state department – Techdirt

DC Appeals Court Says CIA Can Continue To Withhold 35-Year-Old Memo Already Published By Another Gov’t Agency

from the DC:-CIA-A-OK dept

Certain government agencies are of the opinion that records requesters shouldn’t even be able to pry the documents they’re seeking from their cold, dead fingers. Long after anyone could be affected and long after the people who’ve created the documents have passed on to the Great Bureaucracy in the Sky, agencies are still refusing to relinquish paperwork that’s long past its (and its creators’) expiration date.

The CIA has been battling a FOIA request in court, using the unlimited amount of time and money it has at its disposal. At the center of the battle is a single memo that was written in 1989, shortly after the fall of the Berlin Wall and the eventual collapse of the USSR. Somehow, this document is too sensitive to be released to the public even though it has _already_ been (mostly) released to the public. (h/t Short Circuit)

Here’s the background on the document, as recounted by the DC Circuit Court of Appeals in its decision [PDF]:

In 1983, during the Cold War, Leonard H. Perroots, then an Assistant Chief of Staff for Intelligence in the United States Air Forces in Europe, allegedly recommended a course of action to his Commander in response to an elevated alert status demonstrated by the military forces of the Union of Soviet Socialist Republics (“Soviet Union”), which helped avert a nuclear crisis. Subsequently, in January 1989, Lieutenant General Perroots wrote an End of Tour Report Addendum (“Perroots Memo”) to detail the “chain of events” from 1983 to help the U.S. Intelligence Community learn lessons “as relates to our [Indications and Warning] capability and exercise planning.”

Thirty-two years later, the National Security Archive (which is not a government entity, despite its pretty official-sounding name) sent the CIA a FOIA request for Perroots’ 1989 memo. The CIA refused to hand over the memo itself, but gave the National Security Archive the memo’s cover letter, which did not even come close to fulfilling the request, much less the Archive’s desire to obtain the memo. The Archive sued the CIA, leading to this appeal.

But between the creation of the memo (1989) and the Archive’s request and ensuing litigation (2021), the CIA made the Archive aware of the existence of this document by pretty much publishing the memo in full.

In February 2021, the United States Department of State (“DOS”) published a transcribed version of the Perroots Memo in a volume of the Foreign Relations of the United States (“FRUS”) series documenting 1981–1988.

In order to engage in this publication, the State Department needed to get it declassified by the CIA. Those are the rules, and by the “rules,” I mean federal law. The State Department published the transcription, accompanied by a citation to its CIA source, as well as a written “thank you” to CIA staff for assisting in the declassification review.

The obvious point of the Archive’s request was to compare the transcription published by the State Department with the original memo. There may have been zero difference between the two. But we’ll perhaps never know because the CIA (the agency that apparently assisted the State Dept. with a declassification review) claims the document mostly made public more than 32 years after it was written is still far too sensitive to be turned over to the National Security Archive.

You would think the presumption of disclosure, the prior publication of the declassified transcription, and the age of the document itself would weigh in favor of the Archive. But you’d be wrong. Some secrets get to remain secrets forever, even if they’re (1) barely secret, (2) old enough to start worrying about 401(k) contributions, and (3) of significant historical interest.

The lower court took a look at the Archive’s case and the CIA’s counterarguments and decided to give the government the benefit of the doubt. Nothing has improved by moving up the judicial ladder. The CIA will get to keep its secrets even if it’s extremely improbable there’s anything in there of national security value.

While the DC Appeals Court agrees the Archive suffered a “concrete injury” when the CIA refused to release the original memo, it says the transparency-focused entity will just have to walk it off. It says the official acknowledgement of the document doesn’t prevent the CIA from using FOIA exemptions related to executive orders to refuse to release it. Nor does its apparent cooperation with the State Department in the release of the memo transcription change the FOIA equation.

According to its own previous rulings (which have been largely shaped by litigation involving agencies like the CIA due to the DC Circuit being the most common forum for federal entity targeting FOIA lawsuits), the government can both make a document public and refuse to release pretty much the same document when hit with a FOIA request.

As we have emphasized in our precedent, the mere public disclosure of information does not eliminate potential risks posed by further disclosure to national security interests—and cannot overcome an otherwise valid FOIA exemption.

Supposedly, there are still some secrets in this mostly public document. The National Security Archive doesn’t know what those might be. Neither does the general public. We just have to take the court’s word for it, along with the assertions made by the CIA directly to the judge in the lower court, which weren’t even about the presence of any sensitive info:

We reject these contentions because the record, as observed by the district court, contains classified, supplemental, ex parte, and in camera declarations which establish that the CIA was not involved in the disclosure of the Perroots Memo.

That’s it. That’s all the CIA did. It told the lower court it did not actually help the State Department with a declassification review of the Perroots Memo. Because it (allegedly) did not assist in declassification, it could still consider the memo “classified” and avail itself of multiple FOIA exemptions. The fact that the CIA did nothing to prevent the State Department from publishing a transcription of the memo suggests it had nothing it needed to keep the public from seeing. But when asked for the same document, it played hardball and managed to obtain a ruling saying it can continue to blow off future requests for this memo in seeming perpetuity.

This is a ridiculous outcome. The only way this can be overturned is if the National Security Archive can convince the Supreme Court that’s something worth doing. Considering there’s only a single memo at stake here, it seems unlikely to be something the nation’s top court would be interested in resolving. As it stands now, the CIA is free to invoke FOIA exemptions to withhold documents that are not only decades old, but have been released publicly in one form or another previously. That’s a big win for completely pointless opacity, which seems to be the kind of opacity national security related agencies tend to prefer.

Filed Under: 1st amendment, cia, dc circuit court, foia, lawsuit, national security, state department

As Sanctions Continue, Malware Purveyors Starting To Worry It Won’t Be As Easy To Sell Spyware To Bad People

from the mfers-out-there-griping-about-the-crops-they-planted dept

NSO Group rang the bell. Despite all of its ex-intelligence service expertise and backing from its government, it can’t un-ring it. What’s done is done. And the repercussions just keep on coming, paying back NSO for years of selling powerful phone exploits to some of the worst people on earth.

NSO got sanctioned, along with another Israeli malware merchant, Candiru, by the US Commerce Department following weeks of negative press initiated by the leak of a document allegedly listing entities targeted by NSO spyware. The list included journalists, activists, human rights lawyers, religious leaders, dissidents, and opposition leaders. What was pitched (at least publicly) as a way to combat crime and terrorism was instead being abused by powerful people to keep tabs on people they didn’t like.

NSO and Candiru weren’t the only ones hit with sanctions. Following a spyware-targeting executive order issued by President Biden, the blacklist was expanded, bringing in the State Department to add known abusers of phone exploits, as well as their friends and families, to the “keep out” list.

Earlier this month, the Treasury Department entered the arena, dropping sanctions on yet another spyware firm with Israeli ties, Intellexa. This was on top of sanctions handed down by the State Department last year, which put both of Dilian’s companies — Intellexa and Cytrox — on the Department’s “entity list.”

Cytrox’s flagship product is Predator, which has also been discovered infecting phones belonging to journalists, activists, and dissidents. Predator was at the center of a scandal in Greece, where multiple sanctioned exploit developers were implicated. But it was Cytrox’s exploit that was linked to the year-long surveillance of a US citizen by the Greek government.

But the latest sanctions affect more than just Intellexa. They also target those running the company, ensuring they can’t just rebrand or form another company to get out from under the Treasury Department’s edict.

Under the sanctions, Americans and people who do business with the U.S. are forbidden from transacting with Intellexa, its founder and architect Tal Dilian, employee Sara Hamou and four companies affiliated with Intellexa.

These sanctions, combined with the ones levied recently following Biden’s executive order, now have other malware purveyors worried they won’t be able to sell malware to bad people as easily as they used to. Lorenzo Franceschi-Bicchierai’s report for TechCrunch quotes several perturbed (but anonymous) malware purveyors who have probably developed very strong feelings about NSO and other competitors over the past couple of years.

The first two people quoted do their best to distance themselves from the likes of Cytrox/Intellexa and their apparently careless founder, pointing out that Dilian “moves like an elephant in a crystal shop” and was willing to sell to anyone “willing to pay.” Both of the anonymous sources have already gotten out of the phone exploit business, perhaps sensing the “human rights exploiters” market had been fully exploited.

The third person quoted by TechCrunch suggests that if exploit sellers can’t learn from this string of cautionary tales, they probably can’t be taught.

According to a third person working in the spyware industry, the sanctions against Dilian and his business associate Hamou should make the whole market have a moment of reflection.

“If I had to come back to work actively in this industry, and I couldn’t find an exclusive customer that is extremely trustworthy, [sanctions] would be a risk,” the third person said. “A company, however serious, can never be 100% sure about how its customers act, and the political developments that can embroil them.”

Of course, no one quoted in this article has any skin in the game. They’ve all gotten out of this particularly sordid business. Those that remain may figure they can outlast the current storm. Or maybe they just figure they’ll still be able to get away with selling to human rights abusers by tightening up internal security a bit.

What’s clear is that there will always be a market for phone exploits. And chances are, the entities interested in abusing these powerful tools will be willing to pay a premium for them. Greed and lax regulation have allowed several companies to get rich by helping autocrats become even more awful. There’s no permanent solution to this problem, but for now, what has been done to this point at least appears to be having some sort of deterrent effect.

Filed Under: sanctions, spyware, state department, surveillance
Companies: candiru, cytrox, intellexa, nso group

Court: You Can’t Add A Lie To An Already-Executed Warrant And Expect Everything To Be Constitutional

from the can't-beat-the-5th-by-ignoring-the-4th dept

This is not a fun case. It’s instructional, but it involves some pretty noxious criminal behavior. And that’s how these things work, usually. People who aren’t facing criminal charges rarely need to challenge warrants. They never need to challenge the evidence used against them because, well, no one’s using any evidence against them. (h/t FourthAmendment.com)

The background here is a series of sex crimes allegedly committed by Brian Raymond. Raymond worked for the US State Department and was staying at a government-leased property in Mexico City. An investigation involving the State Department, FBI, and local law enforcement was initiated after a drugged, naked woman was found screaming for help from Raymond’s balcony.

Further investigation uncovered recordings made by Raymond of him drugging women and molesting them while they were unconscious. When Raymond returned to the United States, he was interviewed by the State Department’s Diplomatic Security Service (DSS), which then obtained a search warrant for his two iPhones.

This is what the warrant stated, as recounted in the DC federal court decision [PDF]:

Specifically, the Phone Warrant authorized the search and seizure of those two phones, “for the purpose of identifying electronically stored data” reflecting records related to AV-1 [Adult Victim 1], sexual assaults more generally, and records “related to the research, purchase, possession, or use” of date rape substances. Law enforcement was further authorized, during the search, to press Defendant’s fingers to the Touch ID sensors of the two phones and to hold both phones to Defendant’s face “for the purpose of attempting to unlock the devices via Face ID.” Law enforcement acknowledged in the warrant, however, that these biometrics may not actually open either phone; sometimes, “a passcode or password must be used instead.” Agent Gajkowski offered an example in her affidavit: “when the device has been turned off or restarted.” Nothing in the warrant authorized law enforcement to obtain passcodes, however––only biometrics.

The warrant also noted the agents intended to use the pretext of a follow-up interview to seize the devices in a public setting. Failing that, the agents would approach him at the hotel and attempt to take the phones then. The agents met with Raymond and asked for his phones. Raymond said he was going to turn at least one of them off first. He also informed the agents, when asked, that they were secured by PINs, rather than biometrics. He also said he wanted to talk to a lawyer before handing over the phones. The DSS said this wasn’t an option and explained the warrant it had obtained. It then took the phones from Raymond and asked him for their passcodes. Raymond refused.

After all of this, the following statement was made as the agents placed the phones in evidence bags.

Agent Gajkowski announced, “The time is 12:26 Saturday, June 6th, and this concludes our interview and search and seizure warrant execution.”

Except Agent Gajkowski apparently didn’t mean what she said, at least not in the legal sense of those words.

Despite law enforcement’s announcement that they had executed the warrant, they returned twice, this time to the lobby of Defendant’s hotel.

Here’s why they did this:

Upon receiving that report, the prosecutor directed law enforcement “to go back and compel [Defendant] to open” his phones, evidently through biometrics. Agent Nelson testified, however, that he understood the prosecutor to have directed law enforcement to use biometrics and, if that method failed, “detain [Defendant] until he gives [law enforcement] pass[words].”

Well, the Fifth Amendment is kind of an issue here. Compelling someone to provide a password can be considered forcing them to testify against themselves. And if that’s the conclusion a court reaches, the evidence obtained is useless. Detaining someone until they cough up passwords adds other parts of the Constitution to the mix, which makes it even more likely any recovered evidence will be worthless.

So, now a bunch of agents and officers were gathered in the lobby of the hotel, in possession of nothing more than a (now-useless) search warrant and the slim hope they might be able to trick Raymond into unlocking his phones. (Emphasis in the original.)

Agent Nelson indicated that Mr. Raymond was “not under arrest” but that “[t]he search warrant compels [him] to open [his] phone” so they had to come back and “get [him] to open his phone.” Agent Gajkowski indicated that “law enforcement personnel [are] authorized to access fingers, including thumb onto the device, and further to hold the phone up to [his] face.” When asked if he could open the phone with a passcode, Mr. Raymond replied, “Yeah. If I’m compelled to do it, sure.” Feet away from both Defendant and Agent Gajkowski, Agent Nelson responded “you are,” i.e., Defendant was legally obligated to use passcodes to open the devices. Agent Gajkowski did not correct Agent Nelson to explain, as they both knew, that the warrant did not compel Defendant to open his phones with anything other than biometrics.

Raymond unlocked both phones and handed them to the agents who tried to change the passcodes but discovered they couldn’t without his Apple account password. They requested this from Raymond while making it far more clear he was not legally compelled to provide this password, much to the confusion of the person they had just lied to moments ago about compelled passcode production.

Then they came back an hour later to ask Raymond to enter his Apple account password so the agents could change the phones’ passcodes. He did this and agents once again left, taking with them the warrant they had stated had been executed in full nearly three hours earlier — a warrant that specifically did not authorize them to compel passcode production.

Based on what agents found on these phones, more warrants were requested, seeking content from several messaging services as well as from Raymond’s iCloud account. It’s unclear how much of this evidence will survive the fallout from this suppression order, though. The court says you can’t tell people a warrant says something when it doesn’t and you especially can’t do it when the warrant you have has already expired due to its previous execution.

Because the warrant expired at the conclusion of the first search, the second and third seizure of Defendant to effect law enforcement’s intended search was unlawful. And because the record does not establish that either iPhone in fact belonged to anyone other than Defendant, the contents of both phones are therefore presumptively subject to suppression. These facts, plus the fact that law enforcement would have had to have known that their return efforts to re-execute an expired warrant would be futile, require the suppression of the phones’ contents.

The warrant that supposedly backs the second and third visits with Raymond had no more power than a random page from a phone book.

A search warrant, like a pumpkin carriage, retains its magical properties only for a certain period of time. For example, after fourteen days, midnight strikes, and the search warrant loses its validity. Fed. R. Crim. P. 41(e)(2)(A)(i). Similarly, a warrant’s authority to search a person or premises expires when “the items described in the warrant h[ave] been seized.”

There are cases where searches can be “paused” mid-execution. The government cites a case where officers searching a car spent three days looking for a crowbar to open up the engine block, returning to finish the job after the warrant’s expiration. This isn’t like that, says the DC court. In the cases cited by the government, investigators encountered unexpected issues that made it impossible to fully carry out the authorized search. In this case, the obstacle was not only known, but it was listed in the warrant affidavit and acknowledged by the agents in their conversation with the prosecutor. (Emphasis in the original.)

[U]nlike in Gerber, law enforcement was not met by an unexpected, surmountable challenge. They were faced with passcodes that they anticipated Defendant might have activated, and acknowledged that their form of crowbar, biometrics, would not work under that circumstance. Nevertheless, despite understanding that they had executed the warrant and that a return trip would be futile, Agents Gajkowski and Nelson went one step further to compel not just biometrics but also Defendant’s entry of his passcodes, decidedly beyond the scope of the warrant and contrary to explicit instructions from the prosecutor to Agent Gajkowski before the execution of the warrant. That is not a reasonable, good faith extension of a half-executed warrant. That is a futile, illegal attempt to reanimate a warrant whose authority had already lapsed.

And that eliminates one of the government’s get-out-of-suppression cards:

There is no good-faith explanation for this conduct. To reiterate, Agents Gajkowski and Nelson knew that they had fully executed the Phone Warrant at the end of their first meeting with Defendant. Agent Gajkowski knew that any further interaction to unlock either phone would be futile, unless she somehow convinced or ordered Defendant to take a step not permitted by the warrant––passcodes. She knew that Defendant refused to voluntarily provide or enter them at the first interaction. Yet she returned with Agent Nelson, and permitted, by an act of omission, Agent Nelson to unlawfully compel Defendant to enter a passcode against Defendant’s will.

Nor could the evidence found on the phones have been “inevitably” discovered during the course of the investigation, and the subsequent warrants the government obtained relied heavily on this illegal search to find targets for further searches.

In this instance, there were no separate avenues of investigation that were occurring at the same time when the officers illegally searched Defendant’s phones. In the alternative where the officers did not compel Defendant to turnover his passcodes, the agents testified that they would have used the CIF to break into the phone. The evidentiary record establishes that it is indeed wholly speculative that CIF would have ever gained access to either phone’s contents, and even then precisely what would have been forensically imageable. The “brute force” method CIF would have employed has high variance; using brute force can take moments to open a phone, but it can also take years. In some instances, the phone never unlocks. This step alone injects enough uncertainty into this separate, hypothetical line of investigation to vitiate the Government’s invocation of the inevitable discovery doctrine. With no exception to the exclusionary rule on point, the Court must suppress the contents of both phones.

That’s the way it should be. The government should never be allowed to act like a warrant has no end date. Nor should it be allowed to lie about what the warrant authorizes. Unfortunately for Raymond, this probably isn’t going to get him off the hook. The most damning evidence against him was recovered from his iCloud account with a valid warrant — one that remains valid even if everything illegally obtained from the phones is stripped from the affidavit. He had two iPhones. It was inevitable he had an iCloud account, and investigators stated that searching his iCloud account would have been the next move, whether or not they were able to unlock the phones.

But what should be suppressed is suppressed. And that’s what matters. What happened here was an embarrassment on top of being an egregious, willing violation of someone’s rights.

Filed Under: 4th amendment, 5th amendment, biometrics, brian raymond, passcodes, passwords, state department, warrant

5th Circuit Continues To 5th Circuit, Issues Yet Another Version Of Its Injunction, This Time Including CISA

from the the-5th-circuit-is-where-law-goes-to-die dept

Look, I don’t want to suggest that maybe the 5th Circuit’s analysis on issues in the Missouri v. Biden case is not particularly well considered, but, um, it’s not at all clear that the 5th Circuit’s analysis on the Missouri v. Biden case is well considered. After all, the original ruling made a series of embarrassing factual errors, falsely presenting comments by White House officials as being about content moderation when they were not, and failing to highlight how certain speech was coercive beyond “we think it is.” It also failed to attribute many of the comments it quoted, so it was impossible to backtrack who said what and in what context, and further failed to distinguish between different platforms who acted very differently.

Even more pointedly, one of the big criticisms of the 5th Circuit ruling was that it provided no standards for understanding what activity crossed the line from government attempts at persuasion (legal) to government attempts at coercion (not legal). It just said that the activity by the White House, FBI, and CDC was over the line and coercive, while the activity of CISA, the State Department, and NIAID was not over the line (and therefore those entities were not limited by the injunction).

This lack of clarity as to why some agencies were included in the injunction and some were excluded is part of why the White House went to the Supreme Court to ask it to put the injunction on hold.

The Supreme Court did put the ruling on hold for a few days (and then a few more days) and then… did nothing. Really. If you look at the docket for this case at the Supreme Court site, you see that Justice Alito initially stayed the 5th Circuit injunction until Friday, September 22nd at 11:59pm.

Then, on the 22nd, he gave himself more time, to the following Wednesday the 27th at 11:59pm.

And on the 27th… he did… nothing. Nothing at all. To date that docket has not been updated, other than by the respondents in the case (basically Louisiana and Missouri) updating the court on things. I don’t know if this is because Alito forgot about it, or thought that it didn’t matter any more? Or because of some other confusion over what the 5th Circuit did in the interim.

On September 25th, the 5th Circuit withdrew the original injunction from the 8th. On September 26th, it withdrew the order from the 25th which withdrew the order from the 8th. It was suggested that it did this upon realizing that the order from the 8th was currently under review by the Supreme Court.

So… I guess the fact that Alito has ignored the docket and let his stay expire on the 27th meant that the injunction went back into effect… and now the 5th Circuit can issue another new injunction? Because that’s what it’s done. Yesterday the 5th Circuit basically issued more or less the same injunction that it issued on the 8th… except that this time, CISA is included among the enjoined parties (which was a piece of what the states had asked for when they asked the 5th Circuit to review the original ruling).

But all of this is procedurally weird. Not even getting into the injunction withdrawals and withdrawal of withdrawals, this new ruling wasn’t done en banc (with all the judges) or with any oral arguments. Just with the petition from the plaintiffs and the reply from the White House.

I mean, maybe that’s how the 5th Circuit rolls, but it all seems ridiculously ad hoc.

As is the case with the new ruling, which now adds in CISA as an enjoined party. I ran the two opinions through a diff checker, and they are literally the same, except where the original ruling said that while CISA did flag content to social media websites and hold meetings with them, it wasn’t coercive, now it suddenly says that it is. With basically no explanation whatsoever.

Seriously.

The new ruling includes ONE new paragraph saying “oh yeah, CISA too.”

Next, we examine CISA. We find that, for many of the same reasons as the FBI and the CDC, CISA also likely violated the First Amendment. First, CISA was the “primary facilitator” of the FBI’s interactions with the social-media platforms and worked in close coordination with the FBI to push the platforms to change their moderation policies to cover “hack-and-leak” content. Second, CISA’s “switchboarding” operations, which, in theory, involved CISA merely relaying flagged social-media posts from state and local election officials to the platforms, was, in reality, “[s]omething more.” Roberts, 742 F.2d at 228. CISA used its frequent interactions with social-media platforms to push them to adopt more restrictive policies on censoring election-related speech. And CISA officials affirmatively told the platforms whether the content they had “switchboarded” was true or false. Thus, when the platforms acted to censor CISA-switchboarded content, they did not do so independently. Rather, the platforms’ censorship decisions were made under policies that CISA has pressured them into adopting and based on CISA’s determination of the veracity of the flagged information. Thus, CISA likely significantly encouraged the platforms’ content-moderation decisions and thereby violated the First Amendment. See Blum, 457 U.S. at 1008; Howard Gault, 848 F.2d at 555.

This replaces the following paragraph in the original ruling:

Finally, although CISA flagged content for social-media platforms as part of its switchboarding operations, based on this record, its conduct falls on the “attempts to convince,” not “attempts to coerce,” side of the line. See Okwedy, 333 F.3d at 344; O’Handley, 62 F.4th at 1158. There is not sufficient evidence that CISA made threats of adverse consequences—explicit or implicit—to the platforms for refusing to act on the content it flagged. See Warren, 66 F.4th at 1208–11 (finding that senator’s communication was a “request rather than a command” where it did not “suggest[] that compliance was the only realistic option” or reference potential “adverse consequences”). Nor is there any indication CISA had power over the platforms in any capacity, or that their requests were threatening in tone or manner. Similarly, on this record, their requests—although certainly amounting to a non-trivial level of involvement—do not equate to meaningful control. There is no plain evidence that content was actually moderated per CISA’s requests or that any such moderation was done subject to non-independent standards.

There is no discussion as to why the court changed its mind. There is no discussion about the details of what made it persuasion in the first opinion, but coercion in the second opinion. There is… nothing.

To the argument that the White House made that this ruling provides them with no actionable details of how the line is drawn, the fact that the new ruling just rewrites this one paragraph, without details, to switch from “persuasion” to “coercion” is a disaster of jurisprudence.

It’s basically the 5th Circuit admitting that its decision on the difference is not driven by any test (like the rest of the opinion pretended it was setting up), but rather by its somewhat arbitrary whims.

That is not at all how courts should rule.

Beyond replacing that one paragraph with another, the opinions are effectively the same (a few other references to CISA were removed from the rest of the ruling about entities that were not violating 1st Amendment rights).

That does mean that the State Department and NIAID are still excluded from the injunction. But… it gives the government literally nothing to work from in determining what is allowed and what is stomping on people’s rights.

You have to imagine that the White House is going to turn around and go right back to Alito to say “yo, put this on hold until you can review.”

Filed Under: 1st amendment, 5th circuit, cisa, content moderation, fbi, jawboning, louisiana, missouri, niaid, samuel alito, social media, state department, supreme court, vivek murthy

5th Circuit Cleans Up District Court’s Silly Jawboning Ruling About the Biden Admin, Trims It Down To More Accurately Reflect The 1st Amendment

from the that's-much-better dept

We’re going to go slow on this one, because there’s a lot of background and details and nuance to get into in Friday’s 5th Circuit appeals court ruling in the Missouri v. Biden case that initially resulted in a batshit crazy 4th of July ruling regarding the US government “jawboning” social media companies. The reporting on the 5th Circuit ruling has been kinda atrocious, perhaps because the end result of the ruling is this:

The district court’s judgment is AFFIRMED with respect to the White House, the Surgeon General, the CDC, and the FBI, and REVERSED as to all other officials. The preliminary injunction is VACATED except for prohibition number six, which is MODIFIED as set forth herein. The Appellants’ motion for a stay pending appeal is DENIED as moot. The Appellants’ request to extend the administrative stay for ten days following the date hereof pending an application to the Supreme Court of the United States is GRANTED, and the matter is STAYED.

Affirmed, reversed, vacated, modified, denied, granted, and stayed. All in one. There’s… a lot going on in there, and a lot of reporters aren’t familiar enough with the details, the history, or the law to figure out what’s going on. Thus, they report just on the bottom line, which is that the court is still limiting the White House. But it’s at a much, much, much lower level than the district court did, and this time it’s way more consistent with the 1st Amendment.

The real summary is this: the appeals court ditched nine out of the ten “prohibitions” that the district court put on the government, and massively narrowed the only remaining one, bringing it down to a reasonable level (telling the U.S. government that it cannot coerce social media companies, which, uh, yes, that’s exactly correct).

But then in applying its own (perhaps surprisingly, very good) analysis, the 5th Circuit did so in a slightly weird way. And then also seems to contradict the [checks notes] 5th Circuit in a different case. But we’ll get to that in another post.

Much of the reporting on this suggests it was a big loss for the Biden administration. The reality is that it’s a mostly appropriate slap on the wrist that hopefully will keep the administration from straying too close to the 1st Amendment line again. It basically threw out 9.5 out of 10 “prohibitions” placed by the lower court, and even on the half a prohibition it left, it said it didn’t apply to the parts of the government that the GOP keeps insisting were the centerpieces of the giant conspiracy they made up in their minds. The court finds that CISA, Anthony Fauci’s NIAID, and the State Department did not do anything wrong and are no longer subject to any prohibitions.

The details: the state Attorneys General of Missouri and Louisiana sued the Biden administration with some bizarrely stupid theories about the government forcing websites to take down content they disagreed with. The case was brought in a federal court district with a single Trump-appointed judge. The case was allowed to move forward by that judge, turning it into a giant fishing expedition into all sorts of government communications to the social media companies, which were then presented to the judge out of context and in a misleading manner. The original nonsense theories were mostly discarded (because they were nonsense), but by quoting some emails out of context, the states (and a few nonsense peddlers they added as plaintiffs to have standing), were able to convince the judges that something bad was going on.

As we noted in our analysis of the original ruling, they did turn up a few questionable emails from White House officials who were stupidly trying to act tough about disinformation on social media. But even then, things were taken out of context. For example, I highlighted this quote from the original ruling and called it out as obviously inappropriate by the White House:

Things apparently became tense between the White House and Facebook after that, culminating in Flaherty’s July 15, 2021 email to Facebook, in which Flaherty stated: “Are you guys fucking serious? I want an answer on what happened here and I want it today.”

Except… if you look at it in context, the email has nothing to do with content moderation. The White House had noticed that the @potus Instagram account was having some issues, and Meta told the company that “the technical issues that had been affecting follower growth on @potus have been resolved.” A WH person received this and asked for more details. Meta responded with “it was an internal technical issue that we can’t get into, but it’s now resolved and should not happen again.” Someone then cc’d Rob Flaherty, and the quote above was in response to that. That is, it was about a technical issue that had prevented the @potus account from getting more followers, and he wanted details about how that happened.

So… look, I’d still argue that Flaherty was totally out of line here, and his response was entirely inappropriate from a professional standpoint. But it had literally nothing to do with content moderation issues or pressuring the company to remove disinformation. So it’s hard to see how it was a 1st Amendment violation. Yet, Judge Terry Doughty presented it in his ruling as if that line was about the removal of COVID disinfo. It is true that Flaherty had, months earlier, asked Facebook for more details about how the company was handling COVID disinfo, but those messages do not come across as threatening in any way, just asking for info.

The only way to make them seem threatening was to then include Flaherty’s angry message from months later, eliding entirely what it was about, and pretending that it was actually a continuation of the earlier conversation about COVID disinfo. Except that it wasn’t. Did Doughty not know this? Or did he pretend? I have no idea.

Doughty somehow framed this and a few other questionably out of context things as “a far-reaching and widespread censorship campaign.” As we noted in our original post, he literally inserted words that did not exist in a quote by Renee DiResta to make this argument. He claimed the following:

According to DiResta, the EIP was designed to “get around unclear legal authorities, including very real First Amendment questions” that would arise if CISA or other government agencies were to monitor and flag information for censorship on social media.

Except, if you read DiResta’s quote, “get around” does not actually show up anywhere. Doughty just added that out of thin air, which makes me think that perhaps he also knew he was misrepresenting the context of Flaherty’s comment.

Either way, Doughty’s quote from DiResta is a judicial fiction. He inserted words she never used to change the meaning of what was said. What DiResta is actually saying is that they set up EIP as a way to help facilitate information sharing, not to “get around” the “very real First Amendment questions,” and also not to encourage removal of information, but to help social media companies and governments counter and respond to disinformation around elections (which they did for things like misleading election procedures). That is, the quote here is about respecting the 1st Amendment, not “getting around” it. Yet, Doughty added “get around” to pretend otherwise.

He then issued a wide-ranging list of 10 prohibitions that were so broad I heard from multiple people within tech companies that the federal government canceled meetings with them on important cybersecurity issues, because they were afraid that any such meeting might violate the injunction.

So the DOJ appealed, and the case went to the 5th Circuit, which has a history of going… nutty. However, this ruling is mostly not nutty. It’s actually a very thorough and careful analysis of the standards for when the government steps over the line in violating 1st Amendment rights by pressuring speech suppression. As we’ve detailed for years, the line is whether or not the government was being coercive. The government is very much allowed to use its own voice to persuade. But when it is coercive, it steps over the line.

The appeals court analysis on this is very thorough and right on, as it borrows the important and useful precedents from other circuits that we’ve talked about for years, agreeing with all of them. Where is the line between persuasion and coercion?

Next, we take coercion—a separate and distinct means of satisfying the close nexus test. Generally speaking, if the government compels the private party’s decision, the result will be considered a state action. Blum, 457 U.S. at 1004. So, what is coercion? We know that simply “being regulated by the State does not make one a state actor.” Halleck, 139 S. Ct. at 1932. Coercion, too, must be something more. But, distinguishing coercion from persuasion is a more nuanced task than doing the same for encouragement. Encouragement is evidenced by an exercise of active, meaningful control, whether by entanglement in the party’s decision-making process or direct involvement in carrying out the decision itself. Therefore, it may be more noticeable and, consequently, more distinguishable from persuasion. Coercion, on the other hand, may be more subtle. After all, the state may advocate—even forcefully—on behalf of its positions

It points to the key case that all of these cases always lead back to, the important Bantam Books v. Sullivan case that is generally seen as the original case on “jawboning” (government coercion to suppress speech):

That is not to say that coercion is always difficult to identify. Sometimes, coercion is obvious. Take Bantam Books, Inc. v. Sullivan, 372 U.S. 58 (1963). There, the Rhode Island Commission to Encourage Morality—a state-created entity—sought to stop the distribution of obscene books to kids. Id. at 59. So, it sent a letter to a book distributor with a list of verboten books and requested that they be taken off the shelves. Id. at 61–64. That request conveniently noted that compliance would “eliminate the necessity of our recommending prosecution to the Attorney General’s department.” Id. at 62 n.5. Per the Commission’s request, police officers followed up to make sure the books were removed. Id. at 68. The Court concluded that this “system of informal censorship,” which was “clearly [meant] to intimidate” the recipients through “threat of [] legal sanctions and other means of coercion” rendered the distributors’ decision to remove the books a state action. Id. at 64, 67, 71–72. Given Bantam Books, not-so subtle asks accompanied by a “system” of pressure (e.g., threats and followups) are clearly coercive.

But, the panel notes, that level of coercion is not always present, but it doesn’t mean that other actions aren’t more subtly coercive. Since the 5th Circuit doesn’t currently have a test for figuring out if speech is coercive, it adopts the same tests that were recently used in the 2nd Circuit with the NRA v. Vullo case, where the NRA went after a NY state official who encouraged insurance companies to reconsider issuing NRA-endorsed insurance policies. The 2nd Circuit ran through a test and found that this urging was an attempt at persuasion and not coercive. The 5th Circuit also cites the 9th Circuit, which even more recently tossed out a case claiming that Elizabeth Warren’s comments to Amazon regarding an anti-vaxxer’s book were coercive, ruling they were merely an attempt to persuade. Both cases take a pretty thoughtful approach to determining where the line is, so it’s good to see the 5th Circuit adopt a similar test.

For coercion, we ask if the government compelled the decision by, through threats or otherwise, intimating that some form of punishment will follow a failure to comply. Vullo, 49 F.4th at 715. Sometimes, that is obvious from the facts. See, e.g., Bantam Books, 372 U.S. at 62–63 (a mafiosi-style threat of referral to the Attorney General accompanied with persistent pressure and follow-ups). But, more often, it is not. So, to help distinguish permissible persuasion from impermissible coercion, we turn to the Second (and Ninth) Circuit’s four-factor test. Again, honing in on whether the government “intimat[ed] that some form of punishment” will follow a “failure to accede,” we parse the speaker’s messages to assess the (1) word choice and tone, including the overall “tenor” of the parties’ relationship; (2) the recipient’s perception; (3) the presence of authority, which includes whether it is reasonable to fear retaliation; and (4) whether the speaker refers to adverse consequences. Vullo, 49 F.4th at 715; see also Warren, 66 F.4th at 1207.

So, the 5th Circuit adopts a strong test to say when a government employee oversteps the line, and then looks to apply it. I’m a little surprised that the court then finds that some defendants probably did cross that line, mainly the White House and the Surgeon General’s office. I’m not completely surprised by this, as it did appear that both had certainly walked way too close to the line, and we had called out the White House for stupidly doing so. But… if that’s the case, the 5th Circuit should really show how they did so, and it does not do a very good job. It admits that the White House and the Surgeon General are free to talk to platforms about misinformation and even to advocate for positions:

Generally speaking, officials from the White House and the Surgeon General’s office had extensive, organized communications with platforms. They met regularly, traded information and reports, and worked together on a wide range of efforts. That working relationship was, at times, sweeping. Still, those facts alone likely are not problematic from a First-Amendment perspective.

So where does it go over the line? When the White House threatened to hit the companies with Section 230 reform if they didn’t clean up their sites! The ruling notes that even pressuring companies to remove content in strong language might not cross the line. But threatening regulatory reforms could:

That alone may be enough for us to find coercion. Like in Bantam Books, the officials here set about to force the platforms to remove metaphorical books from their shelves. It is uncontested that, between the White House and the Surgeon General’s office, government officials asked the platforms to remove undesirable posts and users from their platforms, sent follow-up messages of condemnation when they did not, and publicly called on the platforms to act. When the officials’ demands were not met, the platforms received promises of legal regime changes, enforcement actions, and other unspoken threats. That was likely coercive

Still… here the ruling is kinda weak. The panel notes that even with what’s said above the “officials’ demeanor” matters, and that includes their “tone.” To show that the tone was “threatening,” the panel… again quotes Flaherty’s demand for answers “immediately,” repeating Doughty’s false idea that that comment was about content moderation. It was not. The court does cite to some other “tone” issues, but again provides no context for them, and I’m not going to track down every single one.

Next, the court says we can tell that the White House’s statements were coercive because: “When officials asked for content to be removed, the platforms took it down.” Except, as we’ve reported before, that’s just not true. The transparency reports from the companies show how they regularly ignored requests from the government. And the EIP reporting system that was at the center of the lawsuit, and which many have insisted was the smoking gun, showed that the tech companies “took action” on only 35% of items. And even that number is too high, because TikTok was the most aggressive company covered, and they took action on 64% of reported URLs, meaning Facebook, Twitter, etc., took action on way less than 35%. And even that exaggerates the amount of influence because “take action” did not just mean “take down.” Indeed, the report said that only 13% of reported content was “removed.”

So, um, how does the 5th Circuit claim that “when officials asked for content to be removed, the platforms took it down”? The data simply doesn’t support that claim, unless they’re talking about some other set of requests.

One area where the court does make some good points is calling out — as we ourselves did — just how stupid it was for Joe Biden to claim that the websites were “killing people.” Of course, the court leaves out that three days later, Biden himself admitted that his original words were too strong, and that “Facebook isn’t killing people.” Somehow, only the first quote (which was admittedly stupid and wrong) makes it into the 5th Circuit opinion:

Here, the officials made express threats and, at the very least, leaned into the inherent authority of the President’s office. The officials made inflammatory accusations, such as saying that the platforms were “poison[ing]” the public, and “killing people.”

So… I’m a bit torn here. I wasn’t happy with the White House making these statements and said so at the time. But they didn’t strike me as anywhere near going over the coercive line. This court sees it differently, but seems to take a lot of commentary out of context to do so.

The concern about the FBI is similar. The court seems to read things totally out of context:

Fourth, the platforms clearly perceived the FBI’s messages as threats. For example, right before the 2022 congressional election, the FBI warned the platforms of “hack and dump” operations from “state-sponsored actors” that would spread misinformation through their sites. In doing so, the FBI officials leaned into their inherent authority. So, the platforms reacted as expected—by taking down content, including posts and accounts that originated from the United States, in direct compliance with the request.

But… that is not how anyone has described those discussions. I’ve seen multiple transcripts and interviews of people at the platforms who were in the meetings where “hack and dump” were discussed, and the tenor was more “be aware of this, as it may come from a foreign effort to spread disinfo about the election,” coming with no threat or coercion — just simply “be on the lookout” for this. It’s classic information sharing.

And the platforms had reason to be on the lookout for such things anyway. If the FBI came to Twitter and said “we’ve learned of a zero day hack that can allow hackers into your back end,” and Twitter responded by properly locking down their systems… would that be Twitter “perceiving the messages as threats,” or Twitter taking useful information from the FBI and acting accordingly? Everything I’ve seen suggests the latter.

Even stranger is the claim that the CDC was coercive. The CDC has literally zero power over the platforms. It has no regulatory power over them and no law enforcement power. So I can’t see how it was coercive at all. Here, the 5th Circuit just kinda wings it. After admitting that the CDC lacked any sort of power over the sites, it basically says “but the sites relied on info from the CDC, so it must have been coercive.”

Specifically, CDC officials directly impacted the platforms’ moderation policies. For example, in meetings with the CDC, the platforms actively sought to “get into [] policy stuff” and run their moderation policies by the CDC to determine whether the platforms’ standards were “in the right place.” Ultimately, the platforms came to heavily rely on the CDC. They adopted rule changes meant to implement the CDC’s guidance. As one platform said, they “were able to make [changes to the ‘misinfo policies’] based on the conversation [they] had last week with the CDC,” and they “immediately updated [their] policies globally” following another meeting. And, those adoptions led the platforms to make moderation decisions based entirely on the CDC’s say-so—“[t]here are several claims that we will be able to remove as soon as the CDC debunks them; until then, we are unable to remove them.” That dependence, at times, was total. For example, one platform asked the CDC how it should approach certain content and even asked the CDC to double check and proofread its proposed labels.

So… one interpretation of that is that the CDC was controlling site moderation practices. But another, more charitable (and frankly, from conversations I’ve had, way more accurate) interpretation was that we were in the middle of a fucking pandemic where there was no good info, and many websites decided (correctly) that they didn’t have epidemiologists on staff, and therefore it made sense to ask the experts what information was legit and what was not, based on what they knew at the time.

Note that in the paragraph above, the one that the 5th Circuit uses to claim that the platform policies were controlled by the CDC, it admits that the sites were reaching out to the CDC themselves, asking them for info. That… doesn’t sound coercive. That sounds like trust & safety teams recognizing that they’re not the experts in a very serious and rapidly changing crisis… and asking the experts.

Now, there were perhaps reasons that websites should have been less willing to just go with the CDC’s recommendations, but would you rather ask expert epidemiologists, or the team who most recently was trying to stop spam on your platform? It seems kinda logical to ask the CDC, and wait until they confirmed that something was false before taking action. But alas.

Still, even with those three parts of the administration being deemed as crossing the line, most of the rest of the opinion is good. Despite all of the nonsense conspiracy theories about CISA, which were at the center of the case according to many, the 5th Circuit finds no evidence of any coercion there, and releases them from any of the restrictions.

Finally, although CISA flagged content for social-media platforms as part of its switchboarding operations, based on this record, its conduct falls on the “attempts to convince,” not “attempts to coerce,” side of the line. See Okwedy, 333 F.3d at 344; O’Handley, 62 F.4th at 1158. There is not sufficient evidence that CISA made threats of adverse consequences—explicit or implicit—to the platforms for refusing to act on the content it flagged. See Warren, 66 F.4th at 1208–11 (finding that senator’s communication was a “request rather than a command” where it did not “suggest[] that compliance was the only realistic option” or reference potential “adverse consequences”). Nor is there any indication CISA had power over the platforms in any capacity, or that their requests were threatening in tone or manner. Similarly, on this record, their requests—although certainly amounting to a non-trivial level of involvement—do not equate to meaningful control. There is no plain evidence that content was actually moderated per CISA’s requests or that any such moderation was done subject to non-independent standards.

Ditto for Fauci’s NIAID and the State Department (both of which were part of nonsense conspiracy theories). The Court says they didn’t cross the line either.

So I think the test the 5th Circuit used is correct (and matches other circuits). I find its application of the test to the White House kinda questionable, but it actually doesn’t bother me that much. With the FBI, the justification seems really weak, but frankly, the FBI should not be involved in any content moderation issues anyway, so… not a huge deal. The CDC part is the only part that seems super ridiculous as opposed to just borderline.

But saying CISA, NIAID and the State Department didn’t cross the line is good to see.

And then, even for the parts the court said did cross the line, the 5th Circuit so incredibly waters down the injunction from the massive, overbroad list of 10 “prohibited activities,” that… I don’t mind it. The court immediately kicks out 9 out of the 10 prohibited activities:

The preliminary injunction here is both vague and broader than necessary to remedy the Plaintiffs’ injuries, as shown at this preliminary juncture. As an initial matter, it is axiomatic that an injunction is overbroad if it enjoins a defendant from engaging in legal conduct. Nine of the preliminary injunction’s ten prohibitions risk doing just that. Moreover, many of the provisions are duplicative of each other and thus unnecessary.

Prohibitions one, two, three, four, five, and seven prohibit the officials from engaging in, essentially, any action “for the purpose of urging, encouraging, pressuring, or inducing” content moderation. But “urging, encouraging, pressuring” or even “inducing” action does not violate the Constitution unless and until such conduct crosses the line into coercion or significant encouragement. Compare Walker, 576 U.S. at 208 (“[A]s a general matter, when the government speaks it is entitled to promote a program, to espouse a policy, or to take a position.”), Finley, 524 U.S. at 598 (Scalia, J., concurring in judgment) (“It is the very business of government to favor and disfavor points of view . . . .”), and Vullo, 49 F.4th at 717 (holding statements “encouraging” companies to evaluate risk of doing business with the plaintiff did not violate the Constitution where the statements did not “intimate that some form of punishment or adverse regulatory action would follow the failure to accede to the request”), with Blum, 457 U.S. at 1004, and O’Handley, 62 F.4th at 1158 (“In deciding whether the government may urge a private party to remove (or refrain from engaging in) protected speech, we have drawn a sharp distinction between attempts to convince and attempts to coerce.”). These provisions also tend to overlap with each other, barring various actions that may cross the line into coercion. There is no need to try to spell out every activity that the government could possibly engage in that may run afoul of the Plaintiffs’ First Amendment rights as long the unlawful conduct is prohibited.

The eighth, ninth, and tenth provisions likewise may be unnecessary to ensure Plaintiffs’ relief. A government actor generally does not violate the First Amendment by simply “following up with social-media companies” about content-moderation, “requesting content reports from social-media companies” concerning their content-moderation, or asking social media companies to “Be on The Lookout” for certain posts. Plaintiffs have not carried their burden to show that these activities must be enjoined to afford Plaintiffs full relief.

The 5th Circuit, thankfully, calls out for an extra special smackdown Judge Doughty’s ridiculous prohibition on any officials collaborating with the researchers at Stanford and the University of Washington who study disinformation, noting that this prohibition itself likely violates the 1st Amendment:

Finally, the fifth prohibition—which bars the officials from “collaborating, coordinating, partnering, switchboarding, and/or jointly working with the Election Integrity Partnership, the Virality Project, the Stanford Internet Observatory, or any like project or group” to engage in the same activities the officials are proscribed from doing on their own—may implicate private, third-party actors that are not parties in this case and that may be entitled to their own First Amendment protections. Because the provision fails to identify the specific parties that are subject to the prohibitions, see Scott, 826 F.3d at 209, 213, and “exceeds the scope of the parties’ presentation,” OCA-Greater Houston v. Texas, 867 F.3d 604, 616 (5th Cir. 2017), Plaintiffs have not shown that the inclusion of these third parties is necessary to remedy their injury. So, this provision cannot stand at this juncture

That leaves just a single prohibition. Prohibition six, which barred “threatening, pressuring, or coercing social-media companies in any manner to remove, delete, suppress, or reduce posted content of postings containing protected free speech.” But, the court rightly notes that even that one remaining prohibition clearly goes too far and would suppress protected speech, and thus cuts it back even further:

That leaves provision six, which bars the officials from “threatening, pressuring, or coercing social-media companies in any manner to remove, delete, suppress, or reduce posted content of postings containing protected free speech.” But, those terms could also capture otherwise legal speech. So, the injunction’s language must be further tailored to exclusively target illegal conduct and provide the officials with additional guidance or instruction on what behavior is prohibited.

So, the 5th Circuit changes that one prohibition to be significantly limited. The new version reads:

Defendants, and their employees and agents, shall take no actions, formal or informal, directly or indirectly, to coerce or significantly encourage social-media companies to remove, delete, suppress, or reduce, including through altering their algorithms, posted social-media content containing protected free speech. That includes, but is not limited to, compelling the platforms to act, such as by intimating that some form of punishment will follow a failure to comply with any request, or supervising, directing, or otherwise meaningfully controlling the social-media companies’ decision-making processes.

And that’s… good? I mean, it’s really good. It’s basically restating exactly what all the courts have been saying all along: the government can’t coerce companies regarding their content moderation practices.

The court also makes it clear that CISA, NIAID, and the State Department are excluded from this injunction, though I’d argue that the 1st Amendment already precludes the behavior in that injunction anyway, so they already can’t do those things (and there remains no evidence that they did).

So to summarize all of this, I’d argue that the 5th Circuit got this mostly right, and corrected most of the long list of terrible things that Judge Doughty put in his original opinion and injunction. The only aspect that’s a little wonky is that it feels like the 5th Circuit applied the test for coercion in a weird way with regards to the White House, the FBI, and the CDC, often by taking things dramatically out of context.

But the “harm” of that somewhat wonky application of the test is basically non-existent, because the court also wiped out all of the problematic prohibitions in the original injunction, leaving only one, which it then modified to basically restate the crux of the 1st Amendment: the government should not coerce companies in their moderation practices. Which is something that I agree with, and which hopefully will teach the Biden administration to stop inching up towards the line of threats and coercion.

That said, this also seems to wholly contradict the very same 5th Circuit’s decision in the NetChoice v. Paxton case, but that’s the subject of my next post. As for this case, I guess it’s possible that either side could seek Supreme Court review. It would be stupid for the DOJ to do so, as this ruling gives them almost everything they really wanted, and the probability that the current Supreme Court could fuck this all up seems… decently high. That said, the plaintiffs might want to ask the Supreme Court to review for just this reason (though, of course, that only reinforces the idea that the headlines that claimed this ruling was a “loss” for the Biden admin are incredibly misleading).

Filed Under: 1st amendment, 5th circuit, biden administration, cisa, coercion, context, jawboning, joe biden, louisiana, missouri, persuasion, pressure, rob flaherty, section 230, state department, terry doughty, threats, white house

Senator Wyden Asks State Dept. To Explain Why It’s Handing Out ‘Unfettered’ Access To Americans’ Passport Data

from the having-fucked-around,-State-Dept.-now-in-process-of-finding-out dept

There are supposed to be limits on what the federal government can do with all the data it forces people to hand over in exchange for government services. But much of the limiting appears to be left up to the discretion of federal agencies. Discretion is the better part of valor, as they say. If these agencies are ever going to become valorous, they’re probably going to have to steal it.

Customs and Border Protection (CBP) has never exhibited much discretion when it comes to respecting rights. Whatever rights haven’t been waived into irrelevance by the “Constitution-free zone” have been routed around by asking third parties for data the CBP can’t legally obtain directly.

In 2018, a blockbuster report detailed the actions of CBP agent Jeffrey Rambo. Rambo apparently took it upon himself to track down whistleblowers and leakers. To do this, he cozied up to a journalist and leveraged the wealth of data on travelers collected by federal agencies in hopes of sniffing out sources.

A few years later, another report delved deeper into the CBP and Rambo’s actions. This reporting — referencing a still-redacted DHS Inspector General’s report — showed the CBP routinely tracked journalists (as well as activists and immigration lawyers) via a national counter-terrorism database. This database was apparently routinely queried for reasons unrelated to national security objectives and the information obtained was used to open investigations targeting journalists.

That report remains redacted nearly a year later. But Senator Ron Wyden is demanding answers from the State Department about its far too cozy relationship with other federal agencies, including the CBP.

The State Department is giving law enforcement and intelligence agencies unrestricted access to the personal data of more than 145 million Americans, through information from passport applications that is shared without legal process or any apparent oversight, according to a letter sent from Sen. Ron Wyden to Secretary of State Antony Blinken and obtained by Yahoo News.

The information was uncovered by Wyden during his ongoing probe into reporting by Yahoo News about Operation Whistle Pig, a wide-ranging leak investigation launched by a Border Patrol agent and his supervisors at the U.S. Customs and Border Protection’s National Targeting Center.

On Wednesday, Wyden sent a letter to Blinken requesting detailed information on which federal agencies are provided access to State Department passport information on U.S. citizens.

The letter [PDF] from Wyden points out that the State Department is giving “unfettered” access to at least 25 federal agencies, including DHS components like the CBP. The OIG report into “Operation Whistle Pig” (the one that remains redacted) details Agent Rambo’s actions. Subsequent briefings by State Department officials provided more details that are cited in Wyden’s letter.

More than 25 agencies, but the State Department has, so far, refused to identify them.

Department officials declined to identify the specific agencies, but said that both law enforcement and intelligence agencies can access the [passport application] database. They further stated that, while the Department is not legally required to provide other agencies with such access, the Department has done so without requiring these other agencies to obtain compulsory legal process, such as a subpoena or court order.

Sharing is caring, the State Department believes. However, it cannot explain why it feels this passport application database should be an open book to whatever government agencies seek access to it. This is unacceptable, says Senator Wyden. Citing the “clear abuses” by CBP personnel detailed in the Inspector General’s report, Wyden is demanding details the State Department has so far refused to provide, like which agencies have access and the number of times these agencies have accessed the Department’s database.

Why? Because rights matter, no matter what the State Department and its beneficiaries might think.

The Department’s mission does include providing dozens of other government agencies with self-service access to 145 million Americans’ personal data. The Department has voluntarily taken on this role, and in doing so, prioritized the interests of other agencies over those of law-abiding Americans.

That’s the anger on behalf of millions expressed by Senator Wyden. There are also demands. Wyden not only wants answers, he wants changes. He has instructed the State Department to put policies in place to ensure the abuses seen in “Operation Whistle Pig” do not reoccur. He also says the Department should notify Americans when their passport application info is accessed or handed over to government agencies. Finally, he instructs the Department to provide annual statistics on outside agency access to the database, so Americans can better understand who’s going after their data.

So, answers and changes, things federal agencies rarely enjoy engaging with. The answers are likely to be long in coming. The requested changes, even more so. But at least this drags the State Department’s dirty laundry out into the daylight, which makes it a bit more difficult for the Department to continue to ignore a problem it hasn’t addressed for more than three years.

Filed Under: cbp, data protection, operation whistle pig, passports, privacy, ron wyden, state department

State Department Report Repeats Talking Points From Group Who Wants To Ban All Porn

from the seems-odd dept

Last week the State Department released its United States Advisory Council on Human Trafficking Annual Report 2021, and it’s… a weird document in so many ways. Anti-human trafficking policy making is one of those issues that just seems to attract some very, very bizarre people — as you might have noticed from the world of Pizzagate and Q-Anon. Human trafficking is (1) a very real problem, (2) a very serious problem, (3) just generally horrific for all the reasons you know, but (4) happens way less than most people think (especially given how much people focus on it). Obviously, continued efforts to prevent all human trafficking are important, and so I can understand why the State Department set up this advisory council. However, they seemed to staff it with a bunch of folks who have a very clear incentive to play up the issue as much bigger and more threatening than it really is.

And perhaps that explains the report’s incredibly bizarre, incorrect, and just weird thoughts on the internet and Section 230 of the Communications Decency Act. First, they have a section that looks like it was directly written by The National Center on Sexual Exploitation (NCOSE), which, while you might think that’s a group with relevant expertise, is not. The group was founded in 1962 as “Morality in Media” and has spent decades trying to stop anything they deem to be smut. They only changed their name to NCOSE because it played better in the media to tie their anti-porn, anti-obscenity obsession to exploitation. They were also a major force behind FOSTA, which they always viewed as a step towards making all porn illegal.

One of the group’s big lobbying campaigns is to convince states to pass laws declaring pornography to be a “public health issue.” It’s not, of course, but this group’s entire existence doesn’t make much sense if they can’t convince more prudes that nekkid people are destroying society. Which, fine, if outlawing porn gets you off, do what you have to do, but I don’t see why the State Department needs to support that kind of nonsense. Yet, right in this report we get:

We recommend HHS, DOJ, and DHS address the gaps and issues relating to the intersection between pornography, human trafficking, and child sexual exploitation.

As of November 2020, 16 U.S. states have passed resolutions recognizing pornography as a public health issue. It is time that the federal government also take deliberate action to acknowledge the direct links between pornography and human trafficking and address it as a threat to society….

They also recommend that HHS “allocate resources to fund research on the public health harms of pornography.” They also cite the number of reports to NCMEC of suspected child sexual exploitation as proof that there’s a real problem — leaving out that (1) reports are not actual evidence of actual exploitation, (2) that social media has gotten better about reporting to NCMEC, and (3) that nuttiness like Q-Anon has resulted in tons of obviously bogus reports. But, no, they insist that such reports are proof of “a pervasive problem.”

And then there’s this:

In addition, the 94 United States Attorneys’ Offices are mandated to enforce federal obscenity laws. FBI agents, postal inspectors, and customs officers are responsible for investigating violations of federal obscenity laws. Pornography is the marketing department for sex trafficking. It has been shown to influence sex buying behaviors and much of it is produced by force, fraud, and coercion.[46] A robust enforcement of federal obscenity laws will therefore reduce the demand driving sex trafficking and protect those that are being victimized in the production of pornography. Therefore, we call upon federal law enforcement agencies to investigate and DOJ to prosecute federal obscenity laws actively, aggressively, and to the fullest extent of the law…

The claim that porn is “the marketing department for sex trafficking” seemed weird. It would be extreme already in just an NCOSE press release. It seems wholly irresponsible to put it into a State Dept. document. Meanwhile, I was wondering what the footnote was as evidence for this statement… and it’s citing a Jezebel article from 2018 about two porn actors (understandably!) complaining about abuse, violence, and boundary violations on set. That’s absolutely awful, but says nothing at all about how widespread this is and what any of that has to do with trafficking.

Then, the report suggests that Congress needs to update Section 230. Now, some of you might recall that we already did this. Congress — at NCOSE’s urging — passed FOSTA specifically to try to carve out sex trafficking activity from Section 230 protections. And so far, what it has done is made it significantly more difficult to find and capture actual sex traffickers while also putting the lives of sex workers at risk — often leading them to take risks that made it easier for traffickers to take advantage of them.

All in all, the evidence has shown that FOSTA has done the exact opposite of what was promised and has actually made sex trafficking worse.

But this advisory ignores all that and says we just need to take an even bigger sledge hammer to Section 230:

Sex trafficking of children and adults has proliferated online in part because Section 230 of the Communications Decency Act of 1996 (CDA) has been interpreted by federal and state courts to: 1) prohibit sex trafficking victims from suing websites that advertise them as being for sale; and 2) prevent states from enforcing criminal laws against websites that carry ads for sex trafficking. The technology industry has effectively used Section 230 to avoid responsibility for and profit from illegal activities that continue unabated on their platforms.* Despite the passage of the Allow States and Victims to Fight Online Sex Trafficking Act of 2017 tech-savvy internet traffickers have already leapt ahead using various ploys including utilizing foreign-based corporations and servers, which operate outside the reach of U.S. law, to advertise, exploit, and traffic American children on American soil.

Federal enforcement alone has proven insufficient in combating the growth of online commercial sexual exploitation of children. State, territorial, tribal, and local law enforcement must have the necessary digital forensics tools and clear authority to investigate and prosecute those who profit from these crimes. Additionally, removing civil immunity for companies that are complicit in child sexual exploitation on their platforms will create a necessary incentive for the technology industry to become proactive in protecting the most vulnerable in our society.

Therefore, we recommend Congress amend Section 230 of the CDA to empower victims and their attorneys, and states, territories, tribes, and localities to use all applicable criminal and civil laws to effectively combat human trafficking, including the commercial sexual exploitation of children online.

Except that as it stands right now, Section 230 already allows most of this. It has no impact on federal criminal law and, since the passing of FOSTA, does allow for both civil and state criminal lawsuits. And so far, those have been a disaster. Ambulance chasing lawyers going after Mailchimp for cash, because some company that wanted to become the next Backpage signed up to use Mailchimp to send out emails.

All of the “sources” in the 3 paragraphs above… point to NCOSE’s site, which again, is not a trustworthy or honest party in all of this.

I’m used to seeing this kind of nonsense from NCOSE all the time, but why is the State Department allowing its name and credibility to be used to launder this nonsense as if it’s legit?

Filed Under: 1st amendment, human trafficking, obscenity, porn, section 230, sex trafficking, state department, trafficking

NSO Spyware Used To Snoop On US State Department Employees Stationed In Uganda

from the just-another-day-at-work-for-NSO-Group dept

Israeli exploit seller NSO Group has long since reached the limits of its non-denials and deflection attempts. There’s only bad news on the horizon for the tech company, which would be a lot less disheartening for the company if it hadn’t been preceded by months of bad news.

Already considered morally suspect due to its decision to sell powerful phone hacking tools to human rights violators, NSO has since proven to be pretty much amoral. Investigations uncovering abuse of its spyware to hack phones of journalists and activists began to surface three years ago before a leaked database of alleged spyware targets was given to investigators and journalists. Since then, NSO has waged a losing battle with a seemingly endless onslaught of revelations that put its hacking tools in the hands of bad actors and its powerful spyware (Pegasus) in the phones of journalists, activists, lawyers, diplomats, politicians, and religious leaders.

NSO was sued by WhatsApp and Facebook in 2019 for using the messaging app to send malware to targets. It was sued by Apple just a couple of weeks ago for targeting iPhone users. It is facing investigations in a handful of countries, including its home base. It has been blacklisted by the US Commerce Department and its list of governments it can sell to has been drastically trimmed by the Israeli government, from 102 to 37.

The question now is: does NSO Group even feel it when news breaks about additional misuse of its spyware? Or does it just prompt an exasperated “what now?!” from its execs as it tries to figure out how to remain viable in the future? Whatever the case is, this latest revelation isn’t going to get its Commerce Department blacklisting lifted any time soon.

iPhones of at least nine U.S. State Department employees were hacked by an unknown assailant using sophisticated spyware developed by the Israel-based NSO Group, according to four people familiar with the matter.

The hacks, which took place in the last several months, hit U.S. officials either based in Uganda or focused on matters concerning the East African country, two of the sources said.

The intrusions, first reported here, represent the widest known hacks of U.S. officials through NSO technology.

The Reuters report says the source of the hacking hasn’t been identified. But one can assume it was entities opposed to whatever aims the US State Department hopes to achieve in Uganda, which apparently include simply trying to meet with opposition leaders. People don’t spy on people whose aims are allied with theirs. And attribution has limited worth. Entities willing to abuse spyware to hack the phones of political opponents — especially those operating under diplomatic immunity — aren’t really going to care if their wrongdoing is exposed.

And NSO only has to care now because it has spent years claiming it does everything it can to prevent misuse of its powerful malware — only to have that assertion exposed as a lie with six months of uninterrupted news releases showing its hacking tools have been misused multiple times by multiple entities. Accompanying this steady drip of news reports has been zero evidence of NSO’s asserted oversight or willingness to terminate contracts with entities who’ve abused its malware.

NSO’s response to this report is no different than its response to several others: it will do something about this now that it has made international headlines.

“If our investigation shall show these actions indeed happened with NSO’s tools, such customer will be terminated permanently and legal actions will take place…”

That’s meaningless. NSO claims it has no visibility into its customers’ actions and, if this is true, it has no way of investigating these claims. It’s all just noise, something almost less substantial than a “no comment.” The State Department’s response means more: it simply pointed to NSO’s blacklisting by the federal government. And that’s pretty much all that needs to be said by witnesses and victims of these hacking attempts. NSO is running out of bridges to burn. There will always be a market for easily abused malware. But it’s becoming much more difficult to keep these abuses secret and that’s what has harmed NSO the most.

Filed Under: malware, pegasus, spyware, state department, surveillance
Companies: nso group

Pompeo Says US May Ban TikTok; It's Not Clear That It Can

from the or-should dept

New day, new nonsense. Secretary of State Mike Pompeo did his Pompeo thing and went on Fox News saying that the US is looking at banning apps from China in the US, with a focus on TikTok, the incredibly popular social media app that is owned by the Chinese firm ByteDance:

The United States is “looking at” banning Chinese social media apps, including TikTok, Secretary of State Mike Pompeo said Monday.

Pompeo suggested the possible move during an interview with Fox News’ Laura Ingraham, adding that “we’re taking this very seriously.”

Pompeo was asked by Ingraham whether the United States should be considering a ban on Chinese social media apps, “especially TikTok.”

“With respect to Chinese apps on people’s cell phones, I can assure you the United States will get this one right too, Laura,” he said. “I don’t want to get out in front of the President [Donald Trump], but it’s something we’re looking at.”

It’s difficult to know where to start on this, but let’s at least start by admitting that TikTok has some sketchy issues. We’ve talked about how its content moderation practices may be driven from Beijing’s moral stance (despite denials) and there were recent claims from someone associated with Anonymous claiming to have reverse engineered TikTok, saying that it’s a security disaster (it’s not at all clear how accurate that is). At the same time, India just banned TikTok and other Chinese apps over security fears.

So there may be some legitimate concerns here, though a lot of that is based on innuendo and rumor rather than concrete evidence. And, again, we’ve seen this game before. The US spent years spreading security panic about Chinese networking equipment from companies like Huawei and ZTE, without ever actually proving any problems with the hardware (in fact, a massive US government investigation turned up nothing).

But, as we’ve noted, it’s often been difficult to tell where the complaints against Chinese networking hardware end, and where the lobbying from American telco equipment firms like Cisco begins, as there appears to be substantial overlap. There’s no evidence to say that’s true with this new story of an app ban, but it should be noted that Mark Zuckerberg is clearly very, very worried about TikTok, so the US banning the company that seems to be a favorite of the younger generation certainly wouldn’t be protested very much by Facebook.

That said, there are real legal questions about whether or not the US even could ban TikTok in the US. Under what law would they do so? While owned by ByteDance in China, TikTok has spent the last few years separating TikTok’s business from ByteDance, hiring a ton of people in the US and insisting that data from TikTok users is kept in the US (or Singapore) and not in China. ByteDance has also considered selling off TikTok to avoid these concerns.

So it seems incredibly likely that any effort to bar TikTok would raise a whole bunch of legal concerns — starting with a basic 1st Amendment concern. The US government can’t just say “you can’t use that social media app.” That may be how things work in China or India, but not in the US. And, of course, it would likely set off a chain reaction elsewhere as well. China already bans most major US apps and services, but we’re still dealing with a pointless trade war that would only be exacerbated by such a move.

There are plenty of reasons to be concerned about TikTok, its connections to China, and the security of the app. But none of that means that the US government has the right to just ban it. While Trump may want to pretend he’s a dictator, and Pompeo may want to pretend he works for a dictator, that’s not how any of this works.

Filed Under: apps, banning apps, china, mike pompeo, state department, tiktok
Companies: bytedance, tiktok

from the letting-the-passage-of-time-do-the-dirty-work dept

The shocking and brutal murder of Washington Post journalist Jamal Khashoggi by members of the Saudi Arabian government late last year was breathtaking in its audacity and execution. Lured to the Saudi consulate in Turkey by Saudi government officials, Khashoggi was strangled and dismembered by a team of Saudi security operatives.

Khashoggi was a legal resident of the United States, in self-imposed exile from Saudi Arabia as a result of the government’s treatment of dissidents. As a lawful resident, Khashoggi was technically protected by many of the same laws and rights US citizens are. While the US government limits those rights and protections when legal residents (but not citizens) travel out of the country, the US intelligence community still bears a “duty to warn” lawful residents of any violent threats against them.

The IC knew Khashoggi was a target of the Saudi government. It knew Riyadh had “something unpleasant” waiting for Khashoggi should he return to Saudi Arabia. A plan to lure Khashoggi back to Saudi Arabia was intercepted by US intelligence. No one knows whether Khashoggi was ever warned by US intelligence of these plans.

The Committee to Protect Journalists — along with the Knight Institute — wants to know if any attempts were made to inform the murdered journalist of Saudi Arabia’s plans. So far, the Office of the Director of National Intelligence has refused to publicly comment on the IC’s “duty to warn.” These two entities have filed FOIA requests seeking info about the IC’s duty to warn Jamal Khashoggi, asking each of the IC’s five components to release documents detailing their actions/inactions. These were filed shortly after news broke of Khashoggi’s murder. So far, none of the agencies have handed over any documents.

As the Knight Institute points out, there definitely should be documents related to Khashoggi and the government’s “duty to warn.”

Intelligence Community Directive 191 provides that, when a U.S. intelligence agency acquires information indicating an impending threat of intentional killing, serious bodily injury, or kidnapping directed at a person, the agency must “warn the intended victim or those responsible for protecting the intended victim, as appropriate.” The directive further obligates the agencies to “document and maintain records” on any actions taken pursuant to that duty.

“Document” is a key part of “document and maintain,” but so far, the IC agencies haven’t turned over any documents, or even admitted they have any. All five agencies have rejected the request for expedited processing and most haven’t even gotten around to deciding whether or not a fee waiver applies. So, the two entities have sued [PDF], hoping to jolt the Intelligence Community out of its complacency.

Documents pertaining to the IC’s duty to warn are extremely newsworthy… right now. The IC knows this just as much as the plaintiffs know this. But the IC has much more to gain by stonewalling these requests. If these agencies failed to pass on information to Khashoggi — in effect allowing him to end up in the hands of people who wanted him dead — it’s not going to reflect well on the IC. The longer it takes for the news to get out, the greater the chance a new obscenely-disturbing incident will grab the attention of the American public and allow it to walk away from any dereliction of duty unscathed.

If it does have documents and it did warn Khashoggi of the Saudi government’s plans for him, it would make little sense to withhold these facts and allow public perception to fill the void. But the IC tends to indulge in secrecy for secrecy’s sake, viewing frustrated requesters, Senators, and Congresspersons as a reward in itself.

Filed Under: duty to warn, foia, jamal khashoggi, journalism, state department, transprarency, us government
Companies: committee to protect journalists, knight institute