ACLU Suggests Jury Instructions Might Be A Fix For 'Missing' Police Body Camera Recordings

from the opting-out-of-creating-evidence-means-no-credit-for-not-trying dept

We've written plenty of posts about police body cameras -- how useful they can be and how useless they often are. What should result in additional law enforcement accountability has been turned into a mostly-optional documentation system. The new tech and its accompanying guidelines have done very little to increase accountability.

Body cameras are pretty much mainstream at this point, but when excessive force and/or misconduct are alleged, footage captured by police is often nonexistent. Officers disable recording equipment, delete footage, or simply claim the camera "malfunctioned." Some repeatedly "forget" to activate their cameras ahead of controversial arrests and interactions.

But what can be done about it? So far, law enforcement agencies have done little but promise to create more policies and guidelines -- ones that can continue to be ignored by officers who'd rather not create a permanent record of their actions. There's been some discipline, but what little of it there is hasn't been very severe. And stories of repeated tampering with recording devices in some agencies suggests what is in place isn't much of a deterrent.

The ACLU of Massachusetts has a suggestion: if missing/incomplete recordings are central to a prosecution or a civil rights lawsuit, a better deterrent might be to allow juries to impose evidentiary consequences for failures to record. From the ACLU's "No Tape, No Testimony" report [PDF]:

This instruction would tell the jury that, if it finds that the police unreasonably failed to create or preserve a video of a police-civilian encounter, it can devalue an officer’s testimony and infer that the video would have helped the civilian. If the jury finds that the case involves bad faith, such as the outright sabotage of body cameras, then it should be instructed to disregard officer testimony altogether.

This all tracks back to multiple lies told by officers that have been uncovered by cameras carried by citizens. In the Walter Scott shooting, the officer's narrative of a struggle over a Taser was rebutted by a cell phone recording that showed the officer shoot Scott in the back while he ran away from him and then dropping something that looked like the officer's Taser next to Scott's dead body. The ACLU's report lists several other shootings -- like Laquan McDonald's -- in which recordings directly contradicted official police reports.

While this instruction may encourage some officers to record more questionable arrests and stops, it may also encourage more law enforcement agencies to unofficially instruct officers to hold off on writing reports until after they've reviewed recordings. If there's no way of salvaging the incident, recordings will probably continue to disappear, but at least the officer's testimony will disappear right along with it, should the jury decided the missing/incomplete recording was a "bad faith" effort.

Officers have long relied on "our word against yours" to win testimonial battles. But if an officer cannot produce a recording of an encounter, lesser weight should be given to an "eyewitness" whose testimony could have easily been verified but who chose not to document the incident.

Filed Under: body cameras, jury instructions, police
Companies: aclu

ACLU Sues Government Over Unreleased FISA Court Opinions

from the make-with-the-secrets dept

The US government is still holding onto its opacity ideals while publicly touting transparency directives. The FISA court -- which presides over the NSA's surveillance programs -- has normally been completely shrouded in darkness. Things changed in 2013 after Ed Snowden began leaking documents.

Forced into a conversation about domestic surveillance, the administration responded with more transparency promises and the signing of the USA Freedom Act into law. The new law curtailed the collection of domestic business records (phone metadata and other third-party records) and required the court to make its opinions public following declassification reviews.

All well and good, but the government has apparently decided the new law only requires transparency going forward. FISA opinions dating back to 2001 still remain locked up, despite transparency promises and reform efforts.

The ACLU is now suing the government to force the release of over a decade's-worth of FISC opinions. Many of those still withheld contain rulings on issues that are the very definition of "public interest." The appendix to the motion [PDF] contains a list of opinions the ACLU would like to see released, including the following:

• The order authorizing Yahoo's bulk email scanning.
• Rulings on the FBI's use of NITs and other malware.
• Orders compelling "technical assistance" to weaken encryption or hand over code to the US government.
• Stingray deployments authorized by the FISA court.
• Possible First Amendment violations arising from the Section 215 program.
• A 2013 order detailing "unauthorized NSA surveillance."

The government would like these to remain secret, which is why it's interpreted the new law to only affect decisions reached after the implementation of the USA Freedom Act. But that runs counter to the whole point of surveillance reform and the administration's own transparency directives: to better inform the public about the government's actions. Transparency goes hand-in-hand with accountability and keeping these out of the public's hands does nothing to further either goal.

Filed Under: fisa court, fisc, foia, nsa, transparency
Companies: aclu

ACLU Dumps Docs On Social Media Monitoring Firm Geofeedia; Social Media Platforms Respond By Dumping Geofeedia

from the if-access-is-the-only-thing-you're-selling,-what-happens-when-it's-gone? dept

Surveilling citizens engaged in First Amendment-protected activity? That's just how Geofeedia rolls.

Records obtained by the ACLU show the private company pitched its "firehose" connection to Facebook, Twitter, and Instagram as a way to monitor the situation in Ferguson (during the 2014 protests) and "stay one step ahead of the rioters."

Geofeedia itself didn't do anything illegal. It simply provided a one-stop shop for social media monitoring of public posts. It's the way it was pitched that was a problem. Rather than sell it as a way to keep law enforcement informed of criminal activity, its sales team highlighted its usefulness in monitoring protestors and other First Amendment activity.

The documents the ACLU obtained show the company paid these three social media services for "firehose" attachments -- beefed-up API calls that allowed Geofeedia to access more public posts faster than law enforcement could do on its own.

Instagram had provided Geofeedia access to the Instagram API, a stream of public Instagram user posts. This data feed included any location data associated with the posts by users. Instagram terminated this access on September 19, 2016.

Facebook had provided Geofeedia with access to a data feed called the Topic Feed API, which is supposed to be a tool for media companies and brand purposes, and which allowed Geofeedia to obtain a ranked feed of public posts from Facebook that mention a specific topic, including hashtags, events, or specific places. Facebook terminated this access on September 19, 2016.

Twitter did not provide access to its “Firehose,” but has an agreement, via a subsidiary, to provide Geofeedia with searchable access to its database of public tweets.

Of all of these companies, only Twitter took proactive steps to prevent API calls from being used for proxy surveillance.

In February, Twitter added additional contract terms to try to further safeguard against surveillance. But our records show that as recently as July 11th, Geofeedia was still touting its product as a tool to monitor protests. After learning of this, Twitter sent Geofeedia a cease and desist letter.

Well, it's all over now. It's not just Twitter demanding Geofeedia stop turning its service into an extension of law enforcement's worst urges. It's everyone. The ACLU dumped its documents and, shortly after, the companies dumped Geofeedia.

After reviewing the report, Facebook cutoff Geofeedia’s access to commercially available data from its social platform and from Instagram, which it owns.

On Tuesday, Twitter said they were also cutting off the Chicago social media company’s access.

So much for the business model. Twitter cited its long-standing policy of preventing its service from being used as a surveillance tool -- a policy it exercised earlier this year when cutting off Dataminr's access to its APIs for selling its collected communications to US intelligence agencies.

Facebook simply stated that Geofeedia's API use was "unauthorized," something it probably should have realized well before the ACLU shamed it into cutting off the company's access.

Geofeedia, meanwhile, has stated it will meet with all "stakeholders," which apparently means Twitter, Facebook, and various government agencies. Users of these services haven't been invited to do anything more than vote with their digital feet.

For all the call-and-response, the underlying fact is that Geofeedia didn't have access to anything any individual user didn't. It may have had more of it faster and a front end that made surveillance/monitoring easier, but it wasn't gathering tweets or posts from private accounts or otherwise accessing anything not already viewable by the public.

But its sales tactics were a bit concerning. The company pretty much encouraged law enforcement agencies to engage in some very questionable monitoring.

Using Geofeedia’s analytics and search capabilities and following the recommendations in their marketing materials, law enforcement in places like Oakland, Denver, and Seattle could easily target neighborhoods where people of color live, monitor hashtags used by activists and allies, or target activist groups as “overt threats.” We know for a fact that in Oakland and Baltimore, law enforcement has used Geofeedia to monitor protests.

Geofeedia claims to be interested in protecting the civil liberties of Americans, while at the same time nudging law enforcement agencies towards undermining those protections. Because of that, it's now probably looking at handing out some refunds, seeing as its all-seeing-APIs have been cut off and all it can really offer at this point is part-owner positions in a fast-growing pariahship.

Filed Under: apis, government, monitoring, social media, surveillance
Companies: aclu, facebook, geofeedia, instagram, twitter

Feds Gagged Encrypted Communications Firm Open Whisper Systems Over Massively Overbroad Subpoena

from the and-then-backed-down dept

This morning the ACLU announced that it had convinced the government to remove a ridiculous gag order on a subpoena that had been sent to Open Whisper Systems, the makers of the popular Signal encrypted messaging app, and whose encrypted communication protocol is used by many others, including WhatsApp, Facebook and Google for their encrypted messaging offerings. It's not that surprising that a grand jury would issue a subpoena to Open Whisper Systems demanding "subscriber name, address, telephone numbers, email addresses, method of payment, IP registration, IP history logs and addresses, account history, toll records, upstream and downstream providers, any associated accounts acquired through cookie data, and any other contact information from inception to the present" for certain accounts being investigated. But, of course, Open Whisper Systems has basically none of that data. It "complied" with the subpoena to the extent that it could, which is basically that the only information it has is when the account was created and the last time it was accessed: As Marcy Wheeler rightly points out, the request itself is way too broad, covering information that the government is not allowed to ask for under ECPA (Electronic Communications Privacy Act). But, it's not like the government feels it needs to follow its own laws anyway...

The really concerning part about this, however, is that the subpoena came with an unnecessary and likely unconstitutional gag order. The gag order was, at least, bounded. After years of the DOJ issuing gag orders with no end date, at least this one was limited to one year. However, as the ACLU pointed out, a gag order needs to meet a pretty high bar to get over the fairly large First Amendment hurdle. And this one did not do that:

A magistrate judge signed the gag order, citing “reason to believe that notification of the existence of the . . . subpoena will seriously jeopardize the investigation [under prosecution by the grand jury], including by giving targets an opportunity to flee or continue flight from prosecution, destroy or tamper with evidence, change patterns of behavior, or notify confederates.”

Of course, those risks could be real, and the government’s need for secrecy in law enforcement investigations cannot be dismissed outright. But that general interest applies in virtually every criminal investigation, including those involving the public execution of search warrants. To meet the stringent First Amendment standard, any gag must be justified by something much greater. The First Amendment requires that to close courtrooms or seal evidence—and especially to prohibit a party from speaking publicly on a matter of public concern—the government demonstrate a compelling interest in secrecy, and it must apply that secrecy in the narrowest possible way. But instead, the government appears to seek blanket gag orders by default, without considering precisely what information can be disclosed without harm to its interests.

Open Whisper Systems went to the ACLU. The ACLU reached out to the government with a friendlier version of "WTF?" -- and the government basically backed down immediately, more or less admitting that the gag order was bogus:

To its credit, the government quickly agreed with us that most of the information under seal could be publicly disclosed. But the fact that the government didn't put up too much of a fight suggests that secrecy—and not transparency—has become a governmental default when it comes to demands for our electronic information, and critically, not everyone has the resources or the ability to work with the ACLU to challenge it.

OWS immediately recognized that even though the government required some secrecy over the subpoena, it did not need, nor could it justify, total secrecy. So OWS came to us, and we went to the government, which agreed to reverse its original demand for secrecy—and now OWS’s customers and the broader public can see for themselves just how wildly overbroad the government’s gag order was from the jump. And while this—the only one ever received by OWS—is now public, there are many more like it, hiding in the filing cabinets in the U.S. attorney’s offices across the country.

Of course, this leaves the big open question implied by the ACLU's statement above: how many other companies have also received unconstitutional gag orders, and simply complied? The larger tech companies have gotten much better (in the post-Snowden era) of pushing back against such gag orders, but for smaller companies it's likely that many are just complying, because they don't have either the resources or knowledge that this kind of thing is not actually allowed.

Filed Under: 1st amendment, encrypted communications, encryption, gag order, signal, subpoena
Companies: aclu, open whisper systems

ACLU Launching Campaign To Have President Obama Pardon Snowden

from the timed-to-the-movie dept

The ACLU has been hinting at this for the past few months, but with the end of President Obama's term in office coming up and coinciding with the launch of Oliver Stone's feature film about Ed Snowden, the ACLU, along with Amnesty International, are launching an official campaign to ask the President to issue a pardon for Ed Snowden. They'll be hosting a press conference Wednesday morning, where Snowden will show up via video (perhaps using Robot Snowden?) to discuss. Not surprisingly, the ACLU says they've lined up a bunch of "legal scholars, policy experts, human rights leaders, technologists and former government officials," who will all be supporting a pardon for Snowden.

There will also apparently be a sign-on form on the site PardonSnowden.org, which is currently locked up behind a password (get busy cracking that, NSA).

Not surprisingly, I think the president absolutely should pardon Snowden. I also think there's very, very, very little chance that he actually will. I wouldn't put the chance at 0% -- because it's possible. But I'd still put the likelihood in the single digits. I hope I'm wrong -- and I hope that the President recognizes why pardoning Snowden would be such a good thing, and an important part of his legacy. And I hope that the movie (which I have not seen) properly puts Snowden's actions in context (though I'm not entirely convinced Oliver Stone will do so). So, perhaps I'm wrong. But I just find it super unlikely that President Obama would stick his neck out and take a stand like that.

Filed Under: ed snowden, pardon, president obama, whistleblowing, white house
Companies: aclu

DOJ To Researchers: First Amendment Does Not Protect Violating Websites' Terms Of Services

from the SRO-only-in-the-court-and-not-much-here-to-grab-floor-space dept

The woefully out-of-date CFAA -- the product of panicked early-80s legislating in response to underdeveloped hacker fears -- continues to hold back research (both of the security and non-security kind) when not being wielded like the prehistoric weapon it is by the DOJ and multiple entities who prefer bludgeoning the messenger to fixing their broken systems.

Because of the ongoing misuse and abuse of a badly-written law (aided and abetted by some terrible court decisions), a group of academic researchers has decided to proactively sue the government over its terrible legislation, rather than wait around to get sued/indicted for attempting to determine if individual websites exhibit bias against certain users.

They've enlisted the help of the ACLU, which filed its suit against Attorney General Loretta Lynch back in June. The DOJ has responded with a motion to dismiss [PDF] that claims everything is wrong with the lawsuit, from the issue of standing to multiple failures to state a claim under the First and Fifth Amendments.

Plaintiffs fail to allege an injury in fact sufficient to meet the constitutional minimum of standing. Standing to assert pre-enforcement statutory challenges under the First and Fifth Amendments may exist where the statute in question regulates constitutionally protected conduct and a credible fear of prosecution exists. The challenged provision of the CFAA, however, does not facially regulate protected conduct, and the conduct in which plaintiffs intend to engage—deploying information-gathering software on the websites of non-consenting private entities—is not activity that the First Amendment protects. Moreover, plaintiffs fail to provide any facts indicating a credible threat that the challenged provision will be enforced against them: plaintiffs do not allege to have been investigated by law enforcement or threatened with an enforcement action; plaintiffs do not identify any cases in which the government has sought to enforce the CFAA for harmless terms of use violations that were not in furtherance another crime or tort; and the government has affirmatively stated that it has no intention to enforce the CFAA under the circumstances alleged here. Accordingly, plaintiffs are unable to assert an objectively credible threat of prosecution and, as a result, their complaint must be dismissed on standing grounds.

It is indeed difficult to sue to prevent things from happening, rather than suing to seek recourse after damage has been done. Speculating about future Constitutional violations is even less likely to succeed, as many courts tend to avoid tangling with any civil liberties questions not directly implicated by the case at hand. These two issues alone may find the court agreeing with the DOJ's assertions.

However, other assertions made by the government aren't as solid. While it is true the DOJ tends not to prosecute simple CFAA violations without a connection to other criminal activity, when it does choose to do so, it tends to respond with zealous, fear-based prosecution and incredibly severe sentence recommendations.

That the DOJ has magnanimously offered to not enforce the CFAA against the researchers at this point is heartening, as far as that promise goes. The DOJ may have no intention of doing so now, but if the researchers roll up on the wrong website and set some influential wheels to squeaking, that could change.

The DOJ is on less solid ground when it argues the CFAA does not create a chilling effect. It may be that the research effort (deploying bots to simulate job seekers, home buyers, etc.) is not a form of protected speech, but that doesn't mean speech -- and research efforts -- aren't being deterred by the badly-written and vaguely-interpreted law.

The government doesn't contend, however, that the results of the research won't be protected under the First Amendment -- just that the method of gathering the data isn't.

Here, plaintiffs allege that the challenged provision of the CFAA has chilled their desire to deploy software technology designed to gather information from the websites of private corporations without the permission of those corporations and in a manner that the relevant website terms of use expressly prohibit. The systemic collection of information from the websites of non-consenting private entities is not conduct the First Amendment protects, and thus plaintiffs are unable to assert a reasonable First Amendment chill with respect to that conduct.

[...]

Thus, just as there is no First Amendment right to gather information by personally travelling to a sanctioned country, and no First Amendment right to gather information by visiting a jail without the permission of the warden, and no First Amendment right to access information in electronic form rather than paper form, there is likewise no First Amendment right to gather information controlled by private entities by deploying a data-scraping computer program on the websites of those entities without their permission and in a manner that the entities explicitly prohibit.

And there's the chicken-egg problem with the First Amendment, which follows after the other chicken-egg dilemma of having to wait to be prosecuted (or threatened with prosecution) before being granted standing to challenge the government's enforcement efforts. To use the DOJ's cited equivalents, delivering the news is protected under the First Amendment. Gathering it, however, may not be.

What the DOJ doesn't spend any time explaining is why researchers might get the idea the government would come after them for performing this research. The DOJ has explicitly stated in the past that violating a website's terms of use violates the CFAA, making criminals of millions of pre-teens with Facebook or Twitter accounts. And the DOJ's own suggested rewriting of the CFAA looks to turn previous misdemeanors into felonies, including the sort of activity the researchers are proposing.

...knowingly and willfully traffics... in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section…

The rewrite removes a key phrase: "with intent to defraud." This excision turns the researchers' plan to search for bias in websites into an admission of felonious intent.

That being said, there's a good chance this lawsuit will be tossed quickly. The route to CFAA reform still flows (slowly and sometimes, stupidly) through Congress. Unfortunately, the stakeholders with the loudest voices are those who prosecute under the law, rather than those punished by it. Because of that barrier to true reform, efforts to attack the law from oblique angles are likely to appear periodically until the law is overhauled… or replaced with something worse.

Filed Under: cfaa, chilling effects, doj, first amendment, hacking, research
Companies: aclu

ACLU Seeks To Unseal Docket In FBI's Tor-Exploiting Takedown Of Freedom Hosting

from the keeping-the-public-at-arm's-length dept

The ACLU would like to take a closer look at the government's activities regarding its seizure of Freedom Hosting back in 2013. To date, the docket remains sealed -- as is the case in far too many DOJ prosecutions. In this case, the FBI basically took over Freedom Hosting to serve up its Network Investigative Tool to unmask anonymous Tor users.

The difference between this and its more recent NIT deployment in the Playpen child porn case is that many of those exposed by the malware weren't suspected of any wrongdoing. While letting the exploit run its course, the FBI also helped itself to TorMail's email database, later acquiring a warrant to access the contents of the seized communications.

The ACLU would like to take a look at the warrant authorizing the NIT deployment, especially in light of recent Playpen prosecutions where federal judges have found the warrant used invalid. But the first step is unlocking the docket itself, which remains blocked from public view. Joseph Cox of Motherboard was the first to report on the ACLU's recent filing.

The Washington Post recently confirmed that the FBI used a “network investigative technique” or NIT—the agency's term for a hacking tool—on the TorMail site. According to the article, the FBI had obtained a warrant to hack the owners of certain email accounts suspected of being involved in child pornography, and anonymous sources claimed that, with this approach, only suspects who had been linked to child pornography would be hacked.

But journalists, dissidents, and other individuals used TorMail too, and it seems that the error page was presented to every TorMail user—raising questions about how broad the operation really was.

“That the FBI engaged in a bulk hacking operation against all visitors to TorMail, which had many lawful, valid uses, raises serious concerns about the appropriateness of bulk hacking, and the extents to which courts should be authorizing and supervising such operations,” reads the motion to unseal the docket, which was written by ACLU attorneys Brett Kaufman, Nathan Wessler, and David Rocah and filed last week.

As the ACLU points out in its filing [PDF], the public should be apprised of the details of questionable actions taken by the FBI -- especially the contents of the warrant supposedly authorizing the bulk distribution of malware to Tor users who weren't suspects in criminal investigations.

Even if the government were to argue that unsealing the docket and the contents of the warrant would negatively affect future investigations/prosecutions (and it surely will argue this…), the court shouldn't find that assertion particularly compelling. From the motion to unseal:

Once the First Amendment right of access attaches, the burden to overcome it “rests on the party seeking to restrict access, and that party must present specific reasons in support of its position.” Access may only be denied if the party can demonstrate a “compelling governmental interest” in support of closure and prove that closure is “narrowly tailored to serve that interest.”

There is, to be sure, a legitimate governmental interest in protecting the integrity of an ongoing investigation. As the Fourth Circuit has recognized, however, “it is not enough simply to assert this general principle without providing specific underlying reasons for the district court to understand how the integrity of the investigation reasonably could be affected by the release of [the] information [sought].”

[...]

The malware warrant in question here was issued by this Court in mid-2013, and by the end of 2014 the sole prosecution known to the ACLU to have resulted from it had already been resolved. See Klein Press Release. The existence of the malware operation, moreover, has been officially acknowledged by the FBI. 2013 Pouslen Article. Thus, “the genie is out of the bottle” with respect to information the government may have once had a legitimate interest in protecting.

What remains secret, however, is the very “index” to the proceedings that authorized the deployment of malware. Perversely, then, the public is aware of the investigation’s existence, and experts have even been able to analyze the malware used by the government, but the most basic details regarding the circumstances under which this operation was judicially authorized remain hidden. The public has a vital interest in knowing this information, which would greatly contribute to the ongoing public debate about the use of malware by law enforcement, and the government has no legitimate interest in keeping it secret.

The deployment of malware by a law enforcement agency -- a deployment that affected website visitors from around the world -- using a single warrant issued by a single judge is something that has never specifically been addressed by legislators. When cases like this arrive, the DOJ is quick to point out that the lack of a specific legislative permission slip should be construed as a lack of definitive "no," rather than a suggestion the agency shouldn't allow its reach to extend its statutory grasp.

But despite having the permanent ear of many sympathetic legislators, the FBI has never sought to codify its questionable hacking tactics. The closest it's come is the proposed Rule 41 changes, which would allow the agency to obtain a search warrant from the most accommodating magistrate judges and deploy them in jurisdictions where permission might not be so easily obtained.

As the ACLU points out, the FBI's refusal to discuss this openly with legislators is being aided and abetted by courts far too willing to lock up any supposedly public documents the DOJ feels the public -- including legislators -- shouldn't be able to access.

“The breadth and potency of malware as a law-enforcement tool raises concerns that can only be properly debated if legislators and the general public are aware of instances in which it is being used, the ways in which law enforcement seeks to use it, and the extent of judicial supervision,” the motion reads. “The sealing of docket sheets with warrants authorizing the use of malware prevents this critical public debate from happening, in violation of the public’s right of access.”

Allowing the government to maintain this secrecy only encourages further abuse of existing statutes. The longer secrets can be protected, the longer the FBI can use questionable methods backed by even more questionable legal authority. The DOJ's insistence on secrecy in all things tech-related has led it to directly encourage parallel construction, order prosecutors to drop cases rather than reveal means and methods, and basically turn normal law enforcement into Black Ops: Domestic Edition.

Filed Under: exploits, fbi, malware, tor
Companies: aclu, freedom hosting

EFF, ACLU Asks Ninth Circuit Court To Rehear Two Recent CFAA Cases

from the let's-not-criminalize-even-MORE-common-activity dept

The EFF and ACLU are pushing the Ninth Circuit Court of Appeals to hold full en banc rehearings (with all 11 judges, rather than just three) of two recent CFAA-related cases. The first case, US v. Nosal, is the more (in)famous of the two. In this decision, the court read the language of the CFAA broadly enough to criminalize a mostly-harmless everyday activity participated in by thousands of Americans: password sharing.

The court tried to couple this with some "authorization" wording to make it appear as though the court wouldn't entertain frivolous prosecutions using interpretation of the CFAA, but that gives the court (and the DOJ) far more credit than they have earned.

The other case -- Facebook v. Power Ventures -- is dangerous in its own way, even if it involves two private companies, rather than the US government's prosecutorial arm. The same appeals court didn't go quite as far as it did in the Nosal decision in terms of criminalizing password sharing, but instead made the district's stance even more confusing by arriving at a seemingly-contradictory conclusion.

The Ninth Circuit found that Power Ventures violated the CFAA when it accessed Facebook’s data after receiving the cease and desist letter, on the ground that the letter gave the company notice that Facebook had revoked its authorization to access users’ Facebook accounts. The court acknowledged that Facebook users could give Power Ventures valid authorization to access their accounts without running into a CFAA violation—the step back from Nosal II’s blanket criminalization of password sharing. That was true even though Facebook’s terms of service expressly prohibit password sharing or letting anyone else use your account.

"Seemingly" is the key word. The conclusion reached by the three-judge panel finds no bright line for determining authorized access, instead opting for a reading that leaves it all up to the party moving forward with a lawsuit/prosecution. Here's Mike attempting to make some sense of the ruling:

At what point is access revoked? Does it require a full cease and desist letter? Or what if I add a drop-down telling visitors from certain IP addresses they're not welcome? What if I just type here that visitors from the state of New York are no longer allowed to visit Techdirt? If they continue to do so, is that a potential CFAA violation in the making? The same court has already ruled that a mere terms of service violation is not a CFAA violation but where's the line between a terms of service violation and a cease-and-desist letter? Or me just telling you to stop visiting my website? It seems wide open to abuse.

At best, the decisions -- when taken together -- are an incoherent mess. At worst, they're vehicles for bogus lawsuits and prosecutions, taking the CFAA even further away from its original intent: to punish malicious hackers/criminals who break into accounts, servers, etc. So, rather than activity simply being a violation of corporate policies and Terms of Service, it's now also a potential violation of federal law. The Ninth Circuit Appeals Court has, in two decisions, created a hefty, new CFAA book to be thrown at violators, who now might see themselves facing federal prosecution, rather than a writeup in their personnel file or a suspended account.

If nothing else, a full en banc hearing would at least hopefully generate a coherent, more-unified stance from the Appeals Court. The two decisions are not polar opposites, but there is some friction. The downside, of course, is that the full panel will create an even worse interpretation of the CFAA. But, even if so, at least those residing in the Ninth Circuit will know where they stand when it comes to "authorized" access, password sharing, etc.

[Nosal petition PDF] [Power Ventures petition PDF]

Filed Under: 9th circuit, authorized access, cfaa, hacking
Companies: aclu, eff

ACLU Challenges Gag Orders Issued To Tech Companies By The DOJ

from the hey,-we-notified-SOMEBODY...-that-counts-for-something dept

The ACLU is hoping to intervene in Microsoft's legal battle against the government, challenging gag orders attached to warrants and subpoenas issued under the Electronic Communications Privacy Act (ECPA). Microsoft sued the DOJ back in April, arguing for the right to notify customers that their communications and data have been handed over to the government.

Microsoft didn't have a problem with the government's gag orders in every case. It's just that the demand for secrecy accompanied more than half of the ~300 orders per month Microsoft receives. And nearly 70% of those gag orders arrived with no fixed end date.

The ACLU petitioned the court to intervene in the case on its own behalf, citing its position as a Microsoft customer. The DOJ filed a motion to dismiss Microsoft's lawsuit, hoping the court will find Microsoft has no standing to challenge gag orders on its customers' behalf. The ACLU is trying to prevent this from happening until the DOJ addresses the issues raised by the ACLU's (attempted) intervention. In its opposition [PDF] to the DOJ's motion, the ACLU points out that the government's "no standing" argument pretty much nullifies any sort of due process for Microsoft customers (including the ACLU) who've been targeted by the DOJ's super-secret warrants, relegating them to a Kafka-esque legal purgatory.

The government attempts to insulate its refusal to provide notice from judicial review, arguing that neither Microsoft nor the ACLU has standing to raise these important constitutional questions. By the government’s logic, Microsoft does not ever have standing to defend its customers’ right to notice, and Microsoft’s customers, including the ACLU, may not defend their own right to notice until after they receive the primary relief they would seek—that is, notice. In the government’s view, the only plaintiffs who have standing to sue for notice are those who have already gotten it, and those deprived of notice forever have no ability to seek a remedy at all. That is not the law.

The hope here is to not only find the open-ended gag orders unconstitutional, but also the law granting this secrecy -- the ECPA -- unconstitutional as well. The shift from physical "papers" to digital files was addressed by legislators in the worst way possible. The ECPA did away with the notification requirement attached to searches of physical places. When a home or business is searched, the owner or resident is served with a warrant. For electronic communications, a third party is approached. Legislators apparently felt as long as someone was notified, that was good enough -- even if that someone isn't the target of the search warrant.

That's basically the government's argument: notice is served to the site of intrusion. If the affected parties don't actually reside there (but their "papers" do), too bad.

The government’s argument conflates a historical anachronism with a constitutional principle. The government is correct that officers traditionally provided Fourth Amendment notice at the physical site of the intrusion. But that is so because, for the first 175 years of the Fourth Amendment’s application, it was understood to cover primarily physical trespasses. See Katz, 389 U.S. at 353. As a result, notice provided at the site of the intrusion was notice to the individual whose Fourth Amendment rights were at stake. It is no surprise, therefore, that Federal Rule of Criminal Procedure 41 reflects that historical context. Under Rule 41(f), an officer executing a warrant must “give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken or leave a copy of the warrant and receipt at the place where the officer took the property.”

The ECPA is the DOJ's argument committed to paper. Notice only needs to be provided to the third party where communications and documents are held. To ensure the party whose documents/communications are being taken is kept out of the loop, the DOJ takes the wording of the law to heart and ignores the intent behind the Fourth Amendment protections granted to citizens.

The ECPA does not require the government to provide notice when it relies on a warrant, and so the government now routinely searches and seizes individuals’ electronic communications without providing any notice—delayed or otherwise—to those whose private information it has obtained. According to Microsoft’s Complaint, nearly half of the federal demands it has received under ECPA in the last eighteen months were accompanied by gag orders, the majority of which contained no time limit. Accordingly, a substantial portion of the individuals whose electronic communications the government demands from Microsoft receive no notice whatsoever, from either the government or Microsoft.

The law undercuts the Fourth Amendment by preventing those affected from challenging the lawfulness of the search or seeking redress through the judicial system for violations. Gag orders that run indefinitely allow the government to avoid being held accountable for any wrongdoing. In addition, the service of warrants to third parties is done without any meaningful oversight, putting the DOJ in the position of policing itself -- something it does with no particular enthusiasm or effectiveness.

Filed Under: doj, ecpa, gag order, standing, subpoena, surveillance, warrants
Companies: aclu, microsoft

ACLU Files Challenge To CFAA Over Blocking Research Into Discrimination Online

from the fix-the-cfaa dept

There's been a lot of talk lately about the possibility of discrimination being built into the algorithms that determine our lives. In the past year, multiple publications have discussed what happens when algorithms are racist in a time when algorithms decide more and more of our lives. Just recently, we talked about judges using proprietary algorithms in sentencing, and how those algorithms themselves may judge people based on things like skin color. And just a few days ago, there was a fascinating NY Times article about inherent bias in artificial intelligence systems. I even went to a conference recently, where there was a whole discussion on the question of what do you do "if your algorithm is racist." It's not an easy question to answer, honestly, but one thing that we should not be doing is holding back research into these systems.

And yet... that's exactly what's happening. And the culprit, once again, is the Computer Fraud & Abuse Act (CFAA), which we've written about for years. The law, which is woefully out of date, and was passed (literally) by a Congress that was freaked out over the movie WarGames, is supposed to target evil "computer hackers." But it's written so broadly, including terms like "unauthorized access" or "exceeding authorized access," that it's been used against things like violating a terms of service (that you didn't read or even agree to) or against downloading too many files. And that's scaring the hell out of researchers.

Given that, the ACLU has now filed a lawsuit on behalf a group of academic researchers, computer scientists and journalists who want to investigate these issues, but are held back by the CFAA.

Our plaintiffs want to investigate whether websites are discriminating, but they often can’t. Courts and prosecutors have interpreted a provision of the CFAA—one that prohibits individuals from “exceed[ing] authorized access” to a computer—to criminalize violations of websites’ “terms of service.” Terms of service are the rules that govern the relationship between a website and its user and often include, for example, prohibitions on providing false information, creating multiple accounts, or using automated methods of recording publicly available data (sometimes called “scraping”).

The problem is that those are the very methods that are necessary to test for discrimination on the internet, and the academics and journalists who want to use those methods for socially valuable research should not have to risk prosecution for using them. The CFAA violates the First Amendment because it limits everyone, including academics and journalists, from gathering the publicly available information necessary to understand and speak about online discrimination.

In terms of the specific challenge, the ACLU is arguing that it violates both the First Amendment and the due process clause of the Fifth Amendment. The crux of the First Amendment argument in the filing:

The Challenged Provision impermissibly burdens speech about business practices and other activity on the internet because websites can determine what speech and expressive activity to prohibit, and these prohibitions become criminal violations of the Challenged Provision. In other words, a website can explicitly target speech or expressive activities. For example, if a website’s terms of service provide that access by certain types of speakers (such as researchers) is unauthorized, or that engaging in certain speech (false or misleading speech, for example, or subsequent disparaging speech about the website) renders access unauthorized, then violations of those private terms of service become crimes through the phrase “exceeds authorized access” in the Challenged Provision. Such speech or expressive activity thus becomes prohibited under pain of criminal sanctions simply because it occurred on the internet.

Because the Challenged Provision incorporates websites’ terms of service into the federal criminal code, its applications are virtually infinite; any speech or expressive activity that the private operator of a website has prohibited as a condition of access to its website becomes a criminal violation, even where that prohibition covers speech subsequent to the visit and in a different forum. In a good number of cases, a website’s ToS will prohibit speech that cannot constitutionally be prohibited. Accordingly, although the Challenged Provision may have legitimate applications, its unconstitutional applications are substantial in relation to its legitimate scope.

There's some more as well, including the idea that setting up fake profiles to test a site for discrimination may be considered a terms of service violation and one that violates the free speech of the researchers.

As for the Fifth Amendment:

The Challenged Provision fails to notify ordinary people of what conduct is criminal because the phrase “exceeds authorized access” does not provide sufficient notice that an individual must comply with a website’s written terms of service at all times. The plain meaning of the phrase “exceeds authorized access” does not clearly cover instances where a website places no barriers, such as technological or physical barriers, to access by individuals.

While I've been quite vocal for years about the problems of the CFAA and how it chills a variety of activities, including ones similar to those described here, and while I have enormous respect for the ACLU, I do wonder how successful this case will be. Courts are not always happy to take on cases that can be seen as more "speculative" than over a clear issue (i.e., after someone's been charged with violating the CFAA for this kind of activity). At the same time, courts also like to avoid dealing with Constitutional questions, if they can avoid it -- and so far, multiple courts have rejected attempts to claim that mere terms of service violation violates the CFAA. So they can get out of handling the Constitutional question by just saying "well, that particular use is not a CFAA violation."

So while I think this is a really important issue, and I'd love to see a constitutional challenge to these aspects of the CFAA succeed, I'm at least somewhat skeptical of the chances of this particular case. Hopefully, I'm proven wrong.

Filed Under: 1st amendment, 5th amendment, academics, algorithms, cfaa, discrimination, journalism, research, terms of service
Companies: aclu