Robocalls Swamp Hospitals As The Trump FCC Pretends To Fix The Problem

from the spammed-to-death dept

Despite endless government initiatives and countless promises from the telecom sector, our national robocall hell continues. Robocalls from telemarketers continue to be the subject the FCC receives the most complaints about (200,000 complaints annually, making up 60% of all FCC complaints), and recent data from the Robocall Index indicates that the problem is only getting worse.

As robocallers get bolder, they're increasingly targeting institutions like hospitals, often to a dangerous degree:

"At Tufts Medical Center, administrators registered more than 4,500 calls between about 9:30 and 11:30 a.m. on April 30, 2018, said Taylor Lehmann, the center’s chief information security officer. Many of the messages seemed to be the same: Speaking in Mandarin, an unknown voice threatened deportation unless the person who picked up the phone provided their personal information."

Tufts' phone provider, Windstream, informed the medical center there was nothing they could do. But the problem has spiked in recent months, and other medical professionals say legislators, corporations, and the FCC have been too slow in responding to the threat:

"Administrators at other hospitals, cancer centers and medical research organizations around the country share Tufts’s robocall concerns. They fret that such a seemingly obvious tech malady has worsened in recent months and that government regulators and phone companies have been too slow to help. And they fear that robocallers could eventually outmatch their best efforts to keep hospital phone lines free during emergencies, creating the conditions for a potential health crisis."

As we just got done explaining, the Pai FCC has been getting a lot of press for what it claims is a bold, new plan to help rein in the robocall menace by "suggesting" that carriers offer free robocalling tools by default, and recommending that they quickly adopt call authentication technology to thwart spoofing (faking the originating call number). But the Pai FCC proposal isn't actually new, and offers absolutely no penalty for carriers that fail to comply.

And while Ajit Pai has promised to hold carriers accountable if they don't, there's absolutely nothing in Pai's tenure so far that suggests he's actually capable of standing up to carriers. The press likes to beat around the bush on this front, but there are two major reasons this FCC hasn't done more to thwart robocalls. One, carriers don't want to have to pay for it, and the Pai FCC has proven to be a mindless rubber stamp to carrier interests. Two, a lot of "legitimate" telemarketing and debt collecting agencies utilize these exact same tactics, and the FCC doesn't want to upset them either.

What we get as a result is a government that pays a lot of lip service to the problem, but doesn't actually do much of anything for fear of upsetting campaign contributors in the telecom and marketing industries. They're quick to go after smaller robocall players that are easy to prosecute, but they're terrified of holding larger, legitimate companies accountable for their own role in failing to implement technologies that could have put the problem to bed years ago. Again because while a lot of "robocalls" are perpetuated by illegal scam operations, a lot of them are perpetuated by industries using the exact same tactics (this 2018 testimony by Margot Saunders (pdf) explains this in great detail) to harass and spam consumers.

As a result, the problem will only get worse until somebody in government grows a spine and mandates that all carriers must implement anti-spoofing tech and provide completely free robocall-blocking tools to consumers by default, giving consumers full control over who can call them and when. The problem is getting bad enough that even Ajit Pai may be forced to take a tougher stance against his BFFs in the marketing and telecom sectors, but that's not a bet most would be willing to make anytime soon.

Filed Under: ajit pai, fcc, hospitals, robocalls, spam

On Heels Of Favorable FCC Ruling, Verizon Imposes 'Spam' Fees On Text Message Service For Schools, Nonprofits

from the do-not-pass-go,-do-not-collect-$200 dept

Just about a month ago the FCC quietly handed the telecom industry another favor by voting to reclassify text messages as an "information service" instead of a "telecommunications service" under the Telecom Act, effectively freeing text messaging practices from government oversight. While the FCC stated the move was essential in order to fight text spam, consumer groups were quick to note the lack of oversight provided cellular carriers a nifty way to hamper third-party SMS services that might just compete with, or cause problems for, their own offerings.

Fast forward to this month, and lo and behold, Verizon's already ruffling some feathers on this front. Remind, a free school texting, chat and messaging service used by teachers, students, school coaches, and parents, this week sent a notice to its customers stating that it may no longer be able to offer the service on the Verizon network thanks to a new "spam" fee Verizon is imposing on a service that's not really spam. From the notice to customers:

"To offer our text messaging service free of charge, Remind has always paid for each text that users receive or send. Now, Verizon is charging Remind an additional fee intended for companies that send spam over its network.

Your Remind messages aren’t spam, but that hasn’t helped resolve the issue with Verizon. The fee will increase our cost of supporting text messaging to at least 11 times our current cost—forcing us to end free Remind text messaging for the more than 7 million students, parents, and educators who have Verizon Wireless as their carrier.

While several Canadian companies charge similar fees, Remind said on Twitter that Verizon was the only US company (for now) to begin charging this fee, which the company estimates could cost it up to several million dollars annually. And because the FCC gutted all regulatory oversight, the agency eroded any meaningful authority over Verizon or any additional company looking to impose such spurious surcharges. When pressed by Ars Technica, Verizon stuck to its claim that the new surcharge is essential to help combat spam:

"Verizon, which touts its commitment to education, defended the new fee. Such fees are "intended to share costs incurred to help protect students, parents, and teachers from spam and dangerous text messages over the Verizon network, while reducing fraud," Verizon said in a statement to Ars.

Verizon said the "very small fee will be charged only to major text-messaging aggregation companies such as Remind and Twilio–and not schools, parents, or students." The fees "pay for the work required to contain spam and fraud associated with this service," Verizon said.

But Remind and the company they use to send the messages and alerts (Twilio) already pay Verizon money to carry the texts, and this new fee will only compound those costs dramatically to Verizon's direct financial benefit. In the midst of the bickering between the two companies, Verizon issued a news release saying it would back away from its original plan, slightly. This being Verizon, it was unable to do so without attempting to shift the blame entirely to Remind:

"As discussed this week with Remind, Verizon will not charge Remind fees as long as they don’t begin charging K-12 schools, educators, parents and students using its free text message service. Despite this offer, made Tuesday, Remind has not changed its position that it will stop sending free texts to Verizon customers who use the service regarding school closures, classroom activities and other critical information."

In short, Verizon's "compromise" is that it will reverse the fee for K-12 users of the free Remind service, but that still means numerous other users of the service (like coaches, preschools, and day care centers) will still face the arbitrary fee. Remind tells Ars Technica they've yet to get that proposal in writing, and there's questions as to how K-12 users would even verify their exemption with Verizon in the first place. A better option remains to simply not engage in the cash grab at all.

This particular fight over text messaging oversight began a little more than a decade ago, when Verizon decided to ban a pro-choice group named NARAL Pro-Choice America from sending text messages to Verizon Wireless customers who had opted in to receiving them. Verizon justified the ban by declaring the text messages "controversial or unsavory." A curious move for an industry that has historically cuddled up to marketing spammers and crammers when it's profitable.

Ever since then consumer groups, worried that cellular carriers would abuse their gatekeeper power on the text messaging front, have been urging the FCC to declare text messages a “telecommunications service," making it illegal for carriers to ban, hinder, or impose arbitrary fees on such select SMS services. Of course the Ajit Pai FCC did the exact opposite, and here we are, with non-profits and schools lighting up Twitter with complaints under the #reversethefee hashtag.

Filed Under: fcc, fees, nonprofits, schools, spam, text messaging
Companies: remind, twilio, verizon

Everything Wrong In One Story: Data Silos, Privacy, And Algorithmic Blocking

from the nerding-harder-won't-solve-complex-problems dept

Facebook is probably not having a very good week concerning its privacy practices. Just days after it came out that -- contrary to previous statements -- the company was using phone numbers that were submitted to Facebook for two-factor-authentication as keys for advertising, earlier this morning the company admitted a pretty massive data breach in which its "view as" tool was allowing users to grab tokens of other users and effectively take over their accounts (even if those users had two factor authentication enabled).

This is, as they say, "really, really bad." It turned the "view as" feature -- which lets you see how your own page looks to other users -- into a "take over someone else's account" feature. That's a pretty big mistake to make for a product used by approximately half of the entire population of the planet. I'm sure there will be much more on this, but a few hours after the announcement, Facebook had another headache to deal with: numerous reports said that people trying to post articles about this new security mess from either the Guardian or the AP, were getting that action blocked, with Facebook's systems saying that the action looked like spam:

If you can't read that, it says:

Action Blocked

Our security systems have detected that a lot of people are posting the same content, which could mean that it's spam. Please try a different post.

If you think this doesn't go against our Community Standards let us know.

It's not hard to see how this happened of course. Many times, when a ton of people all start linking to the exact same story, there's a decent chance that it might just be a spam attack. I think even our own spam filter for the Techdirt comments takes something similar into account. Thus, with so many people all posting that link to Facebook, it tripped an algorithmic alarm, leading it to block the posting as possible spam. It appears this practice only lasted for a little while, as currently both articles can be posted to Facebook again.

Obviously, given that the content was about a big Facebook security breach, this looks fishy, even if there's a perfectly "logical" explanation for how it happened. But this also gives us yet another opportunity to highlight how ridiculous it is for people to argue that algorithmic content moderation is a reasonable solution. It's always going to mess up, especially when used at scale, and sometimes will do so in incredibly embarrassing ways, such as here.

And, of course, it provides yet another opportunity to highlight the problems of having just a few giant silos collecting and keeping so much data about people. Even if they are very good at security -- and despite arguments to the contrary, Facebook has a strong security team -- there are always going to be vulnerabilities like this, and companies like Facebook are always going to represent huge targets. This seems like yet another reminder that we need to be looking for more solutions to decentralize the web, and move away from giant silos holding onto all of our data.

Tragically, the powers that be are often looking at this the other way: trying to magically "force" big companies to "lock down" data, which actually only increases the value and demands on the silo, while expecting magic algorithms to protect the data. If we're serious about protecting privacy, we need to start looking at very different solutions that don't mean letting the giant internet companies control all this data all the time. Move it out to the ends of the network, let individuals control their own data stores (or partner with smaller third parties who can help with security) and then let those users choose when, how and where to allow the large platforms access to that data (if at all). There are better solutions, but there seems to be little interest in actually making them work.

Filed Under: algorithms, blocking, centralization, content moderation, data breach, decentralization, privacy, silos, spam, tokens
Companies: facebook

Internet Content Moderation Isn't Politically Biased, It's Just Impossible To Do Well At Scale

from the stop-this-dumb-narrative dept

The narrative making the political rounds recently is that the big social media platforms are somehow "biased against conservatives" and deliberately trying to silence them (meanwhile, there are some in the liberal camp who are complaining that sites like Twitter have not killed off certain accounts, arguing -- incorrectly -- that they're now overcompensating in trying to not kick off angry ideologues). This has been a stupid narrative from the beginning, but the refrain on it has only been getting louder and louder, especially as Donald Trump has gone off on one of his ill-informed rants claming that "Social Media Giants are silencing millions of people." Let's be clear: this is all nonsense.

The real issue -- as we've been trying to explain for quite some time now -- is that basic content moderation at scale is nearly impossible to do well. That doesn't mean sites can't do better, but the failures are not because of some institutional bias. Will Oremus, over at Slate, has a good article up detailing why this narrative is nonsense, and he points to the episode of Radiolab we recently wrote about, that digs deep on how Facebook moderation choices happen, where you quickly begin to get a sense of why it's impossible to do it well. I would add to that a recent piece from Motherboard, accurately titled The Impossible Job: Inside Facebook’s Struggle to Moderate Two Billion People.

These all highlight a few simple facts that lots of angry people (on all sides of political debates) are having trouble grasping.

1. If you leave a platform completely unmoderated, it will fill up with junk, spam, trolling and the like, thereby decreasing its overall utility and pushing people away.
2. If you do decide to moderate, you have a set of impossible choices. So much content requires understanding context, and context may be very different, even for the same content when viewed by different people.
3. If you're going to moderate at scale, you're going to need a set of "rules" that thousands of generally low paid individuals will have to be able to put into practice, reviewing pieces of content for just a few seconds (a recent report said that Facebook reviewers were expect to review 5,000 pieces of content per day.
4. It is impossible to make rules like that that can easily be applied to all content. A significant percentage of content falls into gray areas, where it then becomes a judgment call by people in a cubicle in the middle of reviewing 5,000 pieces of content.
5. At that rate, many mistakes are made. It is collateral damage of moderation at scale.
6. People caught in the crossfire of collateral damage will rightly make a big stink about it and the social media companies will look bad.
7. Meanwhile, some of the reasonable moderation decisions will hit trolls hard (see point 1 above) and those trolls will then take to other platforms and make a huge stink about how unfair it all is, and the social media companies will look bad.

Put this all together and it is a no win situation. You can't leave the platform completely unmoderated. But any attempt at moderation at scale is going to have problems. The "scale" part of this is what's the most difficult for most people to grasp. As Kate Klonick (again, author of an incredible paper on content moderation that you should read as well as author of a guest post here on Techdirt) notes in the Motherboard piece:

“This is the difference between having 100 million people and a few billion people on your platform,” Kate Klonick... told Motherboard. “If you moderate posts 40 million times a day, the chance of one of those wrong decisions blowing up in your face is so much higher.”

Later in the piece, Klonick again makes an important point:

“The really easy answer is outrage, and that reaction is so useless,” Klonick said. “The other easy thing is to create an evil corporate narrative, and that is also not right. I’m not letting them off the hook, but these are mind-bending problems and I think sometimes they don’t get enough credit for how hard these problems are.”

This is why I've been advocating loudly for platforms to move the moderation decisions further out to the ends of the network, rather than doing it in a centralized fashion. Let end users create their own moderation system, or adapt ones put together by third parties. But, of course, even that has problems as well.

No matter what choices are made, there are significant tradeoffs. As the Motherboard article also highlights, what seems like a "simple" rule gets hellishly complex quickly when applied to other situations, and then you've suddenly increased the "error" rate and people get angry all over again and the whole mess gets blown out of proportion again.

“There's always a balance between: do we add this exception, this nuance, this regional trade-off, and maybe incur lower accuracy and more errors,” Guy Rosen, VP of product management at Facebook, said. "[Or] do we keep it simple, but maybe not quite as nuanced in some of the edge cases? Balance that's really hard to strike at the end of the day.”

As the Oremus piece notes, the "bias" of platforms when it comes to moderation is not "liberal" or "conservative," it's Capitalist. Having a platform overrun with spam and trolls is bad for business. Hiring enough people who can adequately review content within the correct context is somewhere between insanely cost prohibitive and impossible. So the platforms muddle by with imperfect review processes. Making moderation mistakes is also bad for business, and the platforms would love to minimize them, but "mistakes" are often in the eye of the beholder as well, again reinforcing that this is an impossible task. For everyone screaming about how Alex Jones should be kicked off platforms, there's a similar number of people screaming about how awful the platforms are that do kick him off. There is no "right" way to do this, and that's what every platform struggles with.

And, if you think that these platforms are unfairly silencing "conservatives" (which is the prevailing narrative right now), it's probably because you're not paying enough attention elsewhere. Black Lives Matter and other civil rights groups have complained about "racially biased" moderation in the opposite direction, saying that minority groups are regularly silenced on these platforms. Indeed, it's not hard to find a ton of reports about black activists having content removed from social media platforms. And for all the talk of Infowars being taken off these platforms, how many people noticed that the Facebook page of the Venezuelan socialist TV station Telesur was recently taken down as well.

Yes, it's fine to point out that these platforms (mainly Facebook, Twitter and YouTube) are really bad at moderating. But, unless you're willing to actually understand the scale at play, recognize how many mistakes are going to be made (and recognize how trolls are going to go nuts over correct decisions), you're playing into a false narrative to argue that any of these platforms are "targeting" anyone. It's not true.

Filed Under: bias, content moderation, errors, filters, mistakes, scale, social media, spam, trolls
Companies: facebook, google, twitter, youtube

Many Of Those Desperate GDPR Emails You've Been Getting Are Violating A Different EU Regulation

from the not-to-mention-unnecessary dept

As we careen wildly into a post-GDPR world at the end of this week, you've probably already been inundated with tons upon tons of emails from various companies where you either have an account or have been signed up for their mailing list. Some of these emails likely note that they want you to confirm that you want to remain on their list because of the GDPR. Others pretend they're just checking in with you for the hell of it. According to an expert in EU regulation, many of these emails probably violate another EU regulation, one designed to make spamming illegal. As for the others? They're almost certainly not necessary under the GDPR and appear to be people misunderstanding the GDPR "out of an abundance of caution."

In short, if a service already has proper permission from you, then it doesn't need to get it again. If it doesn't, it's violating EU spam regulations by asking you to give your consent to receive such messages.

Vitale said, if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.

“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”

And, yes, EU regulators are aware of all of this:

“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them,” Steve Wood, the deputy information commissioner, wrote in guidance for businesses. “So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily.”

Like Vitale, Wood emphasised that asking for marketing consent from people who had not given it initially could be illegal. “It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act,” he said.

Depending on how you look at this, it's either the most European of European regulation situations -- in which efforts to comply with a new set of convoluted regulations means violating existing convoluted EU regulations -- or just another example of how ridiculous companies act. Still, it does seem fairly clear that the whole GDPR situation is an utter mess, with tons of companies having no idea what they actually need to do, or how to actually comply with the law.

Whether you think the GDPR is a wonderful innovation in protecting our privacy, or you think it's a giant clusterfuck of bureaucratic virtue signaling, it does seem like it could be something of a general problem if basically every internet company everywhere has no idea how to actually be in compliance.

Filed Under: data protection, email, eu, gdpr, opt-in, permission, privacy, spam

Facebook 'Security': A New VPN That's Spyware And Two-Factor Authentication That Spams You

from the insecurity dept

Facebook's definition of protection isn't quite up to snuff. Last week, some Facebook users began seeing a new option in their settings simply labeled "Protect." Clicking on that link in the company's navigation bar will redirect Facebook users to the “Onavo Protect – VPN Security” app’s listing on the App Store. There, they're informed that "Onavo Protect helps keep you and your data safe when you browse and share information on the web." You're also informed that the "app helps keep your details secure when you login to websites or enter personal information such as bank accounts and credit card numbers."

What you're not told is that Facebook acquired the company back in 2013, and is now using it as little more than glorified spyware, allowing Facebook to track and monetize your travels around the internet (especially time spent wandering around competing social media platforms). That is, understandably, upsetting some people who believe that security tools should, well, actually protect you from surveillance, not open up an entirely new avenue for it:

"Facebook, however, purchased Onavo from an Israeli firm in 2013 for an entirely different reason, as described in a Wall Street Journal report last summer. The company is actually collecting and analyzing the data of Onavo users. Doing so allows Facebook to monitor the online habits of people outside their use of the Facebook app itself. For instance, this gave the company insight into Snapchat’s dwindling user base, even before the company announced a period of diminished growth last year."

Amusingly, as one Facebook team was busy pushing a VPN service that spies on you, other parts of the company have been busy pushing a new two-factor authentication system (good) that the company also thought should be co-opted for marketing purposes (not so good). Ideally, two-factor authentication should use your phone number exclusively to send you authentication codes via SMS. But Facebook apparently got the nifty idea to immediately take that number and spam customers in the hopes this would drive additional engagement at the website:

On a positive note, Facebook was quick to acknowledge that the SMS spam isn't intentional, and that it would be rolling out out a fix shortly (hopefully before too many people get disgusted by 2FA):

"It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won't receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug."

While Facebook was quick to own its 2FA problem, the company has been somewhat mute regarding the backlash to its "VPN" service offering. That effort likely began with good intentions among Facebook's security team, then got hijacked by company higher ups nervous about the fact Facebook's engagement and subscriber numbers have begun a precipitous dive. The solution to that problem is making Facebook better and more secure, not pushing security and privacy services whose real agenda is monetization and, apparently, annoyance.

Filed Under: 2fa, marketing, security, sms, spam, tracking, two factor authentication, vpn
Companies: facebook

Dear Senators Portman & Blumenthal: What Should Blogs Do If SESTA Passes?

from the how-do-we-stay-on-the-right-side-of-the-law dept

So we've spent some time talking about why SESTA is such a bad bill even in its updated form (which fixes just a tiny sliver of the overall problems). And we may have some more soon about other problems with the language in the bill, but for now I want to make this even more real and ask Congress -- and SESTA authors Senators Rob Portman and Richard Blumenthal, specifically, what they think bloggers, independent journalists, citizen journalists and anyone who hosts comments on their site should do if SESTA passes. Because all these sites are platforms protected by Section 230 of the CEA and, as SESTA is written, parts of it are so unclear that it could introduce significant legal liability, or at least uncertainty over whether or not they're liable for the comments readers post on their sites and articles.

One thing we've heard over and over again from SESTA supporters is that the bill won't have any impact on most sites because (they claim) "no one accidentally facilitates sex trafficking." We wonder how they can be so certain. Ignoring, for the moment, that all sorts of important speech can be branded as speech related to trafficking, even for speech we all agree is problematic, it is not clear what the Congressional authors of the bill, and SESTA's staunchest advocates, think smaller sites, like ours, should do to ensure that none of that content ever sneaks through and ends up in our comment sections. To use us as an example: we're a small site, with a small team and limited resources. But we do allow comments on our posts, because we think community is an important aspect of a modern media site -- and we get a lot of comments, to the point that it is literally impossible for us to review every single comment on the site. We also, obviously, get a fair number of spam comments, and have put in place spam filters. The spam filters are pretty good, but they will make a few Type I and Type II errors at times (i.e., accidentally holding a legit comment and accidentally letting through a spam comment).

The number of comments (spam and not spam) vary day by day, but it's not uncommon to deal with on the order of 2000 comments or so (both spam and not spam) on a daily basis. We cannot read through all of them. And at least some of the spam may be advertising questionable and illegal behavior -- potentially sex trafficking. Here's an example that I found in our spam filter. The title of the spam reads "hot chinese women" but the text of the comment links to a site advertising "columbian girls" and while we've redacted part of the URL (we don't want to promote them at all), as you can see, part of the domain involves "love." Most of the text is nonsense garbage which is just designed to get through a spam filter (thankfully, in this case, it did not work):

Is this comment "facilitating sex trafficking" under federal law? I certainly hope not. But it's possible that the links in that spam go to a site that facilitates sex trafficking. And, while this comment was caught in our spam filter, what if it had gotten through? Do we now have "knowledge" that Techdirt, via its open comments, "assisted, supported, or facilitated" a violation of sex trafficking law? I would still argue that we don't, because we had no knowledge of that particular comment, and if we had seen it sneak through the spam filters, we clearly would have flagged it as spam and taken it off the site. But... the standard in the bill is not at all clear. Even worse: could this very post -- in which I'm explaining to Congress the uncertainty created by its own bill -- be used as evidence of me showing "knowledge" that sometimes spammers try to post these kinds of comments on our site? Is that enough to pass the hurdle in the bill to suggest I now have the requisite "knowledge" to potentially be both civilly and criminally liable? That would be a patently ridiculous outcome, but that, alone, represents some of the key problems of the bill as written.

Indeed, my concerns about merely asking Congress what sites like ours should do, demonstrate the automatic chilling effect in the bill. The chilling effect is happening now, before the bill is even passed.

I would hope that most rational people would say that we should not be liable just because some spammer is possibly clever enough to get a comment like this around our spam filters. But... as the bill is worded now, I am left wondering how do I avoid such liability? There are no clear safe harbors that tell me what steps to take to avoid such liability. Are we required to use a spam filter? What if none are perfect enough? Is the only way I can protect Techdirt be to kill the comment section and all the benefits a comment section enables? Can Senators Rob Portman and Richard Blumenthal tell me what to do? After all, during the hearing on this bill, when Blumenthal was told about its effect on smaller, independent sites, he insisted that such sites were "outliers" who "should be prosecuted." Is that what Blumenthal really thinks? A blog with a spam filter that is not 100% accurate should be prosecuted? If that's not what he thinks, then shouldn't the law he helped write make it clear for bloggers like me that merely allowing comments should not expose us to liability? Do small sites like Techdirt need to get pre-approval by the Internet Association who endorsed the bill to know if we'd be ok? Or, more likely, should sites like ours now need to go spend hundreds or thousands of dollars on lawyers to get an opinion that won't actually stop any potential lawsuit?

I am sure that many supporters of SESTA will argue that this is an extreme scenario. They will say, "Oh, come on, no one is going to go after you for a spam comment." I hope that's true! But, under the language of the bill, it's unclear. And that's the problem. We've certainly seen (repeatedly) that when someone wants to attack a site, they will use whatever laws they can find on the books. To make matters worse, SESTA also allows state Attorneys General to bring both civil and criminal suits. We've certainly upset some state Attorneys General in the past. Would a vindictive one use this opportunity to stifle Techdirt and shut it down? I, again, hope not, but we're living in an age where apparently it's considered okay for politicians to use their bully pulpits to threaten legal action against opponents, including the press.

There may be ways to improve SESTA -- but many of the ideas on the table also have potential serious negative consequences. We should be engaged in a careful discussion about those consequences and the costs and benefits of various approaches. There needs to be a clear explanation for how sites like ours can avoid these risks. But that's not what's happening. Small sites don't have the resources of a Facebook or a Google. They can't just spend thousands of dollars on lawyers to figure out how to navigate this new vague language, which wouldn't even guarantee that they won't get in trouble just because, say, a spam filter isn't good enough.

SESTA isn't just a bad bill because it won't do anything to stop trafficking (the trafficking will continue). It leaves smaller sites, such as ours, completely in the lurch over what our own level of risk is. So, a plea to Congress -- and Senators Portman and Blumenthal specifically: if you are going to move forward on this bill at least fix it so that sites like ours know what to do to stay on the right side of the law.

Filed Under: cda 230, comments, intermediary liability, richard blumenthal, rob portman, sesta, spam, techdirt

Court Says Google Has A First Amendment Right To Delist Competitor's 'Spammy' Content

from the Sec.-230-not-so-much-though dept

Last summer, a Florida federal court reached some unusual conclusions in a lawsuit filed by SEO company e-ventures, which felt Google had overstepped its bounds in delisting a lot of its links. Google defended itself, citing both Section 230 and the First Amendment. The court disagreed with both arguments.

As to Section 230, the court found that Google's delisting efforts weren't in "good faith." The reason cited was e-ventures' claim that the delisting was in "bad faith." So much for this seldom-used aspect of Section 230: the "Good Samaritan" clause which states no third-party company can be found liable for actions it takes to remove content it finds questionable. And so much for "viewed in the light most favorable to the non-moving party." Apparently, Google's long history of spam-fighting efforts is nothing compared to an SEO wrangler's pained assertions.

The court also said Google had no First Amendment right to handle its search rankings however it saw fit, which is more than a little problematic. While it admitted Google's search rankings were protected speech, its statements about how it handled search engines weren't. And, for some reason, the court felt that Google's ads undermined its First Amendment protections because its desire to turn a profit somehow nullified its "editorial judgment."

It was a strange decision and one that suggested this court might be considering getting into the business of telling service providers how to run their businesses. It also suggested this court believed the more successful the business was, the fewer rights and protections it had. These dubious conclusions prevented Google from having the case dismissed.

Fortunately, this wasn't the final decision. As Eric Goldman points out, last year's denial only delayed the inevitable. After a few more rounds of arguments and legal paperwork, Google has prevailed. But there's not much to celebrate in this decision as the court has (again) decided to route around Google's Section 230 "Good Samaritan" defense.

Regarding 230(c)(2), the court says “spam” can qualify as “harassing” or “objectionable” content (cite to e360insight with a but-see to the Song Fi case). Still, the court says e-ventures “brought forward enough circumstantial evidence” about Google’s motivations to send the case to a trial. By making it so Google can’t even win on summary judgment, rulings like this just reinforce how Section 230(c)(2) is a useless safe harbor.

Had it ended there, Google would be still be facing e-ventures' claims. But it didn't. The court takes another look at Google's First Amendment claims and finds that the search engine provider does actually have the right to remove "spammy" links. Beyond that, it finds Google even has the First Amendment right to remove competitors' content. From the order [PDF]:

“[T]he First Amendment protects as speech the results produced by an Internet search engine.” Zhang v. Baidu.com, Inc., 10 F. Supp. 3d 433, 435 (S.D.N.Y. 2014). A search engine is akin to a publisher, whose judgments about what to publish and what not to publish are absolutely protected by the First Amendment. See Miami Herald Publ’g Co. v. Tornillo, 418 U.S. 241, 258 (1974) (“The choice of material to go into a newspaper . . .—whether fair or unfair—constitute[s] the exercise of editorial control and judgment” that the First Amendment protects.) The presumption that editorial judgments, no matter the motive, are protected expression is too high a bar for e-ventures to overcome.

And the court walks back its earlier conclusion -- the one that seemed to find profit-motivated "editorial judgment" to be unworthy of First Amendment protections.

Google’s actions in formulating rankings for its search engine and in determining whether certain websites are contrary to Google’s guidelines and thereby subject to removal are the same as decisions by a newspaper editor regarding which content to publish, which article belongs on the front page, and which article is unworthy of publication. The First Amendment protects these decisions, whether they are fair or unfair, or motivated by profit or altruism.

The case is now dismissed with prejudice which bars e-ventures from complaining about Google's delisting efforts in federal court. e-ventures has gone this far already in hopes of seeing its terms-violating content reinstated, so it will likely attempt to appeal this decision. But it really shouldn't. It's unlikely another set of judges will help it clear the First Amendment hurdle. Not only that, but this area of law should be well-settled by now, as Goldman points out:

Of course Google can de-index sites it thinks are spam. It’s hard to believe we’re still litigating that issue in 2017; these issues were explored in suits like SearchKing and KinderStart from over a decade ago.

The plaintiff was given a long leash by the court, which should have tossed last year. Even with the extra time and the court doings its Section 230 circumvention work for it, e-ventures still couldn't prevail.

Filed Under: cda 230, first amendment, search results, section 230, spam
Companies: e-ventures, google

Confused Reporter Doubles Down On Bogus Trump/Russian Server Story With 'I'm Just Asking Questions' Non-Apology

from the this-fucking-election dept

Franklin Foer is a pretty famous reporter. But this week he totally blew a story that a ton of other media operations had passed on (for good reason), claiming that there was an internet server out there owned by Donald Trump, that was communicating almost exclusively with a server for a Russian bank. It took all of a few minutes to debunk this as technological confusion on the part of Foer, and a whole heck of a lot of confirmation bias between Foer and the security researchers who had concocted this conspiracy theory with data that they're only supposed to be using for malware research. Of course, in this stupid election season where both candidates simply love to fling ridiculous accusations at one another, Hillary Clinton herself tweeted out two separate tweets about the article, and called it "the most direct link yet between Donald Trump and Moscow."

Except, of course, that was bullshit. It was nothing of the sort. It was some confused security researchers, teaming up with a reporter who famously doesn't like the internet or technology, getting a story so ridiculously wrong that it hurts. Some of us kept waiting for Slate to correct or just pull down the story, but they didn't. They put one small update and one small correction that didn't even touch on the core elements of the story that Foer completely flubbed.

On Thursday, instead, Foer released a new story, which he claims is him "revisiting" the story to evaluate "new evidence and countertheories." But that's also bullshit. The original theory made no sense at all. The "countertheories" are perfectly logical explanations backed up by data -- but Foer basically puts them all on equal footing and claims he stands by his original reporting. Ridiculously, Foer tries to debunk the claims that everyone made that this was just an outsourced Trump hotel spam server, by arguing that it never appeared on any spam blackhole lists:

Was the server sending spam—unsolicited mail—as opposed to legitimate commercial marketing? There are databases that assiduously and comprehensively catalog spam. I entered the internet protocal address for mail1.trump-email.com to check if it ever showed up in Spamhaus and DNSBL.info. There were no traces of the IP address ever delivering spam. Perhaps the spam went uncataloged because it was being sent to a single bank in Russia, but L. Jean Camp, an Indiana University computer scientist and a source in my original story, thought that possibility unlikely. “It’s highly implausible that spam would continue for so many months, that it would never be reported to spam blocker, or that nobody else in the world would see the spam during that time frame,” she told me.

Wait, what? This seems to be Foer doubling down on his ignorance and confusion about the story. Almost everyone discussing how this was a spam server was using "spam" in the colloquial sense of "marketing emails." They weren't arguing that it was a literal unsolicited email server spewing things like fake Viagra or fake diplomas (though, with Trump, I guess that last one is a possibility too). It's just a marketing server. People who stay at Trump hotels get on a mailing list. I get that kind of spam all the time from hotels or hotel chains I've stayed at. I don't categorize it as outright spam in the purely scammy sense, but it's marketing spam. But Foer and Camp seem to act as if everyone meant the scammy kind of spam.

And, as Rob Graham notes in yet another debunking of Foer, this shows a serious misunderstanding of how spam blacklists work anyway:

Cendyn is constantly getting added to blocklists when people complain. They spend considerable effort contacting the many organizations maintaining blocklists, proving they do "opt-outs", and getting "white-listed" instead of "black-listed". Indeed, the entire spam-blacklisting industry is a bit of scam -- getting white-listed often involves a bit of cash.

Those maintaining blacklists only go back a few months. The article is in error saying there's no record ever of Cendyn sending spam. Instead, if an address comes up clean, it means there's no record for the past few months. And, if Cendyn is in the white-lists, there would be no record of "spam" at all, anyway.

Later, Foer does consider the marketing email idea, but also tries to discount it.

Still, the marketing email theory has a few holes. A typical marketing campaign would involve the wide distribution of emails, spreading word of discounted prices and hotel openings far and wide. It seems unlikely that a campaign would so exclusively focus its efforts on a bank in Russia and a health care company in Michigan (which received a small batch of DNS look-ups), even if, as one critic has claimed, executives from Alfa Bank had a penchant for staying in Trump hotels.

Except that's misleading too. Because the information that has been revealed publicly does not prove that the server in question only communicated with the Russian server. In fact, others have argued it's not true.

Graham also raises some pretty serious questions about one of the "DNS experts" that Foer relies on, Jean Camp:

Jean Camp isn't an expert. I've never heard of her before. She gets details wrong. Take for example in this blogpost where she discusses lookups for the domain mail.trump-email.com.moscow.alfaintra.net. She says:

This query is unusual in that is merges two hostnames into one. It makes the most sense as a human error in inserting a new hostname in some dialog window, but neglected to hit the backspace to delete the old hostname.

Uh, no. It's normal DNS behavior with non-FQDNs. If the lookup for a name fails, computers will try again, pasting the local domain on the end. In other words, when Twitter's DNS was taken offline by the DDoS attack a couple weeks ago, those monitoring DNS saw a zillion lookups for names like "www.twitter.com.example.com".

He then goes on to reproduce that kind of merged hostname situation. Graham has a number of other examples of technical points that Foer just gets totally wrong. It's kind of embarassing actually. Rather than admit he's wrong, Foer tries to just post these "countertheories" and then pulls out a "well, I just hope that my reporting gets us closer to the truth."

I pursued this story because I was impressed by the emphatic belief of the experts I consulted, my suspicions were raised by the evidence they presented, and I thought I would be remiss if I sat on data that I believed deserves to be evaluated and understood before we elect the next president. The underlying context for the piece is that Donald Trump has cultivated a troubling relationship with Russia, and the U.S. government has identified Russia as trying to meddle in this election. Not every nexus between the candidate and Russia is nefarious. This one might well be entirely innocent or even accidental. As the New York Times reported on Tuesday, after my story published, the FBI looked into the server activity but “ultimately concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts.” Or maybe it’s less than innocent, as the computer scientists suggested and still believe. (I’ve checked back with eight of the nine computer scientists and engineers I consulted for my original story, and they all stood by their fundamental analysis. One of them couldn't be reached.) I concluded my account of these scientists’ search for answers by arguing that the servers and their activity deserved further explanation. Hopefully my story and the debate that has followed will move us closer to a fuller understanding.

Except, it seems like "the truth" almost certainly is that there's no story at all here, and in publishing as if it was a story, a whole bunch of people are making questionable claims. The whole "Russian connection" thing that keeps popping up in this election is getting pretty ridiculous. It may very well be that the Russians are trying to muck with our election. Lots of credible people are suggesting that's the case. But then coming up with a bunch of weak conspiracy theories based on technical ignorance and confirmation bias is just like being scared of monsters in the shadows.

Filed Under: donald trump, emails, franklin foer, reporting, rob graham, russia, spam
Companies: alfa bank, slate