Senator Leahy Tries To Sneak Through Plans To Make Merely Talking About Computer Hacking A Serious Crime

from the that's-not-good dept

You may have heard about the recent high-profile, malicious hack of Target's point of sale systems, giving the attackers access to the details of at least 40 million credit cards. Senator Patrick Leahy is, incredibly cynically, using this news event to try to sneak through a change to the "anti-hacking" law, the CFAA, which was used to prosecute Aaron Swartz and many others. And it's not a change to improve that law, but to broaden it, extending massively how the DOJ can charge just about anyone they want with serious computer crimes. This is monumentally bad, and Senator Leahy is trying to hide it behind a major news event because he knows he couldn't get this kind of DOJ wishlist through without hiding it.

Officially, this is Leahy reintroducing his Personal Data Privacy and Security Act -- a bill he's tried to introduce a number of times before. The crux of that bill makes some sense: requiring companies that have had a security breach to inform those who were impacted. State laws (most notably, California's) already include some similar requirements, but this is an attempt to create a federal law on that front. There are some reasonable concerns about such a law, but the general idea of better protecting the public from data breaches, by at least letting them know about it, is an idea worth considering.

The problem is that Leahy has inserted a couple of other dangerous bits and pieces into the bill, including a couple of "reforms" to the parts of the CFAA that have raised significant concerns, and burying them deep within this bill. Section 105 of the bill, for example, simply repeats the same change that the House Judiciary tried to include last year in an attempt at bad CFAA reform. It's basically part of the DOJ's wishlist, changing the CFAA to make you guilty of violating the law if you merely "conspire or attempt to commit" the offense, rather than if you actually do commit the offense. It may be difficult to understand if you just read the proposed bill (this is on purpose), but the bill says it wants to include the term "for the completed offense" so that the CFAA now reads:

Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.

Right now, the law does not include those four words. Why is that a big change? As we explained last year:

All they did was add the "for the completed offense," to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA shall now be punished the same as if they had "completed" the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become.

While the proposed bill does include a further change that notes that merely violating a terms of service agreement does not make you subject to the CFAA, it's not just the TOS issue that concerns so many people about the CFAA.

The CFAA needs to be greatly scaled back, not expanded, no matter what the DOJ wants. It's ridiculous that Senator Leahy is not only proposing this, but then trying to hide it in this bill about security breach reporting, tying it to a news event.

Filed Under: aaron swartz, cfaa, conspiracy, criminal, data breach, patrick leahy
Companies: target

Eight Months In Jail For Teaching People How To Pass A Lie Detector Test

from the for-tests-that-don't-even-work-well dept

Just a few weeks ago, we wrote about how the feds had been directly going after people who claimed to teach others how to pass lie detector tests, claiming that this was part of their war on stopping leakers and security vulnerabilities. What was chilling was that a US official specifically said that they needed to focus their investigative efforts on the people who protested the loudest, which seems like a clear attack on free speech. As we noted at the time, the feds had already filed criminal charges against two people for offering to teach others how to beat lie detector tests, and now one of them has been sentenced to eight months in jail -- for teaching people how to beat a test that many argue has never ever been accurate in the first place.

As we noted last time, TV shows like Mythbusters and Penn & Teller: Bullshit! have both more or less taught people the same thing. While the government sought an even longer sentence, this is still worrisome on a variety of levels. Merely instructing people how to beat an extremely faulty technology should never be a crime. The judge and the DOJ's statements on the case are just bizarre:

O’Grady acknowledged “the gray areas” between the constitutional right to discuss the techniques and the crime of teaching someone to lie while undergoing a government polygraph. “There’s nothing unlawful about maybe 95 percent of the business he conducted,” the judge said.

However, O’Grady added that “a sentence of incarceration is absolutely necessary to deter others.”

Deter others from what? From speaking out about how to trick incredibly unreliable technology that the government probably relies on too much already?

“This crime matters because what he did endangers others,” said Anthony Phillips, a prosecutor with the Justice Department’s division that pursues corrupt public officials.

No it didn't. It doesn't endanger others to show them that a lie detector is faulty and not reliable. What endangers people is the federal government relying on such a dreadful technology that's so easy to "beat."

In many ways, this is similar to discovering a massive security flaw and then blaming the messenger for showing others how that security is flawed. The proper response is to not use the flawed security. But that's not how the government operates, unfortunately.

Filed Under: criminal, lie detector, teaching

German Publishers File Criminal Complaint Against Two News Sites For Mentioning Name Of Unauthorized Ebook Site

from the really-now? dept

We know that some legacy players who rely too heavily on copyright law seem to react negatively to any discussion of unauthorized distribution of files, but a group of German book publishers have apparently taken this to the next level. As highlighted on TorrentFreak, they've resorted to filing criminal complaints against two news websites, Der Tagesspiegel and Zeit.de, for publishing an interview with the creators of a website called Boox.to, which offers up unauthorized downloads of ebooks. Again, this is not the unauthorized site itself they filed the complaint over, but rather news websites for daring to name the site in the interview that was done.

“With the direct and multiple naming of the Internet address the reader is immediately aware of the illicit supply of the website. With regard to objective journalistic reporting there was no need for direct nomination,” the publishers write in their complaint.

“The publication of the Website and its Internet address immediately enabled a broad mass of readers to become aware of the site. The reader is also indirectly encouraged to take advantage of the offer, taking advantage of the illegal site that has been highlighted by the play of the interview.”

Of course, this raises the obvious retort: if publishing an interview helps make a "broad mass" of people more "aware of the site," what do they think filing a really stupid and ridiculous lawsuit against these websites will do?

Filed Under: copyright, criminal, germany, journalism, publishing
Companies: boox.to

Police Admit That NZ Spy Agency Illegally Spied On Kim Dotcom, But Aren't Going To Do Anything About It

from the enforce-the-law? dept

You may recall that it came out last year that the New Zealand equivalent of the NSA, the GCSB, illegally spied on Kim Dotcom (oh, and dozens of others), possibly with the help of the NSA, despite not being allowed to spy on those in New Zealand.

An investigation by the police has agreed that the GCSB clearly broke the law... but the police have said that they don't plan to prosecute the spy agency. Because, you know, that might hold them accountable. Now, at least, the GCSB knows that it can abuse the law at will with no punishment.

Instead, it appears that the excuse being used by the police is the same one we've been hearing from NSA defenders: because these abuses weren't intentional, they can be ignored:

Today, Detective Superintendent Peter Read told a media conference that in spite of the GCSB committing one breach under the provisions of the Crimes Act, no criminal "intent" by the GCSB could be established.

I'm not sure that actually makes sense. Yes, when it comes to criminal activity, intent can be important in determining if it's actually criminal, but there's little doubt that the GCSB intentionally spied on Dotcom. It wouldn't have taken very much at all to recognize that Dotcom was a resident of New Zealand who GCSB is forbidden from surveilling. So it seems like the intent was pretty clear.

Filed Under: criminal, gcsb, intent, kim dotcom, mens rea, new zealand, spying, surveillance

Spain Considers Making Digital Copyright Law Worse: Pleasing The US Again?

from the never-ending-story dept

We wrote a couple of weeks ago how some were arguing that Spain ought to go back on the "naughty" Special 301 list for failing to show any "positive developments" on the copyright front recently. By an interesting coincidence, the Spanish Internet Association has just published a leaked draft of proposals to make digital copyright law in Spain even harsher. Here's how the Web site ADSL Zone describes them (original in Spanish):

The new proposals have a clear intention: to amend the Criminal Code to allow criminal prosecutions of Websites that provide links. According to the leaked document it will be an offense to provide ordered listings and categorized links to protected content, developed for this purpose and involving an active and non-neutral maintenance and updating of those lists.

Interestingly, Google wouldn't be affected by the new law according to ADSL Zone, nor would "occasional links" be prosecuted. Of course, everything would then hinge on what "occasional" meant in this context.

There's also the following proposal:

Second, the paper seeks to limit the concept of private copying. This will require us to be in possession of the "original media". This is really incompatible with the current reality, since there are legal platforms like Spotify or iTunes where you do not have that "native support".

The concept of "original media" is meaningless in the digital realm, where files are copied many times as they traverse the Internet, or as people move them around on their storage media. How on earth would you prove that your digital copy was "original"?

Finally, there is a suggestion for making the copyright levy system not only worse, but in conflict with current EU plans to rationalize it:

no matter whether we copy or not, whether or not we have the "original media", the fee will be charged in any case.

In an age where storage media are becoming ubiquitous -- if Samsung's refrigerator is running Android, it must have storage -- such levies are anachronistic and harm innovation, so Spain's plans to push on with them is one more indicator that it's heading in the wrong direction. The big question, of course, is why it is doing this: is it simply the usual story of lobbyists' privileged access to government ministers who aren't interested in whether the new measures are fair or even effective? Or is this once more the heavy hand of America reaching across the water to put a little pressure on its Hispanic friends...?

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: copyright, criminal, links, spain, special 301

Is The Line Between 'Hacker' And 'Criminal' Really That Fuzzy?

from the only-if-you-don't-really-understand-stuff dept

We recently wrote about a series of cases where young computer hackers were either charged or threatened with criminal charges for doing things that don't seem particularly criminal at all. The NY Times now has a blog post on more or less the same subject, but focusing on the "fuzzy and shifting line between hacker and criminal." While it's good that more attention is getting paid to these kinds of questionable cases, I wonder if that framing is really accurate. I don't think there's a "line" -- fuzzy, shifting or not -- between "hacker" and "criminal." The two things are different. Can you be a criminal hacker? Sure. But the problem is that many non-techie folks seem to assume that any kind of hacking must be criminal. And that's the problem. It's not that some imaginary line is moving around, but that some people don't seem to understand that hacking itself is not criminal, and that there are plenty of good reasons to hack -- including to expose security holes.

Filed Under: cracker, criminal, freedom to tinker, hacker, intent

German Court Sees Through The DOJ Fairy Tale, Rejects Attempt To Seize Megaupload Assets

from the a-string-of-failures dept

We've covered a series of embarrassing setbacks for the US government's case against Megaupload over the past few months. It's a pretty stunning trail of errors by US officials who seemed to think that a scary story about a "bad man" would trump a lack of actual evidence or following legal procedure. While the case may hold up in the long run, it seems like everywhere you look there's evidence of highly questionable activity by the government.

The latest setback comes from Germany, where the US sought assistance from officials in seizing various assets of Dotcom's or Megauploads. However, the court has now rejected the request:

The Frankfurt judges have since rejected this request, because it contains insufficient evidence. The US legal team failed to demonstrate that a web hosting service for the illegal upload of copyrighted files, amounts to a criminal offence.

According to the German 'Telemediengesetz' (communications legislation), a hosting service for foreign files will generally not be accountable unless the host had active knowledge of illegal activity. The judges also emphasised that the concept of knowledge is limited to positive knowledge. Therefore if the service provider believes that it is possible or likely that a specific piece of information is stored on their server, this is not sufficient evidence of knowledge of abuse.

According to the court ruling, there is no legal obligation to monitor the transmitted data or stored information or to search for any illegal activity.

Of course this was the same point that we raised the day that Megaupload was shut down. While it may be true that many Megaupload users have infringed on copyrights, there's a massive leap from that point to the idea that Megaupload is a criminal enterprise -- yet the US government's case basically skips over any details to make that leap. Thankfully cooler heads are recognizing that a significant amount of the US's case seems to be based on a fairy tale that US officials -- under the influence of Hollywood -- keep telling.

Tip to DOJ officials under the sway of Hollywood's version of the internet: remember, these people make their livings telling fairy tale stories. You know those opening credit lines about how something is "based on a true story"? Yeah, quite frequently the actual truth is a long way from what's shown. It seems that you may have been taken in by another such Hollywood "true" tale.

Filed Under: assets, copyright, criminal, doj, germany, hosting, kim dotcom, liability
Companies: megaupload

Court: If Violating Your Privacy Helps The Police, It's Not Violating Your Privacy

from the say-what-now? dept

In a horrifyingly bad ruling, the 6th Circuit appeals court has said that the owner of a prepaid phone has no 4th Amendment rights in protecting his location info from law enforcement. There have been a number of cases touching on this subject, with a few different rulings back and forth, including more than a few in the federal courts that argue tracking someone's location isn't a 4th Amendment violation. But, even if you grant that, this particular ruling is egregiously bad and poorly argued. The EFF highlights some of the more brain-numbing aspects of the ruling:

In what can only be described as a results-oriented opinion, the court found Skinner had no reasonable expectation of privacy in the cell phone location data because "if a tool used to transport contraband gives off a signal that can be tracked for location, certainly the police can track the signal." Otherwise, "technology would help criminals but not the police." In other words, because cell phones can be used to commit crimes, there can't be any Fourth Amendment privacy rights in them. If this sounds like an over-simplistic description of the legal reasoning in an opinion we disagree with, the sad reality is that the court's conclusion really did boil down to this shallow understanding of the law.

Yes, you read that right. Basically, if you've broken the law, according to the court, you have no 4th Amendment rights. And, then it goes further, by basically noting, because anyone might be a criminal, we might as well remove all of their 4th Amendment rights as well, because doing so might help the police. Of course, this goes against the very basis of the 4th Amendment.

The story involves police tracking a guy accused of being a drug runner, via the GPS in his pre-paid phone, without getting a warrant. The guy, Melvin Skinner, pointed out that this violated his 4th Amendment rights, but, as noted above, the court disagreed.

Julian Sanchez walks through the many ways the court got some rather basic things wrong in their ruling:

The court proceeds through a series of lazy and underdeveloped analogies:

Otherwise dogs could not be used to track a fugitive if the fugitive did not know that the dog hounds had his scent. A getaway car could not be identified and followed based on the license plate number if the driver reasonably thought he had gotten away unseen. The recent number of cell phone technology does not change this. If it did, then technology would help criminals but not the police. It follows that Skinner had no expectation of privacy in the context of this case, just as the driver of a getaway car has no expectation of privacy in the particular combination of colors of the car’s paint.

But it does not follow at all. “What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection,” the Supreme Court explained in the seminal case of Katz v. United States, “But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.” Any member of the public can buy a dog and follow a scent. Any member of the public can view and copy down a license plate number. Any member of the public can view the external paint job of a car. But any member of the public cannot just track the GPS signal of a random cell phone—and if they could, most of us would be extremely wary about carrying cell phones. Unlike all these other examples, GPS tracking as employed here depends crucially on the ability of police to invoke state authority—a seemingly salient distinction the court fails to take any note of.

That's not all. The court seems equally confused about other cases, and both the EFF and Sanchez's link above details other mistakes concerning other case law. This isn't just a case of people having different interpretations. This seems like a clear case of a court not really bothering much with the details or the case law and just seeing one thing: this guy was a criminal and the GPS info was useful in finding him, therefore it must be okay. This is a very troubling precedent to have on the books no matter how you look at it.

And it will impact many Americans. While the focus in the ruling is on the "but he's a criminal!!!!" aspect, it applies across the board to pre-paid mobile phone users (well, at least those covered by the 6th Circuit). And that's about a quarter of mobile phone subscriptions. As the EFF put it, in an effort to make sure criminals get no privacy location privacy rights, the court has killed such rights for everyone else as well -- which is exactly the opposite of how our system is supposed to work.

Filed Under: criminal, drug dealing, gps, prepaid, privacy

Rojadirecta Points Court To FlavaWorks Ruling Concerning Infringement On Linking Sites

from the time-for-a-wake-up-call dept

We recently wrote about the (somewhat surprising) ruling by Judge Posner in the 7th Circuit appeals court's Flava Works vs. myVidster case, in which Posner pointed out that a site providing links to infringing content is not infringing. He actually ruled that just watching the videos or embedding them are not direct infringement either. As we noted that seemed to have direct bearing on a number of other cases out there, including the criminal charges against Rojadirecta (and against TVShack's Richard O'Dwyer). It appears that Rojadirecta's lawyers wasted little time in letting the judge in their cases know about the ruling. While Rojadirecta's fight is in the 2nd Circuit, hopefully this helps the courts to recognize how ridiculous the governments' charges are. Even if they don't quite agree with Posners' ruling, just the fact that there are significant questions over whether or not linking/embedding are legal, should raise significant questions about the "willfulness" needed to show criminal copyright infringement.

Filed Under: copyright, criminal, liabiity, linking, rojadirecta
Companies: flava works, puerto 80

Publishing Execs Arrested, Face Jail Time, Because Book Tells People How To Back Up DVDs

from the arrested-for-what? dept

Last month we wrote about a new copyright law in Japan whose punishments seemed so disproportionate it was hard to take it seriously. For example, downloading unauthorized copies or backing up content from a DVD were both subject to criminal penalties. According to this story from Daily Yomiuri Online, it looks like it's no joke:

The Metropolitan Police Department arrested Yoshiaki Kaizuka, 43, an executive of Chiyoda Ward publisher Sansai Books Inc., and three other company employees on suspicion of violating the Unfair Competition Prevention Law, and sent papers on the firm to the Tokyo District Public Prosecutors Office. According to a senior police official, these are the nation's first arrests over the distribution of software to remove copy protection.

And their terrible crime? Allegedly selling a book that told people how to make backup copies of DVDs. That, of course, would involve circumventing the trivial copy protection on DVDs, which was enough to trigger the arrests, apparently. But as a post on Wired.it points out, if publishers can get into trouble under the new law so easily, so might others:

It's interesting to note that Japanese cyber Police could arrest the Amazon Japan CEO too as the online giant is selling a lot of magazines, books and software packages for DVD copy and ripping: exactly what put in trouble Sansai Books staff.

The same post notes that many GNU/Linux distributions come with the libdvdcss library which similarly allows the DRM system to be circumvented so that the DVD can be played, and would therefore fall foul of the new copyright legislation. So does the Japanese government plan to go after all the Web sites offering such software, and all the users?

The current action probably doesn't presage a massive crackdown on every infringing use, since that would involve arresting a significant fraction of the Japanese population. It's more likely to be an attempt to put the frighteners on people in the hope that everyone will stop downloading files and cease making backups. As we know from similar situations, that may work for a few months. But once things die down, people will go back to doing what they did before until the next time the Japanese authorities decide to make an example of someone, and the whole pointless cycle begins again.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: arrests, back up dvds, chiyoda ward, copyright, criminal, japan
Companies: sansai books