies. The consumers wanted a ‘backstage pass’ to those rock stars. Access was also all that the tech reporters wanted.

But the common experience for tech journalists was that if their coverage were critical or hard on the companies, their level of access would either go on hiatus or disappear altogether. Many of them complied with this tradeoff.

The most secretive company was always Apple. Tim Cook once said, “One of the great things about Apple is: We probably have more secrecy here than the CIA.”

By keeping the communication channels closed, the companies had leverage over those to whom they gave access. “If you want access to Apple, you can’t upset them,” a Gizmodo reporter described. “Apple and Google are masters of grooming reporters to do what they want and provide access only to folks they think will make them look good,” the freelance journalist Rose Eveleth explained.

The companies also increased their tendency to brief reporters “on background.” In this method, the tech PR teams and companies’ employees agree to talk, but the reporter cannot quote anything said in the conversation. Thus, the information cannot be transmitted to the readers. The experience can be infuriating, as Adrienne LaFrance from The Atlantic described: “I got through an entire interview with a product manager at Apple, only to be told, after the fact, that it was presumed to be ‘on background.’ ‘Everyone knows this is how we do things,’ a spokesman explained apologetically.”

Tech journalists and bloggers acknowledged getting used to “not having an oppositional journalistic culture.” Those who were asking the tough questions had to walk a tightrope, since the combination of access and unfavorable coverage was quite rare.

The Intensifying Revolt During the Techlash

The turning point in tech journalism followed Donald Trump’s victory in November 2016. According to research about the emerging tech-backlash, the pivotal year was 2017 as a result of various tech scandals, including foreign election meddling; disinformation wars; extremist content and hate speech; privacy violations; and allegations of an anti-diversity, sexual harassment, and discrimination culture. The accumulation of those issues created a profound sense of concern around content moderation, algorithmic accountability, and monopoly power. The companies’ secrecy became a means of evading responsibility.

“Corporations such as Apple, Google, and Uber have become infamous for their secrecy and unwillingness to comment on most matters on-the-record. Tech reporters, myself very much included, have not done enough to push them to do otherwise,” claimed Brian Merchant from Vice. He called on his fellow journalists to push back against these ossified norms: “I am no longer going to listen to a public relations representative try to change my mind ‘on background’ with unquotable statements attributable to no one. No reporter should, not when the stakes are as high as they are.”

His article, from July 2019, generated a ‘call to arms’ among leading journalists unwilling to propagate these norms any longer. It reflected a more profound change in the power dynamics between Big Tech and the journalists, who had had enough. Later on, the Covid-19 pandemic acted as an accelerator, and the Tech vs. Journalism battle intensified into a full-blown “cold war.” The stakes were even higher than before.

In June 2021, a Mother Jones piece took the allegations against the PR tactics to the next level. It focused on Amazon and described how it “bullies, manipulates and lies to reporters.” Amazon’s press team was accused of engaging in deceitful behavior. The tech reporters also pointed out that “Amazon has recently begun providing more access before a story is published,” but complained it is done “in limited and often unhelpful or unrelated ways, by offering things like off-the-record or background interviews with the press team or approved employees.”

It is often the case that the more important stories are coming from “un-approved” employees. This is how Casey Newton revealed Facebook’s content moderators’ working conditions in The Trauma Floor or Bodies in Seats exposés. The workers openly described how they developed severe anxiety while still in training and struggled with trauma symptoms long after they left.

Other tech employees, who experienced a reckoning around their companies’ role in society, also started approaching the reporters with allegations of corporate misdeeds. Some of them didn’t speak anonymously but instead put their name on it, agreeing to full exposure. The fact that whistleblowers experienced legal risks, retaliation, and emotional scars did not stop additional workers from joining their colleagues. Breaking their NDAs or handing them to a reporter are parts of this growing trend of employee activism.

“You can’t have it both ways,” Scott Thurm from Wired explained in an interview. “If you don’t give us access, then, of course, we are going to rely on other people to tell the story.” The current story is not the one the tech companies want the media to tell. However, in the Techlash, it is precisely what the media is doing.

Dr. Nirit Weiss-Blatt is the author of The Techlash and Tech Crisis Communication.

Filed Under: accountability, big tech, nda, secrecy, techlash, transparency