Archive for the ‘Technology’ Category
Steve Lohr reports in the NY Times:
Big technology companies have usually played a defensive game with government prosecutors in their legal fight over customer information, fighting or bowing to requests for information one case at a time.
But now Microsoft, in a move that could broaden the debate over the balance between customer privacy and law enforcement needs, is going on the offense.
The software giant is suing the Justice Department, challenging its frequent use of secrecy orders that prevent Microsoft from telling people when the government obtains a warrant to read their emails.
In its suit, filed Thursday morning in Federal District Court in Seattle, Microsoft’s home turf, the company asserts that the gag order statute in the Electronic Communications Privacy Act of 1986 — as employed today by federal prosecutors and the courts — is unconstitutional.
The statute, according to Microsoft, violates the Fourth Amendment right of its customers to know if the government searches or seizes their property, and it breaches the company’s First Amendment right to speak to its customers.
Microsoft’s suit, unlike Apple’s fight with the Federal Bureau of Investigation over access to a locked iPhone, is not attached to a single case. Instead, it is intended to challenge the legal process regarding secrecy orders.
It also draws attention to legal issues that have become more acute as tech companies move their customers’ personal and business information into so-called cloud-computing systems. The largest such digital storehouses of personal email and documents are operated by big tech companies like Microsoft, Google and Apple.
Seizing information from file drawers or personal computers used to require entering a building to examine paper or a hard drive. Typically, the target of an investigation knew about it.
Not so in the cloud computing era, when investigators can bypass an individual and go straight to the company that hosts that information. And when courts issue secrecy orders, often with no time limit, a target may never know that information was taken.
Microsoft, in its suit, contends that the government has “exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”
In an interview, Bradford L. Smith, Microsoft’s president and chief legal officer, said, “People should not lose their rights just because they are storing their information in the cloud.”
Microsoft, like Google and Apple, fields thousands of requests a year from federal and state prosecutors for customer information. The companies issue periodic reports with the totals.
But, Mr. Smith said, it was the rising portion of gag orders attached to the information warrants that led to the suit. From September 2014 to March 2016, Microsoft received 5,624 federal demands in the United States for customer information or data. Nearly half of them — 2,576 — were accompanied by secrecy orders.
Mr. Smith called the growing share of secrecy orders “fairly shocking,” suggesting they had become a routine process rather than an exception.
The suit positions Microsoft as a champion of its customers’ privacy and draws attention to a legal process many may not be aware of. . .
Since the Obama administration has embraced secrecy in a big way, I’m sure it will fight this lawsuit fiercely. The last thing the US government wants these days is for its citizens to know what it’s doing in its surveillance of them.
Jenna McLaughlin reports in The Intercept:
PRIVACY ADVOCATES SAY government officials are talking out of two sides of their mouths when it comes to cybersecurity. The latest case in point: Assistant Attorney General John Carlin calling for super-secure, hack-proof cars at an automotive conference on Tuesday, even as FBI Director James Comey continues to pressure phone manufacturers and technology companies to roll back their security to allow for law enforcement access.
“There are things you can do to mitigate the risk, protect yourselves and your companies, and ultimately, the cybersecurity of the United States,” Carlin said at the SAE 2016 World Congress conference in Detroit. “First, design with security in mind.”
But driving a car in 2016 is not totally different from using a cellphone – and protecting either of them against hacking raises the same issues. These days, dozens of networked electronic control units manage things like braking and accelerating by communicating with each other, and more and more cars are connected to the internet, or accessible via Blu-ray. Securing the conversation between your brake pedal and your brakes is a lot like securing your banking app or your intimate phone conversation.
While Carlin is telling car companies that bulking up their cyber defenses is key to their long-term success, Comey has publicly suggested that phone manufacturers and communications providers like Apple, Google, and WhatsApp, who provide their customers with unbreakable encryption to secure their communications, rethink their business models.
“It’s ironic to see the head of the FBI pressing companies to deploy less encryption at the same time the Justice Department’s top national security lawyer is highlighting just how important and hard it is to secure our devices and networks in an increasingly connected and hostile digital environment,” Kevin Bankston, director of the Open Technology Institute, wrote in an email to The Intercept.
“You can’t listen to Comey and [NSA Director Michael] Rogers get up and say cyber is the number one threat while at the same time asking companies to weaken security without seeing some hypocrisy,” Amie Stepanovich, U.S. policy director for digital rights group Access Now, told The Intercept.
Comey wants companies to design their products securely, she explained — but not so securely that law enforcement can’t get in. And that’s not compatible with the needs of every company.
Plus, encryption poses no existential threat to law enforcement for several reasons, a panel of experts at Harvard’s Berkman Center for Internet and Society concluded in a February report.
Meanwhile, hackers have already shown they can take control of a moving car in the middle of the highway, as demonstrated in a widely-read story in Wired by Andy Greenberg last year. [Not to mention the death of Michael Hastings (after making powerful enemies in the deep state) in a somewhat mysterious car crash—the car seemed to go out of control, accelerating wildly until the crash. – LG] . . .
If law enforcement wants access to your phone and to your communications (via Stingray), they are going also to want to be able to take control of your car (“for safety reasons”).
A very interesting article in Motherboard by Lorenzo Franceschi-Bicchierai that will be of interest to anyone following the government’s strenuous efforts to ensure that no citizen is immune from government spying and the government’s equally strenuous efforts to keep secret what they are doing.
From last June, a jaw-dropping Washington Post article by Tom Jackman about the low professional standards some medical people exhibit.
Sitting in his surgical gown inside a large medical suite in Reston, Va., a Vienna man prepared for his colonoscopy by pressing record on his smartphone, to capture the instructions his doctor would give him after the procedure.
But as soon as he pressed play on his way home, he was shocked out of his anesthesia-induced stupor: He found that he had recorded the entire examination and that the surgical team had mocked and insulted him as soon as he drifted off to sleep.
In addition to their vicious commentary, the doctors discussed avoiding the man after the colonoscopy, instructing an assistant to lie to him, and then placed a false diagnosis on his chart.
“After five minutes of talking to you in pre-op,” the anesthesiologist told the sedated patient, “I wanted to punch you in the face and man you up a little bit,” she was recorded saying.
When a medical assistant noted the man had a rash, the anesthesiologist warned her not to touch it, saying she might get “some syphilis on your arm or something,” then added, “It’s probably tuberculosis in the penis, so you’ll be all right.”
When the assistant noted that the man reported getting queasy when watching a needle placed in his arm, the anesthesiologist remarked on the recording, “Well, why are you looking then, retard?”
There was much more. So the man sued the two doctors and their practices for defamation and medical malpractice and, last week, after a three-day trial, a Fairfax County jury ordered the anesthesiologist and her practice to pay him $500,000. . .
Sharon Lerner reports in The Intercept:
For decades 3M was the primary producer of C8, or PFOA, and was the sole producer of a related chemical known as PFOS. But while DuPont was caught up in a massive class action suit over C8, 3M has largely avoided public scrutiny and serious legal or financial consequences for its role in developing and selling these industrial pollutants.
In February, however, a state court in Minnesota, where the company is headquartered, allowed a class-action suit against 3M to move forward. And late last year lawyers filed another class action suit in Decatur, Alabama, home to one of 3M’s biggest plants. Both lawsuits charge that 3M knew about the health hazards posed by the perfluorinated chemicals it was manufacturing and using to make carpet coating, Scotchgard, firefighting foam, and other products — and that the company knew the chemicals were spreading beyond its sites. With PFCs cropping up in drinking water around the country and all over the world, the two lawsuits raise the possibility that 3M may finally be held accountable in a court of law.
State Attorney General Lori Swanson first filed the class action lawsuit against 3M on behalf of the people of Minnesota in 2010, claiming that the company polluted more than 100 square miles of groundwater near its plant in Cottage Grove, Minnesota, as well as four aquifers serving as drinking water for some 125,000 people in the Twin Cities. The suit charges that the company piped PFC-polluted wastewater into a stream that flows into the Mississippi River and disposed of it on land near the river, which allowed it to leach into the river.
Based on the company’s own research, the complaint argues, 3M “knew or should have known” that PFCs harm human health and the environment and that the chemicals would leach from their disposal sites into and “result in injury, destruction, and loss of natural resources of the State.”
William A. Brewer III, a partner in the firm representing 3M in PFC-related litigation, said that 3M “absolutely and vigorously” denies all charges in that suit — and any others that “describe what 3M did as polluting.” While the complaint says that 3M’s emissions of the chemicals into water was “not authorized or permitted by the state,” Brewer disagreed, arguing that “100 percent of 3M’s conduct has been permitted by the state,” which he told me undermines the idea that 3M is responsible for any leakage that might have resulted. “When you take your waste or some of it and you deliver it some place that the state tells you you can bring it and then they turn around and tell you it wasn’t properly managed, we just deny that we have responsibility for other people’s conduct.”
After the initial discovery of PFCs in drinking water near the Cottage Grove plant, 3M installed filtration systems on the water supply for the nearby community of Oakdale, provided bottled water for residents with private wells, and remediated three of its former dump sites. However, the most recent water tests, released by the EPA in January, still showed 25 detections of PFCs in wells that provide drinking water to Woodbury, Oakdale, and Hastings — which all are near 3M headquarters — as well as in the Cottage Grove water utility, which serves more than 33,000 people.
In two wells in Oakdale, Minnesota, PFOS contamination detected by EPA tests released in January exceeded the provisional health levels set by the agency. And several Oakdale wells had PFOA levels higher than those that qualified residents to participate in a class action suit against DuPont in West Virginia and Ohio.
Since 2012, lawyers on both sides of the case have been caught up with a technical question. 3M had tried to have Covington & Burling LLC, the firm representing the state, disqualified on the grounds that it had a conflict of interest because it had at one point represented 3M on other PFC-related issues. In February, a judge ruled that the firm could represent the state and that the suit could move forward.
An Early Exit Strategy
In part, 3M escaped blame for PFC contamination because it opted to stop producing both PFOA and PFOS in 2002, while DuPont and other companies didn’t phase out PFOA until 2013 or later. At the time, the decision brought the company praise for its foresight and good judgment. “3M deserves great credit for identifying this problem and coming forward voluntarily,” said EPA Administrator Carol M. Browner.
Brewer, 3M’s attorney, continues to argue that the company’s early exit from the C8 business places it in a separate category from DuPont. “3M has acted appropriately and on the principled path,” he told me. “They immediately reported it, investigated it and frankly decided to exit the C8 chemistries in their entirety well more than a decade before anyone else who was a competitor.”
But Gary Davis, a partner in Davis & Whitlock, which filed the 2015 case against 3M in Decatur, said the company had evidence of the dangers of PFCs well before it stopped making them. “We’ve found out that they knew it was toxic. They have the knowledge even more deeply than DuPont about the toxicity of the chemicals,” said Davis. “We believe it is absolutely parallel.” . . .
Sean Vitka reports in Motherboard:
On Thursday, what appears to be a draft bill from Senators Richard Burr (R-North Carolina) and Dianne Feinstein (D-California) was uploaded by The Hill reporter Cory Bennett. The bill has not been confirmed as authentic, and even if it is authentic, may have changed since the version that was posted online. Regardless, it’s worth critiquing the draft that was published, which aspires to kill end-to-end encryption in America—a move that, to lift a phrase from former NSA director Michael Hayden, only North Korean hackers could love.
Allow me to explain.
The bill, the “Compliance with Court Orders Act of 2016,” requires that all companies providing any kind of communications or data service be able to give information to the government in an “intelligible format.” If the company made the data unintelligible, it must provide “technical assistance” to undo it. In case there is any question about the aim, the bill defines intelligible as “decrypted, deciphered, decoded, demodulated, or deobfuscated to its original form.”
Instead of learning from the Department of Justice’s ill-fated attempt to demonize services that rely on encryption to protect their customers and maintain user trust, these two Senators are doubling down. To make matters worse, Senators Burr and Feinstein chair the Senate Select Committee on Intelligence, which means they’re the very people tasked with overseeing overreach by intelligence agencies. The White House, increasingly anti-encryption since the Apple-FBI flop, is reportedly deeply split on the proposal.
If this bill were to pass, it would outlaw secure communications, which are heavily—and increasingly—dependent on end-to-end encryption. By definition, end-to-end encryption cannot be decrypted except by the credentials of the senders and receivers. This is how information that truly needs to be secure is protected, because it minimizes the ways highly sensitive information can be decrypted.
Simply put, this bill would flat-tire end-to-end encryption within America. Every service, person, human rights worker, protester, reporter, company—the list goes on—will be easier to spy on. It jams a crowbar into the gut of Americans’ privacy and security. It sets the precedent that the Department of Justice sought in the Apple-FBI case. And by crippling encryption, it risks turning those compromised products into new funnels of information for the never-ending haystack of information. After all, finding vulnerabilities like these are gold mines for hackers, and many of the world’s best work for American intelligence agencies. But, we’re told, it will make us more secure overall.
But, in fact, the impact on American security is one of the biggest threats of this bill. The notion of a backdoor, or what Senators Burr and Feinstein euphemistically call “technical assistance,” that can only be used by the government—whether law enforcement needs a warrant to do so or otherwise aside—has been unanimously rejected by every mathematician and cryptologist who studies it. That isn’t an exaggeration. You can’t have a backdoor that isn’t a security vulnerability. And Congress knows that. This same fight happened in the 90s, during the Crypto Wars. It was literally the exact. Same. Argument. Loathe as I am to say it, even Michael Hayden, who oversaw the agency’s rise to power and many, many disastrous decisions, agrees.
As far reaching as the effects of this bill would be on Americans’ privacy and safety, its jurisdictional narrowness is yet another catastrophic flaw. At the risk of stating the obvious, this is a proposed American law. It does not control Russian companies, or the North Korean government. It is the modern equivalent of Congress passing a law that bans the development of intercontinental ballistic missiles. “Have fun with that,” the rest of the world seems to say, while Senators Burr and Feinstein proclaim how much safer we are.
Even in draft form, this legislation is so short-sighted it calls into question the authors’ ability to lead the Senate Select Committee on Intelligence, which, again, Senators Burr and Feinstein chair. Their positions are singularly powerful in their ability to ensure that intelligence collection is done effectively and legally. This bill is powerful evidence that they are not up for the job.
As egregious as the Compliance with Court Orders Act of 2016 is, it highlights . . .
Dianne Feinstein is not running for re-election, thank God. She’s done enough damage. But this draft bill is highly disturbing in how it displays a complete and comprehensive ignorance of the field.
UPDATE: See also Joshua Kopfstein’s article, “Congress’s New Encryption Bill Just Leaked, And It’s As Bad As Experts Imagined“.
See also Jenna McLaughlin’s article in The Intercept: “Bill That Would Ban End-to-End Encryption Savaged by Critics“