Hacker Taunts T-Mobile, Calls Its Security 'Awful'

from the fool-me-once dept

It's historically always been true that however bad a hack scandal is when initially announced, you can be pretty well assured that it's significantly worse than was actually reported. That's certainly been true of the recent T-Mobile hack, which exposed the personal details (including social security numbers) of more than 53 million T-Mobile customers (and counting). It's the fifth time the company has been involved in a hack or leak in just the last few years, forcing the company's new(ish) CEO Mike Sievert to issue yet another apology for the company's failures last Friday:

The extra apology didn't come unprompted. It came after the hacker involved in the data breach conducted an interview with the Wall Street Journal (paywalled, here's an open alternative) in which he explained T-Mobile's overall consumer privacy and security protections as "awful":

Binns gained access to the servers after discovering an unprotected router by scanning T-Mobile's internet address for weak spots, The Journal reported. Over 53 million people had personal information compromised in the hack such as names, addresses, dates of births, phone numbers, Social Security numbers, and driver's license information."

In short he didn't so much as "hack" T-Mobile as he walked straight through an open door. Customers say they didn't know about the breach until the media did, prompting them to wonder why, if privacy and security is such a priority for a company like T-Mobile, they had to learn about the incident from somebody else:

"It just frustrates me, honestly," Richards said. "If our data is a priority for you guys to keep safe, how come I haven't gotten a notification or anything like that?"

Of course T-Mobile, like countless other American companies, isn't incentivized to actually secure user data because we don't have a meaningful privacy law for the internet-era. In most cases, the most companies like this see are a week of bad headlines and a few regulatory wrist slaps -- assuming U.S. regulators have the time or resources to pursue any kind of meaningful investigation at all. Without meaningful oversight and penalties the impact on consumers is often little more than an afterthought, and the most they get is another round of "free credit reporting" -- something they've already obtained from the last seven times their personal information wasn't properly secured.

Then of course there's the relentless "growth for growth's sake" mindset in telecom and other sectors that results in a near-mindless obsession with consolidation (often at the cost of anything else). T-Mobile has spent much of the last five years kissing Donald Trump's ass to gain regulatory approval for its job and competition eroding merger with Sprint. How much of the time spent pursuing their heavily criticized megadeal (and the follow up network integration) could have gone toward actually securing the company's servers, routers, and overall network?

Filed Under: data breach, hackers, leak, mike sievert, security
Companies: t-mobile

UK City Leaves Nearly Nine Million License Plate/Location Data Records Exposed On The Open Web

from the city-hopes-to-one-day-achieve-minimum-competence dept

Government officials always remind us that the price of order and lawfulness requires us, as a society, to give up some of our privacy and liberty. It shouldn't be that way, but it almost always is.

For UK motorists, the exchange rate for orderly motorway traffic is millions of their travel records left exposed on the open internet.

In a blunder described as "astonishing and worrying," Sheffield City Council's automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.

The ANPR camera system's internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield's road network.

Oh my no. This isn't acceptable. Sure, the Surveillance Camera Commissioner (yes, that's a thing in the UK) called it "astonishing and worrying," but even those terms fail to capture the horrendousness of this blunder. If it seems like a lot of records to leave unsecured on the open web, it is. It could allow anyone to retrace the travels of thousands of drivers with minimal effort.

It takes a while to amass nearly nine million license plate photos, but not nearly as long as one might expect. As The Register points out, the system's 100 cameras collect thousands of photos every day. On February 24, the cameras collected 21,000 photos. The only thing slowing the system down is the coronavirus. Stay at home orders dropped the record collection down to a more manageable 13,000 records on April 13.

The massive system went live in 2018, accompanied by documents that do not contain the word "privacy" anywhere in their 164-pages of bureaucratese. Apparently, no one bothered to perform any sort of penetration test that might have discovered this wide-open door before security researchers did. The best summation of this clusterfuck comes from the person who discovered the unsecured license plate portal.

The Register learned of the unprotected dashboard from infosec expert and author Chris Kubecka, working with freelance writer Gerard Janssen, who stumbled across it using search engine Censys.io. She said: "Was the public ever told the system would be in place and that the risks were reasonable? Was there an opportunity for public discourse – or, like in Hitchhiker's Guide to the Galaxy, were the plans in a planning office at an impossible or undisclosed location?"

The Sheffield City Council's response to the news is less than comforting. While properly calling the breach unacceptable, the city (and the local assistant chief constable) claims (without offering any evidence) that no one was "harmed" or "suffered any detrimental effects" from the exposed database. I beg to differ. It quite clearly harmed the trust drivers may have had in their local government and didn't do any favors for the traffic camera system provider either. Overseeing a system whose pervasiveness is only surpassed by its insecurity seems pretty detrimental to the "there's always a tradeoff" posturing governments use when subjecting constituents to even more omnipresent surveillance.

Filed Under: leak, license plate, location data, privacy, sheffield, uk

Whirlpool Left Appliance Data, User Emails Exposed Online

from the internet-of-very-broken-things dept

Another day, another shining example of why connecting everything from your Barbie dolls to tea kettles to the internet was a bad idea. This week it's Whirlpool that's under fire after a researcher discovered that the company had failed to secure a database containing 28 million records collected from the company's "smart" appliances. The database contained user email addresses, model names and numbers, unique appliance identifiers, and data collected from routine analysis of the appliances' condition, including how often the appliance is used, when its off or on, and whether it had any issues.

Needless to say this is just the latest example of security researchers doing companies' jobs for them after they connected their products to the internet, then failed to adequately secure the data gleaned from them. For its part, Whirlpool told the researcher that they managed to secure the information within a few days of being alerted earlier this month:

"Our company was recently made aware of a potential security concern with respect to one of its databases. The database was immediately taken offline and secured. Our investigation showed that 48,000 emails were publicly available – but no confidential information was exposed. We are in the process of reaching out to impacted consumers. Our company appreciated this notification so the issue could be quickly addressed."

Granted these kinds of issues occur at least once a week at this point, highlighting how companies were so excited to connect everything to the internet, they never stopped to ask if it was really necessary. A new study by hardware security company nCipher drives that point home, highlighting how the majority of IT professionals are terrified of the security nightmare we've created in the internet of broken things era:

"Sixty-eight percent of these professionals worried that hackers will simply alter the function of an IoT device. Fifty-four percent are concerned that IoT devices will come under the remote control of people with nefarious purposes or merely cruel senses of humor."

As security experts have long noted, there's no market solution to this problem because neither the hardware vendors nor the consumers actually care, given the privacy and security shortcomings (usually) only harm other people. The consumer doesn't care, often because they're never informed that this data is bouncing around the internet unsecured. The vendors don't care, because they're already on to marketing the next product and don't want to retroactively improve and secure their products. And government is, well, busy right now trying to chew gum and walk at the same time.

That's what makes efforts to educate consumers by including privacy features and security practices as part of product reviews so important. It's at least a fleeting attempt to generate some form of organic punishment for companies who treat security and privacy as a distant afterthought.

Filed Under: breach, data, iot, leak, security, smart appliances
Companies: whirlpool

Deloitte Hit By Cyberattack That Compromised Client Information & Decided To Basically Tell Nobody At All

from the ostrich-style dept

In the wake of the Equifax breach, there has been some discussion about just how quickly companies should publicly disclose when they have been victims of security breaches that reveal client information. In the case of Equifax, the company had essentially been sitting on the knowledge that it was attacked since July before going public in early September. Something like two months, in other words. While most people agree that victim companies should have some time to get their houses in order before opening the window shades, two months seemed like a lot, given the severity of the attack and the number of potential victims among Equifax's clients.

But two months is nearly lightning quick compared with Deloitte, the enormous accounting firm that discovered it was the victim of an attack in March and only bothered to tell the public, along with most of its clients, this week.

One of the largest private firms in the US, which reported a record $37bn (£27.3bn) revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.

The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments. So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.

Now, Deloitte may have discovered the breach in March, but there have been whispers that the attackers may actually have pulled all this off in October of last year. The attack was pulled off by accessing an administrator account that lacked anything resembling two-factor authentication, all hosted on Microsoft's Azure cloud service, and potentially exposing every sort of client data ranging from passwords and IP addresses to health information. The decision was made within Deloitte to only inform a few partners and legal staff within the company and a total of six Deloitte clients that the breach had even occurred. Most Deloitte staff and customers had no idea until these past few days.

And that decision could amount to a very real problem for the company, given that most US states and territories have security breach notification laws mandating when companies must tell clients when these sorts of attacks occur. If Deloitte has customers outside of the six it has informed in any of those states or territories, which is a virtual certainty, and those clients' information was exposed by this attack, Deloitte could be in violation of all kinds of state laws for failing to inform those customers what had happened. Most of these laws frustratingly rely on ambiguous language as to how quickly clients or residents of the state should be informed of the breach -- there is all kinds of "in the most expedient time possible" and "without unreasonable delay" language in these laws --, but it would be patently absurd for Deloitte to suggest that 6 months time meets any of those requirements.

In fact, Deloitte won't even acknowledge if it has ever contacted law enforcement about the breach.

Deloitte declined to say which government authorities and regulators it had informed, or when, or whether it had contacted law enforcement agencies.

Now, for its part, Deloitte is making much of its ability to perform an internal review of the breach and the contracted security firms its engaged, all while stating that it has allowed them to pinpoint exactly what data was accessed and what wasn't, and that the amount actually accessed is very small. Except it's hard to take on faith the cyber-sleuthing capabilities when the firm has been so opaque about the breach thus far, and at least some of the notification laws require notification upon breach, not upon actual data acquisition.

If nothing else, it should be clear that covering this stuff up and trying to pretend it never happened is no way to do security.

Filed Under: cyberattack, data leak, disclosure, hack, leak
Companies: deloitte, equifax

Equifax Security Breach Is A Complete Disaster... And Will Almost Certainly Get Worse

from the hang-on... dept

Okay, chances are you've already heard about the massive security breach at Equifax, that leaked a ton of important data on potentially 143 million people in the US (basically the majority of adults in America). If you haven't, you need to pay more attention to the news. I won't get into all the details of what happened here, but I want to follow a few threads:

First, Equifax had been sitting on the knowledge of this breach since July. There is some dispute over how quickly companies should disclose breaches, and it makes sense to give companies at least some time to get everything in order before going public. But here it's not clear what Equifax actually did. The company has seemed almost comically unprepared for this announcement in so many ways. Most incredibly, the site that Equifax set up for checking if your data has been compromised (short answer: yeah, it almost certainly was...) was on a consumer hosting plan using a free shared SSL certificate, a funky domain and an anonymous Whois record. And, incredibly, it asked you for most of your Social Security Number. In short, it's set up in a nearly identical manner to a typical phishing site. Oh and it left open the fact that the site had only one user -- "Edelman" -- the name of a big PR firm.

Not surprisingly, it didn't take long for various security tools to warn that the site wasn't safe.

And, when Equifax pushed people to its own "TrustedID" program to supposedly check to see if you were a victim of its own failures... it just started telling everyone yes no matter what info they put in:

So, yeah, what the hell did Equifax do during those six weeks it had to prepare? Oh, well, a few of its top execs used the delay to sell off stock, which may put them in even more hot water (of the criminal variety). Also, just days before it revealed the breach, and long after it knew of it, the company was talking up how admired its CEO is. This is literally the last tweet from Equifax prior to tweeting about the breach (screenshotted, because who knows how long it'll last):

I can't see any scenario under which Smith keeps his job. And it seems likely that many other execs are going to be in trouble as well. Beyond the possible insider trading above, there's already scrutiny on its corporate VP and Chief Legal Officer, John J. Kelley, who made $2.8 million last year and runs the company's "security, compliance, and privacy" efforts.

And despite six weeks to prepare for this, the following was Equifax's non-apology:

We apologize to our consumers and business customers for the concern and frustration this causes.

That's a classic non-apology. It's not apologizing for its own actions. It's not apologizing for the total mess it's created. It's just apologizing if you're "concerned and frustrated."

Oh, and did we mention that the very morning of the day that Equifax announced the breach, it tweeted out about a newsletter it published about how "safeguarding valuable customer data is critical." Really (again, screenshotted in case this disappears):

What the fuck, Equifax? Should we even mention that Equifax has been a key lobbying force against data breach bills? Those bills have some problems... but, really, it's not a good look following all of this.

And while there was some concern that signing up to check to see if you were a victim (again: look, you probably were...) would force you out of being a part of any class action lawsuit, that's since been "clarified" to not apply to any class action lawsuits over the breach. And you better believe that the company is going to be facing one heck of a class action lawsuit (a bunch are being filed, but they'll likely be consolidated).

That's all background of course. What I really wanted to discuss is how this will almost certainly get worse before it gets better. More than twelve years ago, I wrote that every major data breach is later revealed to be worse than initially reported on. This has held true for years and years. The initial analysis almost always underplays how serious the leak is or how much data is leaked. Stay tuned, because there's a very high likelihood we'll find out that either more people were impacted or that more sensitive information is out there.

And that should be a major concern, because what we already know here is stunning. As Michael Hiltzik at the LA Times noted, this is the mother lode of data if you want to commit all sorts of fraud:

The data now at large includes names, Social Security numbers, birthdates, addresses and driver’s license numbers, all of which can be used fraudulently to validate the identity of someone trying to open a bank or credit account in another person’s name.

In some cases, Equifax says, the security questions and answers used on some websites to verify users’ identity may also have been exposed. Having that information in hand would allow hackers to change their targets’ passwords and other account settings.

Other data breaches may have been bigger in terms of total accounts impacted, but it's hard to see how any data breach could have been this damaging. For over a decade, we've pointed out that credit bureaus like Equifax are collecting way too much data, with zero transparency. In fact, back in 2005, we wrote about Equifax itself saying that it was "unconstitutional and un-American" to let people know what kind of information Equifax had on them. The amount of data that Equifax and the other credit bureaus hold is staggering -- and as this event shows, they don't seem to have much of a clue about how to actually secure it.

At some point, we need to rethink why we've given Equifax, Experian and TransUnion so much power over so much of our everyday lives. You can't opt-out. They collect most of their data without us knowing and in secret. You can't avoid them. And now we know that at least one of them doesn't know how to secure that data.

Filed Under: cybersecurity, fraud, leak, security, security breach
Companies: equifax

As HBO Screams About GoT Episodes Leaking From A Hack, HBO Leaks Next GoT Episode Early

from the fine-everything's-fine dept

I love HBO's Game Of Thrones. I hate everything we have to write about it, however, because the stories are typically dumb in the usual ways that stories are dumb here at Techdirt. From HBO happily playing the evil villain in protecting the show's IP in the most overly-protectionist manner possible, to HBO screaming about the show being heavily pirated while everyone else comments about how good a thing that actually is, all the way up to the occasional overt hacking that occurs, where episodes from the show leak early, everybody freaks out, and then HBO and GoT go on to rake in tons of eyeballs and money anyway. One of these hacks just occurred, as you may know, resulting in a ransom not being paid to the hackers, who were then eventually arrested. While episode four of the current season did indeed get leaked, it wasn't the hackers who leaked it, but someone at an HBO distribution partner. So HBO screams about hacks while someone with in its own house is leaking episodes.

And now it just appears to have happened again. Episode six has now leaked out and fingers are being pointed at the Spanish division of HBO itself for the leak.

Trouble continues for HBO as another episode of the popular Game of Thrones series has just leaked online, days ahead of the official premiere. Copies of the sixth episode of the current season, titled ‘Death is the Enemy,’ are currently circulating on various streaming portals, direct download, and torrent sites.

At the moment it’s not confirmed how the leak came about but some suggest that it was leaked by HBO itself in Spain. Several people have posted screenshots and videos that suggest it was made public by HBO unintentionally.

With no counter-narrative yet from HBO, which you'll recall loves to scream about hacks and piracy, the accidental leak from HBO is the only explanation on offer as of the time of this writing. And, look, mistakes like this happen. The point of this post isn't to point the finger and laugh at HBO for accidentally leaking an episode itself.

No, the point is that these leaks just don't matter. The show continues to rack up the same astounding viewership numbers, leaks and all. It's wildly successful. It has been spun off into board games and all manner of merchandise. It's to the point that nobody batted an eye when HBO refused to pay the hackers' ransom to not release the episodes early. There would be no point. Hell, when the first four episodes of season five of the show were leaked early, that season broke the show's viewership records.

So chill, HBO. Leaks from hackers, leaks from distributors, and leaks from your own offices aren't going to bring the piracy dragons to your doors to destroy your keep.

Filed Under: game of thrones, leak
Companies: hbo

North Carolina Election Agencies First Learned They'd Been Hacked From Leaked Documents Published By The Intercept

from the accelerated-disclosure dept

At the time, the documents leaked by NSA contractor Reality Winner -- showing Russian interference in the recent election -- didn't seem to be of much importance. They showed something that had long been suspected, but also showed the NSA performing the sort of surveillance no one really disapproves of. The documents were in the public's interest, but weren't necessarily of the "whistleblower" variety.

That aspect of the documents hasn't changed, but public interest in the unauthorized disclosure certainly has. In a post for Emptywheel, Marcy Wheeler takes on an NPR story about actions taken by electoral agencies as a result of the leak.

The company that provided the software for the poll books is VR Systems — the company that the document Reality Winner leaked showed had been probed by Russian hackers.

[S]usan Greenhalgh, who’s part of an election security group called Verified Voting, worried that authorities underreacted. She was monitoring developments in Durham County when she saw a news report that the problem pollbooks were supplied by a Florida company named VR Systems.

“My stomach just dropped,” says Greenhalgh.

She knew that in September, the FBI had warned Florida election officials that Russians had tried to hack one of their vendor’s computers. VR Systems was rumored to be that company.

Now, there's an investigation underway in North Carolina, linked directly to the documents leaked by Reality Winner. Josh Lawson, general counsel for the state's board of elections, said it first learned about the hacking from the Intercept's article.

Which makes you wonder when the federal government was going to get around to notifying affected state agencies. When local agencies are learning about Russian hacking from leaked documents rather than straight from the source, the downward flow of pertinent information seems to be more than a little broken.

Not that this news will do Winner any good as she heads to court. As noted by Ed Snowden earlier, and reaffirmed here by Marcy Wheeler, any positive outcomes resulting from leaked documents can't be raised by the defendant.

Last week, Magistrate Judge Brian Epps imposed a protection order in her case that prohibits her or her team from raising any information from a document the government deems to be classified, even if that document has been in the public record. That includes the document she leaked.

The protective order is typical for leak cases. Except in this case, it covers information akin to information that appeared in other outlets without eliciting a criminal prosecution. And more importantly, Winner could now point to an important benefit of her leak, if only she could point to the tie between her leak and this investigation in North Carolina.

With the protection order, she can’t.

This is generally how things go in espionage cases. This is what Snowden detractors ignore when they argue he should just return home and face a "fair trial." There are no fair trials in espionage cases. In Winner's case, the order is so broad it forbids her legal reps from discussing any classified document or any document they believe might be classified (or derived from classified documents), even if those documents have been leaked and published by journalistic entities.

The info in the leaked documents led to an investigation. This may excuse the leak in the minds of those whose first encounter with evidence of Russian hacking came from a site known for publishing leaks, rather than the federal government performing the surveillance that uncovered it. But this is of no use to Reality Winner, or any leaker in her position. No matter how much good may result from unauthorized disclosures, the government only cares about the authorization.

Filed Under: hacking, leak, north carolina, nsa, reality winner

Why Are The Congressional Intelligence Committees So Quiet On The NSA Malware Leaks?

from the speak-up,-feinstein,-we-can't-hear-you dept

Last week, we wrote about the leak of various NSA hacking tools, that showed it had zero-day exploits for a bunch of hardware, including some from Cisco. This has raised some concerns about how long the NSA sat on these vulnerabilities without telling companies -- along with reaffirming what many people already suspected: that the supposed "Vulnerabilities Equities Program" (VEP), in which the NSA is supposed to disclose the vulnerabilities it finds to the companies to patch, is a complete joke.

But Marcy Wheeler has another important point about all of this. When the Snowden documents originally leaked three plus years ago, the various top members of the House and Senate Intelligence Committees -- the so-called Gang of Four -- were quick to speak out (and condemn) the leak. But, oddly, this time they're staying pretty quiet.

Within hours of the first Snowden leak, Dianne Feinstein and Mike Rogers had issued statements about the phone dragnet. As far as I’ve seen, Adam Schiff is the only Gang of Four member who has weighed in on this

U.S. Rep. Adam Schiff, the ranking Democrat on the House Intelligence Committee, also spoke with Mary Louise. He said he couldn’t comment on the accuracy of any reports about the leak.

But he said, “If these allegations were true, I’d be very concerned about the impact on the intelligence community. I’d also obviously want to know who the responsible parties were. … If this were a Russian actor — and again, this is multiple ‘ifs’ here — we’d have to ask what is causing this escalation.”

Say, Congressman Schiff. Aren’t you the ranking member of the House Intelligence Committee and couldn’t you hold some hearings to get to the bottom of this?

Meanwhile, both Feinstein (who is the only Gang of Four member not campaigning for reelection right now) and Richard Burr have been weighing in on recent events, but not the Shadow Brokers release.

If the House and Senate Intelligence Committees were really about "oversight" of the NSA, then shouldn't they have jumped on this immediately? Shouldn't they be looking into how the NSA manages the VEP? Shouldn't they be looking into how these tools got out? Why are they just staying silent or giving meaningless statements like Schiff's?

Filed Under: 0days, adam schiff, devin nunes, dianne feinstein, house intelligence committee, leak, malware, nsa, richard burr, senate intelligence committee, vep, vulnerabilities

Greenpeace Publishes Leaked TTIP Documents... Show How Backroom Deals Are Driven By Lobbyists

from the because-of-course-they-are dept

We've written plenty of stories about the TTIP (Transatlantic Trade & Investment Partnership) agreement being worked on between the US and the EU. Think of it as the companion to the TPP, which covers the US and a variety of countries around the Pacific ocean. Like the TPP, the US has demanded extreme levels of secrecy around the negotiations (in the past, the US negotiating body, the USTR, has admitted that the more the public is aware of the details, the less likely they are to support the agreement). And while there have been reports out of the EU arguing that negotiators there are more willing to be more open about the negotiations, so far, the US has not allowed it. This has resulted in some crazy situations including secretive "reading rooms" where politicians are carefully guarded if they look at the current drafts -- and where they're not allowed to bring any device or copy anything from the documents.

Now, Greenpeace has leaked a bunch of the TTIP documents... and also set up their own "reading room" which mocks the secrecy of the current reading rooms, by making it very, very transparent:

Krasse Aktion von Greenpeace. Haben nen transparenten #TTIP Leseraum vor der US Botschaft … https://t.co/CZC0myHq5t pic.twitter.com/N0Iv8eHNwc

— Sebastian Jabbusch (@SebJabbusch) May 2, 2016

As for the contents revealed, it's pretty much what everyone suspected. Most of the focus, so far, is on details showing that the US has been pressuring the EU to loosen various consumer and environmental protections in the EU. While it hasn't received as much attention, the leak also does suggest problems for digital rights, mainly by giving telcos much more power. And while the "intellectual property" chapter does not appear to be included, one of the leaks is the "tactical state of play" document. This document isn't part of the negotiating text, but a general summary on where things are... and it's fairly revealing on a variety of topics, including intellectual property.

In the discussion on the intellectual property agreement, it notes that at the latest negotiation, the US refused to put forth "concrete proposals" on issues such as DRM, but the report notes that these are being pushed strongly by "rights holders." The EU, apparently, is nervous about what kind of language it will eventually see from the US. The US, in response, apparently told the EU negotiators that this would be a different kind of intellectual property chapter from the TPP:

A positive feature of the twelfth round of IP discussions was the US submission, for the first time, of some texts on relatively consensual areas (international treaties and general provisions). However, the US remains unwilling to table, at this stage, concrete proposals on more sensitive offensive interests that have been expressed by some of its right holders or that are explicitly referred to in its TPA (for instance on patents, on technical protection measures and digital rights management or on enforcement).

When confronted with the EU warning that bringing sensitive proposals that would require changes in EU law to the table – and doing it at a late stage of the negotiation – may have a negative impact on stakeholders and has very limited chances of being accepted, the US reiterated its understanding that the IPR chapter should not be a standard (TPP type) text, but also insisted that such a departure from its “model” creates some difficulties in terms of addressing the demands included in the IPR related sections of its TPA.

The report also notes that Congress' unwillingness to pass laws to stop patent trolls or in support of (awful) broadcast rights, public performance rights and resale rights, may be an issue, since all three are important to EU rightsholders. We've covered all three issues at various points in time, and all three involve basically expanding copyright law in dangerous ways that will further limit the public's rights. In this case, it looks like it's the EU that's pushing more strongly for them, which is too bad. The public performance rights have the most forward progress in the US right now, with the push to ratify the Beijing Treaty, but hopefully that's an area where legislative indifference kills a horrifically bad idea.

In short, it appears that there are a lot of competing interests on both sides of the Atlantic around the intellectual property chapter, but both sides appear to be focused almost entirely on the protectionist, anti-innovation, anti-public interests of specific rights holders and how to make them happy. There's basically no discussion of how all of this impacts the public.

That's not too surprising, but it also shows why they've worked so hard to keep these documents from being seen by the public. The TTIP agreement was already way behind the TPP agreement, and it's quite doubtful that a final agreement will be reached before the new US administration is in place, which could result in some pretty massive changes in terms of what the White House is demanding. But, as of right now, the agreement looks like yet another mess where lobbyists try to divvy up the spoils in taking things away from the public.

Filed Under: backroom deals, eu, intellectual property, leak, lobbyists, tafta, transparency, ttip, ustr
Companies: greenpeace

Terabyte-Sized 'Panama Papers' Leak Confirms The Continuing Rise Of The Super-Whistleblowers

from the who's-next? dept

As you may have noticed on Twitter and across social media, a big leak of documents from Mossack Fonseca, a global law firm based in Panama, took place over the weekend. Actually, to call the Panama Papers leak "big" is something of an understatement:

11.5 million records, dating back nearly 40 years -- making it the largest leak in offshore history. Contains details on more than 214,000 offshore entities connected to people in more than 200 countries and territories. Company owners in billionaires, sports stars, drug smugglers and fraudsters.

The main Panama Papers site run by The International Consortium of Investigative Journalists notes this bounty has provoked the "largest cross-border collaboration ever"; dozens of media sites are involved, although curiously few from the US. That means in-depth analysis of the implications of these documents for the rich, the powerful, the criminals and the companies they created will be appearing for many weeks, if not months. So there's little point trying to second-guess what will emerge, not least because there is no public access to the documents involved, making deeper analysis impossible.

Fortunately, here on Techdirt we're interested in a few specialized angles. For example, the tech side. The Guardian states that the the Panama Papers total 2.6 terabytes of data, which dwarfs earlier leaks of financial documents: the HSBC files are 3.3 gigabytes, the Luxembourg tax files 4.4 gigabytes, and the so-called "offshore secrets" files total 260 gigabytes, while Wikileaks is a mere 1.7 gigabytes.

A few years ago, it would have been inconceivable to "exfiltrate" terabytes of data like this. That in itself was a powerful brake on massive leaks. But today you can buy a portable, pocket-sized USB hard disk drive with a capacity of several terabytes for tens of dollars, with prices continuing to fall -- thanks to Kryder's Law and other factors. As a result, we are seeing leak inflation: where whistleblowers first grabbed megabytes and then gigabytes, but they now take terabytes, simply because they can. Why settle for a partial set, and risk leaving behind the juicy stuff, when you can simply "collect it all" (now, where have we heard that before?)

So leaks are likely to get bigger. They may also become more common. The more high-profile whistleblowers there are, the more others are likely to be inspired to do the same. That fact has not gone unnoticed in the corporate world. In an evident attempt to stem the flow of embarrassing leaks, companies have been pushing for more laws to protect their "trade secrets." For example, as Techdirt noted last year, TPP includes stronger protection, and TAFTA/TTIP will have it too. Even before TTIP is likely to require it, the EU is proposing to bring in new laws to beef up protection for corporate trade secrets:

A small group of lobbyists working for large multinational companies (Dupont, General Electric, Intel, Nestlé, Michelin, Safran, Alstom…) convinced the European Commission to draft such a legislation, and helped it all along the way. The problem is that they were too successful in their lobbying: they transformed a legislation which should have regulated fair competition between companies into something resembling a blanket right to corporate secrecy, which now threatens anyone in society who sometimes needs access to companies' internal information without their consent: consumers, employees, journalists, scientists...

As that post from Corporate Europe Observatory puts it, we are witnessing attempts to enshrine a new "right to corporate secrecy" around the world. That's the bad news; the good news is that it's getting easier for anyone to be a super-whistleblower on a massive scale. Recognizing the value of such leaks, the Greens in the European Parliament hope to present a proposal for laws protecting whistleblowers across Europe. There's not much hope it will be adopted at this stage, but it's a further sign of how important this whole area has become.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: leak, panama, panama papers, whistleblower
Companies: mossack fonseca