Should Doxxing Be Illegal?

from the questions,-questions dept

There has been a debate over the past few years about the legality of "doxxing," which would loosely be defined as identifying individuals and/or their personal information which they'd prefer to remain secret. This is coming up in a variety of contexts, including effort to unveil the whistleblower who first called attention to President Trump's questionable call with Ukraine's President. However, we also noted in passing, last week, that the new privacy bill from Reps. Zoe Lofgren and Anna Eshoo contained an anti-doxxing clause, which states:

Whoever uses a channel of interstate or foreign commerce to knowingly disclose an individual’s personal information—

(1) with the intent to threaten, intimidate, or harass any person, incite or facilitate the commission of a crime of violence against any person, or place any person in reasonable fear of death or serious bodily injury; or

(2) with the intent that the information will be used to threaten, intimidate, or harass any person, incite or facilitate the commission of a crime of violence against any person, or place any person in reasonable fear of death or serious bodily injury,

shall be fined under this title or imprisoned not more than 5 years, or both.

At a first pass, you can certainly understand the thinking here. If you're looking to disclose someone's personal information in order to "threaten, intimidate, or harass" someone, that feels problematic. But, then again, what is meant by "intimidate or harass" in this situation could matter quite a bit. What got me thinking about this again was another news report, about people doxxing members of a defunct neo-nazi online forum:

The metadata of a now-defunct neo-Nazi message board that is considered the birthplace of several militant organizations—among them the U.S.-based terror group Atomwaffen Division—was dumped onto the internet by what appears to be anti-fascist activists.

The site, IronMarch, is widely associated with the rise of the new wave of white supremacist accelerationst groups advocating for armed insurgency against society. The site ran from 2011 to 2017 and garnered more than 150,000 posts while active. The dump of its inner workings includes the login names of its former members and their associated emails and IP addresses.

For fairly obvious reasons, many would likely argue that we should want those people identified. And while the report notes that efforts are underway to try to track down the identities of people who were active on this forum, and it could be argued that the intent behind figuring out who was on this forum is to "intimidate or harass" those individuals (for being Nazis), I think many people who might otherwise support these kinds of privacy laws might take issue with the idea that revealing these individuals as Nazis and/or Nazi sympathizers should be illegal.

And that, again, gets at part of the issue with legislating privacy. Context matters quite a bit, and it's pretty difficult to write context into the law. Yes, doxxing is often used in negative ways to harm, intimidate or silence people. But it can also be used to reveal people who are doing crazy stuff hidden behind a shield of anonymity.

Filed Under: doxxing, investigation, privacy, privacy laws

The Race Is On To Create A Federal Online Privacy Law: First Entry From Reps. Eshoo & Lofgren

from the lots-of-thought,-but-little-chance dept

There's a race on to have Congress introduce a comprehensive federal privacy law. As you may (or may not?) know, the US really doesn't have a law protecting our privacy. To date, any privacy protections have been a mixture of other laws, from the defanged 4th Amendment protecting (in theory more than reality) against government intrusion into our private lives, to the FTC's consumer protection mandates. However, many people recognize that this probably isn't doing enough to protect privacy in this age -- and with the EU taking the lead with the GDPR, it's become clear that the US needs to put at least something in place. So far, Congress has failed to come up with much, and there's a bit of a ticking time bomb in the form of California's hugely problematic CCPA law, which is set to go into effect on January 1st, despite a long list of problems with the law.

So much of the discussion has been around whether or not a new federal law will come into play that pre-empts various states trying to create their own set of privacy laws. Reps. Anna Eshoo and Zoe Lofgren have now announced their entrant into the discussion with their Online Privacy Act. It is quite long and detailed, coming in at 132 pages which I recommend reading. They've also created a one page summary of the bill.

The bill is ambitious, detailed and thoughtful... but also has some problems and is not likely to become law. There's a lot in the bill, but it will create a brand new federal agency, staffed with 1,600 employees, to "enforce users' privacy rights." Along those lines, it establishes what those rights are -- with much of it pulling from concepts currently found in the GDPR (i.e., rights to access, correct, delete, and download information companies hold about you). There are some opt-in requirements for using your data for things like machine learning (what seems like a response to the kerfuffle over IBM using Flickr images to train facial recognition AI).

The law would also put a bunch of obligations on companies regarding data minimization and also force the companies to be more upfront about what they need particular data for. It would also limit the sale or transfer of personal information. It also criminalizes "doxxing" which it defines as disclosing "personal information with intent to cause harm." If this became law, that section might run into some 1st Amendment problems.

Part of the "thoughtfulness" of the bill is that Eshoo and Lofgren have clearly heard some of the concerns that were laid out about the GDPR or other approaches to privacy. It includes an exemption for small businesses and then also includes a "ramp up" phase for companies that cross out of the small business realm. I'm always a bit concerned about "small business exemptions" because they lead to weird incentives and not always great outcomes. From a purely efficient standpoint, I tend to think that if the law is written in a manner that requires exempting certain classes of companies, it tends to highlight problems with the overall law itself, though there are some exceptions to that rule.

Importantly, the bill also calls out that it should have no impact on journalism, and acts of journalism (reporting on people) should never be seen as violating the law. That could lead to some conflicting situations within the bill, but hopefully the blanket exemption on journalism would protect journalistic activity.

That said, there are still problems with the bill. The biggest one is that it does not appear to pre-empt state laws, which is kind of the whole reason for introducing a federal law in the first place. I know that some privacy activists have pushed back against state pre-emption, but that by itself makes the bill somewhat useless, because California's law and other state privacy laws would more or less wipe this law off the books in terms of effectiveness. I understand the thinking that some have put forth that letting states craft their own privacy laws encourages more experimentation and thoughtfulness, but it makes little sense on an internet that crosses all borders. Complying with all state privacy laws is going to be a huge mess -- and therefore it seems like a federal law must include pre-emption of state laws for it to be valid.

The bill also includes a private right of action, which is seen by many to be problematic -- as it's going to enable the rise of what are, in effect, privacy trolls. Again, there are reasonable concerns about if it's only left up to government enforcement that enforcement will be lax, or will suffer from regulatory capture, but leaving open a broad private right of action could have significant problematic consequences. The bill also seems clearly designed to set up certain non-profits to file a bunch of class action privacy lawsuits:

NONPROFIT COLLECTIVE REPRESENTATION.— An individual shall have the right to appoint a nonprofit body, organization, or association which has been properly constituted in accordance with the law, has statutory objectives which are in the public interest, and is active in the field of the protection of individual rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in this Act on his or her behalf.

I worry a bit about the incentive structure there as well. I certainly have faith that groups like EFF would use this particular power wisely and in pursuit of actually protecting our privacy, but there are a number of non-profits out there that would likely take this to ridiculous extremes and immediately go after lots of companies for potentially dubious reasons.

Most reports on this acknowledge that this bill is unlikely to become law. It does not currently have bipartisan support, and the creation of an entirely new government agency, the lack of state pre-emption, and the private right of action have been seen as non-starters for many.

All that said, we're likely to see a bunch of privacy bills showing up in Congress soon, so it's worth exploring the details of this one. And, of course, it should be noted that both Lofgren and Eshoo represent parts of Silicon Valley, which might make you assume that the bill is "friendly" to tech companies. Looking through the details, though, and that would be a mistake. While I'm sure some will criticize the bill for not going far enough, this would create a pretty massive overhaul in how online privacy is handled in the US today and would, in effect, create an equivalent of the GDPR. That might still "benefit" large companies in making it more difficult for others and new entrants to compete (even with the small business exemption), but this bill doesn't do any favors for internet companies.

I do still worry that most of our attempts to regulate privacy fail because we often misunderstand what privacy means, and I do worry that the approach in this bill, as with the GDPR and the CCPA, suggests a static, rather than dynamic internet world, in which the focus is on "limiting" things, rather than recognizing how they might be better enabled by putting more control in the hands of the end users. So much of the structure of this and other bills seems based on the idea that there are central entities "controlling" our data -- which may be the case today, but need not necessarily be the case in the future.

Filed Under: anna eshoo, competition, doxxing, gdpr, online privacy act, privacy, private right of action, state pre-emption, states, zoe lofgren

Georgia's Brian Kemp Decides To Dox Absentee Voters, Revealing Why They All Voted Absentee

from the voting-irregularities dept

Kind of a key part of the American election setup is the concept of a secret ballot for hopefully obvious reasons. We haven't gone quite so far as eliminating that, but down in Georgia, Secretary of State Brian Kemp (who was running for governor at the same time as he was overseeing the integrity of the election and also putting in place a bunch of attempts at voter suppression) has doxxed hundreds of thousands (291,164 to be exact) of absentee voters by posting an Excel file on the state's website listing out the names, addresses and reasons why they voted absentee.

In typical spokesperson Candice Broce fashion (see her previous nonsensical quotes defending her boss), Broce/Kemp denied that there's anything wrong with this at all. The systems, they are all working perfectly:

When reached, Georgia secretary of state’s press secretary Candice Broce told TechCrunch that all of the data “is clearly designated as public information under state law,” and denied that the data was “confidential or sensitive.”

“State law requires the public availability of voter lists, including names and address of registered voters,” she said in an email.

While it is true that voter name and address info is required to be made available, it is usually not made available in aggregate for anyone to just download without restrictions. And, it's especially concerning that they released the reasons for voting absentee just a day or so after the election -- as people pointed out that this could be quite useful info for criminals looking for who might be away from their homes.

More concerning, of course, is the idea that this could scare off future voters as well who don't want such info being released in such a manner.

Either way, the idea that the Secretary of State, who kept insisting how wonderful his electronic voting systems were, would then release a giant Excel spreadsheet should again raise questions about the technological skills of whoever set up the system, let alone Kemp for overseeing such a system.

Filed Under: absentee voters, brian kemp, doxxing, elections, georgia, voter suppression

Man Who Doxxed Dozens Of People, Engaged In Nineteen 'Swattings', Nets Only One Year In Prison

from the cyber-sentencing-still-mostly-incoherent dept

The treatment of all things "cyber" by the government is incredibly inconsistent. Give someone a password so they can deface a website for 40 minutes and it's two years in jail. Doxx, SWAT, and cyberstalk multiple people and the best the court can do is two years minus time served. The end result is one year in prison for Mir Islam, who doxxed multiple celebrities and politicians, as well as called in fake threats that resulted in the swatting of at least nineteen people, including security researcher Brian Krebs, who uncovered Islam's doxxing tactics.

Krebs' investigation of Islam and his abuse of free credit report services to obtain personal information on a variety of public figures led to the following:

Peeved that I’d outed his methods for doxing public officials, Islam helped orchestrate my swatting the very next day. Within the span of 45 minutes, KrebsOnSecurity.com came under a sustained denial-of-service attack which briefly knocked my site offline.

At the same time, my hosting provider received a phony letter from the FBI stating my site was hosting illegal content and needed to be taken offline. And, then there was the swatting which occurred minutes after that phony communique was sent.

[...]

Nearly a dozen heavily-armed officers responded to the call, forcing me out of my home at gunpoint and putting me in handcuffs before the officer in charge realized it was all a hoax.

The response to the hoax call on Krebs' residence was, by comparison, minimal. Islam also called in a fake active shooter report at the University of Arizona campus. This was apparently in retaliation to a cheerleader's failure to realize Islam's cyberstalking was just another way of saying "I love you."

A woman representing an anonymous “Victim #3” of Islam’s was appearing in lieu of a cheerleader at the University of Arizona that Islam admitted to cyberstalking for several months. When the victim stopped responding to Islam’s overtures, he phoned in an active shooter threat to the local police there that a crazed gunman was on the loose at the University of Arizona campus.

According to Robert Sommerfeld, police commander for the University of Arizona, that 2013 swatting incident involved 54 responding officers, all of whom were prevented from responding to a real emergency as they moved from building to building and room to room at the university, searching for a fictitious assailant. Sommerfeld estimates that Islam’s stunt cost local responders almost $40,000, and virtually brought the business district surrounding the university to a standstill for the better part of the day.

Worse, some of Islam's swatting efforts and cyberstalking occurred while he was "cooperating" with federal prosecutors following his arrest for attempting to sell stolen credit cards to undercover agents.

Federal prosecutors wanted to see Islam jailed for nearly four years -- towards the upper reaches of the mandatory sentencing guidelines. Instead, the judge handed down a sentence of two years. Islam has been in federal custody since July 2015 and that time is being credited towards his sentence, meaning it will only be another year at the most before Islam is free again.

The credit for time served makes sense and the departure from the upper limits of the guidelines is something I would be extremely hesitant to suggest is a bad thing. Prosecutors wanted a much longer sentence, and the allegations here would seem to justify a lengthier imprisonment for Islam.

The problem with the government's fear of anything cyber-related is that the default mode for prosecutors is almost always the upper reaches of the sentencing guidelines, even when the severity of the criminal activity doesn't appear to warrant this sort of punitive sentencing. The government sought a longer sentence for Matthew Keys' minimal participation in a 40-minute headline alteration at a news website. Someone who endangered lives of dozens of people by sending heavily-armed law enforcement officers after them -- in addition to doxxing a large number of public figures and participating in multiple cyberstalkings -- was apparently only deemed dangerous enough to warrant a 46-month sentence, as compared to the 60 months sought in the Keys case.

Then there's this:

Judge Moss, in explaining his brief deliberation on arriving at Islam’s two-year (attenuated) sentence, said he hoped to send a message to others who would endeavor to engage in swatting attacks.

Swatting has the potential to kill people, something clearly not reflected by the "severity" of this sentence.

As Brian Krebs points out, it does send a message, although certainly not the one the judge intended. It says you can endanger the lives of others without seriously affecting your own freedom. It also sends the message that the government -- as a whole -- will remain incoherent and inconsistent in its handling of cybercrime.

Filed Under: brian krebs, crime, dox, doxxing, mir islam, punishment, swatting

The Campaign To Dox Twitter Users In Islamic Countries For 'Blasphemy' And Supporting LGBT Rights

from the pure-evil dept

Nearly half a decade ago, we wondered publicly what a company like Twitter, a self-proclaimed advocate of free and open speech, would do if confronted by a government that is anything but. In that post, Mike discussed how Twitter had been used to rant against the government in Saudi Arabia, and wondered what would happen if Saudi Arabia decided to make such speech illegal. But what if it's not direct government action but that of other users that threatens such speech? While we have seen some governments routinely punish internet speech they don't like, we're now seeing signs of non-government individuals getting into the racket as well, as a way to silence the kind of barely-progressive speech a company like Twitter would likely say it wants to protect.

Late Sunday night, Twitter user @old_gaes tweeted a screenshot of one of @Pharaohoe’s tweets from February, which had replaced the word “domain” in a verse from the Quran with a slang word for vagina.

“This is the end of another atheist and we should continue exposing every Arab atheist child to their parents who do not know of their atheism,” @old_gaes wrote in Arabic above the tweet.

Several friends of @Pharaohoe on Twitter told The Daily Beast that she is 16 years old and lives in Kuwait.

@old_gaes has apparently been making a habit of this sort of thing, seeking out citizens of countries that would severely punish speech deemed to be blasphemous or in support of the LGBT community and reporting any speech like that, or encouraging followers to report it, to the authorities. That appears to be the only kind of tweeting the account does, in fact. Where this kind of harassment has very real consequences in nations like the United States, those consequences are not nearly as severe as might occur in other countries. And, lest you think that this kind of doxing nonsense would go unseen by the Islamic governments in question:

Dubai’s verified police account tweeted back to @old_gaes on Monday morning, asking him to “kindly send the details” about potential blasphemy along to a specific email address.

On Monday, @Pharaohoe tweeted “they fucking found me,” “im gonna puke,” then “i’m deactivating guys.” She then deleted her account.

In addition, there are many followers of this Twitter account and others like it, creating a network of like-minded individuals who could potentially out those using Twitter as a platform for speech. The targets mostly appear to be women in Islamic nations who make statements of atheism or of a faith other than strict Islam, or who make any noises in support of LGBT rights. And, according to those witnessing this doxing, Twitter isn't doing much about it.

“Twitter is absolutely useless. They don’t take this sort of thing seriously,” said the woman who asked to remain anonymous. “I don’t know what the solution is.”

“He’s so dangerous,” said Afra. “I don’t know how his account is still up.”

And, yet, what is Twitter to do? Certainly continued harassment can and should be addressed, but the fact is that Twitter operates internationally, including in countries where the law is not as friendly to secular values as it is in America. If the law in Dubai, for instance, is that blasphemous speech on Twitter should be reported and punished, then Twitter would be walking an interesting line in banning or blocking accounts for doing so. It could try to pull access from those countries, of course, but that would be technically challenging, wouldn't be in its business interests, and would only result in denying those people any voice at all. That doesn't seem like a likely solution. Attempts to get clarity from Twitter itself on how it would want to handle situations like this haven't resulted in much information.

When The Daily Beast reached out to Twitter to ask how accounts like @Old_gaes were allowed to remain active despite consistent reports of harassment, a spokesperson said that “we do not comment on individual accounts, for privacy and security reasons.”

When asked to “better outline how Twitter assesses threats to personal safety” after a violation of the rules that could leave its users in danger, the company did not respond to repeated requests at press time.

And so we have a speech tool co-opted by those wishing to oppress speech, with the company behind the tool seemingly paralyzed as to what to do about it. The good news is that, whatever steps backwards like these may occur, the flourishing of options for free and open speech typically also results in often unexpected change, however slow that change might occur.

Filed Under: blasphemy, doxxing, middle east, social media
Companies: twitter

Honda Tried To Get Jalopnik To Dox Commenter, Delete Posts, Meets The Streisand Effect Instead

from the hi-honda dept

Criticism is part of life, of course, and I tend to believe that people show their true selves most transparently when they show how they deal with criticism. Unfortunately, we've covered entirely too many stories involving people and companies responding to online criticism poorly here at Techdirt. Typically, these unfortunate responses amount to trying to censor the criticism, but it can more dangerously involve the attempted silencing of journalism as well as threats of legal action against those making the critical comments.

Too many times, websites and web services cave to this sort of censorship. But not everyone. Gawker Media, about whom I could fill these pages with criticism, appears to be pushing back on once such attempt levied against its site Jalopnik. Apparently, car-maker Honda took a negative view of some comments made at the site, purportedly by a Honda employee. For some reason, Honda decided that this distinction meant that it could not only silence the comments, but that it should receive help from the site in outing the commenter. The whole thing starts off, as seems so often the case, with some rather mild criticism in the form of a comment.

In December, a commenter calling him or herself HondAnonymous, posted a string of comments on these posts claiming to be a technician at Honda’s research and development facility. People on the Internet make claims like that all the time, but HondAnonymous seemed able to back them up with actual information about the development of the NSX and other cars. The most interesting bits were complaints about the NSX’s Continental tires (“they are garbage”) and how newer Honda engines have an issue “with the studs on the cat either backing out of the head or snapping altogether.”

Interesting, if not earth-shattering. A lot of it sounds like normal car development. The first one is a complaint we’ve seen in various early NSX tests, and the last is probably a recall waiting to happen. But earlier this month, Honda’s lawyers contacted us to say that information posted by HondAnonymous “is confidential information owned by Honda R&D Americas, Inc., and posts by that user of such confidential information breaches a contractual obligation of confidentiality owed to Honda R&D Americas, Inc.”

As Jalopnik notes, it wasn't them that posted the information. Instead, it was a commenter within the open commenting system Gawker Media uses. Regardless, apparently Honda's attorneys requested not only that all comments by the user be taken down immediately, but they also requested that the site turn over all identifying information about the user to them so that they could hunt down the leak. Think about this for just a moment and you'll see the problem: Honda wants Jalopnik's help in figuring out who this commenter is, while also demanding that the content be taken down because it violates a contractual confidentiality agreement. However, Jalopnik isn't obligated in any way to help Honda, regardless of what private contracts may or may not have been violated.

In typical Gawker fashion, Jalopnik gleefully is posting about all this, Streisanding the issue back into the news when it might otherwise have died off quickly.

It’s pretty egregious for a corporation to try to bully a news organization into deep-sixing comments from its own readers. It’s far more egregious to threaten to subpoena us if we don’t dox one of those readers. The good news is we couldn't dox HondAnonymous even if we somehow wanted to. He or she used an anonymous burner account, and we don’t track passwords, logins, or IP addresses for any of our users. HondAnonymous’ posts will stay up.

To Honda, or any other automaker: If you would like us to delete the comments of our readers or expose their identities (which, again, we can’t do anyway) again, please let me know! I am more than happy to drag your intimidation tactics into the public eye for all your customers and prospective buyers to see. Govern yourselves accordingly.

So, in trying to silence and out a critic, Honda instead finds themselves the subject of reports about the attempted silencing of the critic, whose criticism is once more in the public light. Bang up job, lawyers!

Filed Under: anonymity, comments, contracts, doxxing, jalopnik, news sites, streisand effect
Companies: gawker, honda

Utah Politician Looking To Tackle Doxing, DoS Attacks And Swatting With New Slate Of Cybercrime Amendments

from the as-usual,-bill-has-arrived-in-completely-unfinished-state dept

Three of the Four Horsemen of the Internet Apocalypse (*Revenge Porn not included) are being targeted by Utah legislator David Lifferth with a package of amendments to the state's cybercrime statutes.

Utah Representative David E. Lifferth (R) has filed House Bill 225 which modifies the existing criminal code to include cyber crimes such as doxing, swatting and DoS (denial of service) attacks. According to the amendments, these crimes can now range anywhere from misdemeanors to second-degree felonies.

As is often the case when (relatively) new unpleasantness is greeted with new legislation, the initial move is an awkward attempt to bend the transgressions around existing laws, or vice versa. Lifferth's is no exception. As GamePolitics points out, only one of the new crimes is specifically referred to by its given name: DoS attacks. The other two can only be inferred by the wording, which is unfortunately broad.

Swatting becomes:

[making] a false report to an emergency response service, including a law enforcement dispatcher or a 911 emergency response service, or intentionally aids, abets, or causes a third party to make the false report, and the false report describes an ongoing emergency situation that as reported is causing or poses an imminent threat of causing serious bodily injury, serious physical injury, or death; and states that the emergency situation is occurring at a specified location.

It's the stab at doxing that fares the worst. In its present form, the wording would implicate a great deal of protected speech. This is the wording Lifferth would like to add to the "Electronic communication harassment" section.

electronically publishes, posts, or otherwise makes available personal identifying information in a public online site or forum.

Considering it's tied to "intent to annoy, alarm, intimidate, offend, abuse, threaten, harass, frighten, or disrupt the electronic communications of another," the amended statute could be read as making the publication of personal information by news outlets a criminal activity -- if the person whose information is exposed feels "offended" or "annoyed." Having your criminal activities detailed alongside personally identifiable information would certainly fall under these definitions, which could lead to the censorship (self- or otherwise) of police blotter postings, mugshot publication or identifying parties engaged in civil or criminal court proceedings.

It also would to make "outing" an anonymous commenter/forum member/etc. a criminal act, even if the amount of information exposed never reaches the level of what one would commonly consider to be "doxing." Would simply exposing the name behind the avatar be enough to trigger possible criminal charges?

While it's inevitable that lawmakers will have to tangle with these issues eventually, it's disheartening to see initial efforts being routinely delivered in terrible -- and usually unconstitutional -- shape. We expect our legislators to be better than this. After all, it's their job to craft laws and to do so with some semblance of skill and common sense. If nothing else, we expect them to learn something from previous failures to pass bad laws, whether theirs or someone else's.

Filed Under: cybercrime, david lifferth, dos attacks, doxing, doxxing, swatting, utah

Islamic Extremists Use YouTube's Automated Copyright Dispute Process To Access Critics' Personal Data

from the the-further-breaking-of-a-very-broken-system dept

YouTube's infringement reporting system is -- like many others around the web -- fundamentally broken. Making bogus copyright claims is still an easy way to get channels shut down or to siphon ad revenue from existing videos. It can also be used as a censor -- a cheap and dirty way to shut up critics or remove compromising video.

Apparently, Islamic extremists linked with Al-Qaeda have found another use for YouTube's mostly automated dispute process: low-effort doxxing. According to German news sites, a YouTube channel (Al Hayat TV) known for its criticism of Islam has had to send its listed contact person into hiding after bogus copyright claims filed by extremists led to the exposure of his personal information.

On September 25th, someone using the name "First Crist, Copyright" filed bogus copyright complaints against Al Hayat TV. In order to prevent the channel from being shut down for multiple "strikes," Al Hayat TV was forced to file a counter notification. But in order to do so, the channel operators had to expose sensitive information.

From the YouTube Help section on counter notifications:

After we receive your counter notification, we will forward it to the party who submitted the original claim of copyright infringement. Please note that when we forward the notice, it will include your personal information. By submitting a counter notification, you consent to having your information revealed in this way.

Some of the people behind the channel contacted YouTube and tried to explain the danger of releasing this personal information, especially considering a majority of its contributors operated anonymously for safety reasons. These pleas went unheeded, thanks to the automation of the copyright dispute process. Each request was greeted with pre-generated responses from YouTube support. Discussions with actual humans at YouTube only confirmed that the channel wouldn't be reinstated without following the counter notice procedure -- including handing over details on the channel's contact person.

Unfortunately unaware of the fact that it could have used a legal representative to handle this, Al Hayat TV filed formal counter notices using one of its member's names. Shortly thereafter, it received threats from the supposed copyright holder warning the contact person to "watch your head" (a phrase basically understood to be a death threat in Arabic) and promising to spread this info across several extremist websites. The message also told the contact person to [paraphrased slightly] enjoy living in fear under police protection. The contact person has since gone into hiding.

The quid pro quo of the copyright dispute process netted Al Hayat TV death threats and a completely bogus "First Crist, Copyright" contact person: Samuel George of 245 George Street in Sydney, Australia. Google Street View shows this address to be right in the middle of some prime downtown shopping.

At this point, it would be beyond tedious to rehash the problems with these automated enforcement systems. But this story shows the system can be easily exploited to satisfy very twisted ends. YouTube's copyright dispute process is automated out of necessity. The fact that it instantly "sides" with the accuser contributes to the problem. Trying to sort out the legitimacy of copyright claims without chewing up thousands of man-hours would be a logistical nightmare and would quite possibly result in a system inferior to the irreversibly-broken one in place today. The unfortunate lesson to be drawn from this debacle is that those on the "inside" need to game the system as effectively as those on the "outside." If YouTube's going to treat copyright claims issued by "Crist" from the middle of the Establishment Bar in Sydney, Australia as wholly legitimate, Al Hayat TV should be shown the same disinterested "courtesy" and be allowed to issue a counter notices signed by an imaginary attorney residing at some random address. After all, if the dispute continues past this point, YouTube simply washes its hands of the entire situation and tells both parties to work it out themselves.

Copyright isn't really the culprit here. It's the systems that have been developed in response to rights holders' complaints. They're too easily gamed and little to nothing in the way of deterrents. Unfortunately, unlike incidents where copyright enforcement has been clumsily deployed as a censor, there's no Streisand Effect equivalent for those who greet speech they don't like with threats and violence. Extremists like this simply don't care what others think of their irrational hatred and colossally stupid worldview.

Filed Under: al hayat tv, al qaeda, automated process, contentid, copyright, dmca, doxxing, identification, terrorists
Companies: google, youtube

Reddit, Trolling, Doxxing, Free Speech & Anonymity: Whoo Boy, Is This Stuff Complicated

from the keeping-up dept

In case you haven't been following last week's big controversy on Reddit, there are a number of debates going on about a variety of topics, concerning free speech, trolling, anonymity and more. The very short version is as follows: there had been some (quite reasonable and understandable) concern about the subreddit /r/CreepShots in which people (almost all of whom are likely to be guys) were posting surreptitiously shot photos of others, usually women, usually focused on sexually objectifying the subjects of the shot. The subreddit was one of a number of similarly disturbing subreddits that focus on objectifying women -- often very young women. Reddit tends to take a mostly hands off approach to this kind of thing, letting the community do what the community does. In extreme cases where the terms of service have been violated (and laws have been broken) stuff gets shut down -- but for the most part, Reddit lets the community police itself. Some Redditors figured out that the best way to deal with information they don't like is with more information and they started exposing information about the moderators of CreepShots, sometimes naming them publicly (and getting a teacher fired for posting cameraphone shots of his students -- ick).

Jezebel published an article about outing CreepShots moderators, and from that came the news that Adrian Chen at Gawker was getting set to expose one of the more well known moderators/trolls on the site, ViolentAcrez. Before this even came out, some of the moderators on one of the most popular subreddit, /r/Politics announced that they were banning links to all Gawker sites "until action is taken to correct this serious lack of ethics and integrity." Chen went on to publish the story anyway -- a well-written, thoroughly detailed story about the guy, Michael Brutsch, who admits to enjoy being a "troll" in order to get a reaction out of people. Over the weekend, Brutsch was apparently fired from his job.

There has been a lot of talk about all of this -- and about the ethics of pretty much everyone involved. Someone named Navneet Alang directly challenged us, claiming that if Facebook had "censored" an article, we'd be "raging" about it -- but that since we're somehow aligned with Reddit, that's not the case.

The truth -- as always -- is a lot more complex. First of all, let me be clear on a few things: I think that /r/CreepShots and various other subreddits like that are very troubling and ethically dubious. I equally think that the decision to ban Gawker stories from certain subreddits was stupid and really counterproductive if the intent was to draw attention away from the article. That said, the goal may have been more to create chilling effects for other journalists. And, on that front, I'm with Adrian Chen. I think he did a fantastic piece of reporting (actual journalism, yay) and should not be punished for doing so. I tend to think it makes the mods who decided to do the ban look childish and, if not directly hypocritical, very much open to charges of hypocrisy.

That said, the situation is not so simple. This is not the same thing as Facebook banning links -- because that's a company's decision that impacts its users. Reddit, on the other hand, has always been driven by its users with the mods having significant power over each subreddit they control. If they want to make a decision like banning every Gawker site -- no matter how stupid and counterproductive such a decision might be -- they have the right to do so. In some ways, the "Facebook analogy" would be more proper if the person had said that any individual had the power to block links on their own wall. Which they do -- and which no one complains about.

The different subreddits are playgrounds controlled by those mods, not by "Reddit" itself. Sometimes amazing things come out of there, and sometimes absolute crap comes out of there. This is the nature of the internet, and shutting down something or silencing one's speech doesn't change any of that. It just reshuffles the deck.

I believe quite strongly in the importance of anonymity online -- but that's mainly to the extent that the government should not be able to force anonymous speech to be connected to the speaker, except in extreme circumstances. That, however, is entirely different than an enterprising reporter discovering the details that connect someone's account to their name. The accusations by various Reddit moderators that this is somehow an unfair "doxxing" seems like an extreme overreaction. Chen put together information and reported on it. That's journalism.

But, at the same time, I think it's unfair to blame Reddit itself or its management for the (admittedly dumb) decision to block links to Gawker. Reddit is very much about what it's community decides it wants to do, and with that comes some good and bad decisions. I can (and will) criticize what I think is a bad decision by the moderators who did this, but that doesn't mean a condemning of Reddit as a whole, any more than criticizing someone who blocks others from posting to his Facebook wall or Google Groups or personal blog, automatically implicates those platform providers.

Free speech does not mean you are free from the consequences of your speech. And, in the end result, this whole situation encapsulates the power of "more speech" being the best answer to "bad speech." A giant conversation has been started and (almost) none of it has involved getting the law involved to step in and decide who is bad and who is good. Instead, in occasionally messy ways, the community is working out its own norms, and that's fascinating to watch.

Filed Under: adrian chen, creepshots, doxxing, free speech, michael brutsch, violentacrez
Companies: reddit