The Democratization of Censorship
By Brian Krebs

John Gilmore, an American entrepreneur and civil libertarian, once famously quipped that “the Internet interprets censorship as damage and routes around it.” This notion undoubtedly rings true for those who see national governments as the principal threats to free speech.

However, events of the past week have convinced me that one of the fastest-growing censorship threats on the Internet today comes not from nation-states, but from super-empowered individuals who have been quietly building extremely powerful cyber weapons with transnational reach.


More than 20 years after Gilmore first coined that turn of phrase, his most notable quotable has effectively been inverted — “Censorship can in fact route around the Internet.” The Internet can’t route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development “The Democratization of Censorship.”

Allow me to explain how I arrived at this unsettling conclusion. As many of you know, my site was taken offline for the better part of this week. The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor.

Let me be clear: I do not fault Akamai for their decision. I was a pro bono customer from the start, and Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before. Once it became evident that the assault was beginning to cause problems for the company’s paying customers, they explained that the choice to let my site go was a business decision, pure and simple.

Nevertheless, Akamai rather abruptly informed me I had until 6 p.m. that very same day — roughly two hours later — to make arrangements for migrating off their network. My main concern at the time was making sure my hosting provider wasn’t going to bear the brunt of the attack when the shields fell. To ensure that absolutely would not happen, I asked Akamai to redirect my site to 127.0.0.1 — effectively relegating all traffic destined for KrebsOnSecurity.com into a giant black hole.

Today, I am happy to report that the site is back up — this time under Project Shield, a free program run by Google to help protect journalists from online censorship. And make no mistake, DDoS attacks — particularly those the size of the assault that hit my site this week — are uniquely effective weapons for stomping on free speech, for reasons I’ll explore in this post.

Google’s Project Shield is now protecting KrebsOnSecurity.com

Why do I speak of DDoS attacks as a form of censorship? Quite simply because the economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists.

In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.

Ask yourself how many independent journalists could possibly afford that kind of protection money? A number of other providers offered to help, but it was clear that they did not have the muscle to be able to withstand such massive attacks.

I’ve been toying with the idea of forming a 501(c)3 non-profit organization — ‘The Center for the Defense of Internet Journalism’, if you will — to assist Internet journalists with obtaining the kind of protection they may need when they become the targets of attacks like the one that hit my site. Maybe a Kickstarter campaign, along with donations from well-known charitable organizations, could get the ball rolling. It’s food for thought.

CALIBRATING THE CANNONS

Earlier this month, noted cryptologist and security blogger Bruce Schneier penned an unusually alarmist column titled, “Someone Is Learning How to Take Down the Internet.” Citing unnamed sources, Schneier warned that there was strong evidence indicating that nation-state actors were actively and aggressively probing the Internet for weak spots that could allow them to bring the entire Web to a virtual standstill.

“Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services,” Schneier wrote. “Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that.”

Schneier continued:

“Furthermore, the size and scale of these probes — and especially their persistence — points to state actors. It feels like a nation’s military cyber command trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.”

Whether Schneier’s sources were accurate in their assessment of the actors referenced in his blog post is unknown. But as my friend and mentor Roland Dobbins at Arbor Networks eloquently put it, “When it comes to DDoS attacks, nation-states are just another player.”

“Today’s reality is that DDoS attacks have become the Great Equalizer between private actors & nation-states,” Dobbins quipped.

UM…YOUR RERUNS OF ‘SEINFELD’ JUST ATTACKED ME

What exactly was it that generated the record-smashing DDoS of 620 Gbps against my site this week? Was it a space-based weapon of mass disruption built and tested by a rogue nation-state, or an arch villain like SPECTRE from the James Bond series of novels and films? If only the enemy here was that black-and-white.

No, as I reported in the last blog post before my site was unplugged, the enemy in this case was far less sexy. There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things” (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords. Most of these devices are available for sale on retail store shelves for less than $100, or — in the case of routers — are shipped by ISPs to their customers.

Some readers on Twitter have asked why the attackers would have “burned” so many compromised systems with such an overwhelming force against my little site. After all, they reasoned, the attackers showed their hand in this assault, exposing the Internet addresses of a huge number of compromised devices that might otherwise be used for actual money-making cybercriminal activities, such as hosting malware or relaying spam. Surely, network providers would take that list of hacked devices and begin blocking them from launching attacks going forward, the thinking goes.

As KrebsOnSecurity reader Rob Wright commented on Twitter, “the DDoS attack on @briankrebs feels like testing the Death Star on the Millennium Falcon instead of Alderaan.” I replied that this maybe wasn’t the most apt analogy. The reality is that there are currently millions — if not tens of millions — of insecure or poorly secured IoT devices that are ripe for being enlisted in these attacks at any given time. And we’re adding millions more each year.

I suggested to Mr. Wright perhaps a better comparison was that ne’er-do-wells now have a virtually limitless supply of Stormtrooper clones that can be conscripted into an attack at a moment’s notice.

A scene from the 1977 movie Star Wars, in which the Death Star tests its firepower by blowing up a planet.

SHAMING THE SPOOFERS

The problem of DDoS conscripts goes well beyond the millions of IoT devices that are shipped insecure by default: Countless hosting providers and ISPs do nothing to prevent devices on their networks from being used by miscreants to “spoof” the source of DDoS attacks.

As I noted in a November 2015 story, The Lingering Mess from Default Insecurity, one basic step that many ISPs can but are not taking to blunt these attacks involves a network security standard that was developed and released more than a dozen years ago. Known as BCP38, its use prevents insecure resources on an ISP’s network (hacked servers, computers, routers, DVRs, etc.) from being leveraged in such powerful denial-of-service attacks.

Using a technique called traffic amplification and reflection, the attacker can reflect his traffic from one or more third-party machines toward the intended target. In this type of assault, the attacker sends a message to a third party, while spoofing the Internet address of the victim. When the third party replies to the message, the reply is sent to the victim — and the reply is much larger than the original message, thereby amplifying the size of the attack.

BCP38 is designed to filter such spoofed traffic, so that it never even traverses the network of an ISP that’s adopted the anti-spoofing measures. However, there are non-trivial economic reasons that many ISPs fail to adopt this best practice. This blog post from the Internet Society does a good job of explaining why many ISPs ultimately decide not to implement BCP38.
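The filtering rule that BCP38 describes, as an added example written for this page (it is not code from the original post, from Akamai, CAIDA or any router vendor): an edge router accepts a packet arriving on a customer-facing interface only if its source address falls inside a prefix assigned to that interface, so a packet that carries someone else’s address as its source is dropped before it can ever reach a reflector. The interface names, prefixes and sample packets below are constructed; the two packets marked “spoofed” are the kind a reflection attack depends on, with the intended victim’s address written into the source field.

```python
"""BCP38 / RFC 2827 style ingress filtering, modelled in Python.

Added example, not code from the original post or from any ISP, router
vendor or CAIDA. Interface names, prefixes and sample traffic are
constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

# Hypothetical edge-router configuration: customer-facing interface -> the
# prefixes the ISP has assigned to the customer behind it.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "eth1": ["198.51.100.0/24", "2001:db8:1::/48"],
    "eth2": ["203.0.113.64/26"],
}


@dataclass
class Packet:
    iface: str   # ingress interface the packet arrived on
    src: str     # source address as written in the IP header
    dst: str     # destination address (reporting only)
    dport: int   # destination port (reporting only)


@dataclass
class FilterResult:
    accepted: List[Packet] = field(default_factory=list)
    dropped: List[Tuple[Packet, str]] = field(default_factory=list)


def build_filter(config: Dict[str, List[str]]) -> Callable[[str, str], Tuple[bool, str]]:
    """Parse the per-interface prefix lists once, like a compiled ACL, and
    return a function that decides whether a (interface, source) pair is allowed."""
    table = {iface: [ip_network(p) for p in prefixes] for iface, prefixes in config.items()}

    def allowed(iface: str, src: str) -> Tuple[bool, str]:
        if iface not in table:
            return False, "unknown ingress interface"
        try:
            addr = ip_address(src)
        except ValueError:
            return False, "unparseable source address"
        if addr.is_unspecified:
            # 0.0.0.0 / :: is legitimate only for a host that has no address
            # yet (e.g. a DHCP discover); BCP38 deployments leave this open.
            return True, "unspecified source permitted for address acquisition"
        if not any(addr in net for net in table[iface]):
            return False, "source not in prefixes assigned to interface"
        return True, "source matches assigned prefix"

    return allowed


def ingress_filter(packets: List[Packet], config: Dict[str, List[str]]) -> FilterResult:
    """Apply the BCP38 check to every packet and split traffic into accepted/dropped."""
    allowed = build_filter(config)
    result = FilterResult()
    for pkt in packets:
        ok, reason = allowed(pkt.iface, pkt.src)
        (result.accepted.append(pkt) if ok else result.dropped.append((pkt, reason)))
    return result


def summarize(result: FilterResult) -> Dict[str, int]:
    return {"accepted": len(result.accepted), "dropped": len(result.dropped)}


# Constructed sample traffic (documentation/benchmark address ranges only).
SAMPLE_PACKETS = [
    Packet("eth1", "198.51.100.25", "192.0.2.53", 53),          # legitimate DNS query
    Packet("eth1", "2001:db8:1::10", "2001:db8:ffff::1", 443),  # legitimate IPv6 HTTPS
    Packet("eth1", "192.0.2.200", "198.18.0.1", 53),            # spoofed: victim's address as source
    Packet("eth2", "203.0.113.70", "192.0.2.123", 123),         # legitimate NTP
    Packet("eth2", "198.51.100.25", "198.18.0.1", 123),         # spoofed: another customer's prefix
    Packet("eth2", "0.0.0.0", "255.255.255.255", 67),           # DHCP discover, permitted
    Packet("eth9", "203.0.113.70", "192.0.2.1", 80),            # unknown interface, dropped
]

if __name__ == "__main__":
    res = ingress_filter(SAMPLE_PACKETS, CUSTOMER_PREFIXES)
    for pkt in res.accepted:
        print(f"ACCEPT {pkt.iface} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    for pkt, why in res.dropped:
        print(f"DROP   {pkt.iface} {pkt.src} -> {pkt.dst}:{pkt.dport}  ({why})")
    print(summarize(res))
```

The check is deliberately per ingress interface rather than per network: an address that is perfectly valid on one customer port is still spoofed when it shows up on another, which is the case the second “spoofed” packet exercises. A real deployment would express the same rule as a unicast reverse-path-forwarding check or an interface ACL on the edge router; the logic is the same.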

Fortunately, there are efforts afoot to gather information about which networks and ISPs have neglected to filter out spoofed traffic leaving their networks. The idea is that by “naming and shaming” the providers who aren’t doing said filtering, the Internet community might pressure some of these actors into doing the right thing (or perhaps even offer preferential treatment to those providers who do conduct this basic network hygiene).

A research experiment by the Center for Applied Internet Data Analysis (CAIDA) called the “Spoofer Project” is slowly collecting this data, but it relies on users voluntarily running CAIDA’s software client to gather that intel. Unfortunately, a huge percentage of the networks that allow spoofing are hosting providers that offer extremely low-cost, virtual private servers (VPS). And these companies will never voluntarily run CAIDA’s spoof-testing tools.

CAIDA’s Spoofer Project page.

As a result, the biggest offenders will continue to fly under the radar of public attention unless and until more pressure is applied by hardware and software makers, as well as ISPs that are doing the right thing.

How might we gain a more complete picture of which network providers aren’t blocking spoofed traffic — without relying solely on voluntary reporting? That would likely require a concerted effort by a coalition of major hardware makers, operating system manufacturers and cloud providers, including Amazon, Apple, Google, Microsoft and entities which maintain the major Web server products (e.g., Apache, Nginx), as well as the major Linux and Unix operating systems.

The coalition could decide that they will unilaterally build such instrumentation into their products. At that point, it would become difficult for hosting providers or their myriad resellers to hide the fact that they’re allowing systems on their networks to be leveraged in large-scale DDoS attacks.

To address the threat from the mass-proliferation of hardware devices such as Internet routers, DVRs and IP cameras that ship with default-insecure settings, we probably need an industry security association, with published standards that all members adhere to and are audited against periodically.

The wholesalers and retailers of these devices might then be encouraged to shift their focus toward buying and promoting connected devices which have this industry security association seal of approval. Consumers also would need to be educated to look for that seal of approval. Something like Underwriters Laboratories (UL), but for the Internet, perhaps.

THE BLEAK VS. THE BRIGHT FUTURE

As much as I believe such efforts could help dramatically limit the firepower available to today’s attackers, I’m not holding my breath that such a coalition will materialize anytime soon. But it’s probably worth mentioning that there are several precedents for this type of cross-industry collaboration to fight global cyber threats.

In 2008, the United States Computer Emergency Readiness Team (CERT) announced that researcher Dan Kaminsky had discovered a fundamental flaw in DNS that could allow anyone to intercept and manipulate most Internet-based communications, including email and e-commerce applications. A diverse community of software and hardware makers came together to fix the vulnerability and to coordinate the disclosure and patching of the design flaw.

In 2009, Microsoft heralded the formation of an industry group to collaboratively counter Conficker, a malware threat that infected tens of millions of Windows PCs and held the threat of allowing cybercriminals to amass a stupendous army of botted systems virtually overnight. A group of software and security firms, dubbed the Conficker Cabal, hashed out and executed a plan for corralling infected systems and halting the spread of Conficker.

In 2011, a diverse group of industry players and law enforcement organizations came together to eradicate the threat from the DNS Changer Trojan, a malware strain that infected millions of Microsoft Windows systems and enslaved them in a botnet that was used for large-scale cyber fraud schemes.

These examples provide useful templates for a solution to the DDoS problem going forward. What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale.

That’s probably because at least for now, the criminals at the helm of these huge DDoS crime machines are content to use them to launch petty yet costly attacks against targets that suit their interests or whims.

For example, the massive 620 Gbps attack that hit my site this week was an apparent retaliation for a story I wrote exposing two Israeli men who were arrested shortly after that story ran for allegedly operating vDOS — until recently the most popular DDoS-for-hire network. The traffic hurled at my site in that massive attack included the text string “freeapplej4ck,” a reference to the hacker nickname used by one of vDOS’s alleged co-founders.

Most of the time, ne’er-do-wells like Applej4ck and others are content to use their huge DDoS armies to attack gaming sites and services. But the crooks maintaining these large crime machines haven’t just been targeting gaming sites. OVH, a major Web hosting provider based in France, said in a post on Twitter this week that it was recently the victim of an even more massive attack than the one that hit my site. According to a Tweet from OVH founder Octave Klaba, that attack was launched by a botnet consisting of more than 145,000 compromised IP cameras and DVRs.

I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections.

But what we’re allowing by our inaction is for individual actors to build the instrumentality of tyranny. And to be clear, these weapons can be wielded by anyone — with any motivation — who’s willing to expend a modicum of time and effort to learn the most basic principles of its operation.

The sad truth these days is that it’s a lot easier to censor the digital media on the Internet than it is to censor printed books and newspapers in the physical world. On the Internet, anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor.

I sincerely hope we can address this problem before it’s too late. And I’m deeply grateful for the overwhelming outpouring of support and solidarity that I’ve seen and heard from so many readers over the past few days. Thank you.

September 25, 2016 at 12:58PM
via Krebs on Security http://ift.tt/2d9yV8p

EFF to law enforcement (and judges): Please remember that an IP address is not enough evidence for a search warrant or subpoena
By Caleb Chen

The Electronic Frontier Foundation (EFF) has released a whitepaper titled: Unreliable Informants: IP Addresses, Digital Tips and Police Raids. The EFF asks law enforcement to consider IP address “evidence” as nothing more than a rumor floating around the Internet and to please “conduct additional investigation to verify and corroborate the physical location” before applying for a search warrant and busting down doors willy-nilly. The EFF has even provided law enforcement and courts with a step-by-step process to help. As a solid first step, they implore law enforcement to stop misrepresenting IP addresses as being the same caliber of identification information as a physical street address or vehicular license plate.

Judges: An IP Address is not enough identifying evidence to grant a search warrant

In the past, law enforcement around the country (and also the world) have filed search warrants and subpoenas on people and locations based only on IP address data, sometimes resulting in egregious and repeated errors. The biggest obstacle to breaking the courts’ seemingly willful ignorance of how IP addresses should be used in criminal investigations might be on the search warrant applications themselves. The EFF’s whitepaper has specifically called for police officers, when submitting their warrant applications, to:

“Remove imprecise analogies about IP addresses from warrant applications. Real-world analogies and metaphors are useful to explaining technology to courts and the public, but in the context of IP addresses, police should not use analogies that overstate the capabilities of IP address information. At minimum, police should stop representing IP addresses as sufficiently similar to physical street addresses or license plates to justify a warrant, since they are neither.”

IP addresses are fundamentally different from license plates in many ways. With both a physical address and a license plate, there exist government-maintained databases that are regularly and legally used for identification. Another key difference is simply that covering, or otherwise altering, your IP address when you are on the Internet roadways is perfectly legal. Obviously, attempting to hit the motor roadways with a covered, borrowed, or shared license plate would not be OK. In this day and age, any kid could tell you the difference, but apparently there are police officers and judges that still cannot. Hopefully, the EFF’s education efforts will be fruitful.

Disclaimer: Private Internet Access is a sponsor of the EFF.

The post EFF to law enforcement (and judges): Please remember that an IP address is not enough evidence for a search warrant or subpoena appeared first on Privacy Online News.

September 23, 2016 at 01:20PM
via Privacy Online News http://ift.tt/2cMi3a1

NSA’s Failure to Report Shadow Broker Vulnerabilities Underscores Need for Oversight
By Andrew Crocker and Bill Budington

In August, an entity calling itself the “Shadow Brokers” took the security world by surprise by publishing what appears to be a portion of the NSA’s hacking toolset. Government investigators now believe that the Shadow Brokers stole the cache of powerful NSA network exploitation tools from a computer located outside of the NSA’s network where they had been left accidentally, according to Reuters. A new detail, published for the first time in yesterday’s Reuters report, is that the NSA learned about the accidental exposure at or near the time it happened. The exploits, which showed up on the Shadow Brokers’ site last month, target widely used networking products produced by Cisco and Fortinet and rely on significant, previously unknown vulnerabilities or “zero days” in these products. The government has not officially confirmed that the files originated with the NSA, but the Intercept used documents provided by Edward Snowden to demonstrate links between the NSA and the Equation Group, which produced the exploits.

The Reuters story provides a partial answer to the most important question about the Shadow Brokers leak: why did the NSA seemingly withhold its knowledge of the Cisco and Fortinet zero days, among others, from the vendors? According to unnamed government sources investigating the matter, an NSA employee or contractor mistakenly left the exploits on a remote computer about three years ago, and the NSA learned about that mistake soon after. Because the agency was aware that the exploits had been exposed and were therefore vulnerable to theft by outsiders, it “tuned its sensors to detect use of any of the tools by other parties, especially foreign adversaries with strong cyber espionage operations, such as China and Russia.” Apparently finding no such evidence, the NSA sat on the underlying vulnerabilities until the Shadow Brokers posted them publicly.

But the NSA’s overconfidence should disturb us, as security researcher Nicholas Weaver points out. The “sensors” mentioned by Reuters are likely a non-technical reference to monitoring of the Internet backbone by the NSA under such authorities as Section 702 and Executive Order 12333, which could act as a form of Network Intrusion Detection System (NIDS). (The Department of Homeland Security also operates an NIDS called Einstein specifically to monitor government networks.) But Weaver explains that at least some of the exploits, including those that affected Cisco and Fortinet products, appear not to lend themselves to detection by outside monitoring since they operate within a target’s internal network. In other words, the NSA’s confidence that its surveillance tools weren’t being used by other actors might have been seriously misplaced.

The NSA’s decision not to disclose the Cisco and Fortinet vulnerabilities becomes even more questionable in light of the fact that some of the specific products affected had been approved by the Department of Defense’s Unified Capabilities (UC) Approved Products List (APL), which identifies equipment that can be used in DoD networks:1

Under National Security Directive 42 [.pdf], NSA is tasked with securing “National Security Systems” against compromise or exploitation, a mission which was traditionally housed within the Information Assurance Directorate (IAD). The NSA is currently in the process of combining the “defensive” IAD with its “offensive” intelligence-gathering divisions, but high-level officials charged with information assurance have acknowledged the NSA’s defensive mission is more important than ever. Regardless of whether the mission of protecting National Security Systems is interpreted broadly or narrowly, the NSA’s failure to remedy defects in products used widely across the IT sector and apparently by the government, and even the DoD itself, is difficult to defend.

Above all, the Shadow Brokers story highlights the need for oversight of the government’s use of zero days. Right now, the decision whether to retain or disclose a vulnerability is theoretically governed by the Vulnerabilities Equities Process (VEP), a once-secret policy that EFF obtained in redacted form via a Freedom of Information Act lawsuit. But because the VEP isn’t binding on the government, as far as we can tell, it’s toothless. While we don’t know the exact considerations employed by the government in reaching a decision to withhold a zero day, several of the high-level considerations described by White House Cybersecurity Coordinator Michael Daniel in a blog post about the VEP seem highly relevant:

  • How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
  • Does the vulnerability, if left unpatched, impose significant risk?
  • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  • How likely is it that we would know if someone else was exploiting it?

Even if NSA initially believed the specific vulnerabilities at issue in this case wouldn’t be discovered by others, its knowledge that the exploits had been left exposed should have changed that calculus. And if NSA knew specifically that the exploits had been stolen, it’s hard to think of a rationale where disclosure would still be outweighed by other considerations. Coincidentally, the NSA seems to have lost control of the Shadow Brokers exploits in 2013, during a fallow period for the VEP. Although the VEP was written in 2010, Michael Daniel told Wired that it was not “implemented to the full degree that it should have been” and was only “reinvigorated” in 2014.

We think lawmakers should be concerned with this story, and we encourage them to ask the NSA to explain exactly what happened. We think the government should be far more transparent about its vulnerabilities policy. A start would be releasing a current version of the VEP without redacting the decisionmaking process, the criteria considered, and the list of agencies that participate, as well as an accounting of how many vulnerabilities the government retains and for how long. After that, we urgently need to have a debate about the proper weighting of disclosure versus retention of vulnerabilities, and we should ensure that any policy that implements this decision is more than just a vague blog post or a document that lacks all “vigor.”

  • 1. We have chosen not to directly link to the APL here for technical reasons. The Department of Defense uses its own Certificate Authority (CA) for authenticating websites, which is not trusted in browsers. We provide the url here as a convenience, but recommend strongly against adding additional CAs to your browser: http://ift.tt/2ctXlO6

September 24, 2016 at 02:02AM
via Deeplinks http://ift.tt/2dqMbKc

Chelsea Manning Is ‘embarrassed’ For The US Over Solitary Confinement Ruling
By Tess Owen for VICE News

Earlier this summer, whistleblower Chelsea Manning tried to take her own life in prison. Yesterday, she learned the punishment: 14 days in solitary confinement for both attempting suicide and for possession of a book without her name written in it.

Now, she’s preparing herself for isolation.

“I have been in solitary confinement before,” Manning told VICE News, responding to questions through an intermediary. “I know what it feels like. I don’t like the feeling of isolation. It cuts me off from those who love me and care about me. It is incredibly lonely. I dread the idea of going back.”

She says the decision makes her feel hurt, alone and embarrassed.

“I am a US citizen,” Manning said. “I take pride in our military and our government. So when we do things like this, and look awful, I feel embarrassed.”

“The military depends on its ‘optics’ and public confidence,” she added. “For me, this board undermines the confidence of the military in the eyes of the public.”

The disciplinary board was made up of three officials from the US Army prison in Kansas. She was found guilty on two counts: “Conduct Which Threatens” and possessing “Prohibited Property.” The first charge was because her suicide attempt interfered “with the good order, safety, and running of the facility.”

The second charge was because prison officials, while searching her cell after Manning had been removed, discovered a copy of “Hacker, Hoaxer, Whistleblower, Spy” by Gabriella Coleman which wasn’t labelled with her name.

She was acquitted of a third charge which alleged that she resisted efforts to forcibly remove her from her cell because she was unconscious.

There is no set date for her period in solitary, technically known as “disciplinary segregation”, to begin, and she has 15 days to appeal her punishment as soon as she receives the board’s decision in writing.

If she loses the appeal, she’ll have to serve seven days in solitary, and then another seven if she commits another perceived infraction in the next six months.

The hearing took a total of four hours, with a break for lunch. During those four hours, Manning, who is serving a 35-year sentence for leaking thousands of sensitive military documents to Wikileaks while working as an army intelligence analyst, presented evidence and questioned witnesses. She was not permitted to have any legal representation.

Manning told VICE News that the whole experience was hard, and made her feel “sad and anxious.”

“I had to relive and retrace everything that happened,” Manning said.

Solitary confinement is an increasingly controversial tool used by prisons across the United States to discipline inmates who have broken the rules or segregate those who are believed to be at risk of harm.

Stuart Grassian, a certified psychiatrist and former faculty member at Harvard Medical School, interviewed hundreds of inmates who had been placed in solitary confinement, and concluded that isolating prisoners can cause a specific psychiatric condition characterized by “severe confusional, paranoid, and hallucinatory features”, also by “intense agitation” and “impulsive, often self-directed violence.”

Grassian observed these symptoms even in individuals who had no history of mental illness. Roughly a third of solitary inmates, Grassian concluded, were “actively psychotic and/or acutely suicidal.”

The US Justice Department has issued guidelines warning against placing prisoners with mental illness in solitary confinement, because the extreme isolation could exacerbate existing psychiatric conditions.

September 23, 2016 at 05:51PM
via VICE News http://ift.tt/2d3OHlm

Max Schrems shows how one privacy activist can make a global difference
By Rick Falkvinge

Max Schrems is at it again: after having had the sharing of private European data with corporations in the United States banned by the European Court of Justice, he’s now seeking class action status for a privacy lawsuit against Facebook. This is one individual calling out the highest executive offices on the purest of bullshit, and succeeding with it – he does not just set an example for others, but shows all of us that one individual can end global wrongs.

There was a small notice in a few news outlets yesterday, about how somebody is seeking class action status for a privacy lawsuit against Facebook. A TechCrunch article mentions his name, but not before calling him “privacy campaigner”, just like the BBC calls him “a privacy activist”, and only mentions his name halfway down the article. But to those of us who read court papers with all the boredom and dryness of an imminent dust explosion, the name Maximillian Schrems immediately rang bells from such court papers from a year ago.

It used to be that the European Commission – the executive branch of the European Union – gave away private data on European citizens to U.S. corporations freely, obviously without asking said citizens first, on some sort of goodwill assumption that European privacy laws would be followed (which they couldn’t be in the first place, as the US has the NSA). This was called “The Safe Harbor agreement” for European private data.

One person – one person out of 508 million – challenged this very questionable arrangement, which was mostly the product of European Commissioners attending the right set of cocktail parties, and filed a complaint with the Irish Data Protection Commissioner, choosing to target Facebook. (Facebook, like many other US technology companies, has its European headquarters in Ireland – hence the Irish Data Protection Commissioner and not the Austrian one.)

In doing so, Schrems outlined a number of Facebook practices that were illegal under European law, such as the absence of active and effective consent to data use, support for various NSA programs, tracking on external web sites, and so on. He was rapidly joined by 11,000 other people in seeking class action status, and it is this case that has now come before the Austrian Supreme Court.

The first fallout of the case was that the EU’s highest court – the European Court of Justice (ECJ) – was asked to rule on whether the European Commission’s executive agreement to share European personal data willy-nilly with the United States was valid at all. To the shock of the world, the ECJ ruled firmly on Schrems’ side:

European Court of Justice ruling in the Schrems case, finding the Safe Harbor agreement invalid

This pro-privacy ruling was considered a shock to both the European and the American establishment, as witnessed by media outlets like the Wall Street Journal and the New York Times. One person, one privacy activist, had won against the combined establishments and corporations of the United States and the European Union, and the latter were required to start respecting privacy laws. One out of 508 million had decided to make a difference.

And so now Schrems has succeeded in sending two more questions to the ECJ in his quest for privacy. He is challenging Facebook’s assertion that people lose their right to sue in a court of law if they also engage in public discussion – an assertion that appears preposterous on its face – and asking the ECJ to allow a class action lawsuit, even though such suits are not recognized under Austrian law. As before, an ECJ siding with Schrems would send shockwaves through the corporate world.

Of course, there are other privacy activists who have made global differences over the years: Mike Masnick, who was instrumental in scuttling SOPA; Edward Snowden, obviously; and many others. The list goes on. But it’s important to recognize that at the end of the day, the world changes not because of money or power or access, but because individuals – like all of us – decide to make a difference.

Individuals like Max Schrems.

Privacy remains your own responsibility.

The post Max Schrems shows how one privacy activist can make a global difference appeared first on Privacy Online News.

September 20, 2016 at 01:32PM
via Privacy Online News http://ift.tt/2cFY0xf

If You Build A Censorship Machine, They Will Come
By Mitch Stoltz

If you have the power to censor other people’s speech, special interests will try to co-opt that power for their own purposes. That’s a lesson the Motion Picture Association of America is learning this year. And it’s one that Internet intermediaries, and the special interests who want to regulate them, need to keep in mind.

MPAA, which represents six major movie studios, also runs the private entity that assigns movie ratings in the U.S. While it’s a voluntary system with no formal connection to government, MPAA’s “Classification and Ratings Administration” wields remarkable power. That’s because most movie theaters, along with retail giants like Wal-Mart and Target, won’t show or sell feature films that lack an MPAA rating. And a rating of “R” or “NC-17” can drastically limit the audiences who are allowed to view or buy a movie.

Power creates its own temptation. MPAA itself has been accused of rating independent films more harshly than those produced by MPAA’s own member studios. And this year, a class action lawsuit seeks to force MPAA to use its ratings system to eliminate tobacco imagery from children’s films. The lawsuit, Forsyth v. MPAA, claims that MPAA has a special legal duty to avoid harm to children, and because of that duty, MPAA should be required to give an “R” rating to every film that contains smoking or other tobacco use.

MPAA has responded by moving to dismiss the suit under California’s anti-SLAPP law. The group argued that its movie ratings are a form of speech protected by the First Amendment. It denied having any legal duty to protect children from images of smoking. And MPAA argued—sensibly—that Mr. Forsyth’s claims lead down a slippery slope:

[Plaintiff] is trying to use the tort system to require [MPAA] to implement his policy goals. If Plaintiff’s claims were permitted to proceed, there would be no end to claims invoking [MPAA’s] purported duty to disregard its own opinions and instead to implement a given advocacy group’s preferred social policy in assigning ratings.
* * *
Plaintiff’s theory . . . has no logical stopping point. The rule would require [MPAA] to give an R rating to movies that depict any conduct that advocacy groups think unhealthy—for example, movies that depict alcohol use, gambling, contact sports, bullying, consumption of soda or fatty foods, or high-speed driving.

MPAA is right. The First Amendment generally prohibits using legal processes to regulate the opinions expressed by others, no matter how noble the purpose. In fact, the slippery slope of censorship is one of the primary reasons why courts and legislatures can almost never regulate speech based on its content: if one form of “harmful” speech is banned or limited, it’s hard to avoid banning or limiting speech on every subject that some powerful interest finds harmful. We expect that MPAA will prevail in this lawsuit.

But there’s an irony to MPAA’s position in this lawsuit, because at the same time it fights to protect the ratings board against co-opting by special interests, the trade association is also trying to co-opt other powerful private gatekeepers of speech into advancing MPAA’s own special interest: copyright enforcement. Internet intermediaries like webhosts, domain name registrars, search engines, and third-party platforms are, like MPAA’s ratings board, private organizations that stand between speakers and their audiences. Their roles give them power to suppress speech, by making it harder for audiences to access, or even making entire sites disappear from the Internet.

Power, once again, creates temptation. This year, MPAA made agreements with two domain name registries, Donuts and Radix, which control new top-level Internet domains such as .movie, .online, and .site. Both registries agreed to receive accusations from MPAA that particular websites are engaged in copyright infringement, and to consider taking away those websites’ domain names. MPAA, along with other representatives of major entertainment companies, has also been pushing ICANN, the group that oversees the domain name system, to mandate this new copyright enforcement regime worldwide.

There are many problems with this initiative, which we’ll be exploring in the coming weeks. But one lesson that MPAA should have learned this year is that once one special interest obtains the power to block the channels of communication, others will come knocking. Many powerful interests want the power to edit the Internet, from corporations and wealthy individuals who want to suppress criticism to repressive governments seeking to quash dissent. Some may even have widely supported (though controversial) social goals, like stopping “hate speech,” blasphemy, or pornography. Like the plaintiff in the Forsyth case, all of these folks want these private companies and systems “to perform a different function . . . one [they] make[] no claim to serve.” Just as MPAA is right to worry that the Forsyth case could open the door to more control of the ratings board by various special interests, new copyright enforcement systems will quickly become enforcement systems for all kinds of speech that a corporation or government declares to be dangerous.

This has already happened in the copyright realm: Major ISPs in the United Kingdom are now required to block their customers from reaching entire websites that are deemed to be copyright infringers, using a system that was originally set up to block child pornography.

But, you might say, copyright is a law, while preventing smoking is simply a policy goal. Yet just as MPAA has no legal duty to promote a zero-tolerance message about smoking, intermediaries have no legal duty to police the Internet for copyright infringement, or to prevent their users from infringing. And just as laws on “hate speech,” blasphemy, and sedition vary widely between countries, copyright is not the same everywhere. Depictions of tobacco use are themselves subject to strict “plain packaging” laws in some countries. The more intermediaries on the global Internet are co-opted into regulating content, the more pressure they will face to apply the standards of the most censorious countries and organizations.

In the coming weeks, we’ll be exploring how speech on the Internet is being controlled by private agreements, and how Internet users can demand accountability and transparency in these Shadow Regulations. For now, even if the Forsyth case is quickly thrown out of court, it should serve as a cautionary tale: build a system that can regulate the speech of others, and the censors will beat a path to your door.

September 19, 2016 at 06:11PM
via Deeplinks http://ift.tt/2cCBjXH