
Monday Morning: Synthesized Brain

When you need a break this hectic Monday morning, take five minutes and watch ANA from Factory Fifteen. I’m intrigued by the props and set — how much is CGI, and how much is actual production line? What company allowed this production company access to their equipment?

Though snappy and visually engaging, the story’s not realistic — yet. But much of the equipment on the production line is very close to that used in manufacturing today. And just as depicted in this short film, the weakest link is the human.

Worth keeping in mind this week as we plow deeper into the conflict at the intersection of humans and devices. Speaking of which…

Apple-heavy week ahead

  • Hearing in California tomorrow in front of Judge Sheri Pym over the San Bernardino shooter’s iPhone. Be sure to read Marcy’s take on the hearing and witnesses.
  • WLTX of Columbia SC posted a timeline of #AppleVsFBI events — unfortunately, it starts on February 16 with Judge Pym’s order to Apple.
  • NYT reported last week that Apple employees may quit if Apple is ordered to cooperate and write security-undermining code. But is this a deliverable in itself? The article offered an incredible amount of detail about Apple’s operations; if employees quit, any entities observing the technology company will know even more. Has this shakedown been designed to yield information about Apple’s operations, while risking corporate and personal security?
  • Apple will release information about new products today at a media event. The buzz may be less about the new products than the hearing tomorrow.
  • An iPhone 6 bursting into flames during a flight to Hawaii didn’t help Apple. One might wonder why this particular phone flamed out so spectacularly as it’s a relatively new device.

HEADS UP TECH USERS

  • Kindle users: Amazon is forcing a mandatory update across all its older Kindle reader devices. Deadline: TOMORROW MARCH 22 — after that date, users will have to manually update devices and download books via PC and not over the internet.
  • Tweetdeck users: Owner Twitter will kill the Windows app on April 15th. After that time, Windows-based users will need to use a browser. Can’t blame Twitter; it’s ridiculously expensive to write and service so many apps when the same devices usually have a browser.
  • Android users: 1) Protect your privacy and security by checking these settings; 2) Check this setting, stat, to prevent unauthorized access.
  • Nexus users: Make sure you have the latest patch issued last week. All other Android users should nag their equipment makers for their version of the same patch.

Before the machines complete their occupation of our world…

  • Nice read on law emerging with the rise of robots. Too bad none of them really incorporate Asimov’s Three Laws of Robotics. (The Atlantic)
  • Want to bet the overlords will argue workers should be paid less because they don’t have to work as hard wearing an exoskeleton — like these at Panasonic? (By the way, DARPA, that’s yet another commercially-developed exoskeleton near release; where’s yours/ours?) (Mashable)
  • Artificial intelligence already pitted against humans by those bloody banksters. Watch this video and ask yourself if this guy from Global Capital Acquisitions realizes there are humans at the nodes of the investment network whose lives are affected by his blah-blah-blah-babbling about artificial intelligence. STG he could be a machine himself. (Bloomberg)
  • Myths about AI busted – another solid read. Combined with the preceding Bloomberg bankster video it reinforces AI threat awareness. (Gizmodo)

After watching that video at Bloomberg, I think we’re a lot closer to ANA than we realized. Watch your backs — Monday is certainly gaining on you, if robots aren’t.

Thursday Morning: A Little Green Around The Gills

Happy St. Patrick’s Day to those of you who observe this opportunity to drink beer (tinted green or otherwise) and eat boiled dinner and wear green! We’ll know the hardcore among you tomorrow by your hangovers.

Folks overseas don’t understand how St. Patrick’s Day blew up to the same proportions as other holidays like Halloween, blaming it on American commercialization. But the holiday as observed in the U.S., like Halloween, has roots in immigration. Four to five million Irish immigrated to the U.S.; their descendants here are nearly 40 million today, roughly seven times the number of actual Irish in Ireland now. With this many Irish-Americans, even a tepid observation of St. Patrick’s Day here would be visible abroad.

In addition to all things green, we’ll be watching this week’s second #FlintWaterCrisis hearing. Representatives Chaffetz and Cummings can go all shouty on Michigan’s OneLawyeredUpNerd Governor Rick Snyder and EPA’s Gina McCarthy though I have my doubts anything new will emerge. (And you’ll see me get really angry if Rep. SlackerForMichigan Tim Walberg shows up to merely make face on camera. Useless helicoptering.)

Unlike Tuesday, I hope like hell somebody brings up Legionnaires’ cases and deaths in Flint after the cut-over of Flint’s water to the Flint River. Thousands of children may have been permanently poisoned by lead, but people sickened and died because of this complete failure of government-as-a-business.

I can’t stress this enough: There were fatalities in Flint because of the water.

Hearing details – set a reminder now:

Thursday 17-MAR — 9:00 AM — Gov. Snyder (R-MI) & EPA Head McCarthy: House Hearing on Flint, MI Water Crisis (est. 3 hours, on C-SPAN3). Link to House Oversight Committee calendar entry.

You can find my timeline on Flint’s water here — as noted Tuesday, it’s a work in progress and still needs more entries.

Moving on…

Apple leaves Amazon for Google’s cloud service
Wait, what?! File under ‘Wow, I didn’t know!’ because I really thought Apple housed all its cloud services under its own roof. I mean, I’ve written about data farms before, pointed to a new Apple location. I didn’t know Apple had outsourced some of its iCloud to Amazon.

Which makes Senator Ron Wyden’s remarks about asking the NSA with regard to the San Bernardino shooter’s iPhone even more interesting.

No wonder Apple is moving to Google, considering Amazon’s relationship with certain government agencies as a cloud service provider. Some of Apple’s data will remain with Amazon for now; we might wonder if this is content like iTunes versus users’ data. Keep your eyes open for future Apple cloud migrations.

US Navy sailors’ electronic devices combed for data by Iran
Gee, encrypted devices and communications sure are handy when members of the military are taken into custody by other countries. Too bad the Navy’s devices weren’t as secure as desired when Iran’s navy detained an American vessel in January this year. To be fair, we don’t know what all was obtained, or whether any of the data was usable. But if the devices were fully encrypted, Iran probably wouldn’t have said anything.

American Express’ customers’ data breached — in 2013
Looks like a select number of AmEx customers will receive a data breach notice with this explanation:

We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system. Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.

The breach happened on December 7, 2013, well into the Christmas shopping season, but we’re just finding out now? “Third party service” means “not our fault” — which may explain why AmEx shareholders (NASDAQ:AXP) haven’t been notified of a potential risk to stock value as yet. Who/what was the third party service? Where’s their notification to public and shareholders?

I need to brew some coffee and limber up before the hearing on Flint, track down my foam footballs and baseballs to throw at the TV while Gov. Snyder goes on about how sorry he is and how he’s going to fix Flint’s water crisis. Oh, and find an emesis basin. See you here tomorrow morning!

On Jim Comey’s Attempts to Force Apple to Change Its Business Model

As he has said repeatedly in Congressional testimony, FBI Director Jim Comey wants to change Apple’s business model.

The former General Counsel for defense contractor Lockheed and hedge fund Bridgewater Associates has never, that I’ve seen, explained what he thought Apple’s business model should be, or how much he wants to change it, or how the FBI Director put himself in charge of dictating what business models were good for America and what weren’t and why we’re even asking that in an age of multinational corporate structures.

It seems there are three possible business models Comey might have in mind for Apple:

  • The AT&T (or Lockheed) model, in which a provider treats federal business as a significant (in Lockheed’s case, the only meaningful) market, and therefore treats federal requests, even national security ones, as a primary market driver; in this case, the Feds are your customer
  • The Google model, in which a provider sees the user’s data as the product, rather than the user herself, and therefore builds all systems so as to capture and use the maximal amount of data
  • A different model, in which Apple can continue to sell what I call a walled garden to customers, still treating customers as the primary market, but with limits on how much of a walled garden it can offer

I raise these models, in part, because I got into a conversation on Twitter about what the value of encryption on handsets really is. The conversation suffered, I think, from presuming that iPhones and Android phones have the same business model, and therefore one could calculate the value of the encryption offered on an iPhone the same way one would calculate the value of encryption on an Android phone. They’re not.

Setting aside the current difference between Google’s business model (the data model at the software level, the licensing model at the handset level) and Apple’s, in Apple’s model the customer is the customer, and she pays a premium for an idyllic walled garden that includes many features she may not use.

I learned this visiting recently with a blind friend of mine, whom I used to read for on research in college, who therefore introduced me to adaptive technologies circa 1990 (which were pretty cutting edge at the time). I asked her what adaptive technologies she currently uses, thinking that as happened with the 90s stuff the same technology might then be rolled out for a wider audience in a slightly different application. She said, the iPhone, the iPhone, and the iPhone. Not only are there a slew of apps available for iPhone that provide adaptive technologies. Not only does the iPhone offer the ability to access recorded versions of the news and the like. But all this comes standard in every iPhone (along with other adaptive technologies that wouldn’t be used by a blind person any more than most sighted ones). All iPhone users pay for those adaptive technologies as part of their walled garden, even though even fewer realize they’re there than they realize their phone has great encryption. But because they pay more for their phone, they’re effectively ensuring those who need adaptive technologies can have them, and on the market leader in handsets. Adaptive technologies, like online security, are part of the idyllic culture offered within Apple’s walled garden.

The notion that you can assign a value to Apple’s encryption, independent of the larger walled garden model, seems mistaken. Encryption is a part of having a walled garden, especially when the whole point of a walled garden is creating a space where it is safe and easy to live online.

Plus, it seems law enforcement in this country is absolutely obtuse about the fact that the walled garden does provide law enforcement access in the Cloud, and they ought to be thrilled that the best encryption product in the world entails making metadata — and for users using default settings, as even Syed Rizwan Farook seems to have been — content readily available to both PRISM and (Admiral Rogers made clear) USA Freedom Act. That is, Apple’s walled garden does not preclude law enforcement from patrolling parts of the garden. On the contrary, it happens to ensure that American officials have the easiest ability to do so, within limits that otherwise ensure the security of the walled garden in ways our national security elite have been both unwilling and even less able to do.

But there’s one more big problem with the fanciful notion you can build a business model that doesn’t allow for encryption: Signal is free. The best app for encrypted calls and texts, Signal, is available free of charge, and via open source software (so it could be made available overseas if Jim Comey decided it, too, needed to adopt a different business model). The attempt to measure in value what value encryption adds to a handset is limited, because someone can always add on top of it their own product, so any marginal value of encryption on a handset would have to make default encrypted device storage of additional marginal value over what is available for free (note, there is a clear distinction between encrypting data at rest and in motion, but the latter would be more important for anyone conducting nefarious actions with a phone).

Finally, there’s one other huge problem with Comey’s presumption that he should be able to dictate business models.

Even according to this year’s threat assessment, the threat from hacking is still a greater threat to the country than terrorism. Apple’s business model, both by collecting less unnecessary data on users and by aspiring to create a safe walled garden, offers a far safer model to disincent attacks (indeed, by defaulting on encryption, Apple also made iPhone theft and identity theft via device theft far harder). Comey is, effectively, trying to squelch one of the market efforts doing the most to make end users more resilient to hackers.

The only model left — one that could offer a safer default environment — would effectively be an AT&T model pushed to its limits: government ownership of telecoms, what much of the world had before Reagan pushed privatization (and in doing so, presumably made the rest of the world a lot easier for America to spy on). Not only would that devastate one of the brightest spots in America’s economy, but it would represent a pretty alarming move toward explicit total control (from what is tacit control now).

Is that what former Hedgie Jim Comey is really looking to do?

One final point. While I think it is hard to measure marginal value of encryption, the recent kerfuffle over Kindle makes clear that the market does assign value to it. Amazon dropped support for encryption on some of its devices last fall, which became clear as people were no longer able to upgrade. When they complained in response, it became clear they were using Kindles beyond what use Amazon envisioned for them. But by taking away encryption users had already had, Amazon not only made existing devices less usable, but raised real questions about the CIA contractor’s intent. Pretty quickly after the move got widespread attention, Amazon reversed course.

Even with a company as untrustworthy and data hungry as Amazon, removing encryption will elicit immediate distrust. Which apparently is not sustainable from a business perspective.

Friday Morning: The Political is Musical

It’s Friday, and that means more jazz. Today’s genre is Afrobeat, which emerged in the late 1960s/early 1970s.

Nigerian musician Fela Kuti is credited as the genre’s progenitor, though Fela maintained drummer Tony Allen was essential to style, saying, “[w]ithout Tony Allen, there would be no Afrobeat.”

Afrobeat fuses a number of different types of music with jazz, including funk, highlife, rock, and folk music from West African cultures. In this video, Beasts of No Nation, it’s easy to hear the different styles of music added as layers underpinned and unified by drums.

The lyrics of many Afrobeat tunes are very political; the album of the same name, Beasts of No Nation, was an anti-apartheid statement released in 1989.

Recommended read to accompany today’s musical selection: The Wealth of Nations by Emmanuel Iduma (Guernica magazine).

Let’s move…

Not far from the Apple tree
Lots of developments yesterday in the #AppleVsFBI story.

  • In support of Apple, big names in tech file amicus briefs to meet deadline. The two most powerful briefs constituted a who’s who of Silicon Valley. Amazon, Box, Cisco, Dropbox, Evernote, Facebook, Google, Microsoft, Mozilla, Nest, Pinterest, Slack, Snapchat, WhatsApp, and Yahoo filed one joint brief. Airbnb, Atlassian, Automattic, Cloudflare, eBay, GitHub, Kickstarter, LinkedIn, Mapbox, Medium, Meetup, Reddit, Square, Squarespace, Twilio, Twitter, and Wickr filed the second. There were several other pro-Apple briefs filed, but none with the economic clout of these two briefs.
  • Cato’s Julian Sanchez may have the best take on yesterday’s filings.
  • UN’s High Commissioner for Refugees Zeid Ra’ad Al Hussein said forcing Apple to write code for the FBI “could have extremely damaging implications for the human rights of many millions of people, including their physical and financial security,” constituting “a gift to authoritarian regimes.”
  • Michael Ramos, the San Bernardino County DA, exposed his lack of technology prowess in an ex parte application to participate as Amicus Curiae.

    “The iPhone is a county owned telephone that may have connected to the San Bernardino County computer network. The seized iPhone may contain evidence that can only be found on the seized phone that it was used as a weapon to introduce a lying dormant cyber pathogen that endangers San Bernardino’s infrastructure…”

    Emphasis mine. WHAT. EVEN. Dude just screwed law enforcement, making the case (using a made-up term) for the iPhone to never be opened.

Brazil’s former president Lula held for questioning as home raided
The investigation into state-run oil company Petrobras now reaches deeply into the highest levels of Brazil’s government. Investigators are looking into former president Luiz Inacio Lula da Silva’s role in Petrobras’ corruption, including kickbacks and influence peddling. The investigation’s discoveries threaten the viability of current president Dilma Rousseff’s ruling coalition. Wonder if the NSA was following this when they were spying on Petrobras?

Quick licks

  • Absolute insanity: Amazon’s Kindle devices no longer encrypted (Motherboard) — Well, nobody in this household is getting a Kindle any time soon.
  • Nope, not hackers, not squirrels: bird droppings suspected in shutdown of Indian Point nuke plant last December (Phys.org)
  • Joint US-UK college hacking competition this weekend (Phys.org) — Wanna’ bet some of these students will be asked about hacking Apple iPhones?
  • Connecticut wants to ban weaponization of drones, thanks to stupid teenager’s home project (Naked Security) — Seems like a federal issue, IMO, but let me guess the gun lobby will step in and whine about gun-enabled drones as a Second Amendment right. Surely our forefathers anticipated flying, cellphone-controlled privately-owned gun drones.

Ugh. That’s a wrap on this week, stopping now before this really devolves though I can’t see any distance between here and absolute bottom. Have a good weekend!

Tuesday Morning: Guidance to Be True

Now an oldie but goodie, this Fiona Apple ditty. The subtle undertow of irony seems fitting today.

Speaking of guidance…

Google’s self-driving car went boom
Oops. Autonomous vehicles still not a thing when they can’t avoid something the size of a bus. Thank goodness nobody was hurt. Granted, until now Google’s self-driving test cars were not the cause of accidents — human drivers have been at fault far more often. In this particular accident, both the car and the human test driver may have been at fault.

VW’s CEO Mueller spins the (PR) wheels on agreement with U.S.
This is now a habit: before every major international automotive show, VW’s Matthias Mueller grants an interview to offer upbeat commentary on the emissions standards cheating scandal, this time ahead of the 2016 Geneva International Auto Show. Not certain if this is helping at all; there’s not much PR can do when no truly effective technical fix exists while potential liability to the U.S. alone may approach $46 billion. Probably a better use of my time to skip Mueller’s spin and spend my time slobbering over the Bugatti Chiron. ~fanning self~

Apple all the time

#YearInSpace ends this evening for astronaut Scott Kelly
Undocking begins at 7:45 p.m. EST with landing expected at 11:25 p.m. EST, barring any unforeseen wrinkles like negative weather conditions. NASA-TV will cover the event live. Can’t wait to hear results of comparison testing between Scott and his earth-bound twin Mark after Scott’s year in space.

Department of No

That’s enough for now. I’m off to be a bad, bad girl. Stay safe.

Monday Morning: Swivel, Heads

Somebody out there knows what this tune means in my household. For our purposes this Monday morning, it’s a reminder to take a look around — all the way around. Something might be gaining on you.

Let’s look…

Android users: Be more vigilant about apps from Google Play
Better check your data usage and outbound traffic. Seems 300+ “porn clicker” apps worked their way around Google Play’s app checking process. The apps rack up traffic, fraudulently earning advertising income; they persist because of users’ negligence in vetting and monitoring downloaded apps (because Pr0N!) and weakness in Google’s vetting. If this stuff gets on your Android device, what else is on it?

IRS’ data breach bigger than first reported
This may also depend on when first reporting occurred. The number of taxpayers affected is now ~700,000 according to the IRS this past Friday, which is considerably larger than the ~464,000 estimated in January this year. But the number of taxpayers affected has grown steadily since May 15th last year and earlier.

Did we miss the ‘push for exotic new weapons’?
Nope. Those of us paying attention haven’t missed the Defense Department’s long-running efforts developing new tools and weapons based on robotics and artificial intelligence. If anything, folks paying attention notice how little the investment in DARPA has yielded in payoff, noting non-defense development moving faster, further, cheaper — a la SuitX’s $40K exoskeleton, versus decades-plus investment by DARPA in exoskeleton vaporware. But apparently last Tuesday’s op-ed by David Ignatius in WaPo on the development of “new exotic weapons” that may be deployed against China and Russia spawned fresh discussion to draw our attention to this work. THAT is the new development — not the weapons, but the chatter, beginning with the Pentagon and eager beaver reporter-repeaters. This bit here, emphasis mine:

Pentagon officials have started talking openly about using the latest tools of artificial intelligence and machine learning to create robot weapons, “human-machine teams” and enhanced, super-powered soldiers. It may sound like science fiction, but Pentagon officials say they have concluded that such high-tech systems are the best way to combat rapid improvements by the Russian and Chinese militaries.

Breathless, much? Come the feck on. We’ve been waiting decades for these tools and weapons after throwing billions of dollars down this dark rathole called DARPA, and we’ve yet to see anything commercially viable in the way of an exoskeleton in the field. And don’t point to SKYNET and ask us to marvel at machine learning, because the targeting failure rate is so high, it’s proven humans behind it aren’t learning more and faster than the machines are.

Speaking of faster development outside DARPA: Disney deploying anti-drones?
The Star Wars franchise represents huge bank — multiple billions — to its owner Disney. Control of intellectual property during production is paramount, to ensure fan interest remains high until the next film is released. It’s rumored Disney has taken measures to reduce IP poaching by fan drones, possibly including anti-drones managed by a security firm protecting the current production location in Croatia. I give this rumor more weight than the Pentagon’s buzz about exoskeletons on the battlefield.

Lickety-split quickies

That’s a wrap — keep your eyes peeled. To quote Ferris Bueller, “Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.”

Amazon’s Transparency Report: “Certain Purchase History”

Last week, precisely 10 days after USA F-Redux — with its different formulas allowing for provider transparency — passed, Amazon released its first transparency report. In general, the report shows that Amazon either doesn’t retain — or successfully pushes back against — a lot of requests. For example, Amazon provided no or only partial information to a third of the 813 subpoenas it received last year.

Also of note, in a post accompanying the report, Stephen Schmidt claimed that “Amazon never participated in the NSA’s PRISM program,” which may not be all that surprising given that it has only received 25 non-national security search warrants.

As I’ve already suggested, I find the most interesting detail to be the timing: given that Amazon has gotten crap as the only major company not to release a transparency report before, I suspect either that Amazon had a new application 2 years ago when everyone started reporting, meaning it had to wait until the new collection had aged under the reporting guidelines, or something about the more granular reporting made the difference for Amazon. Amazon reported in the 0-250 range (including both NSLs and other FISA orders), so it may just have been waiting to be able to report that lower number.

That said, Amazon received 13 non-national security court orders (aside from the one take down order they treat separately, which I believe has to do with an ISIL site), only 4 of which they responded fully to. I think this category would be where Amazon would count pen registers. And I’d expect Amazon to get pen registers in connection with their hosting services. If any of the 0 to 250 National Security orders are pen registers, it could be fairly intrusive.

Finally, Amazon clarified (sort of) something of particular interest. Amazon makes clear that content stored in a customer’s site is content (self-evident, I know, but there are loopholes for stored content, which is a big part of why Amazon would be of interest, and was when Aaron Swartz was using them as a hosting service).

Non-content. “Non-content” information means subscriber information such as name, address, email address, billing information, date of account creation, and certain purchase history and service usage information.

Content. “Content” information means the content of data files stored in a customer’s account.

But Amazon doesn’t consider “certain purchase history information” to be content.

As the country’s biggest online store, that’s where Amazon might be of the most interest. Indeed, the legal filings pertaining to Usaamah Abdullah Rahim (the claimed ISIL follower whom Boston cops shot and killed on June 2) show they were tracking Rahim’s Amazon purchase of a knife very closely.

If you wanted to do a dragnet of purchase records, you’d include Amazon in there one way or another. And such a dragnet order might represent just one (or four) of the fewer than 250 orders Amazon got in a year.

It’s not surprising they’re treating (“certain”) purchase records as metadata. But it is worth noting.

Leahy’s Freedom Act May Not Change Status Quo on Records Other than Call Records

Update: According to the DOJ IG NSL Report released today, the rise in number of Section 215 orders stems from some Internet companies refusing to provide certain data via NSL; FBI has been using Section 215 instead. However they’re receiving it now, Internet companies, like telephone companies, should not be subject to bulk orders as they are explicitly exempted.

WaPo’s MonkeysCage blog just posted a response I did to a debate between H.L. Pohlman and Gabe Rottman over whether Patrick Leahy’s USA Freedom includes a big “backdoor” way to get call records. The short version: the bill would prevent bulk — but not bulky — call record collection. But it may do nothing to end existing programs, such as the reported collection of Western Union records.

In the interest of showing my work, here’s a far more detailed version of that post.

Leahy’s Freedom still permits phone record collection under the existing authority

Pohlman argues correctly that the bill specifically permits the government to get phone records under the existing authority. So long as it does so in a manner different from the Call Detail Record newly created in the bill, it can continue to do so under the more lenient business records provision.

To wit: the text “carves out” the government’s authority to obtain telephone metadata from its more general authority to obtain “tangible things” under the PATRIOT Act’s so-called business records provision. This matters because only phone records that fit within the specific language of the “carve out” are subject to the above restrictions on the government’s collection authority. Those restrictions apply only “in the case of an application for the production on a daily basis of call detail records created before, on, or after the date of the application relating to an authorized investigation . . . to protect against international terrorism.”

This means that if the government applies for a production order of phone records on a weekly basis, rather than on a “daily basis,” then it falls outside the restrictions. If the application is for phone records created “before, on, [and] after” (instead of “or after”) the date of the application, ditto. If the investigation is not one of international terrorism, ditto.

However, neither Pohlman nor Rottman mention the one limitation that got added to USA Freedumber in Leahy’s version which should prohibit the kind of bulk access to phone records that currently goes on.

Leahy Freedom prohibits the existing program with limits on electronic service providers

The definition of Specific Selection Term “does not include a term that does not narrowly limit the scope of the tangible things … such as–… a term identifying an electronic communication service provider … when not used as part of a specific identifier … unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.”

In other words, the only way the NSA can demand all of Verizon’s call detail records, as they currently do, is if they’re investigating Verizon. They can certainly require Verizon and every other telecom to turn over calls two degrees away from, say, Julian Assange, as part of a counterintelligence investigation. But that language pertaining to electronic communication service provider would seem to prevent the NSA from getting everything from a particular provider, as they currently do.

So I think Rottman’s largely correct, though not for the reasons he lays out, that Leahy’s Freedom has closed the back door to continuing the comprehensive phone dragnet under current language.

But that doesn’t mean it has closed a bunch of other loopholes Rottman claims have been closed.

FISC has already dismissed PCLOB (CNSS) analysis on prospective collection

For example, Rottman points to language in PCLOB’s report on Section 215 stating that the statutory language of Section 215 doesn’t support prospective collection. I happen to agree with PCLOB’s analysis, and made some of the same observations when the phone dragnet order was first released. More importantly, the Center for National Security Studies made the argument in an April amicus brief to the FISC. But in an opinion released with the most recent phone dragnet order, Judge James Zagel dismissed CNSS’ brief (though, in the manner of shitty FISC opinions, without actually engaging the issue).

In other words, while I absolutely agree with Rottman’s and PCLOB’s and CNSS’ point, FISC has already rejected that argument. Nothing about passage of the Leahy Freedom would change that analysis, as nothing in that part of the statute would change. FISC has already ruled that objections to the prospective use of Section 215 fail.

Minimization procedures may not even protect bulky business collection as well as status quo

Then Rottman mischaracterizes the limits added to specific selection term in the bill, and suggests the government wouldn’t bother with bulky collection because it would be costly.

The USA Freedom Act would require the government to present a phone number, name, account number or other specific search term before getting the records—an important protection that does not exist under current law. If government attorneys were to try to seek records based on a broader search term—say all Fedex tracking numbers on a given day—the government would have to subsequently go through all of the information collected, piece by piece, and destroy any irrelevant data. The costs imposed by this new process would create an incentive to use Section 215 judiciously.

As I pointed out in this post, those aren’t the terms permitted in Leahy Freedom. Rather, it permits the use of “person, account, address, or personal device, or another specific identifier.” Not a “name” but a “person,” which in contradistinction from the language in the CDR provision — which replaces “person” with “individual” — almost certainly is intended to include “corporate persons” among acceptable SSTs for traditional Section 215 production.

Like Fedex. Or Western Union, which several news outlets have reported turns over its records under Section 215 orders.

FISC already imposes minimization procedures on most of its orders

Rottman’s trust that minimization procedures will newly restrain bulky collection is even more misplaced. That’s because, since 2009, FISC has been imposing minimization procedures on Section 215 collection with increasing frequency; the practice grew in tandem with greatly expanded use of Section 215 for uses other than the phone dragnet.

While most of the minimization procedure orders in 2009 were likely known orders fixing the phone dragnet violations, the Attorney General reports covering 2010 and 2011 make it clear that in those years FISC modified increasing percentages of orders by imposing minimization requirements and required a report on compliance with them:

The FISC modified the proposed orders submitted with forty-three such applications in 2010 (primarily requiring the Government to submit reports describing implementation of applicable minimization procedures).

The FISC modified the proposed orders submitted with 176 such applications in 2011 (requiring the Government to submit reports describing implementation of applicable minimization procedures).

That means the FISC was already requiring minimization procedures for 176 orders in 2011, only 5 of which are known to be phone dragnet orders.

What Kind of Fishing Trip Did the Government Conduct into Aaron Swartz’ Amazon Data?

Yesterday, privacy researcher Chris Soghoian posted an interesting exchange he had with Aaron Swartz in March 2011.

But then I wondered about Amazon. Amazon not only has a lot of private data on its own, but they host a lot of other websites with personal data. It seems like everyone is using Amazon EC2 these days -- Reddit and Netflix and Foursquare and more. Even sites that aren’t hosted on EC2, like 37 signals, still use S3 for backup. The “truly paranoid” tarsnap uses both EC2 and S3. (Yes, tarsnap encrypts your data, but [it sometimes has bugs][b] and doesn’t protect against traffic analysis.) Hell, even WikiLeaks was hosted there at one point.

What’s disturbing is that this means your personal data isn’t just accessible by the people who operate these sites -- it’s also accessible by Amazon. And anyone Amazon decides to hand it to.

What are Amazon’s policies? I’ve had several conversations with them about this, but they refuse to comment on the record. Still, I’m in the rare position of getting to experience them first-hand. A couple years ago the government sent Amazon a subpoena for information about an EC2 instance I’d purchased. Amazon handed it over without stopping to warn me. When I asked them about it specifically, they refused to comment. When I asked them about their general policy, they refused to comment. The only reason I found out about it was because I filed a FOIA request with the Department of Justice. The DOJ was more transparent about this than Amazon.

As best as I can tell, this is Amazon’s policy: When the government asks, turn stuff over. Never tell the people affected. Don’t give them a chance to object.

The exchange ends with Soghoian asking if Swartz will publish his piece, to which Swartz says he cannot.

I thought of that and wish I could, but I can’t put my name on it right now personal reasons.

The exchange happened, we now know, in between the time the Cambridge police first arrested him for breaking and entering and the time the government indicted him for a slew of computer crimes. It seems likely that those “personal reasons” include negotiations with the Secret Service about the JSTOR downloads (we know Swartz and his lawyer met with the Secret Service that summer and turned over some hard drives).

As Swartz himself pointed out, this exchange also happened in the wake of news that the government had issued orders to Twitter–basically within a day of the time the Secret Service triggered Swartz’ initial arrest–for the communications of people associated with WikiLeaks.

The exchange is notable because of a request Swartz’ lawyer made the following year, at the beginning of the pre-trial discovery process. In addition to asking how the government had obtained a bunch of communication involving Swartz and others, his lawyer asked to see everything returned from grand jury subpoenas and orders served on MIT and JSTOR–which makes sense in this case–but also Twitter, Google, and Amazon.

These paragraphs request information relating to grand jury subpoenas. Paragraph 1 requested that the government provide “[a]ny and all grand jury subpoenas – and any and all information resulting from their service – seeking information from third parties including but not limited to Twitter, MIT, JSTOR, Internet Archive that would constitute a communication from or to Aaron Swartz or any computer associated with him.” Paragraph 4 requested “[a]ny and all SCA applications, orders or subpoenas to MIT, JSTOR, Twitter, Google, Amazon, Internet Archive or any other entity seeking information regarding Aaron Swartz, any account associated with Swartz, or any information regarding communications to and from Swartz and any and all information resulting from their service.” Paragraph 20 requested “[a]ny and all paper, documents, materials, information and data of any kind received by the Government as a result of the service of any grand jury subpoena on any person or entity relating to this investigation.”

Swartz requests this information because some grand jury subpoenas used in this case contained directives to the recipients which Swartz contends were in conflict with Rule 6(e)(2)(A), see United States v. Kramer, 864 F.2d 99, 101 (11th Cir. 1988), and others sought certification of the produced documents so that they could be offered into evidence under Fed. R. Evid. 803(6), 901. Swartz requires the requested materials to determine whether there is a further basis for moving to exclude evidence under the Fourth Amendment (even though the SCA has no independent suppression remedy).

[snip]

Moreover, defendant believes that the items would not have been subpoenaed by the experienced and respected senior prosecutor, nor would evidentiary certifications have been requested, were the subpoenaed items not material to either the prosecution or the defense. Defendant’s viewing of any undisclosed subpoenaed materials would not be burdensome, and disclosure of the subpoenas would not intrude upon the government’s work product privilege, as the subpoenas were served on third parties, thus waiving any confidentiality or privilege protections. [my emphasis]

Effectively, Swartz’ lawyer was indicating that he had seen subpoenas and orders that requested information from–among others–Amazon, but not all of what these providers had returned in exchange was turned over as evidence in the case. He was trying to see what else the government had. He’s also making it clear that the government asked for the information in such a form that could be entered as evidence in a trial (meaning the government would not have to call an employee from Amazon or another service provider to certify the authenticity of the data, who could then be questioned by the defense).

And he’s suggesting that if the prosecutor asked for these things, then they must be relevant in this case, and therefore discoverable.

I suspect, though, that that last claim is not what the lawyer really thought. I suspect that he believed the grand jury investigating Swartz–during precisely the same period when Swartz was researching how Amazon might respond to a government request for information–had conducted a fishing trip on other issues, and had done so in such a way that any information gleaned could be used both to prosecute the alleged JSTOR download and to prosecute any other crime.

Now I suspect that DOJ’s original request to Amazon–the one Swartz mentioned to Soghoian–dated to Swartz’ efforts to liberate PACER. It shows up in the part of his FBI file Swartz published on his blog.

Data that was exfiltrated went to one of two Amazon IP addresses.

Investigation has determined that the Amazon IP address used to access the PACER system belongs to Aaron Swartz.

So it’s possible the grand jury was reinvestigating what Aaron had done two years earlier, even though DOJ had earlier declined to press charges, in an effort to criminalize Swartz’ efforts to liberate information generally.

But given the timing and Swartz’ own tie to the WikiLeaks orders, I also wonder whether there was something else there–whether Swartz believed the government had information pertaining to activities entirely unrelated to JSTOR or PACER.

Ultimately, Swartz didn’t get this information. As to the communications, the judge accepted the government’s assurances that it had neither used a civil administrative subpoena nor “court ordered electronic surveillance” to get his communications as closing the issue (given that the government investigated WikiLeaks as an Espionage case, the government might have claimed access to some of this under the PATRIOT Act simply because of Swartz’ ties to the Cambridge hacktivist community). And she refused to turn over the grand jury information on the grounds that the government may use such inquiries to chase down every lead, even if those leads are unrelated.

So it’s not clear Swartz ever learned what the government was looking for in its fishing expedition with Amazon.

Santa’s Elves Just Got Fired

Remember the “good” jobs report last week? As Dean Baker explained, many of the new jobs were actually the “couriers” who delivered your holiday presents.

The sharp drop in the unemployment rate over the last four months (from 9.1 percent to 8.5 percent) is not consistent with the job growth reported in the establishment survey. The survey reported 200,000 jobs in December; however, this figure is skewed by the 42,200 job gain reported for couriers. There was a similar gain in this category reported for last December, which was completely reversed the next month. Clearly this is a problem of seasonal adjustment, not an issue of real job growth. Pulling out these jobs, the economy created 158,000 jobs in December, in line with expectations.

Pulling out the courier jobs, growth has averaged 145,000 per month over the last four months. This is somewhat better than the 90,000-100,000 a month needed to keep pace with the growth of the labor force, but certainly not rapid enough to explain a 0.6 percentage point drop in unemployment. At this pace, we would not get back to pre-recession levels of unemployment until 2027. [my emphasis]

Now Baker’s predicted reversal in those jobs has started to appear, with initial jobless claims up 24,000 this week.

More Americans than forecast filed applications for unemployment benefits last week, raising the possibility that a greater-than-usual increase in temporary holiday hiring boosted December payrolls.

Jobless claims climbed by 24,000 to 399,000 in the week ended Jan. 7, Labor Department figures showed today in Washington. The median forecast of 46 economists in a Bloomberg News survey projected 375,000. The number of people on unemployment benefit rolls rose, while those receiving extended payments decreased.

Hiring by package delivery companies and retailers during the holidays to meet demand for gifts may now be giving way to an increase in dismissals.

These words–“couriers” and “package delivery companies”–are very cold. What we’re really talking about are Santa’s Elves, the wondrous people who make your holidays magical, particularly given how they help you avoid crowded malls by allowing you to shop online. In all the cartoon Christmas specials, those elves spend the off-season making more toys for the next Christmas. Not so our “modern” economy. Now, we benefit from their services, enjoy our holidays, and then <<BAM!!>> the Elves are on the street again, looking for work.

Merry Christmas!