Congressional legislators -- apparently caught off guard by one state's revenue stream -- are asking the California Department of Motor Vehicles a $50 million question: why the hell are you selling residents' personal data?
A group of nearly a dozen lawmakers led by member of Congress Anna Eshoo wrote to the California Department of Motor Vehicles (DMV) on Wednesday looking for answers on how and why the organization sells the personal data of residents. The letter comes after Motherboard revealed last year that the DMV was making $50 million annually from selling drivers' information.
As Karl Bode noted last year when covering this revelation, this sale of data is codified. The Driver's Privacy Protection Act doesn't do much to protect drivers' privacy. It may prevent abuse of this data by government employees but none of that affects private sector access where the real money is made.
The data from the California DMV is sold to a variety of data brokers. The public records request that resulted in this windfall of transparency about the DMV's windfall of actual money didn't name any of its customers. But did show a steady increase in revenue over the five years the records covered.
The letter [PDF] signed by nine members of Congress -- including California Congressional rep Ted Lieu -- asks the DMV a lot of pointed questions about its practice of profiting off data Californians are forced to hand over in exchange for licenses. It asks the questions the records obtained by Motherboard left unanswered. First off, the legislators want to know who this data is being sold to.
What types of organizations has the DMV disclosed drivers’ data to in the past three years? In particular, has the DMV sold or otherwise disclosed data to debt collection agencies, private investigators, data brokers, or law enforcement agencies?
Has the DMV ever disclosed drivers’ photos to federal, state, or local law enforcement agencies or given such agencies access to a database of drivers’ photos?
What specific fields of personal information have been sold or disclosed to third parties by the DMV in the past three years?
Have Social Security numbers or driver’s license photos ever been disclosed?
The legislators also want to know if this data is being shared with ICE and other federal agencies for the purposes of locating undocumented immigrants. It also asks if Californians can ask to opt out of the data sales/sharing and whether the agency would honor any of these requests.
The legislators note that they're concerned about this practice they probably should have already been aware of -- especially the two California assembly members who also signed the letter.
[W]e’re troubled by press reports about the California DMV’s disclosure of vast quantities of data which could enable invasive biometric policing and be a symptom of a deeper privacy malady. [...] What information is being sold, to whom it is sold, and what guardrails are associated with the sale remain unclear.
The DMV has already answered some of these questions... sort of. In a statement to Motherboard, the DMV said the $50 million/year it makes on data sales only offsets the cost of "administering its requester program." It denies selling information to marketers. It did not deny selling info to data brokers or other common customers for DMV data, like credit reporting agencies.
"The DMV takes its obligation to protect personal information very seriously. Information is only released according to California law, and the DMV continues to review its release practices to ensure information is only released to authorized persons/entities and only for authorized purposes. For example, if a car manufacturer is required to send a recall notice to thousands of owners of a particular model of car, the DMV may provide the car manufacturer with information on California owners of this particular model through this program," the statement added.
"Only released according to California law." That's the problem. The law allows the DMV to sell data to private companies. It takes a few purchases to add up to $50 million. Handing out info to car manufacturers for recalls is probably something the DMV does for a minimal cost, if it even charges anything for it. The DMV's statement sounds good but really says nothing. No one will really know what happens to the data the DMV collects until it starts handing over detailed answers to these questions from Congress.
Last week we noted that the latest person that Rep. Devin Nunes was threatening to sue (a constantly growing list) was a fellow Congressional Representative, Ted Lieu. Nunes was particularly mad that Lieu had said Nunes "conspired" with Lev Parnas, the now indicted Rudy Giuliani aide who has been dribbling out a bunch of fascinating info lately. We, and many others, had asked Lieu to release the letter from Nunes' lawyer, and he finally released the first page as well as his own response letter. And the timing is interesting, because it comes just as the House released new evidence of a connection between Parnas and Nunes.
First, though, let's look at the letter Nunes' regular SLAPP-happy lawyer, Steven Biss, sent to Lieu:
Attached is the first page of a five page letter in which the lawyer for @DevinNunes threatens that Rep Nunes will sue me.
We've seen plenty of ridiculous and empty defamation threat letters, but this one surprised me in how absolutely stupid it is. Rather than your typical defamation letter, Biss is claiming that the Constitution protects a person's "right to an unimpaired reputation." This is not something that exists. But here's what the part of the letter that Lieu revealed says:
Dear Mr. Lieu:
I represent Devin G. Nunes.
As I am sure you are aware, the United States Constitution and the common law faithfully protect a person's "absolute" right to an unimpaired reputation. In Rosenblatt v. Baer, the United States Supreme Court expressly affirmed that:
"'Society has a pervasive and strong interest in preventing and redressing attacks upon reputation.' The right of a man to the protection of his own reputation from unjustified invasion and wrongful hurt reflects no more than our basic concept of essential dignity and worth of every human being--a concept at the root of any decent system of ordered liberty ... The destruction that defamatory falsehood can bring is, to be sure, often beyond the capacity of the law to redeem. Yet, imperfect though it is, an action for damages is the only hope for vindication or redress the law gives to a man whose reputation has been falsely dishonored".
First of all, what an odd citation to use. Rosenblatt v. Baer does not say that you have an absolute right to an unimpaired reputation. Second, the court in Rosenblatt rejected an attempt by a public figure to sue for defamation. It came out soon after the much more well known and important New York Times v. Sullivan case that said for there to be defamation of a public figure, the statements had to be made by someone knowing they were false, or demonstrating reckless disregard for the truth. And, in Rosenblatt v. Baer, the court determined that you couldn't sue someone just for being critical of your actions as a government employee.
Here's part of the ruling not cited by Nunes' lawyer, who quotes only the first bit of this, but leaves out what comes right afterward and which I've highlighted:
Society has a pervasive and strong interest in preventing and redressing attacks upon reputation. But in cases like the present, there is tension between this interest and the values nurtured by the First and Fourteenth Amendments. The thrust of New York Times is that when interests in public discussion are particularly strong, as they were in that case, the Constitution limits the protections afforded by the law of defamation. Where a position in government has such apparent importance that the public has an independent interest in the qualifications and performance of the person who holds it, beyond the general public interest in the qualifications and performance of all government employees, both elements we identified in New York Times are present and the New York Times malice standards apply.
In other words, going by the standard in Rosenblatt v. Baer, Nunes has no leg to stand on. Oh, and also, the actual section that Biss is quoting from is not the majority opinion, but rather a concurrence by Justice Stewart that (even while concurring) complains about the quoted section the majority put forth above. In other words, this is not the official position of the Supreme Court.
This is bad lawyering upon bad lawyering.
Anyway, that takes us to Lieu's response which is... just wonderful:
Dear Mr. Biss,
I received your letter dated December 31, 2019 in which you state your client Congressman Devin Nunes will sue me if I don't, among other actions, issue a public apology to Devin Nunes. It is true that I stated Congressman Nunes worked with Lev Parnas and conspired to undermine our own government. As you know, truth is a defense. So go read the documents and text messages provided by Lev Parnas to the House of Representatives, and watch his interview on the Rachel Maddow Show, which aired on January 15, 2020, that directly implicates Rep Nunes.
I welcome any lawsuit from your client and look forward to taking discovery of Congressman Nunes. Or, you can take your letter and shove it.
Daaaaaaaaaaamn, Congressman. Bringing fire.
Anyway, about the time that Lieu released that letter, the House released a bunch of Whatsapp messages, provided by Parnas, between Parnas and top Devin Nunes aide Dereck Harvey. It shows Harvey and Parnas discussing US foreign aid to Ukraine and setting up some sort of interviews, including with the former Ukraine Prosecutor General, Viktor Shokin. They also set up a few meetings between themselves at the Trump Hotel in DC including one conversation the very day before previously released records showed Nunes and Parnas playing phone tag, before apparently connecting for over eight minutes.
And, in case you forgot, here are the phone records between Parnas and Nunes.
As the Politico article linked above notes:
The newly released text messages show Harvey asking Parnas to pursue several lines of inquiry with his Ukrainian contacts, including one regarding what Harvey calls “rumors” about coordination between the 2016 campaign of Hillary Clinton and the Ukrainian government to dig up dirt on Trump’s campaign manager Paul Manafort.
Harvey asked a few days later whether Parnas was preparing to send documents or if he would “keep working through [John] Solomon,” a reference to a former columnist at The Hill who was working closely with Parnas and Giuliani on the effort.
Over the next few weeks, the pair attempted to arrange Skype interviews between Republican staff of the Intelligence Committee and senior officials in Ukraine, including former prosecutors Viktor Shokin and Yuri Lutsenko, who had been working to oust Yovanovitch and had offered up allegations of dirt on Biden.
So, uh, yeah. I'm guessing for all the bluster and questionable legal arguments from Biss, Devin Nunes probably does not want to sue Lieu and find himself in discovery. The question is whether or not Nunes is actually smart enough to know when he should take one of his silly legal threats and "shove it," or if he's going to continue down his destructive path of suing anyway.
At times he's admitted that these lawsuits are about fishing for journalist's sources, but it certainly seems pretty clear that this is all an intimidation campaign, by a silly little man who is an elected representative in Congress and simply can't handle criticism. Of course, as more evidence comes out that, at the very least, suggests that Nunes is somehow tied up with all of the mess around impeachment -- including reports revealing that the indicted Lev Parnas spoke by phone with Nunes -- he seems to be getting more and more upset with anyone calling him out.
The latest is that fellow California Representative Ted Lieu noted on Twitter that Nunes' lawyer sent him a letter threatening to sue Lieu for saying "that Nunes conspired with Parnas."
Amazing Lev Parnas interview on #Maddow. Also, I’m disclosing that the lawyer for @DevinNunes wrote a letter saying Rep Nunes will sue me if I didn’t apologize for saying last month that Nunes conspired with Parnas.
Unfortunately, Lieu hasn't yet released that letter, but I'm hoping he does. I'd be curious to see if Nunes tries to sue Lieu in Virginia like most of his other lawsuits, rather than California. Also, I'd love to see how Nunes and his lawyer think they can get around the Speech or Debate Clause.
In the meantime, Ted Lieu, we really could use more people in Congress supporting a federal anti-SLAPP law. Seems like now might be a good time for you to support such a law, right?
So, yesterday the House Judiciary Committee did what the House Judiciary Committee seems to do best: hold a stupid, nonsensical, nearly fact-free "hearing" that serves as nothing more than an opportunity for elected members of Congress to demonstrate their ignorance of an important topic, while attempting to play to their base. This time, the topic was on the content filtering practices of Facebook, Twitter and Google. Back in May there was actually a whole one day conference in Washington DC on this topic. The Judiciary Committee would have been a lot better served attending that than holding this hearing. I'd recommend not wasting three hours of your life watching this thing, but if you must:
The shortest summary would be that some Republican members of Congress think that these websites censor too much conservative speech, and some Democratic members of Congress think that they don't censor enough other speech (including hoaxes and conspiracy theories)... and almost no one wants to admit that this is not even remotely an issue that Congress should be concerned about. There's a narrative that has been picked up by many that insist that social media platforms are unfairly censoring "conservatives." There is basically zero evidence to support this. Indeed, a thorough analysis of the data back in March by Nieman Labs and Newswhip found that conservative-leaning sites get much, much, much more engagement on Facebook than liberal-leaning sites.
But, never let facts get in the way of a narrative. Since that seems to be the way many hyperpartisan sites (at either end of the spectrum) deal with these things, Congress is helping out. The only bit of sanity, perhaps bizarrely, came from Rep. Ted Lieu, who reminded everyone of the importance of free markets, free speech and the fact that private platforms get to decide how they manage their own services. Considering that Republicans often like to claim the mantle of being the "small, limited government" party who wants the government's hands out of business regulation, the fact that most of the hearing involved Republicans screaming for regulating internet platforms and a Democrat reminding everyone about the importance of a free market, capitalism and free speech, it really was quite a hearing. Lieu's remarks were some of the rare moments of sanity during the hearing -- including defending Facebook leaving Alex Jones' conspiracy theories on its site. Let's start with that high point before we dive into the awfulness. His comments come at about 2 hours and 10 minutes into the video:
... we're having this ridiculous hearing on the content of speech of private sector companies. It's stupid because there's this thing called the First Amendment. We can't regulate content! The only thing worse than an Alex Jones video is the government trying to tell Google... to prevent people from watching the Alex Jones video. We can't even do it if we tried. We can't even do any legislation out of this committee. And we're having this ridiculous second installment hearing after the first hearing about Diamond and Silk not getting enough likes on Facebook.
He then went on to ask questions "so the American public understands what a dumb hearing this is." And those questions -- again -- seemed like the kinds more expected from supposedly "free market" conservatives. Specifically he asked the companies if they were private companies aiming to maximize profits for shareholders. And he wasn't doing that to show that companies were evil, he was doing that to show that that's how the free market works. He followed up with this:
I noticed all of you talked about your own internal rules. Because that's what this should be about. You all get to come up with your own rules. But not because government tells you what to do. Or because government says you have to rule this way or that way. And the whole notion that somehow we should be interfering with these platforms from a legislative, governmental point of view is an anathema to the First Amendment. And really it's about the marketplace of ideas.
Kudos to Rep. Lieu. This is the kind of speech that you'd normally expect to hear from a "small government" conservative who talks about respecting the Constitution. But, in this case, it's a Democrat. And it's shameful that others (on both sides of the aisle) weren't making the same point. Instead, there was a ton of pure nonsense spewed from the Republicans at the hearing. It's hard to fathom that the following statements were made by people we've actually elected to our legislative body. There were so many dumb statements made that it's difficult to pick out just a few.
Let's start with Rep. Steve King, who has made quite a name for himself saying and repeating bigoted nonsense. Starting at about an hour and five minutes in the video, King seemed particularly concerned about traffic to Gateway Pundit, a site famous for trafficking in utter nonsense.
It's a matter of Congressional record that Gateway Pundit, Mr. Jim Hoft, has introduced information into the record that in the span of time between 2016 and 2018, he saw his Facebook traffic cut by 54%. Could you render an explanation to that?
Um... what? How the hell is it of any concern to Congress whatsoever the traffic a single site gets? And, as we were just discussing recently, traffic to lots of news sites from Facebook has dropped massively as Facebook has de-prioritized news. In that post, we pointed out that Slate was self-reporting a drop in Facebook traffic over that same period of time of 87%. Based on that, why isn't King asking about Slate's traffic dropping? Perhaps because Gateway Pundit publishes the kind of nonsense King supports and Slate points out that King is a bigot?
And... isn't that, again, kind of the point of the First Amendment? To protect news sites from having Congress play favorites?
Incredibly, King then concludes his time by first claiming he's all for free speech and free enterprise, but wonders about turning social media sites into regulated utilities.
I'm all for freedom of speech and free enterprise and for competition and finding a way that we can have competition itself that does its own regulation, so government doesn't have to, but if this gets further out of hand, it appears to me that Section 230 needs to be reviewed, and one of the discussions that I'm hearing is 'what about converting the large behemoth organizations that we're talking about here into public utilities.'
Are we living in an upside down world? A Democrat is praising the free market, profits and free speech, and a Republican is advocating for limiting free speech and in favor of turning some of the most successful US companies into public utilities? What is even going on here?
Around an hour and 18 minutes, we get our old friend Rep. Louis Gohmert, who has a fairly long and extensive history of making the dumbest statements possible concerning technology issues. And he lived down to his usual reputation in this hearing as well. It starts off by him trying to play down the issue of Russian interference in elections, by claiming (?!?) that the Russians helped Truman get elected, and then claiming that Russians had helped basically every Democratic President get elected in the past 70 years. And then spent a long time trying to complain that the platforms wouldn't tell him if Chinese or North Korean intelligence services had also used their platforms. Remember, these companies were asked to come and testify specifically about Russian use of their platforms to interfere with the election and Gohmert stepped in with this insane "what about other countries, huh?" argument:
Gohmert: I need to ask each of you. You've been asked specifically about Russian use of your platforms. But did you ever find any indication of use of your platform, utilized by the Chinese, North Korea, or any other foreign country intelligence or agency of that country. First, Ms. Bickert?
Bickert/Facebook: I would note, Congressman, that we're not in North Korea or China. In terms of whether we've seen attacks on our services, we do have -- we are, of course, a big target -- we do have a robust security team that works...
Gohmert: Well, but that's not my question. It's just a very direct question. Have you found... You don't have to be in North Korea to be North Korean Intelligence and use... We have foreign government intelligence agencies IN THIS COUNTRY. So have... It seems to me you were each a little bit vague about "oh yes, we found hundreds" or whatever. I'm asking specifically, were any of those other countries besides Russia that were using your platform inappropriately? It should be a yes or no.
Actually, no, it shouldn't be a yes or no. That's a dumb and misleading question for a whole long list of reasons. Of course, lots of other intelligence agencies are using Facebook, because of course they are. But, the entire point of this line of questioning seems to be Gohmert trying to play down Russian use of the platform, which is... odd. Especially after he started out by praising the fact that maybe the Russians might help "our side" get elected going forward.
Bickert: I don't have the details. I know we work to detect and repel attacks...
Gohmert: I know that. But were any of them foreign entities other than Russia?
Bickert: I can certainly follow up with you on that.
Gohmert: SO YOU DON'T KNOW?!? You sure seemed anxious to answer the Democrats questions about RUSSIA's influence. And you don't really know of all the groups that inappropriately used your platform? You don't know which were Russians and which were other foreign entities?
No, that's not what she's saying at all. She's pretty clearly saying that this hearing was specifically about Russian influence and that's what she was prepared to testify on. She didn't say that Facebook can't tell Russians from other entities, just that the other entities aren't the ones accused of messing with the election and thus there isn't that much relevant right now. But that's quite a deflection attempt by Gohmert.
Let's move on to Rep. Tom Marino at about an hour and a half into the video. Marino seems to have a fairly bizarre understanding of the law as it concerns defamation. He focuses on the guy from Twitter, Nick Pickles, and starts out by reading a definition of "libel." Then he asks
Have any of you considered libel? Or do you think you are immune from it?
This is an incredibly stupid question. Twitter is clearly not immune from libel. Marino's line of questioning is an attempt to attack CDA 230, which provides immunity to Twitter from liability for defamatory statements made by its users. This is an important distinction that Marino conveniently ignores as he continues to bug Pickles.
Pickles: We have clear rules that governs what happens on Twitter. Some of those behaviors are deplorable and we want to remove them immediately... So, terrorist content is one example, where we now detect 95% of the terrorist accounts we remove...
Marino: Okay, I understand that sir. But how about... we in Congress, we put up with it all the time. I know we're public officials, same with people in the movies... but do you specifically look for and address... republication can be used in a defamation case. Do you look at libel and defamation content?
I don't even know what that means. Do you look at libel content? What? How does Twitter know if something is libelous? Especially against public officials? How is Twitter supposed to make that judgment when that's what courts are there to figure out? And, for what it's worth, Twitter has been known to abide by court rulings on defamatory speech in deciding to take down that content, but Marino seems to be asking if they make an independent judgment outside of the courts of what's libelous. Which is both crazy and impossible. Pickles makes a valiant effort in response, noting how Twitter focuses on its rules -- which is all that it's required to do -- but Marino clearly seems to want to attack CDA 230 and magically make Twitter liable for libelous content on its platform. After Pickles again explains that it focuses on its rules, rather than making judicial rulings that it cannot make, Marino puts on a dumb smirk and makes another dumb statement:
With all due respect, I've heard you focus on your rules about 32 times. DO. YOU. LOOK. FOR. LIBEL. OR. DEFAMATION. IN. YOUR. COMPANY'S. OPINION?
You can't "look for libel or defamation" like that. That's not how it works. Marino is a lawyer. He should know this. The Facebook and YouTube representatives neatly sidestep Marino's silly line of questioning by pointing out that when informed of legal rulings determining "illegal" speech, they take it down. Marino doesn't even seem to notice this very specific distinction and asks "where do you draw the line?"
At an hour and forty minutes, we have everyone's favorite, Rep. Lamar Smith, author of SOPA back in the day. He spews more utter nonsense claiming conservatives have been more negatively impacted by the moves of these social media companies, and then (bizarrely) argues that Google employees forcing the company not to help surveillance activity is somehow an attack on conservatives. Excuse me? Conservatives don't support the 4th Amendment any more? Say what? But the real craziness is this line:
Google has also deleted or blocked references to Jesus, Chick-Fil-A and the Catholic religion.
I'm going to call time out here and note [citation needed] on that one, Smith. Google pretty clearly shows me results on all three of those things. I've been trying to figure out what the hell he's referring to, and I'm guessing that Smith -- in his usual Smithian nonsensical way -- is confusing Google for Facebook, and Facebook's bad filter that initially blocked a page about "Chick-fil-Appreciation Day," and some Catholic church pages. The "Jesus" blocking is also Facebook and was in reference to an ad for a Catholic university.
All of these examples were not, as Smith implies, evidence of "liberal bias" on behalf of Facebook, but rather evidence of why it's so problematic that governments are putting so much pressure on Facebook to magically filter out all of the bad stuff. That's not possible without making mistakes. And what happens is that you set up guidelines and those guidelines are then handed to people who don't have nearly enough time to understand the context, and sometimes they make mistakes. It's not bias. It's the nature of trying to moderate millions of pieces of content every damn day, because if they don't, these same idiots in Congress would be screaming at them about how they're letting the bad content live on. I mean, it's doubly ridiculous for Smith to use the Jesus example as even the guy who bought the ad, the university's web communications director, specifically said that he didn't believe it had anything to do with bias, but was just a bad decision by an algorithm or a low level staffer.
Finally (and there are more, but damn, this post is getting way too long) we get to Rep. Matt Gaetz. At around an hour and 55 minutes into the hearing, he suddenly decides to weigh in that the First Amendment and CDA 230 are somehow in conflict, in another bizarre exchange between Gaetz and Twitter's Pickles.
Gaetz: Is it your testimony or is it your viewpoint today that Twitter is an interactive computer service pursuant to Section 230 sub c(1).
Pickles: I'm not a lawyer, so I won't want to speak to that. But as I understand, under Section 230, we are protected by that, yes.
Gaetz: So Section 230 covers you, and that section says "no provider of an interactive computer service shall be treated as the publisher or speaker of any information provided by another"... is it your contention that Twitter enjoys a First Amendment right under speech, while at the same time enjoying Section 230 rights?
Pickles: Well, I think we've discussed the way the First Amendment interacts with our companies. As private companies we enforce our rules, and our rules prohibit a range of activities.
Gaetz: I'm not asking about your rules. I'm asking about whether or not you believe you have First Amendment rights. You either do or you do not.
Pickles: I'd like to follow up on that, as someone who is not a lawyer... I think it's very important...
Gaetz: Well, you're the senior public policy official for Twitter before us and you will not answer the question whether or not you believe your company enjoys rights under the First Amendment?
Pickles: Well, I believe we do, but I would like to confirm with colleagues...
Gaetz: So what I want to understand is, if you say "I enjoy rights under the First Amendment" and "I'm covered by Section 230" and Section 230 itself says "no provider shall be considered the speaker" do you see the tension that creates?
There is no tension there. The only tension is between the molecules in Gaetz's brain that seemed to think this line of nonsensical argument makes any sense at all. There is no conflict. First, yes, it's obvious that Twitter is clearly protected by both the First Amendment and CDA 230. That's been established by dozens of court rulings with not a single ruling ever holding otherwise. Second, the "tension" that Gaetz sees is purely a figment of his own misreading of the law. The "no provider shall be considered a speaker" part, read in actual context (as Gaetz did earlier) does not say that platforms are not speakers. It says that they are not considered a speaker of other people's speech. In fact, this helps protect free speech by enabling internet platforms the ability to host any speech without facing liability for that speech.
That helps protect the First Amendment by ensuring that any liability is on the speaker and not on the tool they use to distribute that speech. But Twitter has its own First Amendment rights to determine what speech it decides to keep on its site -- and which speech it decides not to allow. Gaetz then, ridiculous, tries to claim that Pickle's response to that nonsensical response is somehow in conflict with what Twitter's lawyers have said in the silly Jared Taylor lawsuit. Gaetz asks Pickles if Twitter could kick someone off the platform "for being a woman or being gay." Pickles points out that that is not against Twitter's rules... and Gaetz points out that in the Taylor case, when asked the same question, Twitter's lawyers stated (1) that Twitter has the right to do so but (2) never would.
Again, both Pickles and Twitter's lawyers are correct. They do have that right (assuming it's not a violation of discrimination laws) but of course they wouldn't do that. Pickles wasn't denying that. He was pointing out that the hypothetical is silly because that's not something Twitter would do. Twitter's lawyers in the case were, correctly, pointing out that it would have the right to do such a nonsensical thing if it chose to do so, while also making it clear it would never do that. Again, that's not in conflict, but Gaetz acts as if he's "caught" Twitter in some big admission.
Gaetz falsely then claims that Pickles is misrepresenting Twitter's position:
Right but it is not in service of transparency if Twitter sends executives to Congress to say one thing -- that you would not have the right to engage in that conduct -- and then your lawyers in litigation say precisely the opposite.
Except that's not what happened at all. Pickles and the lawyers agreed. At no point did Pickles say that Twitter did not have "the right" to kick people off its platform for any reason. He just noted that it was not a part of their policy to do so, nor would it ever be. That's entirely consistent with what Twitter's lawyers said in the Taylor case. This is Gaetz making a complete ass out of himself in completely misrepresenting the law, the constitution and what Twitter said both in the hearing and in the courthouse.
Seriously, people, we need to elect better Representatives to Congress. This is embarrassing.
The FBI continues its push for a solution to its "going dark" problem. Joined by the DOJ, agency head Christopher Wray has suggested the only way forward is a legislative or judicial fix, gesturing vaguely to the thousands of locked phones the FBI has gathered. It's a disingenuous push, considering the tools available to the agency to crack locked devices and obtain the apparently juicy evidence hidden inside.
The FBI hasn't been honest in its efforts or its portrayal of the problem. Questions put to the FBI about its internal efforts to crack locked devices are still unanswered. The only "new" development isn't all that new: Ray Ozzie's "key escrow" proposal may tweak a few details but it's not that far removed in intent from the Clipper Chip that kicked off the first Crypto War. It's nothing more than another way to make device security worse, with the only beneficiary being the government.
The FBI's disingenuousness has not gone unnoticed. Efforts have been made over the last half-decade to push legislators towards mandating government access, but no one has been willing to give the FBI what it wants if it means making encryption less useful. A new bill [PDF], introduced by Zoe Lofgren, Thomas Massie, Ted Poe, Jerry Nadler, Ted Lieu, and Matt Gaetz would codify this resistance to government-mandated backdoors.
The two-page bill has sweeping safeguards that uphold security both for developers and users. As the bill says, “no agency may mandate or request that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.”
This bill would protect companies that make encrypted mobile phones, tablets, desktop and laptop computers, as well as developers of popular software for sending end-to-end encrypted messages, including Signal and WhatsApp, from being forced to alter their products in a way that would weaken the encryption. The bill also forbids the government from seeking a court order that would mandate such alterations. The lone exception is for wiretapping standards required under the 1994 Communications for Law Enforcement Act (CALEA), which itself specifically permits providers to offer end-to-end encryption of their services.
The Secure Data Act shouldn't be needed but the FBI and DOJ have forced the hand of legislators. Rather than take multiple hints dropped by the previous administration, the agencies have only increased the volume of their anti-encryption rhetoric in recent months. Maybe the agencies felt they'd have the ear of the current administration and Congressional majority, but investigations involving the president and his staff have pretty much killed any "law and order" leanings the party normally retains. This bill may see widespread bipartisan support simply because it appears to be sticking it to the Deep State. Whatever. We'll take it. Hopefully, this makes a short and direct trip to the Oval Office for a signature.
Leaked NSA exploits have now been the basis for two massive cyberattacks. The first -- Wannacry -- caught hospitals and other critical infrastructure across several nations in the crossfire, using a tool built on the NSA's ETERNALBLUE exploit backbone. The second seems to be targeting Ukraine, causing the same sort of havoc but with a couple of particularly nasty twists.
This one, called Petya, demanded ransom from victims. Things went from bad to worse when email provider Posteo shut down the attacker's account. Doing so prevented affected users from receiving decryption keys, even if they paid the ransom.
It soon became apparent it didn't matter what Posteo did, no matter how clueless or ill-advised. There was no retrieving files even if ransoms were paid. Two separate sets of security researchers examined the so-called ransomware and discovered Petya is actually a wiper. Once infected, victims' files are as good as gone. No amount of bitcoin is going to reverse the inevitable. The ransomware notices were only there to draw attention to the infection and away from the malware's true purpose.
Both cases are considered to be attacks by nation states. Inconsistently-applied patches -- most of them released with zero information by Microsoft -- have led to an insane amount of damage.
Through it all, the NSA -- whose tools were leaked -- has remained consistently silent. There's been no indication if the agency is working to mitigate the ongoing threat or whether it's far more concerned with discovering who left behind the malware toolkit first exposed by the ShadowBrokers.
It's unlikely we'll hear much being said publicly by the agency, but Rep. Ted Lieu has sent a letter to NSA chief Mike Rogers demanding answers. The letter [PDF] points out both attacks have been based on NSA exploits (ETERNALBLUE and ETERNALROMANCE). Lieu also states he fears the attacks seen in the past few weeks are only the "tip of the iceberg." The agency's refusal to discuss the attacks apparently isn't going to fly anymore.
Lieu makes two requests: the first is for the agency to see if it has some sort of magic "OFF" switch just laying around.
My first and urgent request is that if the NSA knows how to stop this global malware attack, or has information that can help step the attack, NSA should immediately disclose it. If the NSA has a kill switch for this new malware attack, the NSA should deploy it now.
It's far more likely the NSA has information it would rather not share than it is the agency has a way to shut down this attack, much less prevent future variations on its ETERNAL theme. But that's directly related to the second part of Lieu's request: work with companies whose software is being exploited to prevent further attacks. If the NSA still has security holes it's hoping won't be patched anytime soon, the current situation would seem to call for a rethink of its exploit-hoarding M.O.
What may be in order is the NSA stepping up and playing defense. It has stated a desire to be a larger cog in the US cyberwar machinery, but often seems more interested in playing offense than pitching in to help on the defensive end. That may need to change quickly if the NSA isn't going to be seen as more of a problem than a solution.
The FBI announced (without going into verifiable detail) that it had implemented new minimization procedures for handling information tipped to it by the NSA's Prism dragnet. Oddly, this announcement arrived nearly simultaneously with the administration's announcement that it was expanding the FBI's intake of unminimized domestic communications collected by the NSA.
So, which was it? Was the FBI applying more minimization or was it gaining more raw access? The parties involved have so far refused to offer any further details on either of the contradictory plans, save for vague assurances about the lawfulness of both options.
We respectfully request you confirm whether the NSA intends to routinely provide intelligence information-collected without a warrant-to domestic law enforcement agencies. If the NSA intends to go down this uncharted path, we request that you stop. The proposed shift in the relationship between our intelligence agencies and the American people should not be done in secret. The American people deserve a public debate. The United States has a long standing principle of keeping our intelligence and military spy apparatus focused on foreign adversaries and not the American people.
The letter points out that while Congress has granted the NSA "extraordinary authority" to conduct warrantless surveillance and harvest massive amounts of data, it has not done so for domestic intelligence and law enforcement agencies. But that deliberate limitation of powers has been undone by the administration's expansion. It may be indirect -- requiring the assistance of the NSA -- but it accomplishes the same purpose: giving warrantless surveillance and bulk collection powers to domestic agencies by proxy.
The letter -- sent to the heads of a variety of Congressional committees -- pulls no punches in its comparative depiction of this overreach.
We believe allowing the NSA to be used as an arm of domestic law enforcement is unconstitutional. Our country has always drawn a line between our military and intelligence services, and domestic policing and spying. We do not -- and should not -- use U.S. Army Apache helicopters to quell domestic riots; Navy Seal Teams to take down counterfeiting rings; or the NSA to conduct surveillance on domestic street gangs.
What's most amazing about the administration's move is that it followed -- directly -- two and a half years of NSA document leaks, their accompanying protests, lawsuits and backlash, the passage of the USA Freedom Act and an intense debate over the lawfulness of the PATRIOT Act. Add to that the fact that it was dropped right in the middle of a heated legal battle that has shown the FBI to be both grasping for power and incapable of telling the truth -- and it clearly shows the administration is so insulated from the collateral damage of a decade-plus of constantly expanding surveillance powers as to be completely unable to detect shifts in tone.
Everyone's talking about the big legal fight that magistrate judge Sheri Pym has kicked off by ordering Apple to build a backdoor into an iPhone to get around security tools that would block attempts to decrypt the contents of the phone. As some are noting, if the ruling is not overturned it could force Congress to change the law. Over the last year or so, it had become clear that Congress did not support laws that mandate backdoors. Yes, some in Congress -- including Senators Richard Burr, Dianne Feinstein and John McCain -- have been pushing for such legislation, but most have admitted that there aren't nearly enough votes in support of that, and there are many in Congress who recognize the ridiculousness of such a law. A year ago, a congressional hearing made it clear that there was a ton of skepticism in Congress about ordering backdoors.
And now we see Congress speaking out about the court order as well. Rep. Ted Lieu -- who, people always point out, has a computer science degree, and who a year ago noted that backoors were "technologically stupid" -- has told the DailyDot that this order creates a very dangerous slippery slope:
"Can courts compel Facebook to provide analytics of who might be a criminal?" Lieu said in an email to the Daily Dot. "Or Google to give a list of names of people who searched for the term ISIS? At what point does this stop?"
Apple, as do other technology companies, complies with lawful orders and warrants. But they are unable to deliver to the government what they do not have – in this case, a key to break into their operating system in the manner the FBI desires. It is astonishing that a court would consider it lawful to order a private American company be commandeered for the creation of a new operating system in response.
The issue of mandating back doors in encryption has been a topic of vigorous discussion in the Congress. The emerging consensus has been that creating back doors for the use of law enforcement, important as law enforcement is, would endanger Americans by generally weakening security. These weaknesses will inevitably be exploited by criminal hackers or foreign opponents. That a single magistrate should substitute her judgment for that of the duly elected President and Congress – that was already thoroughly engaged in the subject – is wrong as a matter of policy and of law.
Finally, should this order not be overturned, technology companies will have no choice but to further deploy robust encryption that would prevent their engineers from creating any system that would effectively open up previously deployed security measures.
I urge the judicial branch to swiftly overturn this misguided ruling and further urge the Director of the FBI to refrain from seeking public policy decisions from the courts that are more properly decided by the Legislative branch of government.”
I don't take a backseat to anyone when it comes to hunting down terrorists and protecting Americans from harm. However, this unprecedented reading of a nearly 230-year-old law would create a dangerous precedent that would put at risk the foundations of strong security for our people and privacy in the digital age. If upheld, this decision could force U.S. technology companies to actually build hacking tools for government against their will, while weakening cybersecurity for millions of Americans in the process.
Furthermore, this move by the FBI could snowball around the world. Why in the world would our government want to give repressive regimes in Russia and China a blueprint for forcing American companies to create a backdoor? Companies should comply with warrants to the extent they are able to do so, but no company should be forced to deliberately weaken its products. In the long run, the real loses will be Americans' online safety and security.
Of course, not all our lawmakers are so enlightened. Senator Feinstein, despite technically representing Apple, has shown for a long time now that she has no interest at all in representing the true interests of anyone in California if it goes against the desire of the surveillance state. She basically told Apple to shut up and do what the court says. After pretending it's about protecting Californians (because San Bernardino is in California) she warns that if Apple doesn't obey it will force her and Senator Burr to push for the legislation they've already been pushing for:
I would hope that bill would not be necessary. I would hope Apple understand the seriousness of this request. I have no doubt that to deny the request would likely bring on law to change law, so that this can be done. We're in jeopardy if you cannot -- through proper evidence submitted by a probable cause warrant -- be able to open these systems.
The PBS interviewer who asked Feinstein about this also asked (twice!) about Apple's statement that creating backdoors will create opportunities for those with malicious intent to break into the phones as well, and Feinstein displays her technological ignorance by stating:
Oh I don't believe that's necessarily true.
She's wrong about that. She's literally advocating for everyone to be made less safe just so we can get a little more information on some people who we already know committed a crime. That's crazy.
And, of course, Senator Burr made a similar statement -- first by lying and pretending that the order is not about creating a backdoor:
There are no decryption demands in this case, and Apple is in no way required to provide a so-called backdoor. The FBI needs access to the phone so the agency can better piece together information about the terrorists and whom they contacted.
This is technologically ignorant as well. This is exactly what a backdoor is. Apple is being told to create a bit of software that disables security measures in order to decrypt encrypted material. That's the very definition of a backdoor. Burr goes on, pretending that weakening the safety and security of basically everyone is somehow making them more secure:
The iPhone precedent in San Bernardino is important for our courts and our ability to protect innocent Americans and enforce the rule of law. While the national security implications of this situation are significant, the outcome of this dispute will also have a drastic effect on criminal cases across the country. The newest Apple operating systems allow device access only to users — even Apple itself can’t get in. Murderers, pedophiles, drug dealers and the others are already using this technology to cover their tracks.
Yup, always bring up the holy trinity of "murderers, pedophiles and drug dealers." I'm amazed he didn't say terrorists as well. Of course, as people keep pointing out, there have always been ways for people with ill-intent to hide their communications. There's nothing in the law that says we have to be able to track every communication ever made by everyone. That's a dystopian vision -- but one that apparently Senator Burr likes.
Even worse, Burr insists that because the law "protects" Apple in other cases, it should roll over for this. And also, ridiculously, he argues that this is more about Apple's business model than protecting the safety of Americans.
Apple’s position in the San Bernardino case affirms that it has wrongly chosen to prioritize its business model above compliance with a lawfully issued court order. While the company may have routinely complied with such court orders in the past, it now claims that it cannot comply as a result of security features it has built into its newest products. Apple exists as a corporate entity with the protections provided by U.S. laws, but it cannot be allowed to pick and choose when to abide by those laws as it sees fit. We are a country of laws, and this charade has gone on long enough. Apple needs to comply with the court’s order.
Hilariously, this is the very same Senator Burr who, just months ago, was going on and on in Congress about the importance of cybersecurity, and fearmongering about "cyberattacks." What he doesn't seem to recognize is that the only real way to protect against those attacks is encryption. The very encryption he now seeks to undermine.
"Apple chose to protect a dead ISIS terrorist's privacy over the security of the American people. The Executive and Legislative Branches have been working with the private sector with the hope of resolving the 'Going Dark' problem. Regrettably, the position Tim Cook and Apple have taken shows that they are unwilling to compromise and that legislation is likely the only way to resolve this issue. The problem of end-to-end encryption isn't just a terrorism issue. It is also a drug-trafficking, kidnapping, and child pornography issue that impacts every state of the Union. It's unfortunate that the great company Apple is becoming the company of choice for terrorists, drug dealers, and sexual predators of all sorts."
I mean, come on. Apple is not "protecting a dead ISIS terrorists' privacy," it's talking about the very real issue of whether or not courts have the power to order companies to hack their customers on behalf of the government. That's a big deal that you would think would matter to politicians.
These statements are not unsurprising, but they continue to show a level of profound ignorance about basic technology issues. The fact that Feinstein and Burr, at least, are working on legislation around an issue they so clearly have no clue about is downright scary. One hopes that the others who actually understand the technical and legal issues -- such as those at the top of this article -- will prevail in Congress.
Legislators in two states have proposed (largely unworkable) bans on the sale of encrypted phones, citing (of course) concerns about all the criminals who might get away with something if law enforcement can't have near immediate access to the entire contents of their phones.
Congressmen Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas) have introduced what they call the Ensuring National Constitutional Rights of Your Private Telecommunications (ENCRYPT) Act of 2016. It’s an attempt, Lieu and Farenthold wrote in a letter to their colleagues, to address “[c]oncerns over the privacy, security and technological feasibility of a ‘backdoor’ into encrypted devices for the government and law enforcement” by making encryption a federal issue and keeping individual states from trying to ban it.
Update: We've been informed that it's not just Lieu and Farenthold, but also Reps. Suzan Delbene and Mike Bishop.
Not only would such bans/backdoors make device usage less safe for users, but the lack of unified stance on phone encryption would turn phone sales in the US into a logistical nightmare, to the detriment of all involved.
“We are deeply concerned,” Lieu told the Daily Dot in a phone interview, “that a patchwork system with different encryption requirements in every state would not only undermine national security—it would also threaten the competitiveness of American companies and dampen innovation.”
Whether this will go anywhere remains to be seen. It would appear few legislators are willing -- at least as this point -- to tell the FBI to stop asking for backdoors or bans. Alarmingly, despite the ongoing discussion bringing more evidence to the surface that such actions are not only bad ideas, but pretty much impossible to implement without doing away with encryption entirely, it seems like more legislators are moving towards the FBI's line of thinking.
Unfortunately, that is often the nature of the political business, where fear nearly always trumps rational thinking. For too many, it's perfectly acceptable that thousands of phone users be left open to attacks than one criminal suspect go free.
Usually, when we see clueless government lackeys discussing the need to backdoor encryption, they at least admit upfront that they think encryption is important in protecting private information. Even that nutty rambling speech by Homeland Security Appropriations chair Rep. John Carter recognized that there were important reasons to use encryption to protect privacy. And FBI boss James Comey usually does some hand waving to that effect as well. But apparently he forgot to tell one of his deputies.
While testifying before Congress, Michael Steinbach, assistant director in the FBI's Counterterrorism Division, just went to the levels of pure insanity, in arguing that above all else companies should work to prevent encryption. This was during a ridiculous grandstanding hearing held by the House Homeland Security Committee entitled "Terrorism Gone Viral", and Steinbach didn't waste the opportunity to make a ridiculously viral comment of his own:
So that’s the challenge: working with those companies to build technological solutions to prevent encryption above all else.
Above all else? Is he crazy? At least his written testimony isn't quite as crazy, but still has a bunch of fear-mongering about "going dark."
Unfortunately, changing forms of internet communication are quickly outpacing laws
and technology designed to allow for the lawful intercept of communication content. This real
and growing gap the FBI refers to as “Going Dark” is the source of continuing focus for the FBI,
it must be urgently addressed as the risks associated with “Going Dark” are grave both in
traditional criminal matters as well as in national security matters.
"There are 200-plus social media companies. Some of these companies build their business model around end-to-end encryption," said Michael Steinbach, head of the FBI's counterterrorism division. "There is no ability currently for us to see that" communication, he said.
"We're past going dark in certain instances. We are dark," he added.
While the head of the committee, Rep. Michael McCaul played along with this insanity, arguing about how these so called "dark spaces" are a "tremendous threat to the homeland" at least Rep. Ted Lieu -- the same Rep. who recently called out the push to backdoor encryption as "technologically stupid" -- has some more thoughts on the FUD and grandstanding by McCaul and Steinbach. As he told the Intercept:
“When they talk about dark places, ooooh it sounds really scary,” Lieu said. “But you have a dark place in your home you can talk, you can meet in a park –- there are a zillion dark places the FBI will never get to and they shouldn’t because we don’t want to be monitored in our home.” .....
“The notion that encryption is somehow different than other forms of destroying and hiding things is simply not true,” Lieu told The Intercept. “Forty years ago, you could make the statement that paper shredders are one of the most damaging things to national security because they destroy documents that law enforcement might want to see.”
More Lieu, less McCaul and Steinbach, please.
The thing is, as we've noted before, what's equally as disturbing as the ignorant statements from folks like Steinbach is that now, security researchers and tech companies are going to have to waste tons of time and resources explaining why all of this is not just "technically stupid" but actively makes all of us less safe. And they need to do that, rather than building stronger encryption, which is what we really need.