Latest Leak: NSA Abused Rules To Spy On Americans 'Thousands Of Times Each Year'

from the boom dept

Throughout the whole ordeal with the NSA leaks, the one line that we kept hearing from defenders of the program was that not only were these programs legal, no one had showed any abuse by the NSA. That is, even if this program was collecting data on everyone, the NSA had those important tools in place to block it from being abused. At last week's press conference, this was a key point made by President Obama. NSA boss Keith Alexander insisted that there was no abuse, while Rep. Mike Rogers, the NSA's prime defender and head of the House Intelligence Committee, similarly insisted that there was no abuse by the NSA. As we noted, that seemed hard to believe, given past revelations of clear abuse.

And... the latest report from the Washington Post based on leaked documents shows that an audit of the NSA's activities shows it broke privacy rules, mostly to spy on Americans, thousands of times per year:

The National Security Agency has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers in 2008, according to an internal audit and other top-secret documents.

Most of the infractions involve unauthorized surveillance of Americans or foreign intelligence targets in the United States, both of which are restricted by law and executive order. They range from significant violations of law to typographical errors that resulted in unintended interception of U.S. e-mails and telephone calls.

The audit info comes from Ed Snowden's leaks, so it seems rather incredible that President Obama, Keith Alexander and Mike Rogers didn't seem to realize that this audit would eventually come to light, showing that they were flat out 100% lying to the American public.

The NSA audit obtained by The Post, dated May 2012, counted 2,776 incidents in the preceding 12 months of unauthorized collection, storage, access to or distribution of legally protected communications. Most were unintended. Many involved failures of due diligence or violations of standard operating procedure. The most serious incidents included a violation of a court order and unauthorized use of data about more than 3,000 Americans and green-card holders.

The NSA's response to all of this is almost comical:

“We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line,” a senior NSA official said in an interview, speaking with White House permission on the condition of anonymity.

Well, of course! That's the point that we've made over and over and over again here in response to these claims of "no abuse." The NSA is made up of humans. And when you give humans the power to spy on just about anyone there will always be some abuse. This is why it's important to limit the collection of information, not promise to stop the abuses. You need to make such abuses much more difficult in the first place.

Even worse, this report only covers the NSA's activities in the DC area. Other NSA locations are not covered.

Three government officials, speaking on the condition of anonymity to discuss classified matters, said the number would be substantially higher if it included other NSA operating units and regional collection centers.

Even a long-term defender of the NSA's programs, Senate Intelligence Committee chair Dianne Feinstein, sounded a bit taken aback by the report, noting that the Intelligence Committee "can and should do more to independently verify that NSA’s operations are appropriate." Coming from Feinstein, that's a startling admission showing that she's finally realizing just how bad this program is -- a program that she's been defending very strongly for years.

The story also reveals the details of the now infamous, but secret, FISC order that had said certain collection practices were deemed unconstitutional by the FISC. Apparently, the NSA "diverted large volumes of international data passing through fiber-optic cables in the United States into a repository where the material could be stored temporarily for processing and selection," and then later admitted that there was a ton of US emails in there and that it was impossible to filter out the Americans. It was only months later that the FISC was fully informed of this and said the practice had to stop.

Perhaps the most ridiculous of the abuses was accidental, but reveals how easy it is to have these surveillance programs abused:

In one instance, the NSA decided that it need not report the unintended surveillance of Americans. A notable example in 2008 was the interception of a “large number” of calls placed from Washington when a programming error confused U.S. area code 202 for 20, the international dialing code for Egypt, according to a “quality assurance” review that was not distributed to the NSA’s oversight staff.

And, boom, just like that, a ton of calls from Washington DC were intercepted "by accident" and no one was told about it. No biggie.

So, now, can President Obama, Keith Alexander and Mike Rogers please explain why they lied about the lack of abuse?

Filed Under: abuse, ed snowden, leaks, nsa, nsa surveillance

Detroit Police Commander Emails Female Officers' Measurements To Entire Police Force

from the just-Detroit-being-Detroit,-I-suppose dept

An unfortunate and cautionary tale of inappropriate data "leakage" has emerged from Detroit (itself an unfortunate and cautionary tale). The lessons here are many, but one of the first is ALWAYS CHECK EVERY PAGE OF YOUR ATTACHMENT BEFORE FORWARDING TO THE ENTIRE MAILING LIST.

Police sources said about three weeks ago, Commander Dwayne Love was asked to notify the officers that their bullet proof vests were ready to be picked up. So he forwarded an email to the commanders, who then forwarded it to the supervisors, who then forwarded it to the officers.

White claimed Love didn't know the weight, height and bra cup sizes of the women were included on the attached Excel spreadsheet until it was too late.

The personal information was on the third page of the spreadsheet, something Love failed to notice before he forwarded the information. Apparently, everyone else in the chain of command failed to notice it as well. Or ignored it. Long story short, nearly every officer in the Detroit police department had access to the measurements of nearly every female officer on the force.

As is to be expected, certain officers decided to misuse this information.

[S]everal female officers, who say they have faced ridicule from fellow officers, with the help of their union are filing two grievances against the department and one complaint with EOC. Even if Love made an innocent mistake, the damage they feel has already been done.

There's one lesson: no matter what standard certain people are supposed to hold themselves to, there's always several who will willingly let that standard slip.

But there's a larger lesson here as well. The anonymous tipster who sent this in included the following statement with the submission.

Nice article to link to when you need an example of just how "professional" officers can be when they have access to sensitive/personal information.

First off, members of the police department weren't even professional enough to handle their own data without abusing the details that fell into their hands.

Now, extrapolate.

Thousands of police departments across the nation have access to the personal details of millions of citizens, including everything coughed up in order to get a driver's license. Add to that the information gathered by thousands of CCTV cameras, license plate scanners, red light cams, etc. and you've got a ton of data, most of it unrelated to any criminal activity, just laying around waiting for a "bad apple" to root through it for his or her own nefarious ends.

Extrapolate further.

Our nation's intelligence agencies have also gathered tons of data on Americans, much of it under dubious readings and interpretations of standing laws and elastically-defined words like "relevant." When we complain, the defenders explain that it is all handled very carefully and the agencies themselves take extraordinary safeguards against abuse of the gathered data.

But let's all be honest with each other. Every single one of these agencies hires from the human race, and the human race is stocked all too well with people prone to abusing the power and information under their control.

Rather than craft strict rules on the care and disposal of "non-relevant" information, these agencies tends towards amassing the data carelessly and holding it indefinitely. There are exceptions, of course, but the general feeling is grab it and hold it. Just in case.

So, you see the problem. Data is collected and left in the hands of humans. But we're expected to believe abuse is such a rarity that considering stricter safeguards or collection limitations is laughable.

When we see that a single police department can't even handled a botched internal email without finding itself on the receiving end of harassment claims, it doesn't give us much hope for larger data collections held by larger agencies, especially those with previous abuses on their rap sheets.

Filed Under: abuse, detroit, police, privacy

NSA Boss & Defenders Insist NSA Can't Abuse Surveillance Systems; Forgets To Mention It Already Has

from the just-saying dept

As NSA boss Keith Alexander was in Vegas to present at the Black Hat conference this week, much of the attention has been paid to the fact that he was heckled by audience members, though others in attendance said that the audience was "mostly supportive" of Alexander's statements. Either way, I'd like to focus in on a key point that he made, when he claimed that NSA analysts wouldn't abuse their surveillance powers, because they're audited and trained not to break the rules:

“The assumption is our people are just out there wheeling and dealing. Nothing could be further from the truth. We have tremendous oversight over these programmes. We can audit the actions of our people 100%, and we do that,” he said.

[....] Should anyone in the NSA try to circumvent that, in defiance of policy, they would be held accountable, he said: “There is 100% audibility.” Only 35 NSA analysts had the authority to query a database of US phone records, he said.

Meanwhile, Rep. Mike Rogers, who really doesn't know when to give up, went out on Twitter to "defend" the leaks about XKeyscore, insisting that they're magically immune from abuse because of "legal constraints, comprehensive training and layers of oversight built into all NSA programs."

You see, that sounds great... except for the fact that we already know that they have abused those powers. Back in 2009, it was revealed that NSA analysts viewed former President Bill Clinton's emails:

An anonymous former intelligence analyst tells reporters James Risen and Eric Lichtblau that during much of the Bush years, the NSA “tolerated significant collection and examination of domestic e-mail messages without warrants.” Reportedly, one of the accessed domestic e-mail accounts belonged to former President Bill Clinton.

This same report gets to the supposed "training" that Alexander insists helps to prevent abuse:

The former analyst added that his instructors had warned against committing any abuses, telling his class that another analyst had been investigated because he had improperly accessed the personal e-mail of former President Bill Clinton.

I can just imagine sitting in that "training" in which the NSA says don't look at people's emails, because someone once looked at Bill Clinton's emails. That seems more like daring them to spy on emails. It's telling them "holy shit, you can look at famous and powerful people's emails." And, of course, that's not the only story of abuse. A year earlier, it was reported that NSA linguists listened in on phone sex calls between Americans living abroad.

Adrienne Kinne, a former U.S. Army Reserves Arab linguist, told ABC News the NSA was listening to the phone calls of U.S. military officers, journalists and aid workers overseas who were talking about "personal, private things with Americans who are not in any way, shape or form associated with anything to do with terrorism."

David Murfee Faulk, a former U.S. Navy Arab linguist, said in the news report that he and his colleagues were listening to the conversations of military officers in Iraq who were talking with their spouses or girlfriends in the United States.

According to Faulk, they would often share the contents of some of the more salacious calls stored on their computers, listening to what he called "phone sex" and "pillow talk."

So, forgive us for being skeptical when Alexander and Rogers insist that abuse is basically impossible because of "oversight" and "training." We've already seen that abuse occur. As far as I know, the NSA still hires analysts from the human race, and with that comes people who are given great responsibility -- and the ability to give in to temptation, such as scouring a former President's emails. To claim that there isn't any abuse just isn't credible.

Filed Under: abuse, keith alexander, mike rogers, nsa, nsa surveillance, privacy

Report On TSA Misconduct Finds 1 In 16 Employees Was Investigated Last Year

from the and-that's-just-the-beginning-of-the-bad-news dept

The TSA's security theater is now officially a substandard off-Broadway production. The Government Accountability Office has released a damning report* on the TSA's handling of employee misconduct. Not that the TSA doesn't have its hands full simply writing up the paperwork on ill-behaved employees. From 2010-2012, over 9,600 cases of employee misconduct were reported, with 3,408 of those coming in 2012, an increase of over 700 cases from the previous year.

* Honestly, the GAO doesn't seem to release any other kind of report than "damning." At this point, "all systems nominal" would be the government equivalent of receiving a third Michelin star.

A large percentage of these cases were of the banal, could-happen-at-any-workplace variety.

As with many jobs, the largest group of misconduct offenses involved “Attendance and Leave” issues — “Unexcused or excessive absences or tardiness, absence without leave, failure to follow leave procedures.” This accounted for nearly 1/3 of all investigations between 2010 and 2012.

The more shocking statistic is the number of cases related to the specifics of the job -- screening and security. 1,936 cases -- 20% of the total -- were violations like failing to follow standard operating procedures, bypassing security or sleeping on the job. Another 16% (1,548 cases) weren't any better -- insubordination, ignoring policies and disrespectful conduct.

Remember, these employees are the last line of defense between terrorists and planes, at least according to the narrative that's presented when infants and elementary school kids being detained and invasively searched. (Or when iPads go missing.) The TSA likes to brag about the weapons it's caught, but this data indicates there's still a good chance many weapons are making it through.

Then there's this:

4% -- 426 cases -- fell under this heading: "Inattention to duty resulting in a loss of property or life, careless inspection."

Adding it all up: nearly 40% of the misconduct cases fall under headings that could very conceivably undercut what little actual "security" the dog-and-pony-and-naked-scan show provides. As with any large government agency, most cases were handled with disciplinary triplicate (Letter of Reprimand). Hopefully, those were limited to non-security-breaching first offenses. But temper that hope with this dash of reality -- a mere 17% of violations resulted in termination.

Even these numbers fail to tell the whole story. Things could actually be worse than these stats make it appear. The GAO found the agency's recordkeeping skills to be as lax as its discipline.

Additionally, TSA is criticized for its failure to keep full documentation of misconduct cases, in spite of having a database in which all that info should be kept. GAO blames TSA leadership, which has not issued guidance requiring the recording of all misconduct investigation outcomes.

This brings to light the scariest deficiency of the TSA’s investigation and adjudication process — It lacks “procedures to follow up on completed misconduct investigations to ensure that the agency has identified cases requiring adjudication,” writes GAO.

I realize that private sector businesses usually only fire employees for egregious wrongdoing and that most infractions are "written up" rather than pink slipped. And I realize there are several companies who take a hands-off approach to employee discipline, allowing lousy staffers to stay employed long after they've outlived their usefulness.

But the TSA is no ordinary business. It's stated purpose is to ensure the safety of millions of travelers. It should hold itself to a much higher standard than companies and agencies not charged with protecting the lives of others. Instead, the agency slaps wrists, hands out suspensions and defers any charges from the court of public opinion to the passive-aggressive statements and quasi-apologies of Blogger Bob.

The government wants us to believe in the power of its security theater but the agency's failure to effectively police its own staff undercuts its own narrative.

Filed Under: abuse, misconduct, security, security theater, tsa

Government Has Already Fooled Us More Than Once On Privacy; History Belies How CISPA Will Be Used

from the let's-get-real dept

One of the key things we've seen in the pushback on CISPA is that its backers insist that people arguing against it don't really understand how the bill works, and that it does protect privacy. CISPA sponsor Rep. Mike Rogers himself took to Twitter this morning to tell the EFF that it's misreading his bill. But, of course, as we've seen, it seems that Rogers himself is the one being misleading when it comes to privacy. If he truly believed in privacy protections, he would have supported a variety of straightforward amendments that made it clear how privacy could be protected. But he didn't. Instead, he clearly left it open for abuse.

One of the key points that Rogers keeps saying over and over again is that this bill is not a "surveillance" bill. Why? Because it doesn't allow the NSA or others to go in and automatically get info. But Rogers is choosing his words very carefully, such that he absolutely misrepresents how the bill can and almost certainly will be used. And while he and other CISPA supporters will (and have) argued that the possible abuses of CISPA are crazy conspiracy theories that wouldn't happen in practice, we have too many examples of how the US government's intelligence infrastructure very quickly expands to make use of every single loophole provided to them within the law -- sometimes going so far as to interpret laws in ways clearly contrary to Congressional intent, just because they can. Let's just highlight two examples:

1. The FISA Amendments Act, which was passed in association with the Patriot Act, supposedly to give the NSA more powers to scoop up communications of folks involved in terrorist activity. Now, the NSA is -- by mandate -- not allowed to spy on Americans. And yet, multiple whistleblowers and hints from folks who know in Congress have made it quite clear that the NSA has interpreted the FISA Amendments Act to allow exactly that -- even as many in Congress clearly don't understand how the bill is being used.
   
   While it's still not official, enough information has been revealed to show that the NSA interprets the requirement that its surveillance target foreign persons to mean that as long as it's looking for foreign terrorist activity, it can spy on everyone. Get that? It's a sneaky trick that many have not realized. The NSA argues -- likely with agreement from a secret court ruling -- that so long as it can claim that it is investigating a foreign threat somewhere, somehow, the prohibition on spying on Americans does not apply. There is increasing evidence that this now means that the NSA is scooping up pretty much all data it can get its hands on. While it may not be going through it in real time, it appears to believe that as long as it can make the argument that it's searching for a foreign threat, that it can delve into that treasure chest of, well, everything.
   
   
2. Next: the "national security letters" (NSL) issue. While a court recently ruled these unconstitutional, this process has been widely abused by the FBI for years to get private information on people without a warrant and with a gag order on recipients. Every time it's been investigated, it's been shown that the FBI has widely abused its NSL powers. However, since there's almost no oversight, the FBI still feels free to make widespread use of the tool, which was only supposed to be used in extreme circumstances.
   
   Along those lines, the FBI has gotten so comfortable with asking companies for data without a warrant or any formal oversight process, that it was revealed a few years ago that, rather than going through the drudge of actually processing paperwork to get private info from AT&T, some agents simply used Post-It Notes to make their requests, which AT&T readily coughed up without question.

The point, hopefully, is clear. We've never seen law enforcement show any hint of not making use of any and all powers it has at its disposal to twist and interpret laws to allow it to get private information on people without a warrant or any real oversight. While the latest version of CISPA pays some tiny lip service to privacy, the simple fact is that, by definition, it wipes out all privacy laws in protecting companies entirely from liability for coughing up your information.

CISPA supporters also like to claim that since CISPA is "voluntary," companies will have no reason to give up your private info. That's nice in theory. And, sure, perhaps some principled companies will resist, but we've already seen the AT&T example above. And, even more importantly, we've seen how pressure from the US government, or even threats of the government shaming them publicly for not "helping" have been incredibly effective in making "voluntary" action suddenly seem obligated.

The saying goes "fool me once, shame on you. Fool me twice, shame on me." We've been fooled many times by the US government insisting that certain laws won't be used to violate our privacy, when it later comes out that they were used in exactly that way. So forgive us for calling bullshit on Mike Rogers' claims that CISPA doesn't "allow" the government to spy on Americans. It absolutely does. It opens up a clear path for law enforcement and intelligence agencies (and others!) to hide behind the liability protections within the law to pressure companies to reveal whatever they want with absolutely no repercussions.

That seems like a pretty serious issue, and one that Congress and supporters of CISPA don't seem to want to admit.

Filed Under: abuse, cispa, cybersecurity, fisa amendments act, intelligence, mike rogers, national security letters, privacy

State Audit Finds More Than Half Of Minnesota's 11,000 Law Enforcement Users Misused Driver Data

from the unfortunately,-nothing-really-shocking-about-these-findings dept

It's been proven before by various government agencies and it still holds true: if you give someone more access than oversight when it comes to collected personal information, you can't be surprised when this tool gets abused.

The latest abuse of a government-harvested database was uncovered by state auditors in Minnesota. The report details extensive misuse of driver's license records by law enforcement agencies.

The review by the state's legislative auditor — highly anticipated by legislators and privacy advocates — said officers need better training in allowed uses of the protected data, and local and state agencies should do more to monitor use. Beyond 88 incidents of misuse documented in state records last year, auditors found even more suspicious activity buried in audit trails.

More than half of the 11,000 law enforcement users of the Driver and Vehicle Services (DVS) website in that time frame queried themselves or people with the same last name, for example, or disproportionately searched for people of one sex.

This study's findings will likely result in some additions to legislation proposed earlier this year, which seeks to add penalties and transparency to data breaches by government employees, requiring local agencies to post full investigation reports online should any breach occur. The legislation itself was written in response to a severe data breach traced back to a single government employee.

The legislation came on the heels of news that a former employee at the Department of Natural Resources had viewed thousands of drivers license records — almost exclusively of women — without a permissible use. That employee, John Hunt, is now facing criminal charges, and his actions have spurred five federal lawsuits against the state.

This employee might have been caught more quickly, but Hunt likely knew the limitations of the DPS auditing system and stayed below the radar, despite making nearly 19,000 queries to the database over the course of five years.

The report also recommended that because audits by the DPS largely detect heavy users, rather than suspicious use, local agencies should conduct more proactive monitoring. They suggested the department beef up its abilities to assist local agencies.

[Public safety commissioner Mona] Dohman said in an interview that the queries were so spread out that he did not emerge in their monthly review of the top 50 users.

In addition to the larger breaches, there were also cases where failure to deactivate accounts resulted in additional misuse of the DVS system.

During the 18 months ending June 30, 2012, 13 users conducted queries using access privileges associated with law enforcement agencies that no longer existed. Over the same time period, three former employees of state law enforcement agencies, as well as four former employees of local law enforcement agencies, accessed the DVS Web site using usernames and passwords that should have been disabled.

The current process for disabling accounts is almost farcical in its slowness. The report points out that the DVS allows accounts to remain dormant for 120 days before inactivating them. While this is a huge improvement over the 500 days it used to allow, it's still plenty of time for anyone looking to query a database they should no longer have access to.

Compounding the existing misuse issues is the fact that law enforcement agencies have exempted themselves from many of the policies affecting authorized civilian users. To begin with, sworn officers are not required to attend training or refresher courses on proper use of the DVS system, including policies regarding general security and appropriate data use. Officers are also exempted from the same user agreement that greets civilians at login and are otherwise not held accountable by any agreement when utilizing the DVS database.

DPS (Dept. of Public Safety) has not implemented other access management practices for all users. For example, DPS does not require a user agreement for sworn officers with access to the DVS Web site. Civilian law enforcement employees must sign a user agreement justifying their need for driver's license information, including their specific needs for access to driver's license photographs. DVS staff review the agreements before granting access. BCA (Bureau of Criminal Apprehension) has a signed intra-agency agreement with DVS. Agencies with employees who access BCA systems sign an agreement taking responsibility for access by their staff, among other things. Thus, it is only sworn officers who use the DVS Web site for whom DPS does not require an agreement, signed by the user or his or her employer, taking responsibility for appropriate access.

The findings of this study will certainly raise questions about this law enforcement double-standard. The proposed legislation and its attendant penalties and openness is, unsurprisingly, being fought by the law enforcement community.

House author Rep. Mary Liz Holberg, R-Lakeville, said she has already met resistance from some law enforcement entities.

"If you have bad actors in your bunch, then why shouldn't the public know about it?" Holberg said. "It seems like nobody wants any sunshine around this issue. And I think it would do a lot to rebuild the public trust if there was more public awareness of misuse and consequences."

It's pretty hard to rebuild public trust when you don't trust the public. Or, at least, don't trust them enough to be honest with them. The law enforcement fraternity has never been one for openness and consistency. As the study notes, misuse of the DVS system is handled differently by every law enforcement agency, if it's even punished at all. The lack of a codified "best practices" or even a basic "user agreement" that holds the individual officer responsible for his actions has led to widespread misuse. Minnesota's legislators are on the right track and this audit offers some very sound suggestions, but the feeling that those who enforce the law should be exempted from these same laws is somewhat endemic in law enforcement, meaning this has the potential to get worse before it gets any better. If they aren't careful, this legislation could reach passage with very few "teeth" intact, if it gets there at all.

Filed Under: abuse, data, driver data, minnesota, privacy

Company Tries To Delete Recording Of Exec Cursing Analyst During Conference Call Via Copyright Claim

from the copyright-is-not-your-personal-time-machine dept

Oh, look. It's our good friend "copyright" being used to perform a some light censorship. Certain entities seem to love this aspect of copyright -- the fact that it can be used to sweep something embarrassing under the rug.

The entity involved in activating copyright's wonder twin powers (form of a broom!) is Canada's Encana Corporation. And what needs to be swept away? A muttered expletive directed at an analyst who had the audacity to ask a tough question during a conference call.

Encana Corp, Canada's largest natural gas producer, apologized on Thursday because one of its executives cursed after an analyst asked about whether new Canadian investment rules would prohibit its takeover by foreign state-owned entities.

When asked the question by Canaccord Genuity analyst Phil Skolnick, interim CEO Clayton Woitas said: "The answer would be no." Then, in a whispered comment that was clearly audible on a replay of the call, someone can be heard saying, "fucking asshole."

Nice. Apparently, the swearing executive somehow forgot that being in a room full of microphones means even the under-the-breath swearing will be broadcast. Encana, of course, swiftly apologized for the low flying insult. But, instead of leaving it there (which would be perfectly acceptable -- people being fallible and all that), it has decided it needs to erase the recording from the internet, in hopes that reality will fall in line with the official transcript of the conference call.

Unfortunately for Encana, the recording has already been uploaded to Chirbit, an audio sharing site, and so far the play button has been pushed over 55,000 times. Encana is now leaning on Chirbit to take the clip down.

On Thursday, Chirbit founder Ivan Reyes said he has received a takedown request from Encana. Mr. Reyes has declined, citing fair use provisions in copyright law and a site policy directing that such requests be sent to the poster of audio.

Encana, in its request, says:

“Encana is the copyright owner of the Recording. It was expressly stated at the outset of the Conference Call that 'this conference call may not be recorded or rebroadcast without the express consent of Encana Corporation',” the letter states.

“The Recording has been posted without Encana’s consent. The unauthorized use of this Recording clearly constitutes copyright infringement. ... Encana views this matter extremely seriously and requests that you respond to the undersigned on or before the close of business on Friday, February 22, 2013, failing which, Encana will have no other recourse but to take all actions as may be available to it to protect its proprietary rights.”

Encana is trying to erase two words from the internet, something its spokesman finds reasonable and, more sadly, possible.

“I think any individual or organization that has something embarrassing broadcast over the web without proper permissions would make any attempt to have that content eventually removed as, understandably, we do not wish to have that clip living on in perpetuity on the web,” he said.

The clip was uploaded by a Globe and Mail reporter who had recorded the conference call, common practice among journalists to ensure accuracy in their reporting. Copyright over the entire call, much less those two words, is a pretty grey area. Over at the Canadian Intellectual Property Blog, Jahangir Valiani breaks down this scenario.

To be clear, assuming there is no agreement to the contrary, the only aspect of the conversation posted that Encana may be able to claim copyright over is the three words said by its employees. Copyright to the question posed by the third party would belong to that third party unless the person who posed the question assigned it in writing to Encana.

For copyright to exist in a statement, the statement being copyrighted must be an “original… work”. The test for originality in Canada requires the author to exercise skill and judgement, where the skill and judgement exercised must not be so trivial as to be characterized as purely mechanical. While the qualitative test for a statement to be a “work” is low, there is a quantitative minimum that must be met for copyright protection.

The statements made by the Encana executives in this scenario do not qualify for copyright protection as they fail to meet both the criteria for a copyrightable work. The obscenity was not an exercise of skill and judgement. It was an impulsive response to a question that the speaker found insulting. In fact, if the speaker had exercised skill and judgement, it is likely that the he wouldn't have said the obscenity at all.

Valiani says that, in this case, copyright protection for the exec's "unguarded moment" isn't impossible, it's just highly unlikely. If Encana has any recourse, it would be to pursue legal action for breach of contract, as Encana specifically prohibited third-party recording. As noted above, Chirbit is leaving the clip up, citing fair use.

This likely won't satisfy Encana, which clearly wishes the clip to be vanished into the copyright cornfield. The reality of the situation is that even if it gets the clip taken down, the recording will very definitely resurface. Encana's best move is to simply let it go. People swear and do inappropriate things at inappropriate times. Continued pursuit of the offending clip will only "Streisand" it, causing it spread across the internet like a sweary wildfire. Even if Encana is within its rights, it gains nothing by attempting to whitewash something that is already public knowledge.

Filed Under: abuse, analyst, canada, censorship, copyright, cursing
Companies: encana

DMCA Nonsense: Your Default Login Page Is A Ripoff Of Our Default Login Page!

from the username-then-password,-what-a-work-of-art dept

No matter how brazenly people abuse the DMCA takedown process, and no matter how ridiculous the notices get, it seems like there's always someone waiting to do something even stupider. This latest incident, submitted by Anonymous American, is a serious contender for the crown dunce cap: a DMCA takedown over a login page.

And not just any login page, but the barely-modified default login page of an open source website platform, which the operators of iPhotographyCourse.com claim infringes on... their own barely-modified default login page of a different open source website platform. Yeah. Jenny McCann, who runs the Institute of Photography website built on the Moodle content management system, received a takedown notice claiming that her login page was infringing. When she asked for clarification, she was simply told "entire page copied". Here's the supposedly infringing page:

And here's the "original":

Even at first glance, the claim is obviously idiotic. There is nothing similar about the pages beyond the purely functional login page elements. But things get really amusing when you realize that the iPhotographyCourse page is virtually unaltered from the default Wordpress login page:

The only expressive choices—a requirement of copyright protection—are the inclusion of the logo (the rather poor inclusion, as there are visible artifacts at the top of the image that show the logo was sloppily clipped from the site's front page banner, meaning the designer didn't even have a copy of it on hand) and the rounding of the button corners (which may actually just be a Wordpress version discrepancy). As if that wasn't enough, the supposedly infringing login page is itself just a minor modification of the default Moodle page:

A new frame, color scheme and accent image—nothing major, but actually significantly more design changes than the iPhotographyCourse page, and far more likely to qualify for some level of copyright protection. And, quite clearly, in no way an infringing copy.

According to later comments from McCann on the Moodle forum thread, the login page was specifically included among other items in the takedown which related to actual content on the site. It could be that there is more merit to the other complaints, but McCann does not believe there is, and judging from the utter stupidity of this example, I'm inclined to suspect she's right. Either way, the people behind iPhotographyCourse, like so many before them, have exposed their true intentions by targeting such an obviously non-infringing page: this isn't about protecting intellectual property, but interfering with competition by abusing the DMCA process. Either that, or they are tragic victims of our ownership culture who also haven't logged into a website in the past ten years.

Filed Under: abuse, censorship, dmca, iphotographycourse, login

Congressional Investigation Slams DHS Anti-Terror Centers: Wasted Taxpayer Funds, Created No Useful Intelligence & Violated Civil Liberties

from the have-we-done-anything-useful? dept

Since September 11th, the government has often had something of a blank check (and the equivalent lack of oversight) for anything labeled as being part of an anti-terror effort. As such, it should hardly come as a surprise that programs are wasteful, possibly fraudulent, bad for civil liberties and (oh yeah) completely useless (to actively harmful) in fighting terrorism. A Congressional investigation into the Department of Homeland Security's (DHS) "fusion centers," which were supposed to be a key force in anti-terrorism efforts, presents an absolutely scathing condemnation of the effort.

The Subcommittee investigation found that DHS-assigned detailees to the fusion centers forwarded "intelligence" of uneven quality - oftentimes shoddy, rarely timely, sometimes endangering citizens' civil liberties and Privacy Act protections, occasionally taken from already-published public sources, and more often than not unrelated to terrorism. The Subcommittee investigation also found that DHS officials' public claims about fusion centers were not always accurate. For instance, DHS officials asserted that some fusion centers existed when they did not. At times, DHS officials overstated fusion centers' "success stories." At other times, DHS officials failed to disclose or acknowledge non-public evaluations highlighting a host of problems at fusion centers and in DHS' own operations.

Oh, and did we mention how wasteful they were? Apparently, taxpayer money simply "disappeared" into the program often being spent on totally unrelated things like flat screen TVs:

The Subcommittee investigation also reviewed how the Federal Emergency Management Agency (FEMA), a component of DHS, distributed hundreds of millions of taxpayer dollars to support state and local fusion centers. DHS revealed that it was unable to provide an accurate tally of how much it had granted to states and cities to support fusion centers efforts, instead producing broad estimates of the total amount of federal dollars spent on fusion center activities from 2003 to 2011, estimates which ranged from $289 million to $1.4 billion. The Subcommittee investigation also found that DHS failed to adequately police how states and municipalities used the money intended for fusion centers. The investigation found that DHS did not know with any accuracy how much grant money it has spent on specific fusion centers, nor could it say how most of those grant funds were spent, nor has it examined the effectiveness of those grant dollars. The Subcommittee conducted a more detailed case study review of expenditures of DHS grant funds at five fusion centers, all of which lacked basic, "must-have" intelligence capabilities, according to assessments conducted by and for DHS. The Subcommittee investigation found that the state and local agencies used some of the federal grant money to purchase: dozens of flat-screen TVs; Sport Utility Vehicles they then gave away to other local agencies; and hidden "shirt button" cameras, cell phone tracking devices, and other surveillance equipment unrelated to the analytical mission of a fusion center.

Of course, this kind of thing isn't all that uncommon. I remember a story from nearly a decade ago about all the money designated for things like E911 services, instead being used to pay for boots and pens. We recently wrote about the failure of a NY City program to spy on Muslims to turn up a single lead, but this takes that kind of failure to a whole new level.

Of course, the scary part in all this isn't just the misuse of funds or the failure to produce anything relevant. It's that what was done almost certainly violated the public's rights. And apparently, such violations of civil liberties were a very common problem.

The inappropriate reporting appears to have been a regular problem. An April 2009 email from an alarmed senior I&A official stated: “[State and Local Fusion Center officials] are collecting open-source intelligence (OSINT) on U.S. persons (USPER), without proper vetting, and improperly reporting this information through homeland information reporting (HIR) channels,” wrote Barbara Alexander, then director of the Collection and Requirements Division, which oversaw HIR reporting. “The improper reporting of this information through HIR channels is likely a result of a lack of training on proper collection and reporting procedures . . . they are inadvertently causing problems.” In an interview with the Subcommittee, Ms. Alexander said she recalled being told the Reporting Branch was “flooded” with inappropriate reporting. “A lot of information was coming in inappropriately,” she remembered. “The information was not reportable.”

[....] Ms. Schlanger’s presentation, a copy of which DHS provided to the Subcommittee, indicated that areas in which DHS intelligence reporters had overstepped legal boundaries included: Reporting on First Amendment-protected activities lacking a nexus to violence or criminality; reporting on or improperly characterizing political, religious or ideological speech that is not explicitly violent or criminal; and attributing to an entire group the violent or criminal acts of one or a limited number of the group’s members.

The investigation goes on to quote numerous examples of "reports" prepared on information that DHS is not allowed to report on as it violates civil liberties.

In the end, as with so many "anti-terror" programs, what we have is a program that took in a ton of taxpayer funds, with almost no oversight as to what happened to those funds (leading to $1.4 billion disappearing), no intelligence of any use but undertook plenty of efforts that were clearly beyond the mandate of Homeland Security. And all of this is supposed to make us feel safer?

Filed Under: abuse, civil liberties, congress, dhs, fusion centers, homeland security, terrorism, waste

How UK Police Attempted To Misuse Official Databases To Smear Disaster Victims

from the if-they-can,-they-will dept

A recent scandal in the UK concerned the country's worst sporting disaster, when 96 football/soccer fans were crushed to death at a stadium in Hillsborough in 1989. Prime Minister David Cameron issued an official apology to the families of the victims for the fact that the safety measures at the ground were known to be inadequate, and that police and emergency services had tried to deflect the blame for the disaster onto fans.

One way the police did this was by falsifying statements made to them after the disaster, to remove negative comments about how they had handled the situation. But another way involved trying to suggest the deaths were caused in part by the drunken behavior of fans. One attempt to bolster this view apparently involved the use of the UK's main Police National Computer system. Here's what the Report of the Hillsborough Independent Panel (pdf) wrote about new evidence that had come to light:

2.5.112 The document indicates that a Police National Computer (PNC) check was conducted on all who died at Hillsborough for whom a blood alcohol reading above zero was recorded. It includes a handwritten list of the names, dates of birth, blood alcohol readings and home addresses of 51 of the deceased and provides screen-prints apparently drawn from the PNC. A summary of the results appears on the front page, establishing the number 'with cons' (convictions).

The idea was clearly to point to previous convictions as evidence that many of those who died were in some way responsible for the deaths of themselves and others because of drunkenness. As TJ McIntyre emphasizes in a blog post on this revelation:

This illustrates an important point that privacy campaigners have been making for a long time: centralised databases of this type can and will be abused, and the power to trawl databases for information on individuals -- in effect, to manufacture a case against them -- is a dangerous one. It's not hard to imagine how data retention records might be abused in a similar way in future.

Although the UK government's proposed "Snooper's Charter" foresees the creation of distributed databases of information about every citizen's online activities, it will be possible to carry out "filters" -- searches -- across them, unifying them into a single, virtual centralized database. As McIntyre notes, it's easy to imagine these hugely-detailed records being trawled for information and then used by the police to cover up their own blunders in the future, or to support a flimsy case against someone, in exactly the same way that those involved in the Hillsborough disaster tried to do with the existing PNC database. The latest revelations of database misuse are another compelling reason not to bring in the intrusive and ineffective approach that lies at the heart of the UK government's plans.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: abuse, database, police, privacy, uk