American Teen Gets 11 Year Sentence For Pro-ISIS Tweets That Taught People How To Use Bitcoin

from the really,-now? dept

Earlier this summer, the DOJ proudly announced that a Virginia teenager, Ali Shukri Amin, had taken a plea deal for "providing material support to ISIL" (the terrorist organization that everyone outside of the US government calls ISIS). This is back in the news now that Amin has been sentenced to 11 years in prison. Let's get this out of the way: ISIS is clearly a horrific and dangerous organization. But does what Amin did really deserve 11 years in prison? The details of the case against him also seem to raise some serious First Amendment questions about what counts as "material support."

First: the one area where Amin's actions do seem fairly questionable are when he helped another Virginia teen travel to Syria, apparently to join ISIS. That part definitely seems like it stepped over the legal line. But, the rest of the charges against him seem... like a teenager using Twitter and other social media to discuss stuff he's interested in. Amin ran a Twitter account called @AmreekiWitness, which had about 4,000 followers. He tweeted pro-ISIS propaganda, but that still seems to be a form of protected speech, last I checked. And, his big "crime" appears to be linking to an article about why ISIS supporters should use Bitcoin.

The following are examples of the defendant's use of Twitter in furtherance of his conspiracy to provide material support to ISIL:

On or about July 7, 2014, using the @AmreekiWitness account, the defendant tweeted a link to an article he authored entitled "Bitcoin wa' Sadaqat al-Jihad" (Bitcoin and the Charity of Jihad). The link transferred the user to the defendant's blog, where the article was posted. The article discussed how to use bitcoins and how jihadists could utilize this currency to fund their efforts. The article explained what bitcoins were, how the bitcoin system worked and suggested using Dark Wallet, a new bitcoin wallet, which keeps the user of bitcoins anonymous. The article included statements on how to set up an anonymous donations system to send money, using bitcoin, to the mujahedeen.

On approximately August 1, 2014, the defendant showed support for ISIL and his desire to help garner financial support for those wanting to commit jihad. Through @AmreekiWitness the defendant discussed methods to provide financial support for those wanting to commit jihad and for those individuals trying to travel overseas.

On approximately August 19, 2014, the defendant showed support for ISIL and desire to support ISIL. The defendant tweeted that the khilafah needed an official website "ASAP," and that ISIL could not continue to release media "in the wild" or use "JustPaste." Through various tweets, the defendant provided information on how to prevent the website from being taken down, by adding security and defenses, and he solicited others via Twitter to assist on the development of the website.

The defendant also operated an Amreeki Witness page on the website ask.fm. The defendant used these accounts extensively as a platform to proselytize his radical Islamic ideology, justify and defend ISIL's violent practices, and to provide advice on topics such as jihadists travel to fight with ISIL, online security measures, and about how to use Bitcoin to finance themselves without creating evidence of crime, among other matters.

The defendant also created the pro-ISIL blog entitled, "Al-Khilafah Aridat." On this blog, the defendant authored a series of highly-technical articles targeted at aspiring jihadists and ISIL supporters detailing the use of security measures in online communications to include use of encryption and anonymity software, tools and techniques, as well as the use of the virtual currency Bitcoin as a means to anonymously fund ISIL.

Tweeting about Bitcoin and saying that ISIS needs a website is a crime? One that deserves over a decade in jail? Obviously, aiding ISIS in any way is incredibly stupid, but it seems like a pretty slippery slope to argue that teaching people how to use Bitcoin or saying that ISIS needs a website rises to the level of "material support for ISIS" by itself. It seems like such a definition could lead to many, many people at risk. If you disagree with US policy for dealing with ISIS and say so -- at what point does it cross over the line? It seems way too easy to twist this into criminalizing dissent, rather than actually supporting a designated terrorist organization.

I'm all for coming up with ways to stop the spread of ISIS, and to prevent further attacks by the group. But jailing an American teenager over his tweets seems... excessive.

Filed Under: ali shukri amin, bitcoin, doj, first amendment, isis, material support, terrorism
Companies: twitter

James Comey: Retweets Equal Material Support For Terrorism, But Don't Worry, We'll Only Prosecute Real Terrorists

from the our-track-record-on-terrorism-prosecutions-is-immaculate! dept

Better add that "RTs ≠ endorsements" line to your Twitter profile. Huffington Post's Ryan J. Reilly's coverage of the FBI's efforts against ISIS notes that FBI head James Comey considers retweeting to be material support of terrorism. But that's OK, because the FBI's crew of mind-readers will make sure that anyone who didn't "mean it" avoids prosecution.

"Knowing it was wrong, you provided material support for a terrorist organization or some other offense," Comey said, explaining how the FBI sees these suspects in response to Huffington Post questions during a meeting with reporters last month. "That is the bulwark against prosecuting someone for having an idea or having an interest. You have to manifest a criminal intent to further the aims prohibited by the statute."

Asked if reposting materials alone would cross the line, Comey said the answer would be different based on the individual circumstances.

"It would depend upon what your mental state is in doing it," the FBI director said. "I can imagine an academic sharing something with someone as part of research would have a very different mental intent than someone who is sharing that in order to try and get others to join an organization or engage in an act of violence. So it's hard to answer in the abstract like that."

Yay. "Mental state" and "intent." That shouldn't be any problem to disprove in court. Comey says the burden of proof rests on the prosecution -- which it does -- but this "burden" becomes significantly lighter when "national security" is invoked and the onus suddenly shifts to the defendants, who are put in the position of proving a negative.

Much like Comey's certainty that secure encryption backdoors exist, the FBI head is also a firm believer that he and his agency will know materially-supportive retweets when they see them.

Comey said it was "pretty darn clear" where the line was.

Eye of the beholder and all that. Not exactly reassuring when the "pretty darn clear" line is being determined by an agency that appears to have created more terrorists in the US than any terrorist organization. Comey talks a lot in Reilly's article about "intent" and "mental state" -- two aspects that have been largely ignored in its counter-terrorist sting operations, which have resulted in the arrest of mentally-incompetent dreamers, senior citizens and a handful of easily-flattered bedroom revolutionaries. When the agency has to do everything but perform the terrorist attack itself, it would appear its definition of "intent" is very fluid... and any considerations about "mental states" completely subservient to its War on Terror desires.

Filed Under: fbi, isis, james comey, material support, material support for terrorism, retweets, social media
Companies: twitter

Insanity Rules: NSA Apologists Actually Think Apple Protecting You & Your Data Could Be 'Material Support' For ISIS

from the this-is-wrong dept

A few weeks ago, we pointed out that Senator Sheldon Whitehouse led the way with perhaps the most ridiculous statement of any Senator (and there were a lot of crazy statements) in the debate over encryption and the FBI's exaggerated fear of "going dark." He argued that if the police couldn't find a missing girl (using a hypothetical that not only didn't make any sense, but which also was entirely unlikely to ever happen), then perhaps Apple could face some civil liability for not allowing the government to spy on your data. Here's what he said:

It strikes me that one of the balances that we have in these circumstances, where a company may wish to privatize value -- by saying "gosh, we're secure now, we got a really good product, you're gonna love it" -- that's to their benefit. But for the family of the girl that disappeared in the van, that's a pretty big cost. And, when we see corporations privatizing value and socializing costs, so that other people have to bear the cost, one of the ways that we get back to that and try to put some balance into it, is through the civil courts. Through the liability system. If you're a polluter and you're dumping poisonous waste into the water rather than treating it properly somebody downstream can bring an action and can get damages for the harm they sustained, can get an order telling you to knock it off.

You can read our longer analysis of how wrong this is, but in short: encryption is not pollution. Pollution is a negative externality. Encryption is the opposite of that. It's a tool that better protects the public in the vast majority of cases. That's why Apple is making it so standard.

The suggestion was so ridiculous and so wrong that we were surprised that famed NSA apologist Ben Wittes of the Brookings Institute found Whitehouse's nonsensical rant "interesting" and worthy of consideration. While we disagree with Wittes on nearly everything, we thought at the very least common sense would have to eventually reach him, leading him to recognize that absolutely nothing Whitehouse said made any sense (then again, this is the same Wittes who seems to have joined the magic unicorn/golden key brigade -- so I'm beginning to doubt my initial assessment that Wittes is well-informed but just comes to bad conclusions).

However, even with Wittes finding Whitehouse's insane suggestion "interesting," it's still rather surprising to see him find it worthy of a multi-part detailed legal analysis for which he brought in a Harvard Law student, Zoe Bedell, to help. In the first analysis, they take a modified form of Whitehouse's hypothetical (after even they admit that his version doesn't actually make any sense), but still come to the conclusion that the company "could" face civil liability. Though, at least they admit plaintiffs would "not have an easy case."

The first challenge for plaintiffs will be to establish that Apple even had a duty, or an obligation, to take steps to prevent their products from being used in an attack in the first place. Plaintiffs might first argue that Apple actually already has a statutory duty to provide communications to government under a variety of laws. While Apple has no express statutory obligation to maintain the ability to provide decrypted information to the FBI, plaintiffs could argue that legal obligations it clearly does have would be meaningless if the communications remained encrypted.

To make this possible, Bedell and Wittes try to read into various wiretapping and surveillance laws a non-existent duty to decrypt information from your mobile phone. But that's clearly not true. If that actually existed, then we wouldn't be having this debate right now in the first place, and FBI Director James Comey wouldn't be talking to Congress about changing the law to require such things. But, still, they hope that maybe, just maybe, a court would create such a duty out of thin air based on things like "the foreseeability of the harm." Except, that's going to fall flat on its face, because the likelihood of harm here goes the other way. Not encrypting your information leads to a much, much, much greater probability of harm than encrypting your data and not allowing law enforcement to see it.

Going to even more ridiculous levels than the "pollution" argument, this article compares Apple encrypting your data to the potential liability of the guy who taught the Columbine shooters how to use their guns:

For example, after the Columbine shooting, the parents of a victim sued the retailer who sold the shooters one of their shotguns and even taught the shooters how to saw down the gun’s barrel. In refusing to dismiss the case, the court stated that “[t]he intervening or superseding act of a third party, . . . including a third-party's intentionally tortious or criminal conduct[,] does not absolve a defendant from responsibility if the third-party's conduct is reasonably and generally foreseeable.” The facts were different here in some respects—the Columbine shooters were under-age, and notably, they bought their supplies in person, rather than online. But that does not explain how two federal district courts in Colorado ended up selecting and applying two different standards for evaluating the defendant's duty.

But it's even more different than that. Even with this standard -- which many disagree with -- there still needs to be "conduct" that is "reasonably and generally foreseeable." And that's not the case here that it is "reasonably and generally foreseeable" that because data is encrypted that people will be at more risk. In all these years, the FBI still can't come up with a single example where such encryption was a real problem. It would be basically impossible to argue that this is a foreseeable "problem," especially when weighed against the very real and very present problem of people trying to hack into your device and get your data.

In the second in the series, Bedell and Wittes go even further in looking at whether or not Apple could be found to have provided material support to terrorists thanks to encryption. If this sounds vaguely familiar, remember a similarly ridiculous claim not to long ago from a music industry lawyer and a DOJ official that YouTube and Twitter could be charged with material support for terrorism because ISIS used both platforms.

Bedell and Wittes concoct a scenario in which a court might argue that providing a phone that can encrypt a terrorist's data, opens the company up to liability:

In our scenario, a plaintiff might argue that the material support was either the provision of the cell phone itself, or the provision of the encrypted messaging services that are native on it. Thus, if a jury could find that providing terrorists with encrypted communications services is just asking for trouble, then plaintiffs would have satisfied the first element of the definition of international terrorism in § 2331, a necessary step for making a case for liability under § 2333.

Of course, this is wiped out pretty quickly because that law requires intent. The authors note that this would "pose a challenge" to any plaintiff "as it would appear to be difficult, if not impossible, to prove that Apple intended to intimidate civilians or threaten governments by selling someone an iPhone..."

You think?

But, our intrepid NSA apologists still dig deeper to see if they can come up with a legal theory that will actually work:

But again, courts have handled this question in ways that make it feasible for a plaintiff to succeed on this point against Apple. For example, when the judge presiding over the Arab Bank case considered and denied the bank’s motion to dismiss, he shifted the analysis of intimidation and coercion (as well as the question of the violent act and the broken criminal law) from the defendant in the case to the group receiving the assistance. The question for the jury was thus whether the bank was secondarily, rather than primarily, liable for the injuries. The issue was not whether Arab Bank was trying to intimidate civilians or threaten governments. It was whether Hamas was trying to do this, and whether Arab Bank was knowingly helping Hamas.

Judge Posner’s opinion in Boim takes a different route to the same result. Instead of requiring a demonstration of actual intent to coerce or intimidate civilians or a government, Judge Posner essentially permits the inference that when terrorist attacks are a “foreseeable consequence” of providing support, an organization or individual knowingly providing that support can be understood to have intended those consequences. Because Judge Posner concludes that Congress created an intentional tort, § 2333 in his reading requires the plaintiff to prove that the defendant knew it was supporting a terrorist or terrorist organization, or at least that it was deliberately indifferent to that fact. In other words, the terrorist attack must be a foreseeable consequence of the specific act of support, rather than just a general risk of providing a good or service.

But even under those standards, it's hard to see how Apple could possibly be liable for material support. It's just selling an iPhone and doing so in a way that -- for the vast majority of its customers -- is better protecting their privacy and data. It would take an extremely twisted mind and argument to turn that into somehow "knowingly" helping terrorists or creating a "foreseeable consequence." At least the authors admit that much.

But why stop there? They then say that Apple could still be liable after the government asks them to decrypt messages. If Apple doesn't magically stop the user in particular from encrypting messages, then, they claim, Apple could be shown to be "knowingly" supporting terrorism.

The trouble for Apple is that our story does not end with the sale of the phone to the person who turns out later to be an ISIS recruit. There is an intermediate step in the story, a step at which Apple’s knowledge dramatically increases, and its conduct arguably comes to look much more like that of someone who—as Posner explains—is recklessly indifferent to the consequences of his actions and thus carries liability for the foreseeable consequences of the aid he gives a bad guy.

That is the point at which the government serves Apple with a warrant—either a Title III warrant or a FISA warrant. In either case, the warrant is issued by a judge and puts Apple on notice that there is probable cause to believe the individual under investigation is engaged in criminal activity or activity of interest for national security reasons and is using Apple’s services and products to help further his aims. Apple, quite reasonably given its technical architecture, informs the FBI at this point that it cannot comply in any useful way with the warrant as to communications content. It can only provide the metadata associated with the communications. But it continues to provide service to the individual in question.

But all of this, once again, assumes an impossibility: that once out of its hands, Apple can somehow stop the end user from using the encryption on their phone.

This is the mother of all stretches in terms of legal theories. And, throughout it all, neither Bedell nor Wittes even seems to recognize that stronger encryption protects the end user. It's like it doesn't even enter their minds that there's a reason why Apple is providing encryption that isn't "to help people hide from the government." It's not about government snooping. It's about anyone snooping. The other cases they cite are not like that at all. These arguments, even as thin as they are, only make sense if Apple's move to encryption doesn't really have widespread value for basically the entire population. You don't sue Toyota for "material support for terrorism" just because a terrorist uses a Toyota to make a car bomb. Yet, Wittes and Bedell are somehow trying to make the argument that Apple is liable for better protecting you, just because in some instances it might also help "bad" people. That's a ridiculous legal theory that barely deserves to be laughed at, let alone a multi-part analysis of how it "might work."

Filed Under: ben wittes, encryption, isis, liability, material support, mobile encryption, pollution, sheldon whitehouse, terorrism, zoe bedell
Companies: apple

Virginia Teenager Charged With Providing 'Material Support' For ISIS Through Tweets, Blog Posts About Privacy And Bitcoin

from the all-part-of-the-'safety'-exchange-rate dept

Wherein the Justice Department declares instructions on how to use Bitcoin to be "material support for terrorism."

Ali Shukri Amin, 17, admitted Thursday that he was behind the the now-suspended Twitter account @Amreekiwitness, which at one point had over 4,000 followers. Through it, according to a Department of Justice statement on Amin, he provided instructions on how to use the world’s dominant online cryptocurrency, and how to set up a Bitcoin wallet for would-be donors. In corresponding blog posts, Amin added more advanced tips, like recommending the use of the anonymizing Dark Wallet.

He was charged with conspiring to provide material support and resources to a terrorist organization, charges that carry a maximum penalty of 15 years in prison.

The plea agreement contains more details about Amin's actions, including his solicitation of help to build an "official" khalifah website and his utilization of every bully's favorite service, ask.fm, to "proselytize… radical Islamic ideology," as well as provide even more info on building secure websites and using Bitcoin for donations.

The DOJ filing also lists an 18-year-old co-defendant, who was allegedly assisted by Amin in his quest to join ISIL. The most interesting part of these claims is the DOJ's mention of encrypted texting app, Surespot, which seems to suggest it has found a way to access these communications.

In or about late November or early December 2014, the defendant put RN in touch with an ISIL supporter located outside of the United States via Surespot in order to facilitate travel to Syria to join and fight with ISIL.

[..]

On January 16, 2015, an overseas ISIL supporter communicated to the defendant via Surespot that the group of ISIL supporters, including RN, had successfully crossed over into Syria.

Considering Surespot doesn't store users' communications and is, in fact, unable to view the contents as users' hold their own decryption key, these statements suggest a couple of ways this information could have ended up in the government's hands.

The worst case scenario -- at least in terms of Surespot's non-criminal, non-terrorist users -- is that the government has found a way to intercept and decrypt messages.

The more likely scenario is that these messages were obtained from a search of Amin's electronic devices. End-to-end encryption can't prevent anyone from viewing stored, decrypted messages. Surespot's silence in response to "warrant canary" questions suggests the FBI/NSA is making further attempts to obtain user info and communications. Communications may be hard to obtain, but there's still a certain amount of useful info stored by Surespot, which includes friend lists and "conversation relationships," which may provide some basic "contact chaining."

While Amin may not have provided any direct assistance to ISIL, the allegations fall under the broad wording of "material support," which includes "providing expert advice and assistance." While Amin's Twitter account has been shut down, his pro-ISIL blog is still live, so you can gauge for yourself the "expertise" offered, which the DOJ refers to as "a series of highly-technical articles." (The entire blog is three articles posted over a two-month period, only one of which actually details anonymization options.)

The discussion of Surespot notwithstanding, this arrest seems to show that security and intelligence agencies still have little to fear in terms of "going dark." Cited frequently in the 7-page plea agreement are public messages on public platforms like Twitter and ask.fm, which seems to indicate there's still plenty of life left in these "old" investigative techniques.

But if you subtract ISIS from the equation, what we have is someone arrested and charged primarily for talking about certain things on the internet: religion, privacy and avoiding surveillance. None of these are criminal acts, even the "radicalization." Indeed, all would be protected speech except for the discussion of the Islamic State, something the government has declared is "off-limits" due to its designation as a terrorist entity. So, whether or not you feel this bust is legitimate, you have to worry about mission creep. Because this is mostly about a 17-year-old Virginian who talked about Bitcoin on ask.fm, but did it in "support" of the wrong entity.

Filed Under: ali shukri amin, bitcoin, doj, isis, material support, terrorism, virginia

Under President's New Cybersecurity Executive Order... Is Wikileaks Now An Evil Cyberhacker For Releasing Trade Deal?

from the broad-definitions,-broad-powers dept

Yesterday we talked about the ridiculousness of President Obama's new cybersecurity executive order, in which he declares a national emergency around "malicious cyber-enabled activities" and enables his own government to do mean things to anyone they think is responsible for cyber badness (that his own NSA is the primary instigator of serious cyberattacks gets left ignored, of course). One of the points we made is that the definitions in the executive agreement were really vague, meaning that it's likely that they could be abused in all sorts of ways that we wouldn't normally think of as malicious hacking.

Helpfully, the ever vigilant Marcey Wheeler has provided some examples of how the vague language can and likely will be twisted:

The EO targets not just the hackers themselves, but also those who benefit from or materially support hacks. The targeting of those who are “responsible for or complicit in … the receipt or use for commercial or competitive advantage … by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, … where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States” could be used to target journalism abroad. Does WikiLeaks’ publication of secret Trans-Pacific Partnership negotiations qualify? Does Guardian’s publication of contractors’ involvement in NSA hacking?

And, that's not all. How about encryption providers? Not too hard to see how they might qualify:

And the EO creates a “material support” category similar to the one that, in the terrorism context, has been ripe for abuse. Its targets include those who have “provided … material, or technological support for, or goods or services in support of” such significant hacks. Does that include encryption providers? Does it include other privacy protections?

We've already seen some -- including government officials -- argue that Twitter could be deemed to be providing "material support" to ISIS if it didn't take down Twitter accounts that support ISIS. Twitter wouldn't directly qualify under this executive order (which targets non-US actors), but it shows you how easy it is to stretch this kind of thinking in dangerous ways.

Making sure the technology we use every day is secure is important. But vaguely worded executive orders and an over-hyped "national emergency" isn't the solution. Instead, it's likely to be abused in serious ways that harm our freedoms.

Filed Under: cybersecurity, executive order, leaks, material support, tpp
Companies: wikileaks

Is Retweeting ISIS 'Material Support Of Terrorism'?

from the depends-on-your-point-of-view-apparently dept

Last week there was a bizarre and ill-informed post by music industry lawyer Chris Castle -- who has a weird infatuation with the idea that Google must be pure evil -- in which he tried to argue that because YouTube wasn't able to take down propaganda videos showing ISIS atrocities fast enough, that Google was providing "material support" for terrorism. As Castle notes:

Google's distribution of jihadi videos on Google’s monopoly video search platform certainly looks like material support of terrorists which is itself a violation of the federal law Google claims to hold so dear. (See 18 U.S. Code §2339A and §2339B aka the U.S. Patriot Act.)

Of course, there are all sorts of problems with the Patriot Act, including its definitions of "material support of terrorism," but to stretch the law to argue that providing an open platform and simply not removing videos fast enough (the videos in question all got removed pretty rapidly anyway, but not fast enough for Castle) is somehow "material support for terrorism" is flat out crazy. It stems from the same sort of confused logic that Castle has used in the past, arguing that Google and others must magically "just know" what is infringing and what is not -- suggesting a true lack of understanding about the scale of offerings like YouTube and the resources needed to sort through all the content.

We were inclined to simply dismiss Castle's nuttiness to the category of "WTF" where it belongs... until at a conference earlier this week, a DOJ official, John Carlin, who holds the role of assistant attorney general for national security, appeared to suggest that anyone helping ISIS's social media campaign could be guilty of "material support" for terrorism:

John Carlin, the assistant attorney general for national security, told a cybersecurity conference in Washington on Monday that officials could try to blunt ISIS’s violent PR operation by essentially trying propagandists as terrorists. He suggested the Justice Department could bring prosecutions under the law against providing material support to a terrorist organization. His remarks were believed to be the first time a U.S. official has ever said that people who assist ISIS with online media could face criminal prosecution.

Carlin was asked at the conference whether he would “consider criminal charges” against people who are “proliferating ISIS social media.”  

His answer: “Yes. You need to look at the particular facts and evidence.” But Carlin noted that the United States could use the material support law to prosecute “technical expertise” to a designated terrorist organization. And spreading the word for ISIS online could count as such expertise.

Carlin seems more focused on someone tweeting a link to ISIS propaganda or something along those lines, which would raise significant First Amendment issues, but his comment about "technical expertise" could certainly be turned around and put upon YouTube, Twitter, Facebook and other providers of social media tools. That would create a huge mess, and open a Pandora's box that would undermine one of the key premises of the internet that has made it so successful.

Is the DOJ really looking to undermine the entire internet, just because some terrorists have figured out that it's a good way to get out their message?

Meanwhile, if you want to see just how far this sort of ridiculous thinking takes you -- at the same time that people like Castle and Carlin are arguing about how YouTube may be supplying material support for terrorists, YouTube was deleting videos that were being used to document ISIS war crimes. YouTube has been rushing around trying to take down all kinds of ISIS and other terrorist content for a while now -- ever since then Senator Joe Lieberman demanded that YouTube block terrorist videos. And, the end result is that important channels that catalog and archive evidence and documentation of war crimes are being taken down. And, this is not the first time this sort of thing has happened.

When you start accusing these platforms of having some sort of liability (potentially criminal liability in the form of "materially supporting terrorists" for merely providing an open platform that anyone can use, you are more or less guaranteeing that important content, such as that which documents war crimes and atrocities gets banned as well. Is that really what Castle and Carlin are looking to do?

Filed Under: chris castle, doj, isis, john carlin, material support, patriot act, propaganda, social media, terrorism, war crimes, youtube
Companies: google, twitter, youtube