I kinda feel bad for the PR people at T-Mobile. This morning, CEO John Legere put out a completely bullshit statement pretending to respond to the accusations that its BingeOn program is throttling online video. It didn't address the actual issues, made statements that were clearly false, and then accused people questioning the program of being "jerks." That seemed weird, considering the widespread concerns about all of this combined with T-Mobile's attempt to brand itself as the only consumer friendly mobile service provider.
But, if you really wanted to undermine the idea that you're a "consumer-first" operation that "cares about the open internet" and had to pick one group that you shouldn't go off on an unhinged rant about, you'd probably pick EFF. The group, which has been around forever, is somewhat famous for its willingness to fight for the public's digital rights, and unwillingness to compromise its beliefs. It has regularly sued or challenged numerous big companies that have undermined privacy and the open internet, including AT&T and Google.
After giving a misleading response to the actual question, talking about "selecting the bitrate" (which is throttling not optimization), he then gives a little smile and says:
Part B of my answer is: Who the fuck are you anyway EFF? Why are you stirring up so much trouble and who pays you?
This has immediately resulted in widespread mocking across Twitter, with many people tweeting to Legere that they fund EFF and they care a lot more about EFF than T-Mobile:
@JohnLegere /I/ pay @EFF. And I pay T-Mobile. Take care: /one/ of those two things could change really quickly, and it isn't the EFF one.
I've emailed T-Mobile's PR people to find out if Legere really doesn't know what EFF is, or if he really thinks that EFF is somehow a front group for a company attacking T-Mobile. I doubt I'll hear much of a response. But if Legere wanted to totally undermine his pro-consumer position in a single sentence, I don't think he could have picked a much worse one than what he actually came out with.
On Monday we wrote about T-Mobile flat out lying about the nature of its BingeOn mobile video service -- and after a couple of days of silence, the company has come out swinging -- by lying some more and weirdly attacking the people who have accurately portrayed the problems of the service. As a quick reminder, the company launched this service a few months ago, where the company claimed two things (though didn't make it entirely clear how separate these two things were): (1) that the company would not count data for streaming video for certain "partner" companies and (2) that it would be "optimizing" video for all users (though through a convoluted process, you could opt-out).
There were a bunch of problems with this, starting with the fact that favoring some partner traffic over others to exempt it from a cap (i.e., zero rating) is a sketchy way to backdoor in net neutrality violations. But, the bigger issue was that almost everything about T-Mobile's announcement implied that it was only "partner" video that was being "optimized" while the reality was that they were doing it for any video they could find (even downloaded, not streamed). The biggest problem of all, however, was that the video was not being "optimized" but throttled by slowing down video.
Once the throttling was called out, T-Mobile went on a weird PR campaign, flat out lying, and saying that what they were doing was "optimizing" not throttling and that it would make videos stream faster and save users data. However, as we pointed out, that's blatantly false. Videos from YouTube, for example, were encrypted, meaning that T-Mobile had no way to "optimize" it, and tests from EFF proved pretty conclusively that the only thing T-Mobile was doing was slowing connection speeds down to 1.5 Mbps when it sensed video downloads of any kind (so not even streaming), and that actually meant that the full amount of data was going through in many cases, rather than an "optimized" file. EFF even got T-Mobile to admit that this was all they were doing.
So that makes the response of T-Mobile execs yesterday and today totally baffling because rather than actually respond to the charges, they've doubled down on the blatant lying, suggesting that either it's executives have no idea what the company is actually doing, or that they are purposely lying to their users, which isn't exactly the "uncarrier" way that the company likes to promote.
We'll start with the big cheese himself, CEO John Legere, whose claim to fame is how "edgy" he is as a big company CEO. He's now released a statement and a video that are in typical Legere outspoken fashion -- but it's full of blatant lies.
The video and the typed statement are fairly similar, but Legere adds some extra color in the video version.
Let's parse some of the statements. I'll mostly be using the ones from the written statement as they're easier to cut and paste, rather than transcribe, but a few from the video are worth calling out directly.
I’ve seen and heard enough comments and headlines this week about our Binge On video service that it’s time to set the record straight. There are groups out there confusing consumers and questioning the choices that we fight so hard to give our customers. Clearly we have very different views of how customers get to make their choices -- or even if they’re allowed to have choices at all! It’s bewildering …so I want to talk about this.
Of course, this is a nice, but misleading attempt to frame the conversation. No one is complaining about "giving choices to consumers." They're complaining about (1) misleading consumers and (2) providing a worse overall experience by throttling which (3) directly violates the the FCC's prohibition on throttling. The next part I'm taking from the video itself, rather than the printed statement, because Legere goes much further in the video, including the curses, which magically don't show up in the printed version:
There are people out there saying we’re “throttling.” That's a game of semantics and it's bullshit! That's not what we're doing. Really! What throttling is is slowing down data and removing customer control. Let me be clear. BingeOn is neither of those things.
This is flat out wrong and suggests Legere doesn't even know the details of his own service. As the EFF's tests proved (and the fact that YouTube videos are encrypted should make clear) T-Mobile is absolutely slowing down data. In fact, EFF got T-Mobile to confirm this, so Legere claiming it's "bullshit" is... well... bullshit!
But he's playing some tricky word games here, claiming that throttling is not just slowing down data, but also removing customer control. That's (1) not true and (2) also misleading. For all of Legere and T-Mobile's talk about "giving more options to consumers" or whatever, they're totally leaving out the fact that they automatically turned this on for all users without a clear explanation as to what was happening, leading to multiple consumer complaints about how their streaming videos were no longer functioning properly -- even for users on unlimited data plans.
Customer choice? Sure they could "opt-out" after through a convoluted process that many did not understand. But T-Mobile made the choice for all its users, rather than providing a choice for its customers to make.
Mobile customers don’t always want or need giant heavy data files. So we built technology to optimize for mobile screens and stream at a bitrate designed to stretch your mobile data consumption. You get the same quality of video as watching a DVD, but use only 1/3 as much data (or, of course, NO data used when it’s a Binge On content provider!). That's not throttling. That's a huge benefit.
Again, this is both wrong and misleading. There is no optimization. Legere is lying. They are 100% slowing down the throughput on video when they sense it. The EFF's tests prove as much. Yes, for some video providers when they sense lower bandwidth, they will downgrade the resolution, but that's the video provider optimizing, not T-Mobile. T-Mobile is 100% throttling, and hoping that the video provider downgrades the video.
But in cases where that doesn't happen then it doesn't save any data at all (the EFF test confirmed that the full video file still comes through, just slower).
Also, note the play on words "You get the same quality of video as watching a DVD." At first you think he's saying that you get the same video quality overall, but he's not. He's saying as a DVD, at 480p, which is lower than the 1080p that many HD videos are offered at. And that's what many people are complaining about -- that they'd like to watch videos at the full 1080p, but T-Mobile made the choice that they can't do that unless they go through a convoluted process to turn this off.
Rather than respond to any of this, Legere then claims that "special interest groups" and Google are doing this.... "to get headlines."
So why are special interest groups -- and even Google! -- offended by this? Why are they trying to characterize this as a bad thing? I think they may be using Net Neutrality as a platform to get into the news.
Wait, what? Google -- the same Google that absolutely refused to say anything publicly at all about net neutrality for years during the debate suddenly wants to get into the news by jumping on the net neutrality bandwagon? Does Legere have any idea how ridiculous that sounds? And it's not like Google has a problem getting into the news. And what about EFF and others? Does he really think they need to get extra news coverage?
But note the facts here: at no point does Legere respond to the actual charges leveled against the company. He then concludes by yelling at everyone for daring to complain about this:
At T-Mobile we're giving you more video. More choice. And a powerful new choice in how you want your video delivered. What's not to love? We give customers more choices and these jerks are complaining, who the hell do they think they are? What gives them the right to dictate what my customers, or any wireless consumer can choose for themselves?
Nice. I'm part of the contingent complaining about this and I'm also a T-Mobile customer... and the CEO just called me a jerk while telling me he's fighting for his customers? Really now?
And again this whole statement is blatantly misleading. The "choice" was made by T-Mobile for all users, and getting out of it involves a convoluted process that most don't understand and where none of this was made clear to end users. Beyond violating the FCC's "no throttling" rule, I wonder if it also violates the FCC's transparency rules as well, in which they are required to be much more upfront about how the data is being treated.
Also, the statement above is from the video where we're described as "jerks," but in the written version it leaves out the "jerks" claim, but also includes the following bit mocking YouTube for letting users choose to change the resolution on videos:
YouTube complained about Binge On, yet at the same time they claim they provide choice to customers on the resolution of their video. So it's ok for THEM to give customers choice but not for US to give our customers a choice? Hmmm. I seriously don't get it.
But that's bullshit also. YouTube's choice option there is a clear pulldown on every video shown, so that a user just needs to click on the video their watching and set the resolution. T-Mobile's is a process that's not clear at all, with some users reporting they had to call in and get T-Mobile customer service to turn BingeOn off for their account. To compare the two situations is completely bonkers.
As far as I can tell, Legere either doesn't understand what his own company is doing technically, or knows and is purposely misrepresenting it. Neither of those look good and go against the entire "uncarrier" concept they keep pitching. I'd expect better as a T-Mobile customer than being told that I'm a "jerk" for pointing this out.
And it appears he's not the only one among senior execs at T-Mobile who still don't realize what their own company is doing. On Wednesday at a Citigroup conference, T-Mobile's Chief Operating Officer Mike Sievert
spewed some more nonsense suggesting he, too, has no idea what his own company is doing:
At a Citigroup investor conference Wednesday, T-Mobile executives shot back, saying YouTube’s stance is “absurd.” YouTube is owned by Alphabet Inc. “We are kind of dumbfounded, that a company like YouTube would think that adding this choice would somehow be a bad thing,” said T-Mobile Chief Operating Officer Mike Sievert. He said YouTube hasn’t “done the work yet to become part of the free service.”
Taken at face value, that comment makes no sense. If YouTube hasn't done the work yet to become a part of the free service than why the fuck is T-Mobile slowing down its videos? YouTube wasn't complaining about "adding this choice." YouTube was complaining about direct throttling of video content by T-Mobile, in clear violation of the FCC's prohibition on throttling.
Sievert and Legere both don't seem to understand (1) what YouTube and users are complaining about or (2) what his own company is doing. That's... troubling, given that these are the CEO and COO of the company. It really seems like T-Mobile execs might want to spend some time talking to its tech team to understand the fact that the only thing T-Mobile is doing to video is throttling it down to 1.5 Mbps, rather than any actual "optimization" before spewing more nonsense and calling their own customers "jerks." And, they might want to realize that their claim that this is all "bullshit" is actually complete bullshit. And that their bullshit may very well violate the FCC's rules.
One of the big EFF lawsuits against NSA surveillance, Jewel v. NSA, which has been going for many years (since before the Snowden revelations) has just been dismissed by the 9th Circuit appeals court, for "lack of jurisdiction." The issue is really more of a procedural one, than on the substance, but it's still unfortunate. Without going into the details (you can read the full 17 page ruling if you want that), there was an effort to "expedite" (as much as you can use that word for a case that has been going on for almost a decade) a single part of the ruling, and the appeals court basically says you can't do that, and things need to wait until there's a full decision from the lower court.
We are sympathetic to the Jewel plaintiffs’ desire to bring
at least part of this case to a close. But awaiting a decision on
a single claim, which is not a linchpin claim either factually
or legally, does not advance this result. In fact, the result of
this appeal has been to bring the district court proceedings to
a halt. Both sides point fingers as to why no final decision
has been reached. We do not take sides in that debate, except
to say that the parties’ and judicial resources would be better
spent obtaining a final judgment on all of the claims, instead
of detouring to the court of appeals for a piecemeal resolution
of but one sliver of the case.
Earlier this year, the EFF's Rainey Reitman set up the SaveCrypto.org petition, which tied directly into the White House's We the People... petition site. The petition got the necessary 100,000 signatures to demand a response (though the White House isn't always good about doing that). And, now the White House has responded (sorta). The petition itself is pretty clear:
Reject any law, policy, or mandate that would undermine our security.
The government should not erode the security of our devices or applications, pressure companies to keep and allow government access to our data, mandate implementation of vulnerabilities or backdoors into products, or have disproportionate access to the keys to private data.
We demand privacy, security, and integrity for our communications and systems. As a public, we should be confident that the services we use haven’t been weakened or compromised by government mandate or pressure. No legislation, executive order, or private agreement with the government should undermine our rights.
Weakening encryption weakens the entire Internet. Please endorse strong encryption, and encourage other world leaders to do the same.
The response, on the other hand, is not clear at all. It just asks people to provide more info and says it's meeting with the people who put together the petition this week.
We want to hear from you on encryption:
Thank you for signing the petition on strong encryption and speaking out on this important national debate. As the President has said, "There's no scenario in which we don't want really strong encryption." It is critical that the government, the private sector, and other experts regularly engage to understand the impacts of encryption on national security, public health and safety, economic competitiveness, privacy, cybersecurity, and human rights around the world.
This conversation about encryption is also part of a broader conversation about what we, as a nation, can do to fight terrorism as it evolves online. That is why, in his address to the nation on Sunday, the President reiterated the Administration’s call for America’s technology community and law enforcement and counter-terrorism officials to work together to fight terrorism. American technologists have a unique perspective that makes them essential in finding new ways to combat it. They are the best and most creative in the world, and we need them to bring their expertise, innovation, and creativity to bear against the threat of terrorism.
This week, administration officials will sit down with the creators of this petition to hear directly from them about their priorities and concerns.
This is a critical conversation, and we want to hear from as many voices as we can.
Thanks again for your participation in We the People.
Now, there are all sorts of problems with this. First off, Reitman says that contrary to the claims made in the response, no one from the White House has contacted her or anyone else at EFF. So, that claim that the White House is sitting down with the creators of the petition is bogus.
Second, while you should all go to that website and tell the White House what you think about strong encryption, it's absolutely ridiculous that anyone actually thinks that's necessary. The petition itself told the White House what they thought about encryption and that's that it's important in protecting our privacy and security and undermining it is dangerous with almost no real benefit. And, indeed, almost every technology expert who has opined on this subject has said the same thing -- including Ed Felten, the White House's Deputy CTO who supposedly co-wrote this response.
Except he didn't. Because not only does it not sound like him, the letter was actually signed by "Ed Felton" not Ed Felten:
Someone in the White House (Ed?) noticed this eventually and it's since been changed, but it certainly suggests Felten himself had little to nothing to do with this response. The other signature on the letter is from Michael Daniel, the President's cybersecurity czar, whose name you might recognize from that time he bragged about his lack of technology knowledge and skills, claiming it could "be a little bit of a distraction" and later argued that of course backdooring encryption was totally possible, though when asked to name a single technology expert who agreed with him, noted that "I don't have any off the top of my head." We're still waiting.
Of course, I think we know which one of those two names actually wrote this non-response. But if that's the way the government is going to play the game, we might as well make use of the tools they've provided and let them know (yet again) about the importance of strong encryption without backdoors.
So this is interesting. The Electronic Frontier Foundation is
dragging Google in front of the FTC, with a complaint alleging some potentially serious privacy violations concerning tracking of students in schools. The crux of the EFF's complaint:
While Google does not use student data for targeted advertising within a subset of Google sites, EFF found that Google’s “Sync” feature for the Chrome browser is enabled by default on Chromebooks sold to schools. This allows Google to track, store on its servers, and data mine for non-advertising purposes, records of every Internet site students visit, every search term they use, the results they click on, videos they look for and watch on YouTube, and their saved passwords. Google doesn’t first obtain permission from students or their parents and since some schools require students to use Chromebooks, many parents are unable to prevent Google’s data collection.
Looking over the details, I'm not entirely sure what the issue is here. The sync feature isn't designed to violate someone's privacy, but to allow users to access the same websites from different machines -- a feature that could be useful, especially in school settings where there may be a bunch of laptops that are passed around, so students may not always use the same machine. Also, wouldn't Google need to store their saved passwords? It also seems noteworthy that the organizations that put together the Student Privacy Pledge that EFF says Google is violating, have all said that EFF is wrong in its complaint. That said, the EFF is usually really good about these things, so I'll give the group the benefit of the doubt that there could be a problem here and will be paying attention to how this shakes out. No matter what, it will be worth following how the FTC responds.
What's much more interesting to me about this, however, is that this once again shows how the EFF is not a front for Google. There's this weird myth among some in the anti-Google/anti-digital rights world that EFF is just a "shill" for Google. I can't count the number of times I've seen blog posts falsely claim that Google is a major funder of EFF. Hell, resident clueless digital rights commentator Andrew Orlowski at the Register made that claim just a few days ago, saying that EFF "received half of its income one year from Google" even though he knows that claim is hellishly misleading.
You'll notice, first of all, that approximately slightly less than 1/3 of EFF's funding comes from "corporate contributions" -- but the vast, vast majority of that actually comes from contributions from Humble Bundle campaigns (when you buy video games from Humble, you can designate some portion to go to charity, and EFF is almost always one of the supported charities). Thus, it's actually only less than $600,000 of EFF's $13.5 million income that came from corporate donations. That's less than 5% -- and even if Google is one of those contributors, it's likely not the only one. Now, it's also probably true that some of the "individual contributors" work for Google, but it's certainly not corporate donations. And, from what I've heard from multiple EFF people, the actual amount of revenue that comes from Google employees as individual contributors is tiny.
What most of the conspiracy theorists, such as Orlowski, cite when they say that Google provided a ton of money to the EFF is not what it seems at all. It was a one-time payout, first of all, and it was to settle a legal dispute in which EFF also went against Google. Specifically, it was over Google's ridiculous failed "Google Buzz" offering that had some really weak privacy controls. EFF was among many groups who criticized Google over its privacy failings for Buzz, and so part of the class action settlement was that Google would give a chunk of money to a variety of non-profit/public interest groups who focused on privacy protection -- with EFF being one of those recipients. So even the key case in which Google definitely gave EFF money, it involved a court-sanctioned punishment of Google, giving the money to EFF (and others) who had opposed Google's privacy practices. This was part of a so-called "cy pres" award, and as you can see, in the most recent period, that represented a little over a million dollars in EFF's income. This is hardly a majority and, considering how it comes in, hardly the kind of thing that makes EFF a mouthpiece for those providing the money.
And, of course, now the EFF is going after Google for privacy issues once again. It makes you wonder how everyone who likes to insist EFF is just a Google mouthpiece will spin this one. I'm sure the conspiracy theories will be creative.
The Electronic Frontier Foundation's website is eff.org. The squatted-on domain was electronicfrontierfoundation.org. As the real EFF vigorously fights against exactly the sort of thing being distributed by the fake site (spyware and malware), it had a legitimate complaint against the cybersquatter that went far deeper than mere trademark-related confusion.
The disputed domain name was registered on August 4, 2015.
On August 13, 2015, the Complainant was informed that the disputed domain name was being used to confuse consumers by redirecting them to the Complainant’s official website only after surreptitiously installing malicious software on the computers of unsuspecting visitors. According to an affidavit of a Staff Technologist of the Complainant, the malicious code exploited a known vulnerability in the computer programming language Java, by disabling Java security settings which allows it to execute arbitrary Java code without having to ask for the user’s permission.
The incident was reported in the media, for instance in an article published on August 28, 2015 on the website of Ars Technica under the title “Fake EFF site serving espionage malware was likely active for 3+ weeks”.
The EFF's complaint against the cybersquatter also pointed out that the URL was being used in bad faith, implanting computers with keyloggers and being used as a backdrop for a spear phishing campaign.
The Complainant contends that these facts strongly suggest that the disputed domain name was registered for the purpose of supporting a phishing campaign, i.e. an attempt to discover sensitive information such as usernames, passwords or personal details, by confusing consumers into believing that the attacker, to whom information is actually being provided, is in fact a different, trustworthy entity to whom consumers desire to provide information.
WIPO found that the EFF's complaint satisfied multiple prongs of its domain name dispute resolution process. The trademark on the name itself dates back to 1993 and the use of the bogus site to deliver malware payloads added up to "bad faith" use.
The domain has been taken from Shawanda Kirlin of Bali, Indonesia, and given to the EFF for its own use. This will kill off one arm of a sophisticated malware campaign with possible ties to the Russian government and prevent further abuse of internet users looking for information on privacy and security.
Earlier this year, EFF learned that more than a hundred ALPR cameras were exposed online, often with totally open Web pages accessible by anyone with a browser. In five cases, we were able to track the cameras to their sources: St. Tammany Parish Sheriff’s Office, Jefferson Parish Sheriff’s Office, and the Kenner Police in Louisiana; Hialeah Police Department in Florida; and the University of Southern California’s public safety department. These cases are very similar, but unrelated to, major vulnerabilities in Boston’s ALPR network uncovered in September by DigBoston and the Boston Institute for Nonprofit Journalism.
The earlier investigative work mentioned by the EFF has been spearheaded by Kenneth Lipp, who has exposed several insecure camera systems run by private contractors but deployed by government agencies. Lipp has also uncovered unsecured law enforcement CCTV systems in other major cities, including New York's Domain Awareness System, where feeds could be easily accessed via the internet.
The systems the EFF accessed are sold and maintained by PIPS Technology. The EFF was able to access several stationary ALPR cameras and view live captures of plate data.
The company, now owned by 3M, offered this statement when notified of the security hole.
We cannot comment on issues PIPS may have had prior to the acquisition, but I can tell you any issues with our products are taken very seriously and directly addressed with the customer.
We stand behind the security features of our cameras. 3M’s ALPR cameras have inherent security measures, which must be enabled, such as password protection for the serial, Telnet and web interfaces. These security features are clearly explained in our packaging.
Except, of course, the EFF's discoveries came after 3M's acquisition of PIPS. While the holes the EFF uncovered have been closed, 3M (and other companies) have pretty much declared unsecured ALPR cameras to be Not Their Fault. Over the years, researchers and activists (like Dan Tentler) have received a variety of deflections from ALPR companies.
3M spokeswoman Jacqueline Berry noted that Autoplate's systems feature robust security protocols, including password protection and encryption. They just have to be used.
"We're very confident in the security of our systems," she said.
That would mean something if the companies simply sold the software and hardware. But the companies also have direct access to client connections and should be able to check for unprotected sources. But they don't and when confronted, they blame the end user. When Kenneth Lipp went public with his discoveries, he received this answer from Genetec, which ran the systems he was able to access.
On the ALPR front, Genetec shirks all responsibility for the aforementioned open portal, even though a remote desktop client terminal, which was also left exposed, shows they had direct access. Reached by email for this story, the company’s Vice President of Marketing and Product Management Andrew Elvish wrote that the server in question was a “location used by a customer to transfer data to be used in a parking or law enforcement patrol car, equipped with a Genetec system.” The data, Elvish added, was “not gathered by a Genetec AutoVu ALPR system … [which is] automatically encrypted.”
As far as the contractors are concerned, the problem is law enforcement agencies who are deploying the cameras and systems without implementing built-in security features. And while the agencies involved quickly closed the security holes, it doesn't change the fact that these systems went live while they were still unsecured. This could be chalked up to carelessness, but it could also be another indication of how little most agencies (and the companies who sell to them) care about the millions of people who aren't cops/government contractors. In their minds, the important thing is that the systems went live and started contributing to vast plate/location databases. Properly securing systems is still an afterthought.
Earlier this year, we wrote about a plan to add DRM to the JPEG standard, meaning that all sorts of images might start to get locked down. For an internet where a large percentage of images are JPEGs, that presents a potentially serious problem. We did note that the JPEG Committee at least seemed somewhat aware of how this could be problematic -- and actually tried to position the addition of DRM as a way to protect against government surveillance. However, there are much better approaches if that's the real purpose.
The JPEG Committee recently met in Brussels to discuss this, and thankfully Jeremy Malcolm from the EFF was able to give a presentation explaining why this was such a bad idea and to suggest alternative approaches for protecting privacy without having to go down the path of DRM.
This doesn't mean that there is no place for cryptography in JPEG images. There are cases where it could be useful to have a system that allows the optional signing and encryption of JPEG metadata. For example, consider the use case of an image which contains personal information about the individual pictured—it might be useful to have that individual digitally sign the identifying metadata, and/or to encrypt it against access by unauthorized users. Applications could also act on this metadata, in the same way that already happens today; for example Facebook limits access to your Friends-only photos to those who you have marked as your friends.
Currently some social media sites, including Facebook and Twitter, automatically strip off image metadata in an attempt to preserve user privacy. However in doing so they also strip off information about authorship and licensing. Indeed, this is one of the factors that has created pressure for a DRM system that could to prevent image metadata from being removed. A better solution, not requiring any changes to the JPEG image format, would be if platforms were to give users more control over how much of their metadata is revealed when they upload an image, rather than always stripping it all out.
We encourage the JPEG committee to continue work on an open standards based Public Key Infrastructure (PKI) architecture for JPEG images that could meet some of the legitimate use cases for improved privacy and security, in an open, backwards-compatible way. However, we warn against any attempt to use the file format itself to enforce the privacy or security restrictions that its metadata describes, by locking up the image or limiting the operations that can be performed on it.
The Electronic Frontier Foundation has put out an alert noting that, as part of a larger spear phishing attack campaign, to try to gain control over computers, a group has created a fake EFF website, designed to trick people into thinking they're going to EFF's actual website, but really installing some pretty nasty malware.
The attack is relatively sophisticated—it uses a recently discovered Java exploit, the first known Java 0-day in two years. The attacker sends the target a spear phishing email containing a link to a unique URL on the malicious domain (in this case electronicfrontierfoundation.org). When visited, the URL will redirect the user to another unique URL in the form of http://electronicfrontierfoundation.org/url/{6_random_digits}/Go.class containing a Java applet which exploits a vulnerable version of Java. Once the URL is used and the Java payload is received, the URL is disabled and will no longer deliver malware (presumably to make life harder for malware analysts). The attacker, now able to run any code on the users machine due to the Java exploit, downloads a second payload, which is a binary program to be executed on the target's computer.
Needless to say, don't visit the site unless you know what you're doing -- and also, a good reminder not to click on URLs in emails. Go directly to sites.
Back in April, USA Today had a detailed report on a massive DEA phone records surveillance program that pre-dated 9/11 (and the NSA's similar phone records mass collection). The DOJ put an end to the DEA's program after the Snowden revelations when it realized that the government's own defense of why the NSA program was legal would conflict with the DEA program. Specifically, it kept trotting out "terorrism" and "national security" but that didn't apply to the DEA's program, which was actually used much more widely than the NSA's (according to the report, the DEA searched the database as many times in a day as the NSA did in a year). However, a day after this report, Human Rights Watch, represented by the EFF, sued the DEA over the program -- citing both the First and Fourth Amendment as being violated.
As expected, the DEA pulled out the usual defenses to try to get the lawsuit dismissed, including arguing that without direct evidence of surveillance on Human Rights Watch, the organization had no standing. Those arguments were given much more credence by the courts in the pre-Snowden era, but lately the courts have been much more skeptical. And, thus, the district court has (somewhat, narrowly) rejected this argument by the DEA and allowed the EFF to move forward with a bit of discovery, which hopefully will enable it to find out at least some details of the surveillance program.
More specifically, the court ruling by Judge Philip Guitierrez says that HRW has enough standing on the 4th Amendment question, but not on the 1st Amendment question. Specifically, on the 4th Amendment issue, the court finds HRW's claims to be entirely plausible, which is enough to allow discovery.
First, the Government argues that HRW has not pled that it suffered an injury in fact as a
result of the Mass Surveillance Program because HRW has not plausibly alleged that its call
records were ever collected pursuant to this Program.... The Government contends
that HRW’s allegation that “Defendants obtained records of HRW’s communications to the
Designated Countries as part of the Mass Surveillance Program,” ..., is insufficient
because it lacks supporting factual allegations that render the claim plausible, rather than merely
possible.... For example, the Government highlights that the
Complaint and the attached Patterson Declaration do not identify the specific U.S.
telecommunications companies that received administrative subpoenas under the Program or a
time period during which the Government requested and collected call information.... The Court acknowledges that the Complaint does not contain such particularized pleadings
as: HRW staff called individuals in Iran using Verizon lines in 2012; the Government issued
subpoenas to Verizon for all 2012 Iranian call data; Verizon produced all 2012 Iranian call data
to the Government; the Government obtained HRW’s 2012 Iranian call data. However, HRW’s
allegation that the Government collected records of its communications to designated foreign
countries pursuant to the Mass Surveillance Program is supported by some specific factual
allegations that render this allegation plausible, rather than merely possible.
The Patterson Declaration states that the Government compiled a database “consisting of
telecommunications metadata obtained from United States telecommunications service providers
pursuant to administrative subpoenas served upon the service providers under the provisions of
21 U.S.C. § 876.” ... The metadata “related to international phone calls
originating in the United Sates and calling [] designated foreign countries, one of which was
Iran, that were determined to have a demonstrated nexus to international drug trafficking and
related criminal activities.” ... The database could then “be used to query a telephone number
where federal law enforcement officials had a reasonable articulable suspicion that the telephone
number at issue was related to an ongoing federal criminal investigation.” ... From these
factual representations, HRW alleges that the program collected call records for “all, or
substantially all” telephone calls originating in the United States and terminating in the
“designated countries” since at least 2011....
This allegation that “all, or substantially all” of these calls were collected necessarily
embraces the more specific factual allegation that the Government issued subpoenas to all, or
substantially all U.S. telecommunications companies to collect these calls.... Moreover, HRW’s allegation that the Government collected call
data on “all, or substantially all” calls is plausible. First, the Patterson Declaration did not
contain language indicating that the Government targeted only some U.S. telecommunications
providers, instead it stated broadly that metadata was “obtained from United States
telecommunications service providers.”... Further, because the only criteria
for collection were the involvement of certain initiating and receiving countries and the
Program’s aim was to create a broad database for criminal investigation queries, it is not
implausible that subpoenas would be issued to all U.S. telecommunications companies
requesting all qualifying data so that the Government could compile a complete database to
better serve the investigative query purpose.
And thus:
In light of the plausible allegation that nearly all such calls were
collected pursuant to the Program, the pled facts regarding HRW’s telephone practices support
the ultimate allegation that the Government did collect HRW’s call data, as directly alleged in
the Complaint.
The government also argued that since the program is over, there's nothing to fight over any way, and there's no standing to seek an injunction since there's nothing to stop. However, the court finds that because the government has not said it destroyed the data, there is at least enough of a reason to move forward to determine if the government retained the data.
Standing over the First Amendment claim is rejected, however, because the complaint did not claim a concrete injury:
The Court does not reach the legal sufficiency of this claimed injury because HRW has
not alleged this First Amendment injury with factual sufficiency. Injury in fact requires a harm
that is “‘concrete’ and ‘actual or imminent,’ not ‘conjectural’ or ‘hypothetical.’”... HRW does not provide any factual allegations that
indicate that HRW’s chilled communication concern is actual and imminent rather than
conjectural. For example, HRW does not allege that any of its contacts know about the Mass
Surveillance Program or that they have ever refused to communicate with HRW due to the
Government’s retention of collected telephone metadata pursuant to a Program that has been
occurring for years. Without alleging any specific supporting facts, HRW’s statement that its
“ability to effectively communicate with people inside the Designated Countries” has been
burdened is a conclusory allegation that the Court does not accept. Moreover, the allegation that
HRW “cannot assure its associates abroad that their communications records will not be shared”
is implausible in light of the Patterson Declaration’s attestation that the Government is not
currently using or querying the collected information.
Still, the win on standing over the 4th Amendment issue is important, and it will allow discovery to move forward -- but in a fairly limited way, focused on determining if the government did, in fact, retain the records.
The Court agrees that some limited discovery directed toward the Government is
warranted because such discovery could possibly provide HRW with jurisdictional evidence
suggesting that the Government still possesses HRW’s call records in some form. Accordingly,
the Court will allow HRW the opportunity to conduct limited discovery on this issue.
[....] The Court limits the interrogatory topics to the following issues: (1) whether the Government
retains call records in repositories other than the purged database; and (2) whether the
Government retains Program call records in derivative forms. Accordingly, the Court orders that
HRW is permitted to serve no more than five interrogatories on the Government regarding these
two issues.
This is fairly narrow, and it's entirely possible that the government may now try to get out of this whole case by simply saying that it has purged all those records. However, at the very least, as the EFF notes, it will let the world know whether or not the government has kept all those phone records.
